Alternative OpenDuino authentication
The [/w/index.php?title=Talk:OpenDuino&offset=20110523190102&lqt_mustshow=23 highlighted comment] was edited in this revision. [diff]
feel free to modify these or add your own.
[edit] Possibility A
- Step 1: Log in to an application (ideally a mematool addon)
- Step 2: Print a QrCode that will be valid for at most 2h
- Step 3: Show your QrCode to a webcam installed at the Space's front door
- Step 4: OpenDuino will verify your qrcode and send you a confirmation code to your mobile phone.
- Step 5: You will get an SMS (of course you'll need a mobile phone and have your number registered with us) with a verification code
- Step 6: Show the verification code to the webcam or scribble it on a sheet of paper.
- Step 7: OpenDuino will confirm that you are who you claim to be.
If, at first sight, you compare this to the current auth, this method is more secure. So I try to determine what were the conditions to come up with this procedure.
- the user must give his password
- the user has to be at the front door
- ??? I can't think of anything else
So procedure optimized as follows:
ask via authenticated webpage for a code.
that code is sent via sms and is valid 2h
show the code to the webcam (or via IR or bluetooth)
The difference is that with a login, unless someone wrote down his/her password, you can be reasonably sure that the person entering it is the person s/he claims to be. So s/he needs to fulfill both requirements at the same time. However, if you're using a sheet, there is the risk of someone else stealing or finding it and thus not being who s/he claims to be. Ok, chances that this person (if s/he finds the sheet) knows what purpose it serves are rather slim, but not impossible. (my 2cents)
- IR is not a viable alternative in my eyes because the costs involved will not be much higher than a wifi-capable device.
- Bluetooth is almost as bad as rfid in security terms. (And how do you get the code onto your phone in the first place if it isn't wifi capable?)