Secure Two-Factor Authentication with SwissPass Crypto Card: A Case Study

Two-factor authentication requires two pieces of independent evidence, mostly one based on possession and the second based on knowledge. The major drawback of these methods are usability and the costs to procure and (re)place the hardware token. The SwissPass is a contactless crypto card mainly used to inspect travel tickets (GA and Half-Fare travel cards) by the Swiss federal railways. This paper presents an authentication protocol using the widely spread SwissPass that allows to log in into web and mobile applications in a secure and intuitive way via smart phone. The protocols are further developed to create the SwissPass Authenticator providing federated authentication on the smart phone.