Using mobiles for secure login – part 2

Posted on December 15, 2012


In my previous post I talked about a scheme that I was involved in back in my Vodafone days (I forgot to say that Tim the Sim was the main man on it, in case you thought it was me).

That was a scheme to use SMS to send a code to a previously registered phone, so that a cracker would need to have access to the phone to be able to enter the code sent to it. Much like when banks call you up and ask you to enter a code they put on screen.
So how else might this work? Well, PixelPIN is a brilliant alternative to the whole username and password thing, or it can be used as a second factor. People, or at least most people, are good with pictures and with remembering things that are graphical. The old saw that a picture equals a thousand words is true.
So PixelPIN have you choose a picture, and then have you select a series of points on it, say 5 or 6.
To log in you must select the correct picture from a small gallery, and then also select the correct points on the picture in the right order.
It’s brilliant, and quite rightly PixelPIN are winning awards left, right and centre and are able to find funds.
I guess it won’t be long before they’re snapped up. This has to be better than second passwords/codes or security questions or captchas. It’s personal, easier to remember than you might think, and, well, a bit more fun. Of course it works particularly well with touch screens.
In case you’re thinking it’s too easy, they have run a lot of trials on a single case and no one has broken it. Also, if you think back to the spot-the-ball competitions that papers ran in the 70s and 80s, that was a single point and rarely did a lot of people win. In this case there are many points to select!
Keyfree login is a system developed by Ford Motor Company in France, and is inspired by their keyless systems, whereby the car only starts if the key is inside the car. Makes hot-wiring much harder.
Anyway, if you can do that for a car, what about for a login? Only let the user log in if their mobile phone is near the computer.
Now I am a bit more skeptical about this because GPS is not reliable enough, doubly so in buildings and built-up areas. You could use Bluetooth or Wi-Fi, but there is quite a lot of setup to perform, and this is not ideal.
However if you can find a way then this makes some sense.
I prefer the idea of touching your phone to the computer using an NFC tag/receiver, as this is close proximity.
What you can’t do is ask the user to enter anything on the mobile phone. This is important, so “listen up people, you’re not in Kansas anymore” .. ohh hang on, that’s Avatar …
It is important, though, because you cannot be certain that when the user enters anything on the device no other app is also receiving the input. So for now, this is not a good idea.
Ohh, and by the way, the link for Keyfree is from Springwise, a brilliant website that showcases new business ideas for entrepreneurs; there are some amazing ideas. Well worth a look every now and then.
Another scheme, similar to the SMS idea from part one, is LaunchKey. In this case, when the user is logging in, rather than entering a password their mobile phone receives a notification and the user selects a go or no-go button on the mobile screen.
What’s good here is that if someone else tries to use your username you’ll receive the notification on your phone, so they will have to be in possession of the phone. And you can say no if you are not expecting it. I think the user should still have to enter a secret of some kind, as this is a good way of knowing that the user is who they say they are. So I think this needs to be included in the scheme.
This scheme does not transgress the golden rule (do not have the secret entered on the mobile phone), as the user is just selecting a button.
I’d want to see their protection against man-in-the-middle attacks (are they using mutual auth or some such) and against session replay attacks and/or SQL injection type attacks before I would accept it.
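To make the replay concern concrete, here is an added sketch of my own (not LaunchKey’s code, and the device key, the HMAC construction and the 60-second expiry are all assumptions) of a go/no-go approval where the phone signs a one-time server challenge, so that a captured approval cannot simply be played back, and the user still types nothing on the phone:

```python
import hmac, hashlib, secrets, time

# Constructed enrolment data: one secret per user, provisioned into the
# phone app at registration (assumption; not how LaunchKey actually works).
DEVICE_KEYS = {"alice": secrets.token_bytes(32)}
CHALLENGE_TTL = 60  # seconds a pending login challenge stays valid

pending = {}      # nonce -> (username, issued_at)
consumed = set()  # nonces already answered, so a replay is refused


def start_login(username, now=None):
    """Server side: issue a one-time challenge to push to the phone."""
    nonce = secrets.token_hex(16)
    pending[nonce] = (username, now if now is not None else time.time())
    return nonce  # this is what the push notification would carry


def phone_respond(username, nonce, decision):
    """Phone side: the user only taps go/no-go; the stored key signs it."""
    msg = f"{username}|{nonce}|{decision}".encode()
    mac = hmac.new(DEVICE_KEYS[username], msg, hashlib.sha256).hexdigest()
    return {"user": username, "nonce": nonce, "decision": decision, "mac": mac}


def complete_login(resp, now=None):
    """Server side: accept only a fresh, unreplayed, correctly signed 'go'."""
    now = now if now is not None else time.time()
    nonce = resp["nonce"]
    if nonce in consumed or nonce not in pending:
        return False                   # replayed or unknown challenge
    user, issued = pending[nonce]
    if user != resp["user"] or now - issued > CHALLENGE_TTL:
        del pending[nonce]
        return False                   # wrong user or expired challenge
    msg = f"{user}|{nonce}|{resp['decision']}".encode()
    expected = hmac.new(DEVICE_KEYS[user], msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, resp["mac"]):
        return False                   # tampered/forged; real phone may still answer
    consumed.add(nonce)                # burn the nonce whether go or no-go
    del pending[nonce]
    return resp["decision"] == "go"
```

A typed secret, as argued above, would be checked on the computer before start_login is ever called, keeping the phone as a pure approve/deny channel.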
So finally, we are seeing some success in the use of the mobile as a security channel, a no-brainer to my way of thinking.
Posted in: mobile