
I've been asked to implement a digital card for members of our organisation, to replace the old plastic ones. Members would install our app on their phone and set up a "card" with their photo on it within the app. Once set up, they could not change the photo.

Then when coming onsite they may get asked to show their card by opening the app and showing the security team the card screen in their app.

The security team of course needs some way to check that they are looking at the real app and not a photo-shopped screenshot or another app made to look like ours if they get suspicious.

I was thinking perhaps using the TOTP algorithm like Google Authenticator does to display a series of codes on the staff member's card screen might work. Security staff could then enter the codes on their phone to verify them against the server and see if it was legit.

This wouldn't be completely secure, of course, as I'm sure there are ways for someone to steal the secret key from the phone and make use of it, but perhaps it would be difficult enough? This isn't super top secret stuff, so just making it hard enough should suffice.

Does anyone have experience or ideas with ways to ensure authenticity of a digital card (app) that might work?

Thanks!

TerryB
  • Thanks @AndrolGenhald, had missed that one. Should I change mine to be more specific about the use of TOTP to do this? – TerryB May 21 '19 at 03:14
  • Yes, if the answers there don't answer your question and you want to distinguish your question from that one as asking specifically about the use of TOTP I'll remove my close vote. You may also want to change "Does anyone have experience or ideas ... that might work?" as it sounds open ended and could result in the question being closed as "too broad". – AndrolGenhald May 21 '19 at 14:02
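As an added example (not code from the question or any answer): a minimal RFC 6238 TOTP generator for the card screen, beside the server-side check a guard's phone would call. The verifier looks the member's secret up by member id, tolerates one 30-second step of clock drift, and refuses a code it has already accepted, so a screenshot of the card shown again inside the same window fails. The member id and secret are constructed; the 6-digit codes checked in the test are the RFC 6238 SHA-1 test vectors truncated to six digits.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step
DIGITS = 6
WINDOW = 1   # accept one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the card screen shows."""
    return hotp(secret, now // step)


class CardVerifier:
    """Server side: member id -> shared secret, plus the last accepted step per member (replay guard)."""

    def __init__(self, members: dict):
        self.members = members          # constructed sample data; real data lives in the member database
        self.last_accepted = {}         # member id -> time step of the last code a guard accepted

    def verify(self, member_id: str, code: str, now: int) -> bool:
        secret = self.members.get(member_id)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        base = now // STEP
        for step in range(base - WINDOW, base + WINDOW + 1):
            if hmac.compare_digest(hotp(secret, step), code):
                # Same code presented twice (e.g. a screenshot) within the window: reject it.
                if step <= self.last_accepted.get(member_id, -1):
                    return False
                self.last_accepted[member_id] = step
                return True
        return False
```

The replay guard does not help if the secret itself is extracted from the phone, which is the limitation the question already notes; it only defeats reuse of a displayed or captured code.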
