Mobile Secured Authentication
We are working on a new user registration, site access and authentication component utilizing SMS messaging to Mobile phones.
Rules-based system, but the basic flow is as follows:
#1: Login / Registration
    Mobile Number :
    Enter your PIN :
#2: Access verification with Ajax Token
    202-555-1212
    ***********
    Enter Key :
    {timer}
    Your site access key has been sent to your mobile phone.
    Please reply to the SMS or enter the key code for access.
SMS Message:
    Key: SAMPLE
    mysecuresite.com
    IP: 192.168.1.1
    07.07.12:13:52GST
    Reply or enter Key code for access.
Benefits of this security method:
#1: Simple – less code and more secure
#2: Authentication transported in two parts across two separate networks (voice and data)
#3: No Bots – No captcha - No additional user clicks
#4: Privacy – No personal identification or email stored in system.
#5: End user gets an SMS notification and receipt per access.
#6: PIN prevents spam SMS.
#7: Demographic control for site access: i.e. country, area, provider, etc.
#8: One time encryption key for session
#9: Mobile number can be used for license generation, acceptable use, etc.
#10: SMS access to portal users
Cons:
#1: Limits site access to those with Mobile phones on supported networks.
#2: SMS messaging cost (Free to a few cents per login)
#3: SMS message delay for reply authentication (10 seconds)
#4: No "remember me", autologin, etc. (this is for security).
We are looking for ideas and ways to defeat this new authentication scheme. So far we are stumped, as even a wiretap over the data and voice networks would not easily defeat such a system within a 5-minute period, not to mention that the key is limited to the specific IP.
- Flooding and denial-of-service attacks: watchdog / IP banning
- SMS spoofing: PIN with rules lockout
- Lost PIN: 24-hour delay before sending
- Session interception: SSL, or better, SMS one-time encryption key
Applications are financial portals and software downloads; the mobile number can be integrated into the software key to track piracy and abuse. There are lots of applications for this rules-based system.
Feedback please.
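An added example, not code from the post, showing how the server side of the access-key step described above can be implemented: the key is bound to the client IP printed in the SMS, expires after the 5-minute window, is single use, and a wrong-key lockout enforces the PIN-with-rules idea. The class and method names and the 3-attempt limit are assumptions.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

KEY_TTL_SECONDS = 5 * 60   # the 5-minute window from the post
MAX_ATTEMPTS = 3           # assumed lockout rule
KEY_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class PendingKey:
    key: str
    client_ip: str
    expires_at: float
    attempts: int = 0


class SmsAccessKeys:
    """Server side of the SMS access-key step: issue a key, then verify it once."""

    def __init__(self):
        self._pending = {}  # mobile number -> PendingKey

    def issue(self, mobile, client_ip, now, length=6):
        # Fresh random key from a CSPRNG; the caller passes it to the SMS gateway
        # together with the site name and the client IP, as in the sample SMS.
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        self._pending[mobile] = PendingKey(key, client_ip, now + KEY_TTL_SECONDS)
        return key

    def verify(self, mobile, submitted_key, client_ip, now):
        entry = self._pending.get(mobile)
        if entry is None:
            return "no_pending_key"
        if now > entry.expires_at:          # timer ran out
            del self._pending[mobile]
            return "expired"
        if client_ip != entry.client_ip:    # key only valid from the IP it was issued to
            return "ip_mismatch"
        entry.attempts += 1
        if not hmac.compare_digest(entry.key, submitted_key.strip().upper()):
            if entry.attempts >= MAX_ATTEMPTS:   # rules lockout after repeated guesses
                del self._pending[mobile]
                return "locked_out"
            return "wrong_key"
        del self._pending[mobile]            # single use: a replayed key is rejected
        return "ok"
```

The `now` parameter is injected so the expiry logic can be tested without a real clock; in production pass `time.time()`.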