Authentication Idea

Hello all, I didn't attend the conference, but I would like to put forward
an idea for authentication.

I will try to be as brief as possible, if any of you would like to know more
about this idea, I would be happy to give more details.

The key concept is to use the users mobile phone as a second factor in
authentication.

The mobile phone requires a camera and software to interpret a barcode.
(possibly a 2 dimensional, multi-shade barcode)

Example process
-------------------------------

Preparation

- Whilst on a trusted machine, user requests an authentication key
- Server sends the user a package, containing
   The url of the service
   The name of the service
   The decryption key
   (all wrapped up in a barcode image)
- User photographs the screen, and the mobile unwraps the package, and
generates an entry for this site.

Usage

- The user requests to authenticate using Image Authentiation
- The server sends the user a package, containing
   The URL of the service
   An encrypted message containing
   The name of the service
   A short message

- The user photographs the screen, and the mobile decrypts the package
 (checking that the name of the service matches the URL)

- The user enters the short message (and possibly a part of their password)
- If the message is correct, the user is considered to be authenticated


Benefits.
-----------------
Authenticates both parties
Limits the damage a Keylogger would do (hence can be used from an untrusted
computer)
Has no cost if the user has a camera phone.
(so sites can deploy it with no capital outlay)

Problems.
Requires a seperate device (but only one device for all services)

Thank you very much for reading this far.

John Best

Received on Tuesday, 11 April 2006 12:39:55 UTC