We discuss an authentication method using multiple communication channels. This method enables on-line service providers to strongly authenticate their users on a non-trusted communication channel (e.g. using a kiosk PC in an Internet cafe to access the Internet) via trusted communication channels (e.g. a mobile phone network). For the illustration purpose, we use a commonly available configuration in the current marketplace, in which users access service providers through PCs over the Internet and also have mobile phones with user identification capabilities (e.g. UIM), throughout the paper. The method uses a unique identifier (e.g. UIM, device ID or a digital certificate) on a mobile phone terminal to authenticate users so that the users do not have to input any person-identifiable information or to install devices and/or software on the non-trusted PCs?for the authentication. The authentication is done in the following manner. (1) A user reads a session-id of a communication channel between a service provider and a PC using a barcode reader on a mobile phone terminal and (2) sends the session-id through mutual authenticated secure channel over a mobile phone network to the authentication server and (3) the authentication server matches the session-id and binds the user with the corresponding communication channel to provide service to the PC.Our method can also prevent users to be "phished" by double checking the returned authenticator from the service provider.
展开▼
