@joshthecoder
Created January 21, 2012 22:48
Using mobile devices as authentication devices.
QR code based authentication
============================
This would mainly be used when the user visits a site from a computer
other than their mobile device (e.g. a desktop). QR codes are used to initiate
a handshake.
User Experience
---------------
1. User visits site for the first time.
2. Site displays a QR code.
3. User scans code using authentication app.
4. The mobile device performs the authentication handshake
with the site using the private key stored on the device.
5. Upon successful handshake the site can request additional
information about the user that may be stored on the device
(e.g. name, email, location). The user must approve these requests
before the device sends them. Any information not held on the mobile
device will instead be requested on the computer viewing the site.
6. The site being viewed on the computer will continue (automatically by
scripting, or manually by the user clicking a button or similar).
7. A session cookie will be stored to remember the user for future requests.
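The challenge-response handshake of steps 2 to 7, as an added example in Go that is not part of the gist. The gist names no key algorithm or QR payload format, so Ed25519 device keys, the "origin|nonce" payload, the two-minute expiry and the user/origin names are assumptions; the site enforces single use and expiry of each nonce and verifies against its own origin, never against data echoed back by the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Site keeps each user's registered device public key and the challenges it has
// issued but not yet consumed (nonce -> expiry). Assumed structure, not the gist's.
type Site struct {
	Origin  string
	Devices map[string]ed25519.PublicKey
	Pending map[string]time.Time
}
// message binds the nonce to the site's origin, so a signature is useless elsewhere.
func message(origin, nonce string) []byte { return []byte(origin + "|" + nonce) }
// Issue creates the challenge shown as a QR code (step 2): "origin|nonce".
func (s *Site) Issue(now time.Time) (origin, nonce string) {
	buf := make([]byte, 16)
	rand.Read(buf) // crypto/rand
	nonce = hex.EncodeToString(buf)
	s.Pending[nonce] = now.Add(2 * time.Minute) // assumed validity window
	return s.Origin, nonce
}

// DeviceSign is the mobile side (step 4): sign the scanned challenge with the key held
// on the device and send the result to the origin named in it, not to whoever showed it.
func DeviceSign(priv ed25519.PrivateKey, origin, nonce string) []byte {
	return ed25519.Sign(priv, message(origin, nonce))
}

// Verify completes the handshake: the nonce must be one the site issued, is consumed
// on first use, must be unexpired, and must be signed by the claimed user's key.
func (s *Site) Verify(user, nonce string, sig []byte, now time.Time) error {
	expiry, ok := s.Pending[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.Pending, nonce) // single use, even when the signature turns out bad
	if now.After(expiry) {
		return errors.New("challenge expired")
	}
	if pub, ok := s.Devices[user]; !ok || !ed25519.Verify(pub, message(s.Origin, nonce), sig) {
		return errors.New("signature does not verify for this user")
	}
	return nil // the site now sets its session cookie (step 7)
}
```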
Self authentication
===================
If a site is being viewed on the mobile device that holds the authentication
credentials, no QR code scanning is needed; the handshake can be initiated directly.
Securing credentials on mobile device
=====================================
The authentication credentials (the private key) must be protected in case
the device falls into the wrong hands. There are a few ways to protect them.
First, a password can be created and used to encrypt the key. The key can then only
be used after the user types the password into the mobile device to unlock it.
But the whole point of this scheme is to rid users of passwords. Most mobile devices have
front-facing cameras or audio inputs. Both can be used to capture biometrics that identify
the user and unlock the key only when the actual user asks for it.
Experience using front-facing camera for facial & voice recognition
-------------------------------------------------------------------
1. After the user scans the QR code or visits the site on the device,
the user must unlock the key.
2. The authentication app accesses the front-facing camera and performs
facial recognition. The mic is used to capture the user reading off
words displayed on the screen.
By some algorithmic analysis the private key is decrypted from
this biometric data.
3. The handshake is performed and, once completed, the decrypted key is removed from memory.