An experimental method for two-factor authentication to websites employs mobile phones in a new way to ensure that users' online accounts don't get hijacked.
Called password less authentication (PLA), the scheme gathers authentication data over the Internet as well as carrier cellular networks and ties them together to positively identify the person trying to log in to an account, according to the author of PAL, Srikar Sagi, a security architect for PayPal.
PLA gets around some shortcomings of other scenarios in which cellphones are used in two-factor authentication. Some of these other methods have secure websites send SMS messages containing one-time passwords to cellphones for users to copy into the authentication page for the site they are logging into.
The downside of this method is that attackers have developed Trojans that intercept these SMS messages and forward them to attackers' phones so they can use the passwords to log in to victims' accounts.
By contrast, when logging in with PLA, users enter their username and PIN, which is relayed to a PLA server via the Internet. Then, in the background and unbeknownst to the user, a second authentication transpires between a PLA application on the phone and the PLA server. If successful, the second interaction confirms that the person who knows the username and password has in his possession the same phone that has been registered with the account.
In order to compromise an account an attacker would have to steal the username, password and phone. The likelihood of that happening is very small given the logistics of both stealing the login information and also figuring out where victims are located in order to grab their phones, Sagi says. While it would be possible, the probability would be very low, he says.
Sagi was to have presented PLA at a TakeDownCon mobile security conference this week, but had to cancel.
Here is a step-by-step explanation of how PLA works:
1. A customer registering to use an online banking site time via a Web browser would also be offered the opportunity to register for PLA. If the customer chooses to do so, he or she enters a username, password and a cellphone number. The cellphone receives an invitation to download a PLA mobile application. Once installed, it captures the phone's international mobile subscriber identity (IMSI) and its integrated circuit card ID (ICCID).
2. The user enters into the application the same username and password created on the banking site, and the app sends the IMSI and ICCID data encrypted to a remote PLA server. The server creates an AppID using an algorithm that incorporates the IMSI and ICCID, and that is sent encrypted to the phone using the server's public key.
Sign up for Computerworld eNewsletters.