Can I use two-factor authentication like in Yandex.Money on my website?
Today I came up with what seemed to me, at first glance, an original idea for two-factor authentication on my site:
It is assumed that the user registers on the site from a "trusted" computer. When a user registers, a special additional access plate is generated on the server for him and a letter with a picture is sent, containing, for example, the following plate:
... x c h e f
-------------
8 | g f i m p
4 | j 9 h n v
5 | k s l w 7
1 | q x y 4 d
9 | 6 a z 3 t
Such a plate can be printed out, but it is easy and simple to write it down once on a piece of paper and always carry it with you, for example, in your wallet.
When entering the site, the user in the login form is asked to enter an additional code in addition to the login and password, and next to this field a captcha-type picture with the content “x4-c1-e8-h9” is displayed.
This means that the user must look into his table, determine the necessary characters, similar to the numbering of cells in Excel, and enter the code "jxmz".
If the user makes a mistake, the code is changed, and all the usual measures are applied to detect hacking.
I even wrote an article on Habr, but it was immediately pointed out to me that I had “invented” the enhanced authorization in Yandex.Money, and I moved the article to drafts.
I don’t live in Russia and I have never used Yandex.Money; I came up with the idea myself. But since it has already been implemented in Yandex.Money, the question arises: is it possible to use this method on your site? Is this method protected by a patent or otherwise? I googled and didn't find anything about this. Perhaps there are representatives of Yandex on Habr who can answer this question.
Because I accidentally found a similar patent - I decided to continue the discussion in a new question:
Continuation: Can I use two-factor authentication like in Yandex.Money on my site?
Thanks to the latest answer from a Yandex representative, I found a patent protecting this "technology":
www.google.com/patents/US5712627
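A server-side sketch of the plate scheme described in the question, added here as an example; it is not code from the original post or from Yandex.Money. The function and class names are hypothetical, the plate is the sample from the post, and the pending challenge is kept in memory only for illustration.

```python
import hmac
import secrets

COLS = "xchef"  # column labels of the post's sample plate
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
# Sample plate copied from the post: row label -> cells in column order.
SAMPLE_ROWS = {"8": "gfimp", "4": "j9hnv", "5": "kslw7", "1": "qxy4d", "9": "6az3t"}
SAMPLE_GRID = {(c, r): row[i] for r, row in SAMPLE_ROWS.items() for i, c in enumerate(COLS)}

def new_grid(cols=COLS, rows="84519"):
    """Fill every cell independently from the OS CSPRNG (no per-user seed to recover)."""
    return {(c, r): secrets.choice(ALPHABET) for r in rows for c in cols}

def new_challenge(grid, length=4):
    """Pick distinct cells at random, e.g. [('x', '4'), ('c', '1'), ...]."""
    return secrets.SystemRandom().sample(sorted(grid), length)

def format_challenge(challenge):
    """Render the challenge the way the login form shows it: 'x4-c1-e8-h9'."""
    return "-".join(col + row for col, row in challenge)

def expected_code(grid, challenge):
    return "".join(grid[cell] for cell in challenge)

class GridLogin:
    """One pending challenge per login attempt, plus a failure counter."""

    def __init__(self, grid):
        self.grid = grid
        self.challenge = new_challenge(grid)
        self.failures = 0  # input for lockout / alerting logic

    def verify(self, submitted):
        want = expected_code(self.grid, self.challenge).encode()
        # Constant-time comparison; also returns False on length mismatch.
        ok = hmac.compare_digest(submitted.lower().encode(), want)
        # The challenge is single-use: it changes after every attempt, so a
        # wrong guess cannot be retried against the same cells.
        self.challenge = new_challenge(self.grid)
        if not ok:
            self.failures += 1
        return ok
```

Anyone who observes both a challenge and its accepted response learns those cells, so a 25-cell plate loses secrecy with each observed login.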
Hello, I work at Yandex.Money, now we no longer support this authentication method. Our tables were produced and worked under the Entrust license: www.rnbo.ru/catalog/4/29
You should ask Yandex employees about this. After all, if Habr users answer “it is possible”, this will not be a resolution, just a guess.
Our country does not seem to be as sick as the United States, in terms of patents, and in order to understand whether you are violating someone's patent, you need to go through them all. Even if Yandex uses such authentication, it is not a fact that this does not violate the patent of some PupkinTrollPatent LLC.
Oh, here it is, where the dog rummaged... We just started commenting, but put plus signs - bam, and there is no article :)
If in essence, then my guess is that - why not? After all, many send sms, and no one asks permission. Captchas to protect against bots are used everywhere. But someone came up with it!
In my opinion, Yandex will be able to run into only if you copy the method one-to-one, and then the question is, either it is patented (which is unlikely), and if you implement it in your own way, then there will be no crime.
A small addition, no offense to the author - do not complicate people's lives, please. The machine won't even guess to answer x8-c8. They come to this gradually, but not all, so I would like to preempt.
Interesting information on the topic
> Is this method protected by a patent or otherwise?
No, it is fundamentally impossible to protect ideas with patents in Russia.
Basically the question has already been answered.
As for the proposed algorithm, there are many disadvantages. The main one is that it is more tied to the key-value computer logic than to the human one. In addition, you will either have to generate fields using the same algorithm (and this is a potential hole), or store a large amount of unique static information (which has the same chances of being leaked as arrays of password hashes).
Yes, it’s a dupe, it’s cumbersome to add numbers. A bunch of banks have two-factor authorization, a certain number is shown on the keychain and once in a while it changes, it’s simple and convenient.
The keychain is sent by mail without any problems.