2013/10/2 23:46:45
|
---|
|
Secure login: A replacement for passwords, tokens and everything elseSteve Gibson from GRC has proposed a new approach for secure login that does not require passwords, security tokens or the involvement or third parties.
In a nutshell, the site login page generates a QR code containing the login URL and a unique random number, which you show to an app on your smartphone. The app generates a *unique* public/private keypair for that site, cryptographically signs the random number and sends it together with the public key to the login URL for validation. If the signature is good the site lets you in. The public key becomes your ID for that site, and you authenticate yourself by signing random numbers generated by the site using your private key. There is nothing to remember, no shared secrets and you don't need to type anything. This looks like a pretty good system to me. As far as I can tell there is only one major downside: You need develop a phone app. I might have a go at this for Android (you iPhone users are on your own, sorry). Worth a look? |
2013/10/3 0:44:55
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseCertainly worth a look indeed - I've recently come across software and services that exist for "captcha busting" - and they're shockingly cheap.
There are ways to make life trickier for spammers, but they also make life trickier for the users... the idea you suggested is certainly one possible solution to consider. |
2013/10/3 23:17:10
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseYou open the website on your PC. A QR code is visible. You point your *phone* at the code...and your PC logs in automagically, and securely.
Sound better? |
2013/10/4 0:28:05
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseCertainly sounds a good solution.
Does it work in all countries? |
2013/10/4 1:04:17
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseProbably. I'm using the PHP QR Code library, its dox say that it can handle Japanese characters, but the developer has not tested it extensively. Maybe we can help with that later.
I've got a module skeleton that can generate the QR codes, and successfully read the data out with a barcode reader app. The module side looks like it will be fairly simple, its just checking signatures. Making an Android app will be the hard part. |
2013/10/4 1:18:16
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseBy the way this approach is discussed in the latest Security Now! podcast.
|
2013/10/4 2:44:48
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseInteresting approach, even if it could be overkill for some users. This seems to be a form of two-factor authentication, but backwards
Using 2-factor authentication, you get a code via a phone app that you have to put into the login page. Here, you get a code via the login page that you enter (via QR code) in the app. What puzzles me is how you can login on your pc, by doing some stuff in an app. Would the random number be the linking element perhaps? Other risk is that your 'keys' are stored on your smartphone. You'll need to have some pretty nifty security in place to prevent those to get breached. |
_________________
|
2013/10/4 15:00:34
|
---|
|
Re: Secure login: A replacement for passwords, tokens and everything elseSort of. The long random number is a cryptographic challenge. You authenticate by signing the number with your public key (which is effectively your ID) and sending it back to the server. If the signature is valid it knows to let you in.
The phone app reads the data out of the QR code (random number, URL for processing login requests), signs it and sends it off for verification. The app also handles creation and management of site-specific keys. |