Question
What would be a good way to authenticate a user to a smart phone? By good, I mean that it is both secure, and user-friendly. Passwords don't seem to be the best fit because a password needs to be long to be secure, but it is hard to type a long password on a smart phone. Some thoughts I have begun to think about are biometric measures (e.g. possibly facial recognition), and / or a token. I am interested for this question in authenticating to the phone. As pointed out in the comments, my original question was too broad, so I am splitting the other portion into another question here: What is a good way to authenticate a user to websites and applications with a smart phone?
Explanation / Answer
Your best bet might be to use the standard methods as mentioned in Ohnana's answer along with a strong second-factor authentication using U2F.
Yubico's YubiKey NEO allows secure TLS-channel second-factor authentication, even over NFC, if I remember the spec correctly. You're using a hardware security module, so this, combined with a strong inconvenient password would be a very strong way of verifying that the user is who they claim to be.
Even crazier would be to write a GPG smart card driver for Android which would use the OpenPGP applet in said YubiKey NEO to have a server/phone-initiated one-time challenge where the user would have to enter the key to their smart card in order to decrypt, sign, and return a challenge from the server/phone. You'd need a USB dongle, though, as there's no NFC protocol for GPG if I recall correctly.
The sky's the limit. Make sure the phone's encrypted with a strong inconvenient passphrase, and make it power down after more than 5 incorrect login attempts.