Secure, Consumer-Friendly Web Authentication and Payments with a Phone

  • Conference paper
Mobile Computing, Applications, and Services (MobiCASE 2010)

Abstract

This paper proposes a challenge-response authentication system for web applications called Snap2Pass that is easy to use, provides strong security guarantees, and requires no browser extensions. The system uses QR codes, which are small two-dimensional pictures that encode digital data. When logging in to a site, the web server sends the PC browser a QR code that encodes a cryptographic challenge; the user takes a picture of the QR code with his cell phone camera, which results in a cryptographic response being sent to the server; the web server then logs the PC browser in. Our user study shows that authentication using Snap2Pass is easy to learn and considerably faster than existing one-time password and challenge-response systems. By implementing our solution as an OpenID provider, we have made this scheme available to over 30,000 websites that use OpenID today. This paper also proposes Snap2Pay, an extension of Snap2Pass, to improve the usability and security of online payments. Snap2Pay allows a consumer to use one-time credit cards as well as the Verified by Visa or Mastercard SecureCode services securely and easily with just a snap of a QR code.
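The login flow described in the abstract, as an added illustration that is not code from the paper or its OpenID provider: the server issues a single-use challenge tied to the waiting browser session, the phone answers it, and the server binds the browser session to the user only after verification. The HMAC-SHA256 response keyed with a secret shared at enrollment, the site-identity check on the phone, and the 60-second challenge lifetime are all assumptions made here; the abstract says only that the QR code encodes a "cryptographic challenge".

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 60  # seconds a pending challenge stays valid (assumed value)

def compute_response(secret, site, challenge):
    # Response = HMAC-SHA256 over the site identity and the challenge,
    # keyed with the secret shared at enrollment (an assumed construction).
    return hmac.new(secret, f"{site}\n{challenge}".encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, site):
        self.site = site
        self.secrets = {}    # username -> secret shared with that user's phone
        self.pending = {}    # challenge -> (browser session id, expiry time)
        self.logged_in = {}  # browser session id -> username

    def enroll(self, user, secret):
        self.secrets[user] = secret

    def new_challenge(self, session_id):
        """Payload the PC browser renders as a QR code for a waiting session."""
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (session_id, time.time() + CHALLENGE_TTL)
        return json.dumps({"site": self.site, "challenge": challenge})

    def handle_response(self, user, challenge, mac):
        """Verify the phone's response and, on success, log the browser in."""
        entry = self.pending.pop(challenge, None)  # each challenge is single-use
        if entry is None or user not in self.secrets:
            return False
        session_id, expiry = entry
        if time.time() > expiry:
            return False
        expected = compute_response(self.secrets[user], self.site, challenge)
        if not hmac.compare_digest(expected, mac):
            return False
        self.logged_in[session_id] = user
        return True

class Phone:
    def __init__(self, user, site, secret):
        self.user, self.site, self.secret = user, site, secret

    def snap(self, qr_payload):
        """Decode a scanned QR payload; answer only challenges from the enrolled site."""
        data = json.loads(qr_payload)
        if data.get("site") != self.site:
            return None
        mac = compute_response(self.secret, self.site, data["challenge"])
        return (self.user, data["challenge"], mac)
```

Because the response is bound to the site identity, a challenge relayed from a different site is never answered, and because each challenge is popped on first use, a captured response cannot log in a second browser session.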




Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Dodson, B., Sengupta, D., Boneh, D., Lam, M.S. (2012). Secure, Consumer-Friendly Web Authentication and Payments with a Phone. In: Gris, M., Yang, G. (eds) Mobile Computing, Applications, and Services. MobiCASE 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 76. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29336-8_2


  • DOI: https://doi.org/10.1007/978-3-642-29336-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29335-1

  • Online ISBN: 978-3-642-29336-8

  • eBook Packages: Computer Science (R0)
