FAQs


What are Mobile Authentication Tokens?
What is mCode?
What is mSign?
What authentication servers support Salt mobile authentication tokens?
What phones do the Salt tokens work on?
What mobile service provider networks do the Salt mobile authentication tokens work on?
What happens if I lose my mobile phone?
What happens when I change my mobile handset?
What happens when I change my SIM card?
What happens if I'm out of range from my mobile service provider?
What happens if I forget my PIN?
How do I get my mCode or mSign token unblocked?
Can Salt mobile authentication tokens utilise overseas mobile service provider networks?
Do mCode and mSign require WAP support?
Do mCode and mSign require SMS support?
What happens if the network is unavailable?
How secure is my mobile phone?
What precautions do I need to take against mobile phone viruses, spyware and malware?
How are mCode and mSign deployed?
How big is a Salt Mobile Authentication Token?
How many Salt Mobile Authentication Tokens will I need?
How can new products integrate Salt mobile authentication technology?

What are Mobile Authentication Tokens?

Mobile authentication tokens utilise a user’s mobile handset as a means to authenticate the user’s identity or a transaction that they are submitting to a third party.

Salt’s mobile authentication tokens include simple SMS based one time password delivery (Salt SMS), highly secure standalone tokens which run on the handset (Salt mCode), and sophisticated network enabled applications that actively utilise the mobile channel as part of the authentication process (Salt mSign).

What is mCode?

mCode is a standalone authentication token with application level PIN access control, onboard cryptographic functionality and high assurance provisioning and customer activation of the authentication service.  mCode can be configured as a one time password device, challenge-response device or a “signature” device.

mCode provides similar functionality to Vasco, RSA, and Thales specialised authentication devices at a fraction of the up-front and operational costs.

What is mSign?

mSign provides a mobile network enabled authentication mechanism with application level PIN access control, onboard cryptographic functionality, high assurance provisioning and customer activation of the authentication service and strong transaction non-repudiation.  

mSign enables a unique "second channel" confirmation of a transaction's details. mSign protects against a range of identity and transactional fraud including man-in-the-middle attacks.

mSign is unique in the market and provides strong transaction authentication functionality which cannot be provided in commercially available specialised tokens.

What authentication servers support Salt mobile authentication tokens?

Salt tokens interwork with Thales SafeSign Authentication Server and ActivIdentity 4TRESS server.  In these modes they can co-exist with other authentication mechanisms implemented within the enterprise.

mCode OATH tokens can interwork with any OATH compliant authentication server, with Salt OATH token key distribution supporting standard OATH interchange protocols.

What phones do the Salt tokens work on?

Salt mobile authentication tokens are designed to operate within the application environment on mobile handsets utilising common mobile network provider communications interfaces.

Specifically, mCode and mSign operate on handsets that support J2ME MIDP 1.0, with extended features required for mSign supported on J2ME MIDP 2.0 handsets.  mCode and mSign have also been validated on Blackberry and Symbian devices.

MS Windows Mobile V5 devices are supported through the .NET Compact Framework.

Apple iPhone devices are supported for mCode, mCodeXpress and mSign Remote

What mobile service provider networks do the Salt mobile authentication tokens work on?

Salt mobile authentication tokens are network independent and can be deployed using GSM, CDMA and 3G networks globally.

SMS capability is required for mSign, mSign Remote and Salt SMS for the transfer of user or transaction authentication codes.

Salt mobile authentication tokens have been validated widely in Europe, North America, and Asia Pacific.

What happens if I lose my mobile phone?

Salt mCode and mSign authentication tokens are PIN protected, with incorrect PIN thresholds protecting exhaustion attacks on the PIN.  Once the issuer-set threshold is reached, the token is locked and will require reset through user interaction with the token issuer.

Salt SMS token utilises standard SMS messaging and has no PIN protection.

What happens when I change my mobile handset?

Once activated, mCode and mSign tokens are only valid on the mobile handset that they were activated on.  If a handset is changed, a new Salt token will need to be issued and (if applicable) the old token revoked.

What happens when I change my SIM card?

There are no special requirements for mobile service provider configuration of the SIM and no SIM Toolkit (STK) development is involved. 

As long as a user’s mobile phone number does not change there is no need to issue a new Salt token.

What happens if I’m out of range from my mobile service provider?

mCode is a standalone application on the handset and does not require network connection.

Salt SMS and mSign require connectivity.
For mSign there is an offline mode available for instances when the network is unavailable.

What happens if I forget my PIN?

mCode and mSign tokens are protected by PIN retry counts. If the PIN retry count is exceeded then the Salt token will lock and cannot be accessed until reset through user interaction with the token issuer.

How do I get my mCode or mSign token unblocked?

A call to the token issuer’s help desk will result in token reset.  Different token issuers may deal with this situation differently

Can Salt mobile authentication tokens utilise overseas mobile service provider networks?

All Salt tokens are mobile service provider independent and all deployment and transactional functionality can be completed whilst “roaming”, provided the underpinning telecommunications provider interchange and roaming privileges have been established for the handset.

Do mCode and mSign require WAP support?

Yes. Both mCode and mSign require WAP support to be enabled for provisioning of the application to the handset.

Do mCode and mSign require SMS support?

mCode is a standalone application and once deployed has no network connections.

mSign utilises the SMS transport channel for communication between the authentication server and the handset application.  The SMS messages are privileged and do not appear or reside within the SMS message queues resident in handsets.  The SMS message processing is under the full control of mSign.

What happens if the network is unavailable?

mSign can be started from the handset and, after the user has entered the PIN and transaction summary information, mSign will generate an authorization code as if the handset were on the network.

How secure is my mobile phone?

Salt’s mobile authentication tokens are most secure and incorporate a number of protections against fraudulent use and cloning of the token.  All key material is held encrypted and PIN protected and the PIN is not held within the clear in the handset.

Communications between the authentication service and handset is protected.

What precautions do I need to take against mobile phone viruses, spyware and malware?

As with a laptop or PC, users should deploy security protection for their mobile devices where available.

How are mCode and mSign deployed?

Salt's Mobile Token Management Service implements an over-the-air application deployment model that provides rapid and highly secure distribution and activation of the Salt mobile token. It ensures full deployment and that the application and its core cryptographic processes are operational and in the control of the registered user.

Importantly, mobile tokens may be re-provisioned as necessary to provide new features or to address emerging threats.

How big is a Salt Mobile Authentication Token?

Less than 32 kB.

How many Salt Mobile Authentication Tokens will I need?

Each Salt token is electronically branded by the issuer of the token.  Multiple tokens can exist independently on the handset, each with their own PIN and key material.

There is no longer a need to carry multiple authentication devices – just a single mobile handset.

How can new products integrate Salt mobile authentication technology?

Salt Group provides an SDK to assist developers with integrating Salt mobile technology into new products and applications. Please apply directly to Salt Group either by Phone: +61-3-9866-4400 or Email: sales@saltgroup.com.au for further information on features and pricing.