- From: Sebastian Gajek <sebastian.gajek@nds.rub.de>
- Date: Tue, 11 Apr 2006 14:48:38 +0200
- To: <public-usable-authentication@w3.org>
Sounds like the idea of McCune, Perrig and Reiter: "Seeing is believing: Using Camera Phones for Human-Verifiable Authentication". See http://sparrow.ece.cmu.edu/~adrian/projects/sib.pdf

Is it right???

________________________________
From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of John Best
Sent: Monday, 10 April 2006 21:42
To: public-usable-authentication@w3.org
Subject: Authentication Idea

Hello all,

I didn't attend the conference, but I would like to put forward an idea for authentication. I will try to be as brief as possible. If any of you would like to know more about this idea, I would be happy to give more details.

The key concept is to use the user's mobile phone as a second factor in authentication. The mobile phone requires a camera and software to interpret a barcode (possibly a 2 dimensional, multi-shade barcode).

Example process
-------------------------------

Preparation

- Whilst on a trusted machine, user requests an authentication key
- Server sends the user a package, containing
    The URL of the service
    The name of the service
    The decryption key
  (all wrapped up in a barcode image)
- User photographs the screen, and the mobile unwraps the package, and generates an entry for this site.

Usage

- The user requests to authenticate using Image Authentication
- The server sends the user a package, containing
    The URL of the service
    An encrypted message containing
      The name of the service
      A short message
- The user photographs the screen, and the mobile decrypts the package (checking that the name of the service matches the URL)
- The user enters the short message (and possibly a part of their password)
- If the message is correct, the user is considered to be authenticated

Benefits.
-----------------

Authenticates both parties
Limits the damage a keylogger would do (hence can be used from an untrusted computer)
Has no cost if the user has a camera phone (so sites can deploy it with no capital outlay)

Problems.

Requires a separate device (but only one device for all services)

Thank you very much for reading this far.

John Best
Received on Tuesday, 11 April 2006 14:16:13 UTC
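
The preparation and usage steps described in the quoted proposal, sketched as an added example that is not part of either message. The function names, the JSON package layout, the six-digit short message and the HMAC-based encrypt-then-MAC construction (a standard-library stand-in for an AEAD cipher such as AES-GCM) are all assumptions; barcode encoding and decoding are left out.

```python
# Added example: names, JSON layout and the cipher are assumptions, not from the post.
import hashlib, hmac, json, secrets
from urllib.parse import urlsplit

def _sub(key, label):                       # derive separate enc/mac subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):                 # HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):                   # encrypt-then-MAC; stand-in for an AEAD
    nonce = secrets.token_bytes(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, box):                       # None if the box was not made with key
    if len(box) < 48:
        return None
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def enrollment_package(url, name):          # server, "Preparation" step
    key = secrets.token_bytes(32)
    return key, {"url": url, "name": name, "key": key.hex()}

def challenge(url, name, key):              # server, "Usage" step
    code = f"{secrets.randbelow(10**6):06d}"
    inner = json.dumps({"name": name, "code": code}).encode()
    return code, {"url": url, "box": seal(key, inner).hex()}

class Phone:
    def __init__(self):
        self.sites = {}                     # host -> (service name, key)
    def enroll(self, pkg):                  # pkg = decoded enrollment barcode
        self.sites[urlsplit(pkg["url"]).hostname] = (pkg["name"], bytes.fromhex(pkg["key"]))
    def read(self, chal):                   # short message, or None to refuse
        name, key = self.sites.get(urlsplit(chal["url"]).hostname, (None, None))
        inner = unseal(key, bytes.fromhex(chal["box"])) if key else None
        if inner is None:
            return None
        msg = json.loads(inner)
        return msg["code"] if msg["name"] == name else None
```

The phone's check ties a challenge to the URL and key it enrolled; it cannot see which page the browser is actually displaying, so the user still has to compare the service shown on the phone with the address bar.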