SAINTlogin Webservice is online ! CellPhone users validation is now FREE ! NO JAVA IS NEEDED IN LATE

Discussion in 'Computer Security' started by Runner, Oct 16, 2003.

    We developed a WebService which could be of interest for many purposes,
    mainly for secure login at on-line paysites.

    Take a little time to read what it is, and then go to the 'test drive' page,
    It works fine from any country, actually I tested it in Ireland, France,
    Switzerland and Italy...

    The SAINTLOGIN site is at

    PHP sources are downloadable free at the 'downloads' page inside the site...

    We at EXO are looking for people (webmasters and interested service
    providers) to support the basic idea.

    The plan is to set up saintlogin authentication servers in all countries.

    Thanks in advance for your collaboration, and I hope to find someone to
    remain in touch with for the deployment....

    if you wish to contact me just write at the address dropping nosp_ from the
    beginning !

    waiting for your comments,

    Ciao everybody

    SAINTlogin, a brief introduction

    Basically it's a simple idea, but I found that it's not so easy to explain
    in words, so I put on the internet a real testing solution, I'll try to be
    as clear as possible explaining it, so maybe you can test it and tell me
    your impressions, since I'm looking for people abroad to support the idea
    and the business behind it...

    1) The problem

    On-line services are often deployed using subscriptions, users receive a
    userid/password to access the web site online.
    This practice leads (obviously) to undesired access from unauthorized
    people, it is the so called 'password-sharing', and it's something
    webmasters and online publishers do not appreciate at all.

    Let's say, for example, that I publish a service for on-line news, it
    exposes a daily web-newspaper, if I sell yearly subscriptions for 100$, more
    people could share the same subscription and I lose much money....
    Handling rotating passwords could partly solve the problem, but it's not so
    easy to manage and users won't appreciate much the fact of frequent password

    2) Solutions

    -The problem could be afforded by using certifications, but certificates
    are, basically, simple files that could also be shared, and the solution is
    not easily portable, so what if I want to have access from other pcs than
    the one on which I installed the certificate ?... And what if my PC loses
    data on the hard disks ?
    -One other solution could be selling subscriptions together with hardware
    smart-cards or hardware tokens (i.e. usb), but that implies using hardware,
    a solution that is not well accepted by users and it is expensive for the

    3) SAINTlogin !

    The ultimate solution :
    I developed a system (a web service) that implements user identification by
    telephone, that is, the basic idea was :
    If my telephone -does have- a smart card inside, and it is unique all over
    the world, why not use it as a user identification system ?

    What I mean is that caller-id on the GSM Phone card is unique and not

    Note that GSM SIM cards are virtually uncloneable (and this is true,
    because once cloned it wouldn't be useable, the telephone service provider
    would not accept two identical gsm sim-card phones being in use at the same
    time and would block the two immediately if found in simultaneous use... )

    I called this system SAINTlogin, it stands for :

    Secure Access with Identity Notification by Telephone...

    4) How it works :

    SAINTlogin is a software system connected to many GSM phones (the number of
    phones is expandable, actually I have connected 12, more concurrent users,
    the more phones can be added, but note that usage of each phone is limited,
    just at the time of user login !)
    SAINTlogin is written in pure JAVA and ASP (Vb,Javascript) and it's built on
    a Windows NT Service written in C++ and C...

    A) When a user goes to the service page, he is asked to simply press a
    button, then SAINTlogin requires to dial a number.

    B) Users dial the number and 'magically !' (if he/she is registered) access
    is granted, otherwise not...

    To register to an on-line service (actually a demo)

    A) go to the registration page, select the desired service, type your name
    and press the button
    B) Send an SMS message to the number shown, including in it the personal
    code that was displayed

    When SAINTlogin receives the message, it checks for the received code on an
    internal database, and if it exists the user is registered to the service,
    basically the user's telephone number that comes with the SMS message is stored
    as a unique user identifier that'll be used to recognize him when access is

    Easier to test than to explain !!!

    I don't know of any other developer around the world that made something
    like this, so I want to share it to let it be known, if you want, please
    forward this letter to other friends that could be interested in deploying
    this idea too...

    5) Advantages of SAINTlogin validation

    -Mobile phone usage
    Mobile phones are today widely used, there is at least one phone for every
    person in the developed countries...

    -It could work with fixed phones too !
    SAINTlogin relies on caller-id, and there is no reason why it couldn't work
    from fixed phones, and it does, offering the same level of security....
    Apart from the demo, which relies on sending an SMS for registration, a
    provider could manually register users' telephone numbers and manage them
    for the duration of the subscription, as it would do with normal user id and

    -SAINTlogin is not privacy pervasive !
    Although SAINTlogin stores telephone numbers in a user's database, there is
    not any direct connection between phone numbers and real user names, the
    stored identifier can be just a nickname, not the real name and it is user

    SAINTlogin is a zero-cost implementation : zero-cost for users (no charges
    for un-answered calls to the system) zero-costs for on-line providers, they
    just have to add a few lines of code to implement the SAINTlogin web service

    6) Where are we going from now on

    -SAINTlogin is going to be transformed into a real web service, it could be
    used by webmasters or site developers to implement secure access for their
    users, just adding some lines of code to their web pages that invokes the
    running on our server (or on other clone SAINTlogin servers around the

    - SAINTlogin is going to be a FREE service, or at least it will be just with
    some limitations on the number of users (small organizations with, say, 50
    to 100 users won't pay anything, but large organizations could pay a small
    per/user price to validate their users and an annual fee...)

    - I think that SAINTlogin can be as secure as a credit card, if we link
    it to a 4 pin code number, (using ssl protocol) after user dialled to

    -Lots of supplemental services can be built around it, I have many in mind,
    I'll tell you about them if you're interested...

    -I've heard of some companies around the world (someone told me there's a
    New Zealand bank) implementing something like SAINTlogin. They use GSM
    phones for their users validation, but it has never been implemented as a
    free web service designed to be incorporated in ANY website....
    Some of them use just sending an SMS containing a new password at each
    requested login, and that's expensive for providers (an SMS at every login)
    and boring for users that have to wait for the sms containing a new password
    each time they login !

    Runner, Oct 16, 2003
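
The registration and login steps described in the post above, sketched as an added example; this is not the SAINTlogin source, which is not shown on this page. The class and method names, the line pool handling, the timeouts and the phone numbers are all assumptions, and the access decision rests entirely on the caller ID the network reports for the SMS and the call.

```python
import secrets

CODE_TTL = 600   # assumed: seconds a displayed registration code stays valid
LOGIN_TTL = 60   # assumed: seconds a login session waits for the call


class SaintLoginSketch:
    """Hypothetical model of the flow; `now` is passed in to stay deterministic."""

    def __init__(self, lines):
        self.free_lines = list(lines)  # numbers of the attached GSM phones
        self.pending_codes = {}        # code -> (service, nickname, expiry)
        self.subscribers = {}          # (service, phone number) -> nickname
        self.sessions = {}             # number to dial -> (service, expiry)

    def start_registration(self, service, nickname, now):
        # Registration page: show a personal code the user must send by SMS.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[code] = (service, nickname, now + CODE_TTL)
        return code

    def on_sms(self, sender, text, now):
        # The code is single use: it is removed whether or not it is still valid.
        entry = self.pending_codes.pop(text.strip(), None)
        if entry is None or now > entry[2]:
            return False
        service, nickname, _ = entry
        self.subscribers[(service, sender)] = nickname  # bind number to user
        return True

    def start_login(self, service, now):
        # Reclaim lines whose session timed out, then hand out a free one.
        for line, (_, expiry) in list(self.sessions.items()):
            if now > expiry:
                del self.sessions[line]
                self.free_lines.append(line)
        if not self.free_lines:
            return None
        line = self.free_lines.pop(0)
        self.sessions[line] = (service, now + LOGIN_TTL)
        return line                     # the number the user is asked to dial

    def on_call(self, line, caller_id, now):
        session = self.sessions.pop(line, None)
        if session is None:
            return None
        self.free_lines.append(line)    # a line is busy only during login
        service, expiry = session
        if now > expiry or not caller_id:   # late call or withheld number
            return None
        return self.subscribers.get((service, caller_id))
```
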