I was at the c0c0n conference between 7th & 8th October 2011 held at Cochin and attended some very good and interesting works and presentations, such as “Wi-Fi Malware for Fun and Profit” by Vivek Ramachandran, which is a real good exploit in Windows 7 and which I had already attended in Bangalore (September 2011) to understand, and another one, “When I Grow Up I Want to be a Cyber Terrorist” by Michael Kemp, and more.
However, I attended one more presentation, on “Password Less Authentication, Authorization & Payments” by Srikar Sagi from PayPal – and I was first intrigued by the very title itself: how is authentication possible without a password? (I thought it was some mind freak – no pun intended.)
I somehow liked it after a deeper understanding of the costs involved in account takeovers, development costs and fraud investigation costs (the poor guy explained it to me well and convinced me). I observed that the design proposed by him divides the authentication process itself into two halves, i.e. the authentication journey starts on the IP network by entering a simple USERID and a PIN to the server and receiving a small challenge on the web page, which you then need to enter into a mobile application.
The server reads the message and loads the temporary auth database against the user based on the mobile phone number, decrypts the packet using the server’s private key and compares the hashes. I was surprised that the truth is I’m authenticated using my own secrets (IMSI, ICC-ID, APPID, PIN) with arbitrary codes but no passwords, no password complexities, and no need to carry tokens (hardware or software).
Though I did not like the registration process, which again has two halves, one starting on the web page and finishing on the mobile application by downloading, installing and sending the IMSI and ICC-ID and receiving the APPID from the server, the good thing is I don’t have to remember passwords.
What I see as advantages:
1. No need to carry tokens
2. No need to remember complex password(s)
3. If I have multiple bank accounts I do not have to remember multiple passwords or multiple tokens for that matter. If any bank implements this design then all I have to do is download the respective bank’s public key and still hold the same userid and same PIN
4. I just have to protect my phone as it would become my identity device
5. If my phone is lost or stolen, it’s the same as calling your credit card or telecom company to block the card or SIM
Even if a malware or spyware gets hold of my userid and PIN, the authentication lands on my mobile phone, and if I’m not the one who initiated the authentication request I can surely decline it or simply change the PIN. The same applies to any online purchases as well, and to any system or application changes in my web mail, corporate accounts or, for that matter, my own banking accounts.
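To make the two halves concrete, here is an added Go sketch of the flow as the post describes it: USERID and PIN on the web, a short challenge typed into the phone, a packet sealed to the server’s public key, the server decrypting with its private key, looking up the pending record by mobile number and comparing the hashes, plus the decline case from the paragraph above. This is not code from the talk or from PayPal; everything the post does not state is an assumption made here: the hash layouts, RSA-OAEP as the public-key scheme, JSON as the packet format, the six-character challenge, and the constructed sample identifiers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Server owns the key pair, the enrolments and the "temporary auth database" of pending challenges.
type Server struct {
	priv    *rsa.PrivateKey       // the matching public key is what users download
	users   map[string]*enrolment // USERID -> enrolment
	phones  map[string]string     // mobile number -> USERID
	pending map[string]string     // mobile number -> challenge awaiting the phone
}

// enrolment is what registration leaves on the server; the PIN itself is never stored.
type enrolment struct {
	phone              string
	pinHash            [32]byte // web half: SHA-256(USERID|PIN) (assumed layout)
	imsi, iccid, appID string   // mobile half: IMSI, ICC-ID sent by the phone, APPID issued to it
}

// Phone is the mobile app's view. The PIN is typed by the user and never stored on the device.
type Phone struct{ number, imsi, iccid, appID string }
type packet struct{ Phone, Challenge, Proof string }

func NewServer() *Server {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Server{priv, map[string]*enrolment{}, map[string]string{}, map[string]string{}}
}

// Register runs both halves of enrolment and hands the phone its APPID.
func (s *Server) Register(userID, pin string, ph *Phone) {
	ph.appID = randomCode(16)
	s.users[userID] = &enrolment{ph.number, sha256.Sum256([]byte(userID + "|" + pin)), ph.imsi, ph.iccid, ph.appID}
	s.phones[ph.number] = userID
}

// BeginWebLogin is the first half over the IP network: USERID and PIN in, a short challenge out.
func (s *Server) BeginWebLogin(userID, pin string) (string, error) {
	e, ok := s.users[userID]
	h := sha256.Sum256([]byte(userID + "|" + pin))
	if !ok || subtle.ConstantTimeCompare(h[:], e.pinHash[:]) != 1 {
		return "", errors.New("unknown user or wrong PIN")
	}
	s.pending[e.phone] = randomCode(6) // parked against the mobile number, not the web session
	return s.pending[e.phone], nil
}

// Decline lets the owner drop a challenge they did not initiate (e.g. after a stolen USERID+PIN).
func (s *Server) Decline(phone string) { delete(s.pending, phone) }

// Respond is the second half, on the phone: bind the typed challenge to the device secrets and
// seal the packet to the server's public key. RSA-OAEP is a stand-in for whatever scheme the design uses.
func (ph *Phone) Respond(challenge string, pub *rsa.PublicKey) ([]byte, error) {
	plain, err := json.Marshal(packet{ph.number, challenge, proofFor(ph.imsi, ph.iccid, ph.appID, challenge)})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte("auth-v1"))
}

// CompletePhoneAuth decrypts with the private key, loads the pending record for that mobile number
// and compares the hashes. The challenge is consumed whether or not the proof matches.
func (s *Server) CompletePhoneAuth(ct []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, ct, []byte("auth-v1"))
	if err != nil {
		return "", errors.New("packet does not decrypt")
	}
	var p packet
	if err := json.Unmarshal(plain, &p); err != nil {
		return "", err
	}
	userID, known := s.phones[p.Phone]
	if c, waiting := s.pending[p.Phone]; !known || !waiting || c != p.Challenge {
		return "", errors.New("no pending authentication for this phone")
	}
	delete(s.pending, p.Phone)
	e := s.users[userID]
	want := proofFor(e.imsi, e.iccid, e.appID, p.Challenge)
	if subtle.ConstantTimeCompare([]byte(p.Proof), []byte(want)) != 1 {
		return "", errors.New("device secrets do not match enrolment")
	}
	return userID, nil
}

// proofFor hashes the device secrets together with the challenge, so a captured response is useless later.
func proofFor(imsi, iccid, appID, challenge string) string {
	h := sha256.Sum256([]byte(imsi + "|" + iccid + "|" + appID + "|" + challenge))
	return hex.EncodeToString(h[:])
}

func randomCode(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)[:n]
}
```

Two points of the design stand out once it is written down: the pending record is keyed by the mobile number rather than by the web session, which is exactly why a stolen USERID and PIN only produce a challenge that the real phone owner can decline, and the challenge is removed on first use, so a packet captured on the phone side cannot be replayed. The server never has to store a password, only a PIN hash and the device identifiers it needs to recompute the proof.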
When he explained the advantages to me, I felt wow, then why doesn’t PayPal implement it? I got a simple answer: it’s under patent processing and he can’t talk about internal company details. However, I see some work required towards all mobile phones, i.e. GSM and CDMA networks, and some low-level development so that all types of phones can use the public key encryption, not just smart phones.
Some pics from the presentation that I luckily managed to get are given below – interesting but intriguing as well.
Do let us know what’s your take on this.