For SURFnet we created a mobile authentication application, named ‘Tiqr’.

The app allows users to log in to websites without having to enter a username and password. The website displays a so-called QR Code (a 2D barcode), the user scans this code using the authentication application, and the application securely authenticates the user, based on the identity of the user that is stored on the phone.

This means the user does not have to remember yet another username/password combination, and when using insecure machines such as those in an internet cafe, the user doesn’t have to worry that his password will be stolen.

Features

Some noteworthy features of the solution:

  • Fully based on open security standards such as OATH HOTP and OCRA.
  • Core parts of the solution are open sourced by SURFnet at tiqr.org.
  • Support for multiple identities across a range of services; one app allows the user to log in to many different websites.
  • Support for 2-factor / step-up authentication, where the user logs in using a traditional username/password first, but then proves that she really is who she claims by performing an additional authentication using her phone.
  • Support for push notifications to open the app and authenticate without even having to scan a QR code.

This project is used to explore the possibilities of mobile authentication. Additional features are planned for the future. The app is available in the Apple App Store and the Android Market.

If in the meantime you are interested in deploying mobile authentication within your own applications, please contact us.

Demo

The video below, an episode of the Egeniq Kitchen Table Talks, demonstrates mobile authentication: