SORACOM Endorse ("Endorse") enables SORACOM to act as an authentication service provider by offering device authentication functionality for devices that use an Air SIM. This SIM-based authentication can also be used with communication systems other than SIM, such as a Wi-Fi.
* Endorse is provided as a Public Beta.
Features of Endorse
Nowadays, user authentication for web services is widely done through a user ID and password. The use of a user ID and password relies on the memory of the user, so they tend to be based on a collection of relatively simple words, and sometimes people even end up writing their passwords on a piece of paper. In addition, user IDs and passwords need to be entered every time user authentication is required, a step that could be considered as being relatively inconvenient.
An alternative to this system is the use of SIMs for implementing mobile communications. SIMs offer the following features:
- Highly tamper resistant (a feature that prevents others from illegally reading or falsifying data stored in the SIM), making it extremely difficult to create duplicates.
- SIMs have a universally unique ID known as their International Mobile Subscriber Identity (IMSI). IMSIs are issued per mobile network provider, and data communications are only enabled when the IMSIs are registered with that mobile network provider.
- IMSIs are used as the basis for identifying the originator of a data connection. An exchange of security keys then takes place based on private information available only on the SIM. This enables the implementation of user authentication and the encryption of all data communications.
Endorse provides authentication functionality based on Air SIMs.
Authentication results can be used not only within the mobile network, but also on other network services such as Wi-Fi. This enables users to utilize or link with multiple services based on a strong SIM-based authentication system, without losing out on the convenience of other services.
Endorse's Device Authentication Service
Endorse offers a device authentication service for devices that use an Air SIM.
When sending data using an Air SIM, SORACOM Beam (referred to as Beam below) allows you to denote a specific server by specifying an IMSI. The server receiving the data transferred using Beam can then read the IMSI included in the data to identify the SIM of the originator of the data connection.
Without Beam, the transferred data would not include the IMSI of the originator device. In this case, the server receiving the data from Beam would be unable to determine which SIM the communication had been sent from.
Let's take a look at the following connection cases:
- Using an Air SIM to connect to a server through Beam.
- Using an Air SIM to connect to a network server connected through SORACOM Canal/Direct.
- Using an Air SIM to connect to a server through the Internet.
- Connecting to a server through the Internet, using communication methods other than SORACOM Air, such as Wi-Fi, etc.
In case 1, the server can use Beam to determine the SIM of the originator device from its assigned IMSI.
In case 2, the SIMs that are allowed to connect through Canal/Direct can be configured based on particular users. Authentication is done when connecting with the Air SIM, so users would have been verified if the data connection through Canal/Direct had been initiated from a SIM configured by the user (a SIM that has been included within a configuration group). However, the data does not contain information that denotes which SIM the communication originated from.
In cases 3 and 4, the server that accepts the connection is unable to determine whether the originator of the connections is using an Air SIM or not.
Endorse is a service that allows you to do authentication and find out which SIM the connection originated from, even with cases 2 to 4.
The process of the Endorse authentication functionality is as follows:
When an Air SIM makes a connection, an authentication token request is sent through to Endorse. Endorse then issues an authentication token containing data such as its IMSI and IMEI (*1). This token is signed using a private SORACOM key.
When the device sends this token to the server, the server uses a SORACOM public key to determine whether the token was genuinely issued by SORACOM. Once the token has been received, the server can also, for example, create a system for logging in directly into the server in order to determine the SIM of the connecting device. Then once the authentication token has been delivered and the authentication process has been completed successfully, the user's system can handle the connection knowing exactly which SIM the connection was initiated from, even when using Wi-Fi instead of Air SIM.
IMEI: International Mobile Equipment Identity.
An international identification number assigned to each mobile device.
In addition to the IMSI that is assigned to a SIM, the IMEI can also be used to implement a strong authentication system based on a combination of SIM + mobile device identification. This prevents the misuse of stolen SIMs.
Main Example Uses
Device authentication is done via the SIM, and if Wi-Fi is available, a system can then be implemented so that the Wi-Fi connection is used to upload the data.
For example, let's say you are using a device that has a 3G/LTE module and a Wi-Fi interface, and you want to upload a large file to a storage service using Wi-Fi. By providing an Endorse token, the IMSI and IMEI included in the token can be authenticated to be granted access to the system.
Business System Log-in
When logging in to a business system, the system provides a token obtained from Endorse. The business system verifies the token, and if the IMSI and IMEI combination matches the stored information, then access is granted to the system.
If you create a business system in conjunction with SORACOM Canal/Direct, you can build a SIM-based single sign-on system. Once the authentication process is complete, the authentication is carried over even through Wi-Fi, allowing users convenient access to the system even from smartphones or tablets.
One Element of Multi-factor Authentication
In an authentication system, after going through the primary authentication method, the system then redirects the connection to an Endorse endpoint. If a valid Endorse token containing a pre-registered IMSI and IMEI is then returned once more to the authentication server, access to the system is granted.
Please contact us if you have any questions.