Is there such an authorization scheme using a smartphone and a QR code?
Is there an authorization scheme for websites like the following, using a smartphone (connected to the Internet)?:
The user enters the "site address" into the address bar.
In the corner of the site's page a QR code for authorization is drawn.
The user points the phone at the QR code and taps the icon of the installed application "Loginer" (let's say that's what it's called).
The user clicks on any internal link of the site (or refreshes the page) and already sees their private data.
If not, then where does a scheme like this fail?:
The user installs the "Loginer" application on the phone.
In this application, the user enters a password.
A hash sum is calculated from the password (let's call it the "password hash sum") and stored in a safe place in the phone's memory.
Registration:
The user enters the "site address" into the address bar.
Presses the "Register" button.
They are shown an input field for their unique nickname/id (let's call it the "user id").
The user enters a unique "user id" and sends it to the site server.
The site server checks the uniqueness of the "user id" and generates a "registration QR code" containing the combination of "user id" and "site address".
The user is shown a page containing the "registration QR code", which holds the (new) "user id" and the "site address".
The user takes out their phone and launches the "Loginer" application.
The "Loginer" application scans the "registration QR code", from which it obtains the "user id" and "site address".
The pair of "user id" and "site address" is stored in a safe place on the phone.
The "Loginer" application concatenates the "user id" with the "password hash sum" and calculates the hash sum of the resulting string (let's call it the "id hash sum").
The "Loginer" application sends the pair of "user id" and "id hash sum" to the "site address".
The site server saves the resulting pair ("user id" and "id hash sum") to the database.
Login:
The user visits the "site address".
The server generates a "login QR code" containing a new "session id" and the "site address", and asks the browser to store the "session id" in a cookie.
Using the "Loginer" application, the user scans the "login QR code" and obtains the "session id" and the "site address". By the "site address", the corresponding "user id" is looked up in the phone's memory and the "id hash sum" is regenerated. The "id hash sum" and "session id" are concatenated and the hash sum of the resulting string is calculated; let's call it the "session hash sum".
The triple of "session hash sum", "session id" and "user id" is sent to the "site address".
The server checks whether the "session id" coming from the phone is fresh.
The site server looks up in its database the "id hash sum" corresponding to the "user id".
The server concatenates the "id hash sum" and "session id", calculates the hash sum of the resulting string and compares it with the "session hash sum" received from the phone. If they match, the "user id" is assigned to the "session id".
The next time the client makes a request with the "session id" set in the cookie, the server checks which "user id" it corresponds to and starts serving private data.
PS: Maybe I just don't know how to search, but queries like "authorization by smartphone" return terrible junk, apart from the very good method of authorization by sending messages (in some way) to a smartphone.
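The registration and login exchange described in the question, simulated end to end, as an added example: this is editor-added code, not code from the question or from any real "Loginer" app. Both sides live in one Python file, `Loginer` standing in for the phone and `SiteServer` for the site, with plain dicts in place of the phone's storage and the server database. Everything the question leaves open is an assumption here: SHA-256 as the "hash sum", a 60-second freshness window for the login QR (`QR_TTL`), `secrets.token_urlsafe` for the session id, and the constructed site `example.invalid`, users `alice`, `bob`, `carol` and their passwords.

```python
import hashlib
import hmac
import secrets
import time

def hashsum(*parts: str) -> str:
    """The post's "hash sum" of a concatenated string; SHA-256 is an assumption, the post names no hash."""
    return hashlib.sha256("".join(parts).encode("utf-8")).hexdigest()

class Loginer:
    """The phone app: keeps the password hash and the (site address -> user id) pairs it has scanned."""
    def __init__(self, password: str):
        self.password_hash = hashsum(password)  # "password hash sum", kept in phone storage
        self.accounts = {}                      # site address -> user id

    def scan_registration_qr(self, qr: dict) -> dict:
        self.accounts[qr["site"]] = qr["user_id"]
        id_hash = hashsum(qr["user_id"], self.password_hash)   # "id hash sum"
        return {"user_id": qr["user_id"], "id_hash": id_hash}  # message sent to the site

    def scan_login_qr(self, qr: dict) -> dict:
        user_id = self.accounts[qr["site"]]
        id_hash = hashsum(user_id, self.password_hash)
        return {"user_id": user_id, "session_id": qr["session_id"],
                "session_hash": hashsum(id_hash, qr["session_id"])}  # "session hash sum"

class SiteServer:
    """The site: registration and login endpoints plus the cookie -> user id table."""
    QR_TTL = 60  # seconds a login QR stays "fresh"; the post gives no value, 60 is assumed

    def __init__(self, address: str, clock=time.time):
        self.address, self.clock = address, clock
        self.users = {}           # user id -> id hash sum (saved at registration)
        self.pending_reg = set()  # user ids for which a registration QR was issued
        self.pending_login = {}   # session id -> time its login QR was issued
        self.sessions = {}        # session id (the cookie) -> user id

    def register_start(self, user_id: str) -> dict:
        if user_id in self.users or user_id in self.pending_reg:
            raise ValueError("user id is already taken")
        self.pending_reg.add(user_id)
        return {"site": self.address, "user_id": user_id}  # "registration QR code"

    def register_finish(self, user_id: str, id_hash: str) -> None:
        if user_id not in self.pending_reg:
            raise ValueError("no registration in progress for this user id")
        self.pending_reg.remove(user_id)
        self.users[user_id] = id_hash

    def login_start(self):
        session_id = secrets.token_urlsafe(32)
        self.pending_login[session_id] = self.clock()
        return session_id, {"site": self.address, "session_id": session_id}  # (cookie, "login QR code")

    def login_confirm(self, user_id: str, session_id: str, session_hash: str) -> bool:
        issued = self.pending_login.get(session_id)
        if issued is None or self.clock() - issued > self.QR_TTL:
            return False  # unknown, already used, or expired: not "fresh"
        id_hash = self.users.get(user_id, "")
        if not id_hash or not hmac.compare_digest(hashsum(id_hash, session_id), session_hash):
            return False
        del self.pending_login[session_id]   # one login QR, one login
        self.sessions[session_id] = user_id  # the "user id" is assigned to the "session id"
        return True

    def whoami(self, cookie: str):
        return self.sessions.get(cookie)

def enroll(server: SiteServer, phone: Loginer, user_id: str) -> None:
    # Registration steps: the server issues the QR, the phone scans it and posts the id hash.
    server.register_finish(**phone.scan_registration_qr(server.register_start(user_id)))

def login_flow() -> str:
    """Happy path: once the phone confirms the login QR, the browser's cookie maps to the user."""
    server, phone = SiteServer("example.invalid"), Loginer("correct horse battery staple")
    enroll(server, phone, "alice")  # constructed sample user and password
    cookie, qr = server.login_start()
    server.login_confirm(**phone.scan_login_qr(qr))
    return server.whoami(cookie)

def replay_rejected() -> bool:
    """A captured (user id, session id, session hash) message does not work a second time."""
    server, phone = SiteServer("example.invalid"), Loginer("pw")
    enroll(server, phone, "bob")
    _, qr = server.login_start()
    msg = phone.scan_login_qr(qr)
    return server.login_confirm(**msg) and not server.login_confirm(**msg)

def stale_or_wrong_rejected() -> bool:
    """An expired login QR, and a phone holding the wrong password, are both refused."""
    now = [1000.0]
    server = SiteServer("example.invalid", clock=lambda: now[0])
    phone, other = Loginer("pw"), Loginer("not-the-password")
    enroll(server, phone, "carol")
    other.accounts["example.invalid"] = "carol"  # knows the user id but not the password
    _, qr = server.login_start()
    wrong = server.login_confirm(**other.scan_login_qr(qr))
    now[0] += SiteServer.QR_TTL + 1
    stale = server.login_confirm(**phone.scan_login_qr(qr))
    return not wrong and not stale
```

`login_flow()` returns `"alice"`, and the two checker functions return `True`. One property of the scheme as written is visible in `login_confirm`: the "id hash sum" the server stores is the very value the phone hashes with the session id, so on the server it is a shared secret rather than a one-way password verifier, and the table must be protected accordingly.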
A similar authorization scheme is used on the liqpay.com website.
There, a unique random 16-digit numeric code is encoded in the QR code (of the form login_XXXXXXXXXXXXXXXX).
In the Android application you can enable QR code scanning mode. As soon as the application finds the required QR code, it asks whether we really want to log in. If yes, a request with this code is sent from the smartphone to the server (naturally, the application is itself logged in to liqpay), and the login is confirmed.
A JS script on the page makes a request to the server every 15 seconds at the URL /inapi?code=login_XXXXXXXXXXXXXXXX&action=qrcode_ajax.
In response it receives the authorization result. If it passed, a session is created, the page reloads and we get into the private part of the site.
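The flow this answer describes, as an added example (editor's code, modelled on the description above, not liqpay's code): the browser receives a one-time code, the phone app, already logged in as some user, confirms it, and the browser's periodic poll turns a confirmed code into a session. Assumed details: the class and method names, the status strings, that a code is consumed on the first successful poll, and that `phone_user` is whatever account the phone's own authenticated session belongs to (a real server would read it from that session rather than take it as a parameter).

```python
import secrets

class QrLoginServer:
    """One-time login codes: confirmed by an authenticated phone app, polled by the browser."""
    def __init__(self):
        self.codes = {}     # login code -> None while pending, user id once confirmed
        self.sessions = {}  # browser session id -> user id

    def new_code(self) -> str:
        """Code shown in the QR: 16 random digits, as in the answer."""
        code = "login_" + "".join(secrets.choice("0123456789") for _ in range(16))
        self.codes[code] = None
        return code

    def confirm(self, phone_user: str, code: str) -> bool:
        """Called by the phone app after the user agrees; phone_user comes from the app's own login."""
        if code not in self.codes or self.codes[code] is not None:
            return False  # unknown, already confirmed, or already consumed
        self.codes[code] = phone_user
        return True

    def poll(self, code: str) -> dict:
        """What the /inapi?code=...&action=qrcode_ajax poll would answer; consumes the code on success."""
        if code not in self.codes:
            return {"status": "unknown"}
        user = self.codes[code]
        if user is None:
            return {"status": "pending"}
        del self.codes[code]  # a code yields exactly one session
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return {"status": "ok", "session": session_id}

def browser_flow() -> tuple:
    """(first poll, poll after the phone confirms, user behind the new session, poll once more)."""
    server = QrLoginServer()
    code = server.new_code()
    before = server.poll(code)["status"]
    server.confirm("alice", code)  # constructed: the phone app is logged in as alice
    after = server.poll(code)
    again = server.poll(code)["status"]
    return before, after["status"], server.sessions.get(after.get("session")), again
```

`browser_flow()` returns `("pending", "ok", "alice", "unknown")`; a confirmation for a code the server never issued returns `False`.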
I haven't seen this method, but it's a good idea. Only, all this convoluted description of the algorithm could be replaced with this one: there is some code in the QR code. The loginer goes to the site, logs in and enters this code. The window automatically reloads and you are taken to your page. Patent it before it's too late.
I would make it simpler))))
1. Login: stored in cookies or entered manually.
2. The login went to the server; the server has generated session IDs and is waiting…
3. The login, a timestamp and hash=md5(md5(pass)+timestamp) are sent from the smartphone
(md5(pass) is stored on the server and on the smartphone)
4. The server checks that the hash equals the hash computed from the formula's parameters, and if TIMEOUT has not expired (10 seconds, for example, so the browser can refresh the wait via AJAX), it returns the list of active sessions for this user.
After that you can do anything (for example, if there is more than one session, then you logged in from several computers at once with the same password!!!):
For the sessions on the smartphone you can see the IP, initialization time, browser, screen resolution, ip2town, etc.,
and enter a session in one click from the smartphone with the necessary rights and settings, straight to the desired tab, etc.
You can protect entry into a session with a PIN code, or forcibly kill all sessions on the server...
That's enough fantasizing)