- From: john best <john.best@gmail.com>
- Date: Tue, 11 Apr 2006 07:25:03 +0100
- To: public-usable-authentication@w3.org
- Message-ID: <7127da180604102325h3e8ccb6fl625f712a3ef353c3@mail.gmail.com>
Hello all,

I didn't attend the conference, but I would like to put forward an idea for authentication. I will try to be as brief as possible; if any of you would like to know more about this idea, I would be happy to give more details.

The key concept is to use the user's mobile phone as a second factor in authentication. The mobile phone requires a camera and software to interpret a barcode (possibly a 2-dimensional, multi-shade barcode).

Example process
-------------------------------

Preparation

- Whilst on a trusted machine, the user requests an authentication key
- Server sends the user a package, containing:
    The URL of the service
    The name of the service
    The decryption key
  (all wrapped up in a barcode image)
- User photographs the screen, and the mobile unwraps the package and generates an entry for this site.

Usage

- The user requests to authenticate using Image Authentication
- The server sends the user a package, containing:
    The URL of the service
    An encrypted message containing:
        The name of the service
        A short message
- The user photographs the screen, and the mobile decrypts the package (checking that the name of the service matches the URL)
- The user enters the short message (and possibly a part of their password)
- If the message is correct, the user is considered to be authenticated

Benefits.
-----------------

- Authenticates both parties
- Limits the damage a keylogger would do (hence can be used from an untrusted computer)
- Has no cost if the user has a camera phone (so sites can deploy it with no capital outlay)

Problems.
-----------------

- Requires a separate device (but only one device for all services)

Thank you very much for reading this far.

John Best
Received on Tuesday, 11 April 2006 12:39:55 UTC
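The enrolment and usage flow proposed in the message above, simulated end to end as an added example; this is illustrative code written for this archive page, not code from the author or from the W3C group. Assumptions: the "barcode" is modelled as a base64-encoded JSON string rather than an image, the encrypted package uses a stand-in encrypt-then-MAC construction built from HMAC-SHA256 (a real deployment would use an AEAD such as AES-GCM), the short message is a six-digit one-time code that expires after 60 seconds and is consumed on first use, and the phone keys its stored entries by the hostname of the URL in the barcode. The names `Server`, `Phone`, `seal`, `open_package` and `run_demo` are all invented for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from urllib.parse import urlparse

# ---- stand-in authenticated encryption (assumption: real use needs an AEAD) ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here only as an illustrative stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def open_package(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("package failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# ---- the "barcode": a base64 JSON string standing in for a 2-D image ----
def encode_barcode(obj: dict) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()

def decode_barcode(code: str) -> dict:
    return json.loads(base64.b64decode(code))

class Server:
    def __init__(self, url: str, name: str):
        self.url, self.name = url, name
        self.keys = {}      # user -> shared key issued at enrolment
        self.pending = {}   # user -> (short message, expiry time)

    def enrol(self, user: str) -> str:
        """Preparation step: the package shown on the trusted machine."""
        key = secrets.token_bytes(32)
        self.keys[user] = key
        return encode_barcode({"url": self.url, "name": self.name,
                               "key": base64.b64encode(key).decode()})

    def challenge(self, user: str) -> str:
        """Usage step: URL in the clear, service name + short message encrypted."""
        msg = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (msg, time.time() + 60)
        inner = json.dumps({"name": self.name, "message": msg}).encode()
        blob = seal(self.keys[user], inner)
        return encode_barcode({"url": self.url, "package": base64.b64encode(blob).decode()})

    def verify(self, user: str, typed: str) -> bool:
        entry = self.pending.pop(user, None)   # single use: a replayed code fails
        if entry is None:
            return False
        msg, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(msg.encode(), typed.encode())

class Phone:
    def __init__(self):
        self.entries = {}   # hostname -> {"name": ..., "key": ...}

    def scan_enrolment(self, barcode: str) -> None:
        pkg = decode_barcode(barcode)
        host = urlparse(pkg["url"]).hostname
        self.entries[host] = {"name": pkg["name"], "key": base64.b64decode(pkg["key"])}

    def scan_challenge(self, barcode: str) -> str:
        pkg = decode_barcode(barcode)
        host = urlparse(pkg["url"]).hostname
        entry = self.entries.get(host)
        if entry is None:
            raise ValueError(f"no entry for {host}")          # unknown site: refuse
        inner = json.loads(open_package(entry["key"], base64.b64decode(pkg["package"])))
        if inner["name"] != entry["name"]:
            raise ValueError("service name does not match the stored entry for this URL")
        return inner["message"]   # shown on the phone for the user to type in

def run_demo() -> dict:
    # Constructed sample deployment: one site, one enrolled user.
    server = Server("https://bank.example/login", "Example Bank")
    phone = Phone()
    phone.scan_enrolment(server.enrol("alice"))
    results = {}
    code = phone.scan_challenge(server.challenge("alice"))
    results["genuine_login"] = server.verify("alice", code)
    results["replay_rejected"] = server.verify("alice", code)
    # A barcode naming a look-alike hostname: the phone holds no key for it.
    forged = encode_barcode({"url": "https://bank-example.test/login", "package": ""})
    try:
        phone.scan_challenge(forged)
        results["forged_url"] = "accepted"
    except ValueError as err:
        results["forged_url"] = str(err)
    # A genuine barcode with one ciphertext byte altered: integrity check fails.
    bc = decode_barcode(server.challenge("alice"))
    blob = bytearray(base64.b64decode(bc["package"]))
    blob[20] ^= 0x01
    bc["package"] = base64.b64encode(bytes(blob)).decode()
    try:
        phone.scan_challenge(encode_barcode(bc))
        results["tampered"] = "accepted"
    except ValueError as err:
        results["tampered"] = str(err)
    return results

if __name__ == "__main__":
    print(run_demo())
```

The demo exercises the two checks the message relies on: the phone only decrypts for a hostname it enrolled with, so a barcode pointing at a different URL is refused before any secret is used, and the server consumes each short message on first use so a logged keystroke cannot be replayed.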