Secured Mobile Interaction
Call Us Free: 1-800-123-4567
+33 970 468 468


Basics of the Technical Solution

The Patent

The invention patent for the M2Key technology describes the following items:

  • A session token is dynamically generated as an OTP (One Time Password, or One Time Pad) token, in an authentication server. This token is then sent to a fixed Point of Contact device (interactive display, totem etc.)
  • The token is then read by a mobile smartphone that validates the authentication request by sending this token to the authentication server (technology secured by Cloud). The corresponding service session is then opened on the associated Point of Contact.

The M2Key solution is neutral from a technological point of view and thereby suitable to the functional means of the mobile smartphone. It can use either NFC, Bluetooth, visual (QR Code) or basic manual typing of a code comprised of a short character string (web/SMS).

The connection is established in a very simple quick and ergonomic way for users (one click, one 2D scan, or quickly typing a few characters).

Depending on the capabilities of the mobile and on the users’ preferences, the various connection modes allow almost every type of mobile user to be addressed.



For reasons of operational and Research and Development (R&D) security, the accessible API parts (the signatures) are isolated from the execution (model) that takes place within the cloud, according to the CVM pattern (Controller-View-Model).

Beyond the security aspects generated by the use of the OTP (One Time Password, or One Time Pad) temporary token in the user’s service authentication chain, all the communication methods are doubly-secured by a specific encryption mechanism and parameter hashing technologies.

As well as these internal mechanisms, a global SSL encryption mechanism has been added (implying HTTPS exchanges) also known as physical encryption.

There is no personal or confidential information directly exchanged between the Point of Contact and the mobile application. There is only one temporary token, propagated in an encrypted way, between both elements.

In this way, the security weaknesses observed, for example, when using NFC technology do not exist with the M2Key model. The user’s authentication and the personal information exchanges are completely addressed within the solution infrastructure.

The technology developed by M2Key does not rely on any protection and security mechanism associated with the use of SIM technology. It therefore becomes completely independent of any telecom operator.

API server

The API server allows the interactions between the M2Key ™ server, the Point of Contact (totems /interactive displays) and the mobile applications which connect to them.

Each service or application using the API will be provided with an ID, and a dedicated Key representing the rights and usage limits of this service with this API. For example, the “personal information” access will be granted to service provider X, while the access to the “profile management” section will not be granted to service provider Y.


L’API M2Key permet l’utilisation des fonctionnalités suivantes :

  • Inscription
  • M2Key Authentication
  • Point of Contact Authentication
  • Dynamic rotating tokens and QR-Codes request
Authentication Mode User action User terminal
SMS Send the token to a short (or long) mobile number Basic mobile phone
QR Code Scan the dynamic QR-Code in the mobile app Smartphone
Web mobile Manual typing of the token code in the mobile app Smartphone
NFC NFC scan of the token in the mobile app Smartphone NFC