Article | NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009 | Authenticating Mobile Users Using Untrusted Computers: A Smartphone Approach

Title:
Authenticating Mobile Users Using Untrusted Computers: A Smartphone Approach
Author:
Anna Vapen: Department of computer and information science, Linköpings universitet, Sweden
Download:
Full text (pdf)
Year:
2009
Conference:
NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009
Issue:
041
Article no.:
006
Pages:
43-43
No. of pages:
1
Publication type:
Abstract
Published:
2009-07-14
Series:
Linköping Electronic Conference Proceedings
ISSN (print):
1650-3686
ISSN (online):
1650-3740
Publisher:
Linköping University Electronic Press; Linköpings universitet


Export in BibTex, RIS or text

Users of web applications are mobile in the sense that they use different computers; for example at work; at home or at an Internet café. These computers can be considered untrusted since they can contain keyloggers and malware. When a user logs in to use a web application there is a need for an authentication method that is secure even if the computer cannot be trusted; and that can be used on any computer anywhere.

Normally usernames and passwords are used in simple authentication solutions. The problem is that users need to remember a large variety of different usernames and passwords. For a password to be secure it needs to be relatively complex which makes it difficult to remember. To use complex passwords there is a need for secure storage of the passwords; or an alternative method such as using one-time passwords and challenge-response where the user is presented with a challenge that only this user can give the correct response to.

Both for storage of passwords and for running a cryptographic application that calculates a response we need a trusted environment that can be reached by the mobile user. Many securityconscious organizations; specifically in the areas of e-commerce and online banking; use hardware security tokens for authentication. The token can be for example a smartcard; a USBstick or other hardware specific for the application. In recent years mobile phones have been used in authentication solutions and identity management. Because of their prevalence; mobile phones are an excellent platform for something the user wants to have available at all times.

Using a smartphone; an enhanced mobile phone similar to a PDA; we get access to a rich set of input channels (e.g. camera; voice; keypad; touch screen; accelerometers; GPS etc) and communication channels (long distance as GSM/WCDMA; WiFi etc and short distance as Bluetooth; NFC etc). They also contain trusted hardware in the form of a SIM or USIM card.

An interesting challenge with using a smartphone as a hardware security token is to explore its interactive features to be able to create a highly usable and fast authentication solution that can provide a high level of security in security critical settings as well as for simpler services like social networks; e-mail and blogs. One solution that we are investigating is the possibility of using optical input as part of an authentication process where the user has a smartphone as a hardware token.

NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009

Author:
Anna Vapen
Title:
Authenticating Mobile Users Using Untrusted Computers: A Smartphone Approach
References:
No references available

NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009

Author:
Anna Vapen
Title:
Authenticating Mobile Users Using Untrusted Computers: A Smartphone Approach
Note: the following are taken directly from CrossRef
Citations:
No citations available at the moment