h a l f b a k e r y"Bun is such a sad word, is it not?" -- Watt, "Waiting for Godot"
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Open Sesame App
Use smartphones to securely authenticate through the back door | |
Passing an internet cafe, you stop to check your favourite vlogs on a nice big screen. At the terminal, you browse to arsebook.com.The login page appears. You point your smartphone at the screen, and suddenly you're logged in.
There is no special software installed on the computer; no bluetooth,
no NFC, your phone isn't connected to the cafe's wifi, the terminal is a bog-standard computer and you've never logged on here before. Yet without having to enter a username or password, you're securely authenticated.
This method of logging in uses your smartphone's camera to snap a QR code or other computer readable symbol from the login page which is unique to this browser session, with the session cookie encoded in it. Your smartphone then sends the cookie along with your username and password, which are stored in your phone, over its cellular network connection to the arsebook.com server. It matches up your credentials with the session, and the browser is authenticated and is prompted to update via an AJAX push or polling mechanism.
This could be extended to anything that requires authentication; locked screen savers, doors, etc. Aside from the convenience, it is also more secure than typing your username and password as it is not vulnerable to key-loggers. If you forget to log out when you leave, you can terminate the session from your phone. Usernames and passwords could be stored on an intermediary server to minimise the security consequences of losing your phone.
The disadvantage of this method is that it relies on your phone having a network connection at the moment of use (meaning people on Orange will be locked out most of the time), but in that eventuality, the user can just log in the old fashioned way.
My prototype of this
http://mitxela.com/temp/QRlogin.php
Log in on phone's browser first [mitxela, Feb 15 2011]
A more complete prototype and video demo
http://arsebook.8x.cc/
Try this out if you have an Android smart phone [idris83, Feb 16 2011]
Now available on Google!
http://lifehacker.c...out-typing-anything
[mitxela, Jan 17 2012]
[link]
|
| |
Why not just something RFID based like the car keys that
unlock your car for you? Rumor is the iPhone 5 will have
an RFID chip. |
|
| |
As you point out, the biggest problem would be losing one's phone. Perhaps if there was more than just the QR code submitted, like the IMEI number or a 4 digit pin you have to enter. |
|
| |
It would be quite simple to bake a prototype of this, if I have a spare moment I shall give it a go. |
|
| |
[DIY] the point about this is it would not require any modification to the phone. |
|
| |
// Why not just something RFID based // |
|
| |
This method works on any existing computer without additional hardware or software. |
|
| |
// It would be quite simple to bake a prototype of this // |
|
| |
I'm actually whipping one up right now :-p (android / php / zxing). |
|
| |
In fact rather than a specialized app, the QR code could simply be a URL to arsebook.cow?newsession=asdf |
|
| |
This means if you'd previously logged in on the phone's browser, if would see those cookies and duplicate them to the session given to it by URL. |
|
| |
[+] Nice. You could make it into a two-factor system by having the phone app prompt you for a password. That way, an attacker needs both your password and your phone to gain access. |
|
| |
Agreed that it's dead easy to prototype. |
|
| |
Suggested protocol: the QR code contains a URL which includes a random one-time nonce as a query parameter. The phone does a POST to the URL containing its IMEI number and a hash of (URL + IMEI + password). |
|
| |
(Of course this is a bit suboptimal in that an attacker who can obtain both the URL and the POST body can perform a dictionary attack on the password. A bit more cleverness might be able to plug this hole, though.) |
|
| |
You don't need the phone to be connected to anything (at least not at the time of authentication). If the screen displayed a 2d (or 1d) barcode, the phone could scan this and, based on it having registered some private-key with the organisation previously, be able to output a number, that you type in. (Basically, it's a session-specific RSA dongle thing built-in to your phone) If you enter this number, that should be enough to identify you as a specific, phone-authenticated individual to the server, for that specific session. |
|
| |
So fine, you have to enter a number - it's not totally automatic - but at least you don't need a connection on your phone. (And yes, I am on Roange) |
|
| |
[edit] Thinking about it, it may be too open to just accept a code-number since you might try entering any random number in the hope of getting into *someone's* account. Better to take the step of entering your username and for the 2d code to be generated based on that. Sadly this breaks the rather nice mode described in the idea //Yet without having to enter a username or password, you're securely authenticated.// which would, undoubtedly, be cool. |
|
| |
The phone could try to contact the server, and display the code if it fails. |
|
| |
Well I made a very quick, extremely simple, no-security proof-of-concept for this. [link] |
|
| |
Visit the page on your phone and log in using a username (write anything). Then visit the page on your computer and click log in via QR code. |
|
| |
Well done for the idea - shame it's impossible to make any money from it... |
|
| |
I've put together a little spoof website which uses this authentication mechanism: see links. You can try it out yourself if you have an Android handset, or there's a video :-) |
|
| |
I'm buying an Android smartphone so I can try this. Tomorrow. |
|
| |
Unless [idris83] works for Google, they've stolen this idea entirely! Right down to the sesame part! |
|
| |
It's likely a coincidence. "Open sesame" is an obvious thing to say when waving your magic wand / smartphone to open a portal. |
|
| |
I'm glad the idea's catching on :-} |
|
| |