WebCallerID: Leveraging cellular networks for Web authentication

摘要

Web authentication that is both secure and usable remains a challenge. Passwords are vulnerable to phishing attacks, while physical tokens face deployment obstacles. We propose to leverage the authentication infrastructure of cellular networks to enhance Web authentication. We design WebCallerlD, a Web authentication scheme that uses cell phones as physical tokens and uses cellular networks as trusted identity providers. Since WebCallerlD requires no user participation during authentication, it prevents security mistakes by users. WebCallerlD also prevents rogue websites from replaying authentication assertions or stealing users' identities. We have implemented a prototype of WebCallerlD using the OpenID framework. The prototype shows that WebCallerlD seamlessly integrates into OpenlD-capable Web authentication while avoiding phishing problems in OpenID and simplifying user participation.