
  1. Open Security Key

    Submitted by #dongle

    This is a hardware and server software solution to improve security when logging in to web sites from a shared terminal. It allows a user to log in using a public computer without revealing credentials that can be used to log them in a second time. This will prevent an account being compromised if passwords are captured by concealed cameras or key logging software.

    The hardware part of the solution is based around the Arduino microprocessor board. The hardware produces a sequence of characters generated using a SHA1 based algorithm, a secret shared with the server, and an incremental value.

    The web service's login screen needs to have a field added for this value to be entered, but most of the implementation is included in our library code. In our example implementation we produced a PHP library, but this is easily portable to other development platforms. The library manages authentication and synchronisation and only requires a small backing store.

    This is not all new technology, and there are commercial products on the market solving the same problem, but these solutions are closed and carry a high per-seat cost. This implementation is open to all and can be implemented at a low cost.

    We are currently using four alpha characters that the user needs to type, giving 4.5 times the entropy of the lower end commercial solutions, while remaining easy for a user to enter in one go.

    Time information on the server side is retrieved using the Yahoo! API.

    • #dongle Members
    • Alistair MacDonald
    • Nigel Crawley
    • Mr Duck
    • Status
    • Finished
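
The server-side check and counter resynchronisation described above, as an added sketch that is not the project's own library code. It assumes HMAC-SHA1 over the counter with HOTP-style truncation, lowercase letters, a look-ahead window of 10 and an in-memory dict as the backing store; all names are hypothetical, and Python stands in for the PHP library.

```python
import hashlib
import hmac
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
CODE_LEN = 4      # four alpha characters, as stated on the page
LOOK_AHEAD = 10   # assumed: how many unused key presses the server tolerates


def code_for(secret: bytes, counter: int) -> str:
    """Derive the four-letter code for one counter value (assumed HOTP-style)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    letters = []
    for _ in range(CODE_LEN):
        value, idx = divmod(value, len(ALPHABET))
        letters.append(ALPHABET[idx])
    return "".join(letters)


class Verifier:
    """Server side: the backing store holds one secret and counter per user."""

    def __init__(self):
        self.store = {}                             # user -> (secret, next counter)

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        self.store[user] = (secret, counter)

    def verify(self, user: str, submitted: str) -> bool:
        if user not in self.store:
            return False
        secret, expected = self.store[user]
        guess = submitted.strip().lower().encode()
        for counter in range(expected, expected + LOOK_AHEAD):
            if hmac.compare_digest(code_for(secret, counter).encode(), guess):
                # Advance past the accepted counter so this code and every
                # earlier one can no longer be replayed.
                self.store[user] = (secret, counter + 1)
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"        # constructed sample value
    server = Verifier()
    server.enroll("alice", demo_secret)
    skipped = code_for(demo_secret, 3)              # key pressed three times unused
    print(server.verify("alice", skipped), server.verify("alice", skipped))
```

With a window of 10, a single blind guess succeeds with probability 10/26^4, so the login form still needs a limit on failed attempts per account.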

Copyright © 2010 Yahoo! Inc. All rights reserved.