Killing Passwords/ Use Mobile Phones and QR Codes for Auth-N (4G)

From IIW

Session Topic:Killing Passwords (T4G)

Convener: Isaac Potoczny-Jones

Notes-taker(s): Isaac Potoczny-Jones

Tags for the session - technology discussed/ideas considered:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Animate Login blog entry: http://corp.galois.com/blog/2011/1/5/quick-authentication-using-mobile-devices-and-qr-codes.html

Passwords are past their prime. Users are buried under the weight of too many passwords, and most of us constantly struggle with these password conundrums: Simple passwords are easy to guess, but complex passwords are hard to remember. Writing passwords down means not having to remember them, but it also means they might get stolen. Sharing passwords between accounts means that if one account has a password database spill, all the accounts are compromised.

Animate Login replaces passwords with mobile phones and replaces typing passwords with scanning a barcode on that phone. The phone uses two-dimensional barcodes to make a link between the user’s browser session and the physical presence of the user, then utilizes the phone’s Internet connection to send a long and complex shared secret to the web site to prove the user is who he/she claims to be.

Animate Login includes three components: the protocol, the mobile app, and the server-side software. We have developed a prototype implementation of the system using Android. This approach can be deployed with minimal changes to web sites. In fact, in just a few hours, we were able to modify two popular open source content management systems to support it.

In this session, we discussed what's wrong with passwords, the Animate Login approach, the prototype, some vulnerabilities, and Isaac got advice from the room. At the end Isaac did a quick demo of the live system. Several people voiced enthusiasm and interest in the approach!

Some advice we got:

  • Consider going beyond shared keys, e.g. hash the shared key with a one-time session key rather than sending the shared key itself.

  • One of the user adoption problems will be that it needs to either be used by a lot of web sites or be easily integrated with existing password management systems, so that it's not a separate thing the users need to do.

  • Similar to the above, consider this as a browser plugin.
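The exchange described in the blog excerpt above (browser shows a barcode, phone scans it and proves possession of a shared secret over its own Internet connection), combined with the first piece of advice (hash the shared key with a one-time session value instead of sending the key), as an added example written for these notes. It is not Animate Login's protocol, app or server code, and everything concrete in it is an assumption: the QR payload is JSON carrying a login URL and a random nonce, the proof is HMAC-SHA256 of that nonce under the enrolled secret, a pending QR is single-use and expires after 60 seconds, and the class and method names are made up for the simulation.

```python
"""Single-process simulation of a QR-code login: both the server side and the
phone side are modelled here so the message flow can be run offline.
Added example; not code from Animate Login or Galois.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

QR_TTL_SECONDS = 60  # assumption: a displayed login barcode is valid for one minute


class Server:
    """Web site side: enrols phones, issues login barcodes, verifies proofs."""

    def __init__(self):
        self.users = {}             # user_id -> long random shared secret (enrolled out of band)
        self.pending = {}           # nonce -> {"browser_session": ..., "issued": ...}
        self.browser_sessions = {}  # browser_session -> user_id once authenticated

    def enroll(self, user_id):
        """Generate the long, complex shared secret the phone will hold (assumed 256-bit)."""
        secret = secrets.token_bytes(32)
        self.users[user_id] = secret
        return secret

    def start_login(self, browser_session):
        """Browser requests a login; the returned string is what gets encoded in the 2-D barcode.
        The nonce ties this barcode to the browser session that asked for it."""
        nonce = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        self.pending[nonce] = {"browser_session": browser_session, "issued": time.time()}
        return json.dumps({"url": "https://login.example.invalid/qr", "nonce": nonce})

    def finish_login(self, user_id, nonce, proof, now=None):
        """Phone posts (user_id, nonce, proof) over its own connection.
        Returns True and binds the browser session to the user on success."""
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: gone after the first attempt, valid or not
        if entry is None:
            return False
        if now - entry["issued"] > QR_TTL_SECONDS:
            return False
        secret = self.users.get(user_id)
        if secret is None:
            return False
        # The proof is a keyed hash of the one-time nonce; the shared secret itself never travels.
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.browser_sessions[entry["browser_session"]] = user_id
        return True

    def whoami(self, browser_session):
        """What the browser session is logged in as, or None."""
        return self.browser_sessions.get(browser_session)


class Phone:
    """Mobile app side: holds the enrolled secret and answers scanned barcodes."""

    def __init__(self, user_id, secret):
        self.user_id = user_id
        self.secret = secret

    def scan_and_respond(self, qr_payload):
        """Decode the barcode contents and produce the message the app would POST to data["url"]."""
        data = json.loads(qr_payload)
        proof = hmac.new(self.secret, data["nonce"].encode(), hashlib.sha256).hexdigest()
        return self.user_id, data["nonce"], proof


def run_login(server, phone, browser_session, now=None):
    """Drive one complete exchange and report whether the browser session ended up logged in."""
    qr_payload = server.start_login(browser_session)       # browser displays this as a barcode
    user_id, nonce, proof = phone.scan_and_respond(qr_payload)  # phone scans it
    ok = server.finish_login(user_id, nonce, proof, now=now)    # phone posts over its own link
    return ok, server.whoami(browser_session)


if __name__ == "__main__":
    srv = Server()
    alice_phone = Phone("alice", srv.enroll("alice"))
    print(run_login(srv, alice_phone, "browser-1"))
```

Three properties of the example are worth checking by hand: a second submission of the same (nonce, proof) fails because the pending entry was consumed, a phone holding a different secret produces a proof that fails comparison, and a proof submitted after the TTL is rejected even though it is otherwise correct. What the example does not do, and a deployment would have to decide about, is tell the phone whose browser requested the barcode; the server trusts that the person who scanned the code is looking at their own screen.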

There will be a demo session Oct. 19, 2011.