Files:DescriptionFile size FormatBrowse
Fulltext0.26 MBPDF (requires Acrobat Reader)Previous | Next
  
Authors:Anna Vapen: Department of computer and information science, Linköpings universitet, Sweden
Publication title:Authenticating Mobile Users Using Untrusted Computers: A Smartphone Approach
Conference:NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009
Publication type: Abstract
Issue:041
Article No.:006
Abstract:Users of web applications are mobile in the sense that they use different computers; for example at work; at home or at an Internet café. These computers can be considered untrusted since they can contain keyloggers and malware. When a user logs in to use a web application there is a need for an authentication method that is secure even if the computer cannot be trusted; and that can be used on any computer anywhere.

Normally usernames and passwords are used in simple authentication solutions. The problem is that users need to remember a large variety of different usernames and passwords. For a password to be secure it needs to be relatively complex which makes it difficult to remember. To use complex passwords there is a need for secure storage of the passwords; or an alternative method such as using one-time passwords and challenge-response where the user is presented with a challenge that only this user can give the correct response to.

Both for storage of passwords and for running a cryptographic application that calculates a response we need a trusted environment that can be reached by the mobile user. Many securityconscious organizations; specifically in the areas of e-commerce and online banking; use hardware security tokens for authentication. The token can be for example a smartcard; a USBstick or other hardware specific for the application. In recent years mobile phones have been used in authentication solutions and identity management. Because of their prevalence; mobile phones are an excellent platform for something the user wants to have available at all times.

Using a smartphone; an enhanced mobile phone similar to a PDA; we get access to a rich set of input channels (e.g. camera; voice; keypad; touch screen; accelerometers; GPS etc) and communication channels (long distance as GSM/WCDMA; WiFi etc and short distance as Bluetooth; NFC etc). They also contain trusted hardware in the form of a SIM or USIM card.

An interesting challenge with using a smartphone as a hardware security token is to explore its interactive features to be able to create a highly usable and fast authentication solution that can provide a high level of security in security critical settings as well as for simpler services like social networks; e-mail and blogs. One solution that we are investigating is the possibility of using optical input as part of an authentication process where the user has a smartphone as a hardware token.

Language:English
Year:2009
No. of pages:1
Pages:43-43
Series:Linköping Electronic Conference Proceedings
ISSN (print):1650-3686
ISSN (online):1650-3740
File:http://www.ep.liu.se/ecp/041/006/ecp0941006.pdf
Available:2009-07-14
Publisher:Linköping University Electronic Press; Linköpings universitet

REFERENCE TO THIS PAGE
Anna Vapen (2009). Authenticating Mobile Users Using Untrusted Computers: A Smartphone Approach, NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009 http://www.ep.liu.se/ecp_article/index.en.aspx?issue=041;article=006 (accessed 11/25/2014)