Authenticating Mobile Users Using Untrusted Computers

Anna Vapen
Department of computer and information science, Linköpings universitet, Sweden

Ladda ner artikel

Ingår i: NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009

Linköping Electronic Conference Proceedings 41:6, s. 43-43

Visa mer +

Publicerad: 2009-07-14


ISSN: 1650-3686 (tryckt), 1650-3740 (online)


Users of web applications are mobile in the sense that they use different computers; for example at work; at home or at an Internet café. These computers can be considered untrusted since they can contain keyloggers and malware. When a user logs in to use a web application there is a need for an authentication method that is secure even if the computer cannot be trusted; and that can be used on any computer anywhere.

Normally usernames and passwords are used in simple authentication solutions. The problem is that users need to remember a large variety of different usernames and passwords. For a password to be secure it needs to be relatively complex which makes it difficult to remember. To use complex passwords there is a need for secure storage of the passwords; or an alternative method such as using one-time passwords and challenge-response where the user is presented with a challenge that only this user can give the correct response to.

Both for storage of passwords and for running a cryptographic application that calculates a response we need a trusted environment that can be reached by the mobile user. Many securityconscious organizations; specifically in the areas of e-commerce and online banking; use hardware security tokens for authentication. The token can be for example a smartcard; a USBstick or other hardware specific for the application. In recent years mobile phones have been used in authentication solutions and identity management. Because of their prevalence; mobile phones are an excellent platform for something the user wants to have available at all times.

Using a smartphone; an enhanced mobile phone similar to a PDA; we get access to a rich set of input channels (e.g. camera; voice; keypad; touch screen; accelerometers; GPS etc) and communication channels (long distance as GSM/WCDMA; WiFi etc and short distance as Bluetooth; NFC etc). They also contain trusted hardware in the form of a SIM or USIM card.

An interesting challenge with using a smartphone as a hardware security token is to explore its interactive features to be able to create a highly usable and fast authentication solution that can provide a high level of security in security critical settings as well as for simpler services like social networks; e-mail and blogs. One solution that we are investigating is the possibility of using optical input as part of an authentication process where the user has a smartphone as a hardware token.


Inga nyckelord är tillgängliga


Inga referenser tillgängliga

Citeringar i Crossref