[Discuss] A Little OT: The Password Post-It

[tmetro-blu at vl.com (Tom Metro)]

Chris Tyler wrote:
> What about using single-sign-on with something more than a simple
> password? Perhaps a token generator (Yubikey or RSA token), smart card...

I've been waiting to see someone adopt the idea of using cell phones
with Bluetooth as a form of two-factor authentication. The basic version
would work with any smart or feature phone with Bluetooth, and rely on
the built-in Bluetooth security mechanisms to authenticate the phone and
laptop/desktop. A more advanced version would run an app on a smart
phone and use a PKI exchange.

The advantage to this approach is that 1. no additional devices to carry
or forget, 2. the 2nd factor authentication would be completely
automatic whenever the phone was in range, with no user intervention,
and you wouldn't even need to remove the phone from your pocket.

You could even have such a setup automatically lock the user's screen
when they step away, and unlock it without a password on their return,
providing it hasn't been long since they left (1 or 2 hours?).

I haven't ran across (or looked for) an open source implementation for
this on the laptop/desktop side. I did look for something using PKI (or
other two-factor mechanisms) and Bluetooth in the Android market, but
didn't find anything relevant. (Plenty of two-factor token generators
that require manual interaction.)

But it does look like Samsung owns a patent on the idea:

Public key infrastructure-based bluetooth smart-key system and operating
method thereof
http://www.faqs.org/patents/app/20090136035

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/