2-10-2013 23:46:45
#1
Offline
Home away from home

Secure login: A replacement for passwords, tokens and everything else

Steve Gibson from GRC has proposed a new approach for secure login that does not require passwords, security tokens or the involvement of third parties.

In a nutshell, the site login page generates a QR code containing the login URL and a unique random number, which you show to an app on your smartphone. The app generates a *unique* public/private keypair for that site, cryptographically signs the random number and sends it together with the public key to the login URL for validation. If the signature is good the site lets you in.

The public key becomes your ID for that site, and you authenticate yourself by signing random numbers generated by the site using your private key. There is nothing to remember, no shared secrets and you don't need to type anything.

This looks like a pretty good system to me. As far as I can tell there is only one major downside: you need to develop a phone app. I might have a go at this for Android (you iPhone users are on your own, sorry).

Worth a look?


3-10-2013 0:44:55
#2
Offline
Home away from home

Re: Secure login: A replacement for passwords, tokens and everything else

Certainly worth a look indeed - I've recently come across software and services that exist for "captcha busting" - and they're shockingly cheap.

There are ways to make life trickier for spammers, but they also make life trickier for the users... the idea you suggested is certainly one possible solution to consider.


3-10-2013 23:17:10
#3
Offline
Home away from home

Re: Secure login: A replacement for passwords, tokens and everything else

You open the website on your PC. A QR code is visible. You point your *phone* at the code...and your PC logs in automagically, and securely.

Sound better?


4-10-2013 0:28:05
#4
Offline
Home away from home

Re: Secure login: A replacement for passwords, tokens and everything else

Certainly sounds a good solution.

Does it work in all countries?


4-10-2013 1:04:17
#5
Offline
Home away from home

Re: Secure login: A replacement for passwords, tokens and everything else

Probably. I'm using the PHP QR Code library; its docs say that it can handle Japanese characters, but the developer has not tested it extensively. Maybe we can help with that later.

I've got a module skeleton that can generate the QR codes, and successfully read the data out with a barcode reader app. The module side looks like it will be fairly simple; it's just checking signatures.

Making an Android app will be the hard part.


4-10-2013 1:18:16
#6
Offline
Home away from home

Re: Secure login: A replacement for passwords, tokens and everything else

By the way this approach is discussed in the latest Security Now! podcast.


4-10-2013 2:44:48
#7
Offline
Webmaster

Re: Secure login: A replacement for passwords, tokens and everything else

Interesting approach, even if it could be overkill for some users. This seems to be a form of two-factor authentication, but backwards.

Using 2-factor authentication, you get a code via a phone app that you have to put into the login page. Here, you get a code via the login page that you enter (via QR code) in the app.

What puzzles me is how you can login on your pc, by doing some stuff in an app. Would the random number be the linking element perhaps?

The other risk is that your 'keys' are stored on your smartphone. You'll need to have some pretty nifty security in place to prevent those from getting breached.

_________________

Me on Ohloh


4-10-2013 15:00:34
#8
Offline
Home away from home

Re: Secure login: A replacement for passwords, tokens and everything else

Sort of. The long random number is a cryptographic challenge. You authenticate by signing the number with your public key (which is effectively your ID) and sending it back to the server. If the signature is valid it knows to let you in.

The phone app reads the data out of the QR code (random number, URL for processing login requests), signs it and sends it off for verification. The app also handles creation and management of site-specific keys.
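The challenge-response described in this thread, sketched as an added Go example (this is not code from the thread, from GRC, or from the PHP module mentioned above). The 32-byte nonce, deriving each site key from a master secret with an HMAC of the site name, and signing the login URL together with the nonce are assumptions made for this example; the thread only says the app makes a unique keypair per site and signs the random number.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Challenge is what the server encodes in the QR code: the login URL and a one-time random nonce.
type Challenge struct{ LoginURL string; Nonce []byte }
// Server remembers every issued nonce so that a captured answer cannot be replayed later.
type Server struct{ pending map[string]bool }
func NewServer() *Server { return &Server{pending: map[string]bool{}} }
// NewChallenge mints a fresh 32-byte nonce and records it as not yet answered.
func (s *Server) NewChallenge(loginURL string) Challenge {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err) // no usable randomness: refuse to issue a challenge at all
	}
	s.pending[hex.EncodeToString(n)] = true
	return Challenge{LoginURL: loginURL, Nonce: n}
}
// SiteKey derives the per-site keypair from a master secret held on the phone. Seeding it with an
// HMAC of the site name is a constructed choice; the thread does not say how the app does this.
func SiteKey(master []byte, site string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(site))
	return ed25519.NewKeyFromSeed(m.Sum(nil))
}
// message binds the nonce to the login URL, so an answer is only valid for the site that issued it.
func message(c Challenge) []byte { return append([]byte(c.LoginURL+"\n"), c.Nonce...) }
// Answer is what the app posts to the login URL: its public key and the signature over the challenge.
func Answer(priv ed25519.PrivateKey, c Challenge) (ed25519.PublicKey, []byte) {
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, message(c))
}
// Login verifies an answer; on success the nonce is consumed and the hex public key is the user's ID.
func (s *Server) Login(c Challenge, pub ed25519.PublicKey, sig []byte) (string, error) {
	key := hex.EncodeToString(c.Nonce)
	if !s.pending[key] {
		return "", errors.New("unknown or already-used challenge")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, message(c), sig) {
		return "", errors.New("bad signature")
	}
	delete(s.pending, key)
	return hex.EncodeToString(pub), nil
}
```

Consuming the nonce on first use is what stops a captured answer from being posted a second time, and including the URL in the signed message is what ties the answer to the site whose QR code was scanned.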

