Please Beam Your Password Now
You already own a smart card and don't even know it

Passwords and PINs are a bit of a nuisance. If you try to be a good security citizen and use different ones for each account/context/site, you end up with a horribly long list of things to remember. There are pieces of software for your PC to remember them for you, but if you often log in from different places, they aren’t much help.

Meanwhile, using cards instead of keys to open doors is becoming ubiquitous. This has been extended to computer systems as well, but not quite as widely. The problem is users need to be able to log in anywhere, but fitting every PC and laptop with a card reader is pretty difficult.

Card systems also suffer from the scalability problem of passwords: inevitably you will have to carry two or three or ten of them around for the different systems that you need to access. Essentially these are little repositories of personal information (i.e. a password) that reside in your wallet, and they are not very efficient ways to store what amounts to perhaps a few hundred bytes of data.

It occurs to me that most of us already carry around a larger repository of personal data that could be called upon to solve this problem: a cell phone and/or PDA. Let us call upon it to do our dirty work.

Yes, there are password database programs for PDAs, but these expose your passwords to shoulder surfing via the PDA screen. I think there is an easier way.

Develop a standard Infrared (IR) protocol for requesting and supplying a password or PIN to any device that requires it. This could be as simple as a keyboard-like protocol that lets the device supply the characters at the appropriate moment, relying on the user to select the right password from a menu on their device. Or you could make it a bit more sophisticated so that the device needing the password could request it with some sort of identification, allowing the device to look up the corresponding password out of a table and beam it back.

Now to enter that door at work, instead of swiping your card you just lift up your phone/PDA and either simply point it at the door, or perhaps tap a few keys.

Advantages include the fact that millions of devices already have an infrared interface that could be used. This includes most PDAs and many cell phones on the password supply side, and laptops and home entertainment devices such as TV set-top boxes on the password demand side.

With ATM PINs, you now have to steal both my debit/credit card (or the account number, somewhat easier) and my cell phone in order to abuse my account. You could potentially do away with the debit card entirely, but then the cell phone becomes an incredibly tempting target.

A problem with the IR versions of this scheme in public places is that shoulder surfing could be automated, depending on the IR-friendliness of the environment around the reader. To mitigate this, a small hood around the IR reader could be supplied: simply insert your phone/PDA into the hood before use.

(You could do a Bluetooth version of this too, but shoulder surfing would then be trivially easy. Mitigation would require a Faraday cage around the ATM booth, probably not too practical. You could also use a direct connection, but there is no entrenched standard for a connector to use. Even cell phones that actually use USB as their data transfer method almost always use a proprietary connector.)

Enhancements to this scheme might include sending back a digital receipt for your transaction after it is complete, for instance at an ATM.
-- krelnik, May 11 2004

Programmable Bar-code card http://www.halfbake...e_20Bar-code_20card
This idea by [sadie] could also be used as an alternate implementation: display the password as a barcode on the PDA/phone screen, hold it up to a camera to be read. [krelnik, Oct 04 2004, last modified Oct 05 2004]

SecurID for PalmOS http://www.rsasecur...techspecs/palm.html
For those who haven't seen it, SecurID is a system where (essentially) you have a new password every minute. This software puts it into your Palm so you don't have to carry the little doohickey around separately, but there is no beaming capability. (Also available for PocketPC and Blackberry). [krelnik, Oct 04 2004, last modified Oct 05 2004]

i-Mode handset door key service http://www.techjapa...ile=article&sid=674
NTT DoCoMo is offering a similar service in Japan [krelnik, Nov 12 2004]

RSA supports cellphone and PDA implementations for SecurID.

However, based on the Lexus commercial ("A car that recognizes you"), and we're talking about a car costing more than $40,000, I don't see why you just can't walk in to an ATM, take some money out, and leave.
-- theircompetitor, May 11 2004


Hmm, didn't know about the SecurID implementation for handhelds. Not only does it exist, you can download it for free. Of course, for that to be useful you need a whole lot of pricey RSA technology to be installed at the server end of things. I was thinking of something that was more open, and didn't lock you into any particular vendor.
-- krelnik, May 11 2004


Too long, didn't read it all. What I did read seems to amount to "the card scanners aren't everywhere, so let's implement yet another ID reading device and put it everywhere".

No thanks.
-- Freefall, May 11 2004


I agree that if everyone in the world had to adopt some new technology to make it work it would fall squarely in the "Not Gonna Happen" bucket.

However in the idea I point out that the readers and senders are already present in millions of devices deployed worldwide. That is precisely what makes it interesting.
-- krelnik, May 11 2004


Having had both my ATM card and my cell phone stolen (there's this thing called a "purse"), I'm not too thrilled.

This needs PIN protection in the device and encryption in the IR channel.
-- jutta, May 11 2004
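The request-and-lookup variant of the protocol from the idea (reader identifies itself, phone looks the service up in its table and answers), with the PIN gate and channel protection jutta asks for, as an added Python simulation of both sides that is not code from the page; the service id, PIN and secret are constructed values. It goes beyond the idea in one respect: instead of beaming the password itself, the phone answers a fresh random challenge with an HMAC, so an IR eavesdropper who captures one exchange learns nothing it can replay.

```python
import hashlib
import hmac
import secrets

# Constructed data: the phone's credential table (service id -> secret) and
# the PIN that unlocks it. The reader holds its own copy of the door secret.
PHONE_STORE = {"acme-door-7": b"correct horse battery staple"}
PHONE_PIN = "4242"
READER_SECRET = PHONE_STORE["acme-door-7"]

def reader_request(service):
    """Reader side: identify the service and issue a fresh random challenge."""
    return {"service": service, "nonce": secrets.token_bytes(16)}

def phone_respond(request, pin_entered, store=PHONE_STORE, pin=PHONE_PIN):
    """Phone side: require the PIN, look up the service, answer the challenge.
    The secret never leaves the phone; returns None on wrong PIN or unknown id."""
    if not hmac.compare_digest(pin_entered.encode(), pin.encode()):
        return None
    secret = store.get(request["service"])
    if secret is None:
        return None
    return hmac.new(secret, request["nonce"], hashlib.sha256).hexdigest()

def reader_verify(request, response, secret=READER_SECRET):
    """Reader side: recompute the expected answer and compare in constant time."""
    if response is None:
        return False
    expected = hmac.new(secret, request["nonce"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def run_exchange(service, pin_entered):
    """One full request/response over the (simulated) IR link."""
    req = reader_request(service)
    return reader_verify(req, phone_respond(req, pin_entered))

def replay_is_rejected():
    """A response captured by an IR eavesdropper is useless later,
    because the reader issues a new nonce for every request."""
    first = reader_request("acme-door-7")
    captured = phone_respond(first, PHONE_PIN)
    assert reader_verify(first, captured)
    later = reader_request("acme-door-7")
    return not reader_verify(later, captured)

if __name__ == "__main__":
    print("door opens:", run_exchange("acme-door-7", "4242"))
    print("wrong PIN rejected:", not run_exchange("acme-door-7", "0000"))
    print("replay rejected:", replay_is_rejected())
```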


A friend of mine took one of those 'remember all your passwords, encrypt them, and put them in the right place when asked' programs and installed it onto a USB memory stick along with an autorun.inf file. He just plugs it in to whatever PC he is using and can log in to any service with a 'CTRL-something-or-other'. Clever bugger.
-- wagster, Nov 12 2004


That's a darn neat idea. Maybe I'll try doing that with my phone, which can be made to behave as if it were a thumb drive.
-- krelnik, Nov 12 2004
