Internet users today often have usernames and passwords at multiple web sites. To simplify things, many sites support some form of federated identity management, such as OpenID, which lets a user keep a single account and log on to many different sites by authenticating to a single identity provider. Most identity providers authenticate with a username and password. Should these credentials be compromised, e.g. captured by a keylogger or malware on an untrusted computer, all of the user's accounts are compromised at once. A more secure authentication method is therefore desirable. We have implemented 2-clickAuth, an optical challenge-response solution in which a web camera and a camera phone are used for authentication. Two-dimensional barcodes carry the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is considerably more secure than passwords while still being easy to use and easy to distribute to users. This makes it a viable alternative to passwords in systems where enhanced security is desired but availability, ease of use, and cost cannot be compromised. We have implemented an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge and MySpace.
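The exchange the abstract describes, as an added example rather than the 2-clickAuth authors' code: the identity provider shows a challenge on screen (in the real system as a 2-D barcode read by the phone's camera), the phone answers with a barcode that the web camera reads, and the provider verifies the answer. The abstract does not specify the message format or the response function, so the JSON payloads, the HMAC-SHA256 tag keyed with a per-device secret provisioned at enrolment, the single-use nonce and the 60-second challenge lifetime are all assumptions of this example; the optical channel is modelled as a byte string.

```python
"""Challenge-response over an optical (barcode) channel, illustrative only.

Not the 2-clickAuth implementation. Message format, HMAC-SHA256 response,
per-device shared key and the 60-second challenge lifetime are assumptions
made for this example; the barcode transport is modelled as bytes.
"""
import hashlib
import hmac
import json
import os
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


def response_tag(key, device_id, nonce):
    """Tag bound to both nonce and device so it cannot be moved between devices."""
    data = f"{device_id}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Server side: issues challenges on screen, verifies scanned responses."""

    def __init__(self, clock=time.time):
        self.keys = {}      # device_id -> shared key (bytes), set at enrolment
        self.pending = {}   # nonce -> (device_id, issued_at); consumed on first use
        self.clock = clock  # injectable so expiry can be exercised offline

    def enrol(self, device_id, key):
        self.keys[device_id] = key

    def issue_challenge(self, device_id):
        """Payload that would be rendered as a 2-D barcode for the phone to scan."""
        nonce = os.urandom(16).hex()
        self.pending[nonce] = (device_id, self.clock())
        return json.dumps({"v": 1, "dev": device_id, "nonce": nonce}).encode()

    def verify_response(self, payload):
        """Check the barcode payload the web camera read from the phone's screen."""
        try:
            msg = json.loads(payload.decode())
            device_id, nonce, tag = msg["dev"], msg["nonce"], msg["tag"]
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            return False
        if not isinstance(tag, str):
            return False
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None or entry[0] != device_id:
            return False
        if self.clock() - entry[1] > CHALLENGE_TTL:
            return False  # challenge expired; nonce already discarded above
        key = self.keys.get(device_id)
        if key is None:
            return False
        expected = response_tag(key, device_id, nonce)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


class Phone:
    """Client side: scans the challenge, shows the response as a barcode."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key

    def answer(self, challenge_payload):
        msg = json.loads(challenge_payload.decode())
        if msg.get("v") != 1 or msg.get("dev") != self.device_id:
            raise ValueError("challenge not addressed to this device")
        tag = response_tag(self.key, self.device_id, msg["nonce"])
        return json.dumps(
            {"dev": self.device_id, "nonce": msg["nonce"], "tag": tag}
        ).encode()


def run_login(idp, phone):
    """One complete exchange: screen -> phone camera, phone screen -> web camera."""
    challenge = idp.issue_challenge(phone.device_id)
    response = phone.answer(challenge)
    return idp.verify_response(response)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key for the demo
    idp = IdentityProvider()
    idp.enrol("phone-1", key)
    print("login ok:", run_login(idp, Phone("phone-1", key)))
```

Because the nonce is removed from `pending` on first use, a response captured from the phone's screen and replayed later is rejected, and a stolen tag is useless against a different device because the device identifier is part of the authenticated data; neither property is guaranteed by the barcode transport itself.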