An experimental method for two-factor authentication to websites employs mobile phones in a new way to ensure that users' online accounts don't get hijacked.
Called password less authentication (PLA), the scheme gathers authentication data over the Internet as well as carrier cellular networks and ties them together to positively identify the person trying to log in to an account, according to the author of PAL, Srikar Sagi, a security researcher.
MORE ON SECURITY: From Anonymous to Hackerazzi: The year in security mischief-making
PLA gets around some shortcomings of other scenarios in which cellphones are used in two-factor authentication. Some of these other methods have secure websites send SMS messages containing one-time passwords to cellphones for users to copy into the authentication page for the site they are logging into.
The downside of this method is that attackers have developed Trojans that intercept these SMS messages and forward them to attackers' phones so they can use the passwords to log in to victims' accounts.
By contrast, when logging in with PLA, users enter their username and PIN, which is relayed to a PLA server via the Internet. Then, in the background and unbeknownst to the user, a second authentication transpires between a PLA application on the phone and the PLA server. If successful, the second interaction confirms that the person who knows the username and password has in his possession the same phone that has been registered with the account.
In order to compromise an account an attacker would have to steal the username, password and phone. The likelihood of that happening is very small given the logistics of both stealing the login information and also figuring out where victims are located in order to grab their phones, Sagi says. While it would be possible, the probability would be very low, he says.
Sagi was to have presented PLA at a TakeDownCon mobile security conference this week, but had to cancel.
Here is a step-by-step explanation of how PLA works:
1. A customer registering to use an online banking site time via a Web browser would also be offered the opportunity to register for PLA. If the customer chooses to do so, he or she enters a username, password and a cellphone number. The cellphone receives an invitation to download a PLA mobile application. Once installed, it captures the phone's international mobile subscriber identity (IMSI) and its integrated circuit card ID (ICCID).
2. The user enters into the application the same username and password created on the banking site, and the app sends the IMSI and ICCID data encrypted to a remote PLA server. The server creates an AppID using an algorithm that incorporates the IMSI and ICCID, and that is sent encrypted to the phone using the server's public key.
3. After that, whenever the user logs in to the banking site with username and password, the site displays Request Challenge-1 -- a set of numerals sent by the PLA server. The user enters that set into the PLA mobile app and gains access to the secured portion of the banking site.
4. In the background a second challenge, Challenge-2, is sent from the server to the phone via SMS.
5. The PLA mobile app creates a hash using Challenge-1, Challenge-2, and the AppID as well as the IMSI and the ICCID read directly from the phone. The app encrypts the hash and sends it to the server.
6. Independently the server hashes the same values from its database and compares the resulting hash to the hash sent from the phone. If they match, the user gets a welcome screen on the Web page.
Sagi says he is uncertain about plans to commercialize PLA.