Sazka Improves the Login User Experience with Wultra Mobile Security Suite

Petr Dvořák
Published in Wultra Blog · 3 min read · Dec 4, 2018

Until today, the mobile app by Sazka had one pain point that was hurting its app ratings: the login user experience. The app required the combination of e-mail and password on every login.

Today, Sazka is our first customer outside the banking industry who decided to improve the authentication user experience with Wultra Mobile Security Suite, on both iOS and Android. As a result, players can sign in using just a PIN code, or with biometry (Face ID, Touch ID).

Good PIN, bad PIN…

Now, there is one thing that makes selling PIN authentication difficult. It is not about what you see, but about what happens in the background. From the user's perspective, every PIN implementation seems the same. However, the internals may differ significantly.

To illustrate this, let me show you one example of how a certain bank in Kazakhstan implements the PIN code:

Figure: A weak PIN code implementation only compares the stored value with the one the user entered.

Yes, this is an actual real-world example of a banking app PIN code implementation. Also, let’s disregard the lack of obfuscation for now…

This is what I call the “Bad PIN”. Basically, it works like this:

  1. Let the user enter the PIN code.
  2. Compare the stored PIN code value (plaintext) with what the user entered.
  3. If the values match, use stored credentials (again, stored on the device in plaintext) to log in.
  4. If the values do not match, decrease a locally stored number of failed attempts.

This approach has many issues. The main problems are:

  • No help from the server-side: When an attacker finds a device, it is possible to perform a local attack on the PIN code and eventually compromise the user account without the server ever knowing there might be an issue.
  • No cryptographic protection: When an attacker intercepts the request over HTTP, he/she can modify the request contents, send a completely different request, or replay the intercepted request.

There is a better way

In fact, our PIN code implementation, which is included in the Wultra Mobile Security Suite (PowerAuth), is what I call the “Good PIN.”

It is not possible to verify the PIN code locally on the device under any circumstances. Cooperation with the server is required for every PIN code validation, and therefore, the PIN code can be effectively blocked on the server-side after five failed authentication attempts.

Also, every request to the server is protected with a one-time multi-factor signature that is strongly bound to the request data. As a result, it is not possible to replay the request, modify the request data, or forge an entirely new request.

You can check it for yourself: our cryptography is open-source.
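
A simplified model of the server-verified PIN described in this section, added here as an illustration: it is not PowerAuth's actual algorithm or Wultra's code. The key derivation, signature layout, `Server` class, endpoint and sample values are all assumptions made for the example.

```python
import hashlib
import hmac

MAX_FAILED = 5  # the post: blocked server-side after five failed attempts


def knowledge_key(pin: str, salt: bytes) -> bytes:
    """Derive a key from the PIN; the PIN itself is never stored on the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)


def sign(possession: bytes, knowledge: bytes, counter: int,
         method: str, uri: str, body: bytes) -> str:
    """One-time signature bound to the counter and to the request data."""
    data = "&".join([str(counter), method, uri, hashlib.sha256(body).hexdigest()])
    return hmac.new(possession + knowledge, data.encode(), hashlib.sha256).hexdigest()


class Server:
    """Holds the key material, the counter and the failed-attempt count (hypothetical)."""

    def __init__(self, possession: bytes, knowledge: bytes):
        self.possession, self.knowledge = possession, knowledge
        self.counter = 0
        self.failed = 0

    def verify(self, method: str, uri: str, body: bytes, signature: str) -> str:
        if self.failed >= MAX_FAILED:
            return "BLOCKED"  # even a correct PIN no longer helps
        expected = sign(self.possession, self.knowledge, self.counter, method, uri, body)
        if hmac.compare_digest(expected, signature):
            self.counter += 1  # the accepted signature can never be valid again
            self.failed = 0
            return "OK"
        self.failed += 1  # wrong PIN, replay and tampering all land here
        return "BLOCKED" if self.failed >= MAX_FAILED else "FAILED"


def demo() -> list:
    salt, possession = b"constructed-salt", b"constructed-device-key"  # sample values
    server = Server(possession, knowledge_key("4821", salt))
    good = sign(possession, knowledge_key("4821", salt), 0, "POST", "/login", b"{}")
    results = [server.verify("POST", "/login", b"{}", good),   # genuine request
               server.verify("POST", "/login", b"{}", good)]   # replay of it
    for guess in ("0000", "1111", "1234", "2580"):  # device cannot tell these are wrong
        sig = sign(possession, knowledge_key(guess, salt), server.counter, "POST", "/login", b"{}")
        results.append(server.verify("POST", "/login", b"{}", sig))
    return results
```

In this model the device holds nothing that reveals whether a PIN is right: a wrong PIN simply yields a signature the server rejects, so the attempt counter cannot be bypassed locally.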

Partners for the win!

To wrap this story up, we would like to acknowledge one specific aspect of this project: the cooperation with our technology partners.

NeoGames (Tel Aviv, Israel) was responsible for the server-side integration. It would seem that they are not exactly compatible with us: while we write our systems in Java, they use .NET. Despite this and the remote work, NeoGames managed to implement their part in just a couple of weeks and were extremely helpful in testing.

Adastra.one (Prague, Czechia) implemented the mobile app part. Moreover, they set the world record for the fastest PowerAuth technology integration. Everything was ready on mobile in under two weeks! What we are especially proud of is that Adastra.one managed to implement everything just based on our online documentation.

Well done, and thank you! :-)

Petr Dvořák
Wultra Blog

CEO and Founder of Wultra. Cybersecurity specialist, author of two security-related patents, and a passionate motorcyclist.