Proving who you are is becoming more and more important, now that almost every transaction is conducted over a hostile and malevolent Internet.
Using your face as a password (and, also a User ID) works fine until somebody copies your digitised face, and reuses it in a series of replay attacks or, worse, sells it on the Internet.
Since people have never embraced any security scheme which got in the way of convenience, it would be best if we could submit a credential which was as easy to enter as a password, but which was useless to anyone who copied it, stole it or watched you enter it.
https://www.researchgate.net/project/IDaaS-with-secure-data-at-rest/update/5a94e4f1b53d2f0bba5491cf?_iepl%5BviewId%5D=8vG6Ns0fd6TgtCocBCAHdPQS&_iepl%5Bcontexts%5D%5B0%5D=projectUpdatesLog&_iepl%5BinteractionType%5D=projectUpdateDetailClickThrough
Consider usage of zero-knowledge proof (aka ZKP) cryptography protocols such as Feige-Fiat-Shamir. The protocols are more dedicated to key knowledge proof, but the approach could be used for your task if some changes would be made, password salting for instance, otherwise it could be applied, but security level would suffer.
Also there are more focused works, those consider zero-knowledge password proof (aka ZKPP).
We looked at that at the start of the project. It's impractical, because it needs a very thick client, which would have trouble running on a smartphone. We use no client.
Also, any system based on large primes (like Diffie-Hellman) is vulnerable to rainbow table attack.
Have you checked the authentication protocols based on QR codes, such as SQRL or QRP?
People don't trust QR codes. Too many have been used by criminals to redirect users to malicious sites. Anyway, some phones find them difficult to read, especially in high ambient light conditions.
Mark Sitkowski
"Also, any system based on large primes (like Diffie-Hellman) is vulnerable to rainbow table attack."
It is quite debatable notion considering word "any". As I'm aware, passwords salting or including nonces into signature/identification scheme solved the rainbow table attack problem.
Anyway, in most cases brute force attack on passwords would be easier, than adaptive one on cryptographic algorithm. And this is worth considering while choosing the path of your solution development.
" which would have trouble running on a smartphone. " It is not obligatory. authentication procedure is not huge arrays of data encryption, it uses lesser amount of resources. And nowadays smartphones aren't such helpless as we used to think :). Heard about smartphone cryptocurrency mining applications. It is inadequate for my taste, but it shows certain computational ability of them, which should be enough for authentication task solving.
"We use no client"
You confused me... So, who is supposed to enter password? Could you specify task more or provide some use-case?
Nobody enters a password. The user responds with random metadata. We do not query his device, nor install any cookies or apps. The device talks to us.
In my opinion, a hybrid authentication scheme should work well. i.e. combination of smartcard and password/OTP along with some heuristic techniques to determine authenticity.
- Badges
- Science topic
- Similar topics
- Computer Communications (Networks)
- Simulators