Secure and convenient authentication technology for web
...
At the moment, every authentication method used in web applications is either not secure enough or too inconvenient to use. This is why a global system for micropayments over the Internet has not yet emerged.
What exactly is wrong with each of the existing methods?
- Simple password: convenient, but it carries several threats, and the most important one is not so much that someone gains unauthorized access to it, but that roughly the same login / password combination tends to be reused across many different services, some of which may be poorly protected.
- One-time passwords: safe and relatively convenient (though an extra device is still added), but quite expensive.
- Digital signature certificates: safe, but very inconvenient (cross-platform token support is a problem), and also expensive.
- Confirmation over a second communication channel (usually a mobile phone): relatively safe, relatively convenient, relatively scalable (for now ...).
- OpenID: safe, but currently hard to adopt, because 99% of people do not have a trusted web server.
However, it is already possible to take a swing at a global authentication system by combining three things that have already become a reality:
- IPv6
- OpenID
- a stable Internet connection from a mobile phone / communicator.
Here it is:
Each mobile phone, while in the provider's network, will be constantly connected to the Internet and have a static IPv6 address, as well as a DNS name of the form <phone number>.<operator domain>. Each phone will have an integrated OpenID service.
Thus a person will only need to log in to his phone every morning in order to be able to authenticate automatically to any site. Such a system of course has a weak point: the phone itself, since anyone who gets hold of it can impersonate its owner. But even at first glance, plenty of protection methods come to mind:
0. (not to mention blocking the phone by calling the operator);
1. for some sensitive transactions (for example, payments), an additional authorization step can be required, for example a password (which makes it two-factor authentication);
2. biometric authentication can be added, or an additional token used, for example an RFID tag that a person can wear on a key ring, around the neck or on the wrist, and which must be no further than, say, 2 meters from the phone for the OpenID service to work.
I think there are other reasonable ways ...
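To make the proposed design concrete, here is an added example (not code from the original post) of the checks a relying party would perform on one OpenID assertion arriving from such a phone: the identity URL must be a phone name under the operator domain, the request's source IPv6 address must match the static address the operator publishes for that name, the RFID token must be reported within 2 meters, and sensitive transactions need the extra password. The operator domain, the AAAA table that stands in for the operator's DNS zone, and the idea that the phone reports the token distance are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumptions for this example: a constructed operator domain and a
# constructed AAAA table standing in for the operator's DNS zone.
OPERATOR_DOMAIN = "example-operator.test"
DNS_AAAA = {
    "79161234567.example-operator.test": "2001:db8:1::1",
}
# The post suggests a token that must stay within roughly 2 metres of the phone.
MAX_TOKEN_DISTANCE_M = 2.0

# <phone number>.<operator domain>: digits, a dot, then the domain.
PHONE_HOST_RE = re.compile(r"^(?P<number>\d{6,15})\.(?P<domain>[a-z0-9.-]+)$")


@dataclass
class AuthContext:
    identity: str                      # claimed OpenID identity URL
    source_ip: str                     # IPv6 address the assertion came from
    sensitive: bool                    # e.g. a payment
    password_ok: bool                  # extra password verified (second factor)
    token_distance_m: Optional[float]  # RFID token distance reported by the phone, None if absent


def parse_identity_host(identity: str) -> Optional[Tuple[str, str]]:
    """Return (phone_number, host) if the identity URL has the form
    https://<phone number>.<operator domain>/, otherwise None."""
    parsed = urlparse(identity)
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    m = PHONE_HOST_RE.match(host)
    if not m or m.group("domain") != OPERATOR_DOMAIN:
        return None
    return m.group("number"), host


def identity_matches_source(host: str, source_ip: str) -> bool:
    """Check that the request came from the static IPv6 address the operator
    publishes for this phone (lookup against the constructed DNS table)."""
    published = DNS_AAAA.get(host)
    if published is None:
        return False
    try:
        # ipaddress normalises textual forms, so "::1" and "0:0::1" compare equal.
        return ipaddress.ip_address(source_ip) == ipaddress.ip_address(published)
    except ValueError:
        return False


def authorize(ctx: AuthContext) -> Tuple[bool, str]:
    """Relying-party decision for one OpenID assertion from a phone."""
    parsed = parse_identity_host(ctx.identity)
    if parsed is None:
        return False, "identity is not a phone under the operator domain"
    _number, host = parsed
    if not identity_matches_source(host, ctx.source_ip):
        return False, "source address does not match identity"
    # Protection 2 from the post: the token must be present and within range.
    if ctx.token_distance_m is None or ctx.token_distance_m > MAX_TOKEN_DISTANCE_M:
        return False, "token absent or out of range"
    # Protection 1 from the post: sensitive transactions need the extra password.
    if ctx.sensitive and not ctx.password_ok:
        return False, "second factor required for sensitive transaction"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample assertions.
    login = AuthContext("https://79161234567.example-operator.test/", "2001:db8:1::1", False, False, 0.5)
    payment = AuthContext("https://79161234567.example-operator.test/", "2001:db8:1::1", True, False, 0.5)
    print(authorize(login))
    print(authorize(payment))
```

The address check is what ties the assertion to the operator's network: an attacker who clones the identity URL from some other network fails it even before the token and password rules are reached, while a stolen phone that is still in range of the token but lacks the password is stopped at the payment step.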
In such a system, mobile operators could take on the role of mobile micro-banks, if payments are made directly from the subscriber's account with the operator, or of authentication service providers (the first attempts at this approach are being made now, but with proprietary authentication systems that have no prospect of scaling beyond individual payment systems).