Abstract:

Objective- Explosive growth of cloud services and web applications has made it impossible for users to manage dozens of passwords for accessing different cloud services. The situation is even worse considering the potential application of massively parallel computing devices such as GPU and ASIC for efficient password cracking. Motivated by a number of recent industry initiatives for online authentication, we present Payment Assistant, an innovative solution for password-less universal login.

Design/Methodology/Approach- Payment assistant aims to improve on passwords with respect to both usability and security. It takes advantages of push message services for mobile devices and enables users to access multiple cloud services by using pre-owned identities, such as email  addresses, together with few taps on their mobile devices. It is resistant to the most common attacks on cloud services such as replay attacks and man-in-the-middle attacks. We also discuss possible extensions for protecting payment assistant from vendor lock-in and single point of failure, in order to ensure payment assistant to be an open and stable authentication system.

Findings- First main step is the web based client registration in order to get access to application. The application requests the user for one time registration process, user identity is checked by e-mail verification. It then requests PMS server to get pms credentials. Pms credentials and user id are sent to application server and in return the server provides OTP to confirm the identity and privacy, all details are protected by use of private key. All the registration details are stored and protected inside application server. The application of the proposed payment assistant  security framework to the recent MintChip Challenge.

Practical Implications- System ensures user privacy and provides better security.

Keywords- MintChip Challenge, Loxin server, PMS server, Certificate Authority