Re: Secure login: A replacement for passwords, tokens and everything else
by Madfish on 2013/10/4 15:00:34
Sort of. The long random number is a cryptographic challenge. You authenticate by signing the number with your public key (which is effectively your ID) and sending it back to the server. If the signature is valid, it knows to let you in. The phone app reads the data out of the QR code (random number, URL for processing login requests), signs it and sends it off for verification. The app also handles creation and management of site-specific keys.
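The challenge-response exchange described in the post above, as an added example in Go using only the standard library; it is not code from the thread's author or from the module being built. It assumes the app signs the challenge with a site-specific private key (derived from a master secret on the phone via HMAC-SHA256 over the site's domain) and the server verifies with the matching public key; the nonce is accepted once only and the signature is bound to the login URL so it cannot be forwarded to another site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// Server keeps the login URL shown in the QR code and the issued-but-unanswered
// challenges (constructed in-memory store; a real site would also expire them).
type Server struct {
	LoginURL string
	pending  map[string]bool
}

func NewServer(url string) *Server { return &Server{LoginURL: url, pending: map[string]bool{}} }

// Challenge records a fresh nonce (caller draws it from crypto/rand) and returns
// the text the QR code carries: the nonce plus the login URL.
func (s *Server) Challenge(nonce []byte) string {
	s.pending[hex.EncodeToString(nonce)] = true
	return hex.EncodeToString(nonce) + " " + s.LoginURL
}

// signedMessage binds the nonce to the login URL so a signature made for one
// site cannot be replayed at another.
func signedMessage(url string, nonce []byte) []byte { return append([]byte(url+"\n"), nonce...) }

// Verify accepts a response only if the nonce is still outstanding and the
// signature checks under the presented public key, which identifies the user.
func (s *Server) Verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	id := hex.EncodeToString(nonce)
	if !s.pending[id] {
		return false // unknown, expired or replayed challenge
	}
	delete(s.pending, id) // single use, even if the signature turns out to be bad
	return ed25519.Verify(pub, signedMessage(s.LoginURL, nonce), sig)
}

// SiteKey derives the phone's site-specific Ed25519 key from its master secret:
// seed = HMAC-SHA256(master, domain), so no two sites share or can link a key.
func SiteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Respond is the phone app's side: sign the challenge with the site's private
// key and return the public key and signature for the server to check.
func Respond(master []byte, domain, url string, nonce []byte) (ed25519.PublicKey, []byte) {
	priv := SiteKey(master, domain)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, signedMessage(url, nonce))
}
```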
Re: Secure login: A replacement for passwords, tokens and everything else
by fiammybe on 2013/10/4 2:44:48
Interesting approach, even if it could be overkill for some users. This seems to be a form of two-factor authentication, but backwards. Using 2-factor authentication, you get a code via a phone app that you have to put into the login page. Here, you get a code via the login page that you enter (via QR code) in the app. What puzzles me is how you can log in on your PC by doing some stuff in an app. Would the random number be the linking element perhaps? The other risk is that your 'keys' are stored on your smartphone. You'll need to have some pretty nifty security in place to prevent those from getting breached.
Re: Secure login: A replacement for passwords, tokens and everything else
by Madfish on 2013/10/4 1:18:16
By the way, this approach is discussed in the latest Security Now! podcast.
Re: Secure login: A replacement for passwords, tokens and everything else
by Madfish on 2013/10/4 1:04:17
Probably. I'm using the PHP QR Code library; its docs say that it can handle Japanese characters, but the developer has not tested it extensively. Maybe we can help with that later. I've got a module skeleton that can generate the QR codes, and successfully read the data out with a barcode reader app. The module side looks like it will be fairly simple; it's just checking signatures. Making an Android app will be the hard part.
Re: Secure login: A replacement for passwords, tokens and everything else
by david on 2013/10/4 0:28:05
Certainly sounds like a good solution. Does it work in all countries?