Mobile Computing, Applications, and Services. Second International ICST Conference, MobiCASE 2010, Santa Clara, CA, USA, October 25-28, 2010, Revised Selected Papers

Research Article

Secure, Consumer-Friendly Web Authentication and Payments with a Phone

Download33 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-29336-8_2,
        author={Ben Dodson and Debangsu Sengupta and Dan Boneh and Monica Lam},
        title={Secure, Consumer-Friendly Web Authentication and Payments with a Phone},
        proceedings={Mobile Computing, Applications, and Services. Second International ICST Conference, MobiCASE 2010, Santa Clara, CA, USA, October 25-28, 2010, Revised Selected Papers},
        proceedings_a={MOBICASE},
        year={2012},
        month={10},
        keywords={},
        doi={10.1007/978-3-642-29336-8_2}
    }
    
  • Ben Dodson
    Debangsu Sengupta
    Dan Boneh
    Monica Lam
    Year: 2012
    Secure, Consumer-Friendly Web Authentication and Payments with a Phone
    MOBICASE
    Springer
    DOI: 10.1007/978-3-642-29336-8_2
Ben Dodson1,*, Debangsu Sengupta1,*, Dan Boneh1,*, Monica Lam1,*
  • 1: Stanford University
*Contact email: bjdodson@cs.stanford.edu, debangsu@cs.stanford.edu, dabo@cs.stanford.edu, lam@cs.stanford.edu

Abstract

This paper proposes a challenge-response authentication system for web applications called Snap2Pass that is easy to use, provides strong security guarantees, and requires no browser extensions. The system uses QR codes which are small two-dimensional pictures that encode digital data. When logging in to a site, the web server sends the PC browser a QR code that encodes a cryptographic challenge; the user takes a picture of the QR code with his cell phone camera which results in a cryptographic response sent to the server; the web server then logs the PC browser in. Our user study shows that authentication using Snap2Pass is easy to learn and considerably faster than existing one-time password and challenge-response systems. By implementing our solution as an OpenID provider, we have made this scheme available to over 30,000 websites that use OpenID today. This paper also proposes Snap2Pay, an extension of Snap2Pass, to improve the usability and security of online payments. Snap2Pay allows a consumer to use one-time credit cards as well as the Verified by Visa or Mastercard SecureCode services securely and easily with just a snap of a QR code.