{"title":"A mobile based approach to strong authentication on Web","authors":"G. Me, Daniele Pirro, Roberto Sarrecchia","doi":"10.1109/ICCGI.2006.8","DOIUrl":null,"url":null,"abstract":"The rapid increase of the phishing phenomenon states that the Web authentication systems not based on one time password (OTP) are definitively ineffective in providing financial services. Existent Web authentication systems have been developed on the classic username/password mechanism using a single channel, either mobile or Web, generating an expensive or inadequate authentication system. The proposed solution is a combined Web/mobile authentication system. The basic authentication mechanism is integrated with a challenge/response process and an OTP. The challenge is issued from an authentication server and has to authenticate a mobile device, typically a cell phone. This device can communicate with any other involved parts through a fixed terminal, typically a personal computer, via a Bluetooth connection. The mobile device, once accepted, performs the authentication with the web site or application. This final step is accomplished using a temporary one-time password","PeriodicalId":112974,"journal":{"name":"2006 International Multi-Conference on Computing in the Global Information Technology - (ICCGI'06)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"20","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 International Multi-Conference on Computing in the Global Information Technology - (ICCGI'06)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCGI.2006.8","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 20
Abstract
The rapid increase of the phishing phenomenon shows that Web authentication systems not based on a one-time password (OTP) are definitively ineffective in providing financial services. Existing Web authentication systems have been developed on the classic username/password mechanism using a single channel, either mobile or Web, generating an expensive or inadequate authentication system. The proposed solution is a combined Web/mobile authentication system. The basic authentication mechanism is integrated with a challenge/response process and an OTP. The challenge is issued from an authentication server and has to authenticate a mobile device, typically a cell phone. This device can communicate with any other involved parties through a fixed terminal, typically a personal computer, via a Bluetooth connection. The mobile device, once accepted, performs the authentication with the web site or application. This final step is accomplished using a temporary one-time password.