Authenticating physical location using QR codes and network latency

QR codes are increasingly being used as a mechanism to transmit one-time passwords (OTPs) between devices for the purpose of authentication due to their convenience, low cost, and the ubiquity of consumer mobile devices. Existing practice typically utilizes a single QR code, which is relatively easy to capture and relay to an offsite attacker or collaborator. We propose a mechanism using a stream of rapidly changing QR codes that maintains the convenience, ubiquity, and low cost of the standard approach, while aiming to eliminate the viability of relay attacks. We test this setup using a university class attendance scenario and successfully distinguish between valid physically present users and invalid offsite attackers.
