- From: John Best <johnb@eclios.com>
- Date: Mon, 10 Apr 2006 20:42:16 +0100
- To: <public-usable-authentication@w3.org>
- Message-ID: <006d01c65cd6$e0e02320$0500a8c0@Jimbo>
Hello all,

I didn't attend the conference, but I would like to put forward an idea for authentication. I will try to be as brief as possible; if any of you would like to know more about this idea, I would be happy to give more details.

The key concept is to use the user's mobile phone as a second factor in authentication. The mobile phone requires a camera and software to interpret a barcode (possibly a 2-dimensional, multi-shade barcode).

Example process
-------------------------------

Preparation

- Whilst on a trusted machine, user requests an authentication key
- Server sends the user a package, containing
    The URL of the service
    The name of the service
    The decryption key
  (all wrapped up in a barcode image)
- User photographs the screen, and the mobile unwraps the package, and generates an entry for this site.

Usage

- The user requests to authenticate using Image Authentication
- The server sends the user a package, containing
    The URL of the service
    An encrypted message containing
        The name of the service
        A short message
- The user photographs the screen, and the mobile decrypts the package (checking that the name of the service matches the URL)
- The user enters the short message (and possibly a part of their password)
- If the message is correct, the user is considered to be authenticated

Benefits.
-----------------

Authenticates both parties
Limits the damage a Keylogger would do (hence can be used from an untrusted computer)
Has no cost if the user has a camera phone. (so sites can deploy it with no capital outlay)

Problems.

Requires a separate device (but only one device for all services)

Thank you very much for reading this far.

John Best
Received on Tuesday, 11 April 2006 12:39:55 UTC
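A runnable sketch of the exchange proposed in the message above, added here as an illustration and not part of the original post or of any W3C work: a Server issues the enrolment package and the encrypted challenge, a Phone files the key under the URL and refuses a challenge whose decrypted service name does not match that URL, and the short message is accepted once only. The Server and Phone classes, the JSON packaging, the symmetric key and the HMAC-SHA256 keystream-plus-tag cipher are my assumptions made so the code runs with only the standard library; a real deployment would use a standard AEAD such as AES-GCM.

```python
import hashlib, hmac, json, secrets

def _keystream(key, nonce, n):
    # Derive n bytes of keystream from HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    # Stand-in for an AEAD (assumption): XOR keystream, then HMAC tag over nonce+ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("package has been tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    def __init__(self, url, name):
        self.url, self.name, self.keys, self.pending = url, name, {}, {}
    def enrol(self, user):
        self.keys[user] = secrets.token_bytes(32)  # preparation step, on a trusted machine
        return {"url": self.url, "name": self.name, "key": self.keys[user].hex()}  # the barcode
    def challenge(self, user):
        # Usage step: URL in the clear, service name and one-time short message encrypted.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        inner = json.dumps({"name": self.name, "message": code}).encode()
        return {"url": self.url, "payload": encrypt(self.keys[user], inner).hex()}
    def verify(self, user, typed):
        # The short message is consumed on first use, so a keylogged value cannot be replayed.
        return hmac.compare_digest(self.pending.pop(user, ""), typed)

class Phone:
    def __init__(self):
        self.sites = {}  # url -> (service name, key): one entry per enrolled site
    def scan_enrolment(self, pkg):
        self.sites[pkg["url"]] = (pkg["name"], bytes.fromhex(pkg["key"]))
    def scan_challenge(self, pkg):
        # Decrypt with the key filed under the URL and check the inner name matches it.
        name, key = self.sites[pkg["url"]]  # KeyError if this URL was never enrolled
        inner = json.loads(decrypt(key, bytes.fromhex(pkg["payload"])))
        if inner["name"] != name:
            raise ValueError("service name does not match the URL")
        return inner["message"]  # displayed to the user, who types it into the untrusted PC
```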