Abstract An investigation into the ability to extend the authentication credentials stored on a smartphone to a nearby computer. A system (QRAuth) was built that allows users to log in to a web service in their browser by scanning a barcode embedded on the page from their smartphone. The system was then integrated in to another ap- plication, allowing the user to extend their smartphone experience to their computer on a temporary basis. The method developed fulfilled its requirements; However is a proof-of-concept, and would need further development in order to be ready for a production environ- ment. Most notably, the systems developed were reliant on third party services for core functionality and lacked end-to-end request encryption. ii Dissertation Declaration I agree that, should the University wish to retain it for reference purposes, a copy of my dissertation may be held by Bournemouth University normally for a period of 3 academic years. I understand that once the retention period has expired my dissertation will be destroyed. Confidentiality I confirm that this dissertation does not contain information of a commercial or confiden- tial nature or include personal information other than that which would normally be in the public domain unless the relevant permissions have been obtained. In particular any information which identifies a particular individual's religious or political beliefs, infor- mation relating to their health, ethnicity, criminal history or sex life has been anonymised unless permission has been granted for its publication from the person to whom it relates. Copyright The copyright for this dissertation remains with me. Requests for Information I agree that this dissertation may be made available as the result of a request for infor- mation under the Freedom of Information Act. Signed: Name: Date: Programme: Original Work Declaration This dissertation and the project that it is based on are my own work, except where stated, in accordance with University regulations. Signed: iii Acknowledgements I would like to thank Dr Andrew Main for his guidance and support throughout the project process. The QRAuth logo was provided courtesy of Jonathan Ginn, who I also thank. Finally, I am grateful to the authors and contributors of the open source projects used: AFNetworking and ZXing. iv Contents 1. Introduction 1 1.1. Goals . .1 1.2. Approach . .1 2. Background Reading 3 2.1. Authentication . .3 2.2. Existing Methods . .4 2.2.1. NFC . .5 2.2.2. Bluetooth . .5 2.2.3. Bump . .5 2.2.4. Single Sign-on Services . .5 2.3. Smartphone Platforms . .6 3. Proposed Development Methods and Tools 8 3.1. Development Methodologies . .8 3.2. Languages and Frameworks . .9 3.3. Version Control System . 10 4. Project Considerations 11 4.1. Criteria . 11 4.2. Constraints . 11 4.2.1. Time . 11 4.2.2. Equipment . 12 4.2.3. Technical Understanding . 12 4.2.4. Monetary Requirements . 12 5. QRAuth: Design 13 5.1. Process Overview . 13 5.1.1. Login Page Scanning and Identification . 13 5.1.2. Authentication Request . 14 5.1.3. Login Allocation on the Web Server . 14 5.1.4. Trigger Login Success on Client Page . 14 5.2. Process Walkthrough . 15 5.2.1. Installation . 15 5.2.2. Authentication Process - User's perspective . 15 5.2.3. Authentication Process - Technical Overview . 15 5.3. Ruby on Rails Server Application Details . 16 5.3.1. QR Code . 16 5.3.2. Deferred Web Login Process . 17 5.3.3. Web Client Notification . 17 v 5.3.4. API Endpoints . 18 5.3.5. Testing . 19 5.4. iOS Mobile Application Details . 19 5.4.1. QR Code Scanning . 19 5.4.2. Network Requests . 19 5.5. Designs . 19 5.5.1. Login View . 20 5.5.2. User View . 20 5.5.3. Scanning View . 20 5.6. Implementation Stages . 21 6. QRAuth: Implementation 22 7. QRAuth: Evaluation 24 7.1. Problems and Concerns . 24 7.2. Code Documentation . 24 7.3. Does it Meet the Criteria? . 25 7.4. Reflection on Methods . 27 8. Slides: Design 28 8.1. Ruby on Rails Server . 29 8.2. API Endpoints: . 29 8.3. Site Design . 30 8.4. Objective-C iOS Application . 30 8.4.1. Method . 30 8.4.2. Designs . 31 8.4.3. Implementation Stages . 31 9. Slides: Implementation 33 10.Slides: Evaluation 35 10.1. Problems . 35 10.2. Does It Meet the Criteria? . 36 10.3. Reflection on Methods . 37 11.Summary 38 11.1. Goal #1 . 38 11.2. Goal #2 . 39 11.3. Goal #3 . 39 11.4. Methods . 40 11.5. Deviation from Proposal . 40 vi 12.Future Work 41 12.1. Secure Socket Layer (SSL) . 41 12.2. QR Code Generation . 41 12.3. Realtime Notification . 42 12.4. Enhanced Security . 42 12.4.1. Timeouts . 42 12.4.2. Hash-based Message Authentication Codes . 43 12.4.3. Additional Connection Vectors . 43 12.5. Protocol Versions . 43 12.6. Instruction for Use . 44 12.7. A New Paradigm . 44 13.Bibliography 45 Appendix A. Ethics Checklist Appendix B. Turnitin report Appendix C. Project Proposal Appendix D. Work Plan Appendix E. Comparison of Work Plans Appendix F. QRAuth Git Commits Appendix G. Slides Git commits Appendix H. RSpec Unit Test Titles for QRAuth Server Appendix I. QRAuthRails Notable Classes Appendix J. QRAuthIPhone Notable Classes Appendix K. SlidesRails Notable Classes Appendix L. SlidesIPhone Notable Classes Appendix M. CD-ROM Contents Listing vii List of Figures 1. QRAuth login process overview. 13 2. Slides authentication system interactions. 15 3. Spotify and Facebook login views. 20 4. QRAuth login view design. 20 5. QRAuth main view design. 21 6. QRAuth login view screenshot. 22 7. QRAuth main view screenshot. 23 8. QRAuth scanning view screenshot. 24 9. QRAuth authentication system interactions. 28 10. Slides iOS application main view. 31 11. Slides iOS application load/save slideshow view. 31 12. Slides website homepage screenshot. 33 13. Slides scanning view screenshot. 33 14. Slides list view screenshot. 34 15. Slides website logged in screenshot. 34 viii 1. Introduction Desktop computers are often fixed to a physical location and shared between multiple users who may visit the same web applications. When accessing a web application on a computer, the user is often required to log in to their account by entering a username and password combination. Not only is this process required every time a user wishes to access the application from a new computer, but users are often prompted to re-enter their credentials after an extended period of inactivity. Many web services now provide a counterpart smartphone application for mobile access. One difference between web applications and their mobile counterparts is that user login state is maintained indefinitely on a mobile device. Mobile devices by nature belong to an individual user and can be used to confidently identify the device owner. For this reason, internet accounts used on mobile devices do not expire. Given that many users of a web service carry a device with their login state, could a method be developed where a user can use a mobile application to log in to the web application from day to day on the computers they use? The goal of this project is to develop a method allowing the user to share the login state of a mobile application with a web browser session just by being in close proximity. 1.1. Goals 1. Develop a system allowing web authentication via a smartphone, and evaluate its suitability and effectiveness for a live website environment. 2. Determine whether such a system could be added to existing smartphone and web applications, and investigate how this could be achieved. 3. Investigate whether such a system could allow for a new authentication paradigm without the requirement for username and password credentials. 1.2. Approach After a period of background reading and research, a system will be designed and devel- oped from scratch that allows for user authentication via a smartphone application. The system will be demonstrated in a prototype web application with a counterpart iPhone application, QRAuth. The application developed will allow a user.