Safelayer Secure Communications

QR-Scan OTP: ergonomic authentication

QR-Scan OTP is a multi-factor authentication application for Android that combines cryptography, one-time passwords and challenges in QR codes.

Download the application from Android Market (link for Android smartphones only) or scan the QR code shown alongside with your Android phone. You can use it as an authentication mechanism at Safelayer Sandbox's Semantic Web Trust Portal (remember that you must register).

For an authentication mechanism to be successful and become widely deployed, it must, above all, be easy to use. It is essential, however, that this simplicity is not detrimental to security. To this end, Safelayer has designed a new, more secure and robust mechanism based on an application installed on an Android mobile phone, which manages and uses asymmetric user keys to authenticate the user to a Web portal.

Despite the apparent complexity of the technologies involved in the system, QR-Scan OTP allows users to authenticate to a website simply by using their mobile phone to take a photo of the temporary QR code that appears on screen.

QR-Scan OTP

The QR-Scan OTP application decodes the QR code, verifies the validity of the content and checks that the server is legitimate to avoid phishing attacks. To authenticate, the user has two options:

  • Online mode. For this mode, the mobile phone must have a data connection for communicating with the server. In this process, which is transparent to the user, the challenge sent by the server is signed with the user's private key and the signed response is sent to the server via a secure connection.

  • Offline mode. In this mode, the mobile phone does not require a data connection for communicating with the server. The application generates a one-time alphanumeric password (OTP) that can be entered in the Web portal manually.
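The online-mode exchange described above can be sketched as follows. This is an added example, not Safelayer's code or wire format: the Ed25519 keys, the JSON payload with its `origin`, `nonce` and `exp` fields, the pinned server key and all function names are assumptions made for illustration.

```javascript
// Added illustration of the online mode; not Safelayer's code or wire format.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Constructed keys: one pair for the portal, one held by the user's phone.
const server = generateKeyPairSync('ed25519');
const user = generateKeyPairSync('ed25519');
const pending = new Map(); // nonce -> issued payload; each challenge is single-use

// Portal: build and sign the payload that would be rendered as the temporary QR code.
function issueChallenge(origin, now = Date.now(), ttlMs = 60000) {
  const nonce = randomBytes(16).toString('hex');
  const body = JSON.stringify({ origin, nonce, exp: now + ttlMs });
  pending.set(nonce, body);
  return { body, sig: sign(null, Buffer.from(body), server.privateKey).toString('base64') };
}

// Phone: verify the portal's signature, origin and expiry before signing anything.
function answerChallenge(qr, pinnedServerKey, enrolledOrigin, now = Date.now()) {
  const body = Buffer.from(String(qr.body));
  if (!verify(null, body, pinnedServerKey, Buffer.from(String(qr.sig), 'base64'))) {
    return { error: 'untrusted server' };
  }
  const { origin, exp } = JSON.parse(qr.body); // safe to parse: signed by the portal
  if (origin !== enrolledOrigin) return { error: 'origin mismatch' };
  if (now > exp) return { error: 'expired' };
  return { body: qr.body, userSig: sign(null, body, user.privateKey).toString('base64') };
}

// Portal: accept a response once, for a payload it issued, with a valid user signature.
function verifyResponse(resp, userPublicKey, now = Date.now()) {
  let claim;
  try { claim = JSON.parse(resp.body); } catch { return false; }
  if (!claim || pending.get(claim.nonce) !== resp.body || now > claim.exp) return false;
  const sigOk = verify(null, Buffer.from(resp.body), userPublicKey,
    Buffer.from(String(resp.userSig), 'base64'));
  if (sigOk) pending.delete(claim.nonce); // replay protection
  return sigOk;
}
```

The phone refuses to sign unless the QR payload verifies against the server key it pinned at enrolment, and the portal discards a nonce after the first valid response so a captured response cannot be replayed.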

This work was co-funded by the Spanish government's Center for the Development of Industrial Technology (CDTI, Centro para el Desarrollo Tecnológico Industrial) as part of the SEGUR@ project, reference CENIT-2007 2004 of the CENIT program (part of the INGENIO 2010 initiative).