Pairwise Authentication of Humans – Schneier on Security

Pairwise Authentication of Humans

Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.

To mitigate that risk, I have developed this simple solution where you can setup a unique time-based one-time passcode (TOTP) between any pair of persons.

This is how it works:

1. Two people, Person A and Person B, sit in front of the same computer and open this page;
2. They input their respective names (e.g. Alice and Bob) onto the same page, and click “Generate”;
3. The page will generate two TOTP QR codes, one for Alice and one for Bob;
4. Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
5. In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.

Simple, and clever.

Tags: authentication, protocols

Posted on February 10, 2025 at 7:00 AM •
22 Comments