W3C home > Mailing lists > Public > public-usable-authentication@w3.org > April 2006

Authentication Idea

From: John Best <johnb@eclios.com>
Date: Mon, 10 Apr 2006 20:42:16 +0100
Message-ID: <006d01c65cd6$e0e02320$0500a8c0@Jimbo>
To: <public-usable-authentication@w3.org>
Hello all, I didn't attend the conference, but I would like to put forward an idea for authentication.

I will try to be as brief as possible, if any of you would like to know more about this idea, I would be happy to give more details.

The key concept is to use the users mobile phone as a second factor in authentication.

The mobile phone requires a camera and software to interpret a barcode.
(possibly a 2 dimensional, multi-shade barcode)

Example process
-------------------------------

Preparation

- Whilst on a trusted machine, user requests an authentication key
- Server sends the user a package, containing
   The url of the service
   The name of the service
   The decryption key 
   (all wrapped up in a barcode image)
- User photographs the screen, and the mobile unwraps the package, and generates an entry for this site.

Usage

- The user requests to authenticate using Image Authentiation
- The server sends the user a package, containing
   The URL of the service
   An encrypted message containing
   The name of the service
   A short message

- The user photographs the screen, and the mobile decrypts the package
 (checking that the name of the service matches the URL)

- The user enters the short message (and possibly a part of their password)
- If the message is correct, the user is considered to be authenticated


Benefits.
-----------------
Authenticates both parties
Limits the damage a Keylogger would do (hence can be used from an untrusted computer)
Has no cost if the user has a camera phone.
(so sites can deploy it with no capital outlay)

Problems.
Requires a seperate device (but only one device for all services)

Thank you very much for reading this far.

John Best

---
[This E-mail has been scanned for viruses but it is your responsibility 
to maintain up to date anti virus software on the device that you are
currently using to read this email. ]
Received on Tuesday, 11 April 2006 12:39:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC