Posts tagged ideas

You probably saw my previous post about using QR codes as part of an authentication scheme.  I call it “Instant Authentication.”  The idea is fairly simple: scan a QR code from a login screen with your smartphone and then use your smartphone as an authentication device.  Once authorized, Instant Authentication “unlocks” the original login screen by using some websocket goodness.

My intent was to work on a full, two-factor authentication application for my smartphone in support of this scheme.  I decided, however, to take an intermediate step by just using the smartphone’s browser as a simple challenge/response device.  Not two-factor authentication compliant, but still safer and easier to use than a regular username/password.  

Here’s the workflow:

1. You arrive at a login screen of a web site.  It contains an “Instant Authentication” QR code.
2. You scan the QR code with your smartphone, which opens an “authorization” page on your phone.
3. If you have authenticated with the service before, it simply sets a session cookie on your phone, which is transferred to the computer’s login screen via websockets.  Otherwise, it asks for credentials and then repeats step 3.
4. Voila!  You have “logged-in” to a web site by just clicking on a QR code.

Benefits:

1. Easy to use:  Just snap a picture and you’re in.
2. More secure:  You do not need to type your username/password into the login screen.
3. Fast: The QR scan and websockets are fast, fast, fast
4. Fun:  Your users will love using QR codes.

I have a new proof of concept posted here: http://goo.gl/WPfp  It may not be 100% clear what you are seeing, but once you authenticate, check your browser’s cookies and you will see that cookie has been set for instantauthentication.davidcarns.com.

One of the coolest things about Instant Authentication is that it can be delivered as a javascript plugin to your existing website.  It only requires adding a line of javascript to your login page and authentication page. Simple, fast and more secure.

What do you think?

The Interest

QR codes seem like they should be so useful. Two dimensional bar codes for the masses, QR codes can store lots of data in a small space. For example, they can represent URLs, vCards, package contents, etc. But to date, QR codes have been used as nothing more than ad tracking services and URL hyperlinks, thus relegating their popularity to the realm of the :CueCat in the 90’s. 

The Ah-Ha

Still, I am enamored of the QR code. It is so cool, that surely it has potential to be something more than it currently is - so I kept thinking. That’s when I realized the QR codes do not have to represent data, but can also represent actions. Order something off a menu, request more paper in the copy center or purchase more trips on your Metrocard. Yes, QR codes can be a point and click link to an action you want to take, thus bringing technology to static objects via that which you already bring with you (camera enabled smartphones and tablets). So maybe QR codes aren’t so boring after all. 

The New Hook

And that led me to using QR codes for Two-factor authentication (T-FA). Let me explain. T-FA is the concept of logging into a system without just a username and password, but some other form of proof of identity. The “motto” of T-FA is “Something you know, something you have and something you are: pick any two.” The best known implementation of T-FA is RSA’s key fobs, which you have to carry with you (something you have) in order to enter the constantly changing digits on the fobs along with your username and password (something you know). 

The Idea

So my idea is this. Use QR codes on websites as a onetime code you must scan with an app on your  smarphone that has already been authenticated/initialized with your web app. Scanning the QR code with your smartphone (something you have) prompts you to enter a pin (something you know) and the QR code will “unlock” the website without the need to type in your full username and password. Add some modern web magic (like websockets via the backward compatible Socket.io) and you have QR code scanning that unlocks your website instantaneously.  It is Instant Authentication.

*** If you are interested in seeing partial proof of concept code in action, go to this URL: http://goo.gl/6azG. ***

What do you think?  Is this something worth pushing forward? Does it solve problems, or just introduce new ones? I would love to hear your thoughts.

I had an idea for Infobeacons that I eventually put together in a proof of concept application.  I think Bonjour Infobeacons have a lot of promise, but one of my friends, Cory Siansky, raised the idea that Infobeacons would be of greatest use if they were available anyplace, anywhere - regardless of local area network.

With the advent of CoreLocation (both cell tower and wifi triangulation) in the iPhone SDK, we could easily bring Infobeacons to any location.  I think there is a lot to this idea - and I am sure I am not the first to think of it….. 

Here’s the idea:

Info Beacons are simple snippets of information that are available on a local subnet for anyone to view.  An Info Beacon could contain office contact information, personal contact information (think business card), or even advertisements. 

Info Beacons are broadcast using ZeroConf/SD-DNS and are consumed via a simple client application (such as an Apple Dashboard Widget, Google Desktop Gadgets, etc). 

Anyone can broadcast Info Beacons.  They would be useful on corporate networks for quick information access - especially information dissemination to office visitors.  Info Beacons would be useful to free WiFi networks as a way to draw customers to other offerings or for customers to commicate with each other (virtual business contacts).