What would be a good way to authenticate a user to websites and applications over a smart phone? By good, I mean that it is both secure and user-friendly. Passwords don't seem to be the best fit because a password needs to be long to be secure, but it is hard to type a long password on a smart phone. Some thoughts I have begun to think about are biometric measures (e.g. possibly facial recognition), and/or a token. I asked a very similar question of authenticating a user to the smartphone itself here: What is a good way to authenticate a user to a smart phone?
0
Same answer from me, SSO. I'm not an SSO salesperson, I promise! – AlexH Feb 12 '15 at 14:40
What are you authenticating? I mean what is the ID you are using? In many mobile apps, by using their phone number as the ID, it is easy to authenticate their ID. – Aron Feb 12 '15 at 16:08
@Aron I would consider authenticating by any ID that would be easy and secure. A phone number sounds like a great idea! – Jonathan Feb 18 '15 at 21:15
3 Answers
2
Consider SQRL. It's a quite new, free, token-based authentication system, using a client application. To authenticate, the client signs a cryptographic challenge with a per-domain private key. Thus it offers per-domain pseudonymity.
From Wikipedia:
SQRL or Secure, Quick, Reliable Login (pronounced "squirrel") is a draft open standard for secure website login and authentication.
Some more resources:
Marcel
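The per-domain challenge signing described in the answer above, as an added Go sketch that is not part of the original answer and is not SQRL's own code or wire format. It assumes an Ed25519 key derived as HMAC-SHA256(master secret, domain); the function names, master secret, domains and nonces are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// siteKey derives a per-domain Ed25519 key pair from one master secret
// (assumed derivation). HMAC-SHA256(master, domain) yields a 32-byte seed,
// so every domain sees a different public key and sites cannot link the user.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// login is the client side: sign the server's challenge with the key that
// belongs to the domain the client is actually connected to.
func login(master []byte, domain string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKey(master, domain)
	return pub, ed25519.Sign(priv, challenge)
}

// verify is the server side: the account is the stored public key, and the
// signature must cover the fresh challenge the server issued for this login.
func verify(stored ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(stored, challenge, sig)
}

func main() {
	master := []byte("constructed-master-secret-for-demo") // constructed sample
	nonce := []byte("constructed-nonce-1")                 // server would use random bytes
	pub, sig := login(master, "example.com", nonce)
	fmt.Println("valid login:", verify(pub, nonce, sig))
	// An old signature does not satisfy a new challenge.
	fmt.Println("old signature, new nonce:", verify(pub, []byte("constructed-nonce-2"), sig))
	// A look-alike domain derives a different key, so its signature is useless here.
	_, otherSig := login(master, "examp1e.com", nonce)
	fmt.Println("signature made for look-alike domain:", verify(pub, nonce, otherSig))
	// A second site sees an unrelated public key for the same user.
	otherPub, _ := siteKey(master, "other.example")
	fmt.Println("same public key on another site:", pub.Equal(otherPub))
}
```

The server stores only the public key, so a database leak exposes nothing that can be replayed as a credential.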
1
Consider FIDO as a standard that's being backed by a lot of large organizations, and has already seen deployments.
roguesys
1
Authenticating using SMS is pretty typical in mobile apps.
Aron
@AndréDaniel cheap and convenient do not make for a system that is NSA proof. – Aron Feb 19 '15 at 17:40