Comments on: Authentication over a network

By: Chris Hills

Chris Hills — Wed, 15 Apr 2009 16:15:31 +0000

Since you are specifically authenticating a mobile phone, I would suggest a one-time pad delivered via SMS. The user registers their mobile phone number, and when they require access, the server sends a code via SMS which the user then copies into the client application. The Google SMS gateway would have been ideal for this, unfortunately it was shut down due to abuse from a certain iPhone application.

By: me

me — Wed, 15 Apr 2009 07:53:40 +0000

Bluetooth-type authentication does not have to violate your second requirement, if you implement bluetooths ‘discoverable’ status. So on one of the devices, you set the device to be discoverable. The device shows you some kind of code. The other device now can see the first device, you type in the code and they connect.

As long as the implementation is correct (make sure you use secure random numbers) this works reasonably seamless and secure. The only thing that can happen is a man-in-the-middle attack and that would require the attacker to intercept all communication, which is rather impractical.

By: Johannes Berg

Johannes Berg — Sat, 11 Apr 2009 19:44:46 +0000

Maybe see http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup for some ideas. It’s implemented in wpa_supplicant now, but I don’t know about any UIs. Might not solve your problem at all, but maybe some of the methods could be usable — I don’t know off-hand, just seemed like WPS is like what you need.

By: Pierre

Pierre — Sat, 11 Apr 2009 19:35:15 +0000

What about a dialog in the desktop application that would show a random 4 digits code that you would have to type in any client you want to allow ?