Hello,

I would like to share with you the results of my efforts, here is the fact: I developed an interesting solution that I would like you to try.

I hope you'll be interested in testing it and deploying the idea....

Take a little time to read the text below, and then go to the testing site I published, it 'should' work well from any country, actually I tested it in Ireland, Switzerland and Italy...

The test site is at this address

http://www.exosystem.it/eng/soluzioni/saint_test.php

(please note that a JAVA virtual machine needs to be installed on your PC, either the SUN jvm, or the latest MS jvm, which is no longer available from MS, but I could send you an address for downloading it if you need...)

Thanks in advance for your collaboration, and I hope to find someone to remain in touch with for the deployment....
waiting for your comments,

send your comments to nosp_orlandi.marco@libero.it
(drop nosp_ and have the correct mail)

Ciao
Marco
--------------

SAINTlogin, a brief introduction

Basically it's a simple idea, but I found that it's not so easy to explain in words, so I put on the internet a real testing solution, I'll try to be as clear as possible explaining it, so maybe you can test it and tell me your impressions, since I'm looking for people abroad to support the idea and the business behind it...

1) The problem

On-line services are often deployed using subscriptions, users receive a userid/password to access the web site online.

This practice leads (obviously) to undesired access from unauthorized people, it is the so called 'password-sharing', and it's something webmasters and online publishers do not appreciate at all.

Let's say, for example, that I publish a service for on-line news, it exposes a daily web-newspaper, if I sell yearly subscriptions for 100$, more people could share the same subscription and I lose much money....

Handling rotating passwords could partly solve the problem, but it's not so easy to manage and users won't appreciate much the fact of frequent password change.

2) Solutions

-The problem could be afforded by using certifications, but certificates are, basically, simple files that could also be shared, and the solution is not easily portable, so what if I want to have access from other PCs than the one on which I installed the certificate ?... And what if my PC loses data on the hard disks ?

-One other solution could be selling subscriptions together with hardware smart-cards or hardware tokens (i.e. USB), but that implies using hardware, a solution that is not well accepted by users and is expensive for the publisher...

3) SAINTlogin !

The ultimate solution :

I developed a system (a web service) that implements user identification by telephone, that is, the basic idea was :

If my telephone -does have- a smart card inside, and it is unique all over the world, why not use it as a user identification system ?

What I mean is that caller-id on the GSM Phone card is unique and not cloneable....

Note that GSM SIM cards are virtually uncloneable (and this is true, because once cloned they wouldn't be usable, the telephone service provider would not accept two identical gsm sim-card phones being in use at the same time and would block the two immediately if found in simultaneous use... )

I called this system SAINTlogin, it stands for :

Secure Access with Identity Notification by Telephone...

4) How it works :

SAINTlogin is a software system connected to many Nokia GSM phones (the number of phones is expandable, actually I have connected 12; the more concurrent users, the more phones can be added, but note that usage of each phone is limited, just to the time of user login !)

SAINTlogin is written in pure JAVA and ASP (Vb,Javascript) and it's built on a Windows NT Service written in C++ and C...

A) When a user goes to the service page, he is asked to simply press a button, then SAINTlogin asks him to dial a number.

B) The user dials the number and 'magically !' (if he/she is registered) access is granted, otherwise not...

To register for an on-line service (actually a demo):

A) go to the registration page, select the desired service, type your name and press the button

B) Send an SMS message to the number shown, including in it the personal code that was displayed

When SAINTlogin receives the message, it checks for the received code on an internal database, and if it exists the user is registered to the service, basically the user's telephone number that comes with the SMS message is stored as a unique user identifier that'll be used to recognize him when access is requested...

Easier to test than to explain !!!

I don't know of any other developer around the world that made something like this, so I want to share it to let it be known, if you want, please forward this letter to other friends that could be interested in deploying this idea too...

5) Advantages of SAINTlogin validation

-Mobile phone usage

Mobile phones are today widely used, there is at least one phone for every person in the developed countries...

-It could work with fixed phones too !

SAINTlogin relies on caller-id, and there is no reason why it couldn't work from fixed phones, and it does, offering the same level of security....

Apart from the demo, which relies on sending an SMS for registration, a provider could manually register users' telephone numbers and manage them for the duration of the subscription, as it would do with normal user id and passwords.

-SAINTlogin is not privacy pervasive !

Although SAINTlogin stores telephone numbers in a users' database, there isn't any direct connection between phone numbers and real user names, the stored identifier can be just a nickname, not the real name, and it is user provided....

-ZERO COSTS !

SAINTlogin is a zero-cost implementation : zero cost for users (no charges for unanswered calls to the system), zero cost for on-line providers, they just have to add a few lines of code to implement the SAINTlogin web service !

6) Where are we going from now on

-SAINTlogin is going to be transformed into a real web service, it could be used by webmasters or site developers to implement secure access for their users, just adding some lines of code to their web pages that invoke the service running on our server (or on other clone SAINTlogin servers around the world)...

- SAINTlogin is going to be a FREE service, or at least it will be with just some limitations on the number of users (small organizations with, say, 50 to 100 users won't pay anything, but large organizations could pay a small per-user price to validate their users and an annual fee...)

- I think that SAINTlogin can be as secure as a credit card, if we link it to a 4-digit PIN code (using the ssl protocol) after the user dialled to login....

-Lots of supplemental services can be built around it, I have many in mind, I'll tell you about them if you're interested...

-I've heard of some companies around the world (someone told me there's a New Zealand bank) implementing something like SAINTlogin. They use GSM phones for their users' validation, but it has never been implemented as a free web service designed to be incorporated in ANY website....

Some of them just send an SMS containing a new password at each requested login, and that's expensive for providers (an SMS at every login) and boring for users who have to wait for the SMS containing a new password each time they log in !

_____________________________________
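The registration and login exchanges described in section 4 of Marco's message, as an added simulation that is not SAINTlogin's own code: the phone-bank numbers, the 120-second validity window, single-use registration codes and the way a pending login is tied to one reserved line are assumptions, and the incoming SMS and caller-ID events are fed in as plain function calls.

```python
import secrets
import time

TTL = 120  # seconds a dial challenge or registration code stays valid (assumed value)

class SaintLoginSim:
    def __init__(self, lines, now=time.time):
        self.now = now
        self.free_lines = list(lines)  # constructed numbers of the phone bank
        self.users = {}                # caller number -> nickname
        self.reg_codes = {}            # personal code -> (nickname, expiry)
        self.pending = {}              # reserved line -> (session token, expiry)
        self.sessions = {}             # session token -> nickname once access is granted

    def start_registration(self, nickname):
        """Registration page: show a personal code the user must text back."""
        code = secrets.token_hex(3)
        self.reg_codes[code] = (nickname, self.now() + TTL)
        return code

    def receive_sms(self, sender, text):
        nickname, expiry = self.reg_codes.pop(text.strip(), (None, 0))  # single use
        if nickname is None or expiry < self.now():
            return False
        self.users[sender] = nickname  # the sending number becomes the identifier
        return True

    def start_login(self):
        """Button press: reserve one phone line for this session for TTL seconds."""
        stale = [ln for ln, (_, e) in self.pending.items() if e < self.now()]
        self.free_lines += stale  # reclaim lines whose challenge expired
        for ln in stale:
            del self.pending[ln]
        if not self.free_lines:
            return None  # every phone is reserved; the user must retry later
        line = self.free_lines.pop()
        token = secrets.token_urlsafe(8)
        self.pending[line] = (token, self.now() + TTL)
        return token, line

    def receive_call(self, line, caller):
        """Caller-ID event from the phone bank; the call itself is never answered."""
        token, expiry = self.pending.pop(line, (None, 0))
        if token is None:
            return False  # nobody is waiting on this line (stray or repeated call)
        self.free_lines.append(line)
        granted = expiry >= self.now() and caller in self.users
        if granted:
            self.sessions[token] = self.users[caller]
        return granted  # False: challenge expired or number not registered
```

The expiry and single-use checks are what keep a leaked personal code or a late call from unlocking a session that has already been abandoned.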