Log in Securely Without Password

Monday, June 9, 2014 @ 03:06 PM gHale

Passwords are a common security measure to protect personal information, but who can remember them? Plus, they don’t always prevent bad guys from finding a way into devices.

There is now an easy to use secure login protection in development that eliminates the need to use a password and developers call it zero-interaction authentication, said researchers at the University of Alabama at Birmingham.

How Attackers Bypass Security: Report
Ineffective Password Security Practices
Insider Threat Real; Protection Weak
Aware of Info Loss, Data Still Not Secured

Zero-interaction authentication enables a user to access a terminal, such as a laptop or a car, without interacting with the device. Access ends up granted when the verifying system can detect the user’s security token — such as a mobile phone or a car key — using an authentication protocol over a short-range, wireless communication channel, such as Bluetooth. It eliminates the need for a password and diminishes the security risks that accompany them.

A common example of such authentication is a passive keyless entry and start system that unlocks a car door or starts the car engine based on the token’s proximity to the car. The technology can also provide secure access to computers. An app called BlueProximity enables a user to unlock the idle screen in a computer merely by physically approaching the computer while holding a mobile phone set up to connect with it.

The research into the new capability was from Nitesh Saxena, Ph.D., associate professor in the Department of Computer and Information Sciences and co-leader of the Center for Information Assurance and Joint Forensics Research. The work is in collaboration with the University of Helsinki and Aalto University in Finland.

Existing zero-interaction authentication schemes are vulnerable to relay attacks, commonly referred to as ghost-and-leech attacks, in which a hacker, or ghost, succeeds in authenticating to the terminal on behalf of the user by colluding with another hacker, or leech, who is close to the user at another location, Saxena said.

“The goal of our research is to examine the existing security measures that zero-interaction authentication systems employ and improve them,” Saxena said. “We want to identify a mechanism that will provide increased security against relay attacks and maintain the ease of use.”

The researchers examined two types of sensor modalities that could protect zero-interaction systems against relay attacks without affecting usability. First, they examined four sensor modalities commonly present on devices: Wi-Fi, Bluetooth, GPS and audio. Second, they looked at the capabilities of using ambient physical sensors as a proximity-detection mechanism and focused on four: Ambient temperature, precision gas, humidity and altitude. Each of these modalities helps the authentication system verify the two devices attempting to connect to each other are in the same location and thwart a ghost-and-leech attack.

The research showed sensor modalities, used in combination, provide added security. “Our results suggest that an individual sensor modality may not provide a sufficient level of security and usability,” Saxena said. “However, multiple modality combinations result in a robust relay-attack defense and good usability.”

Platforms that employ sensor modalities to prevent relay attacks in mobile and wireless systems are available on many smartphones or can be added using extension devices, and they will likely become more commonplace in the near future, Saxena said.

“Users will be able to use an app on their phones to lock and unlock their laptops, desktops or even their cars, without passwords and without having to worry about relay attacks,” said Babins Shrestha, a UAB doctoral student and co-author of papers on the subject. “Our research shows that this can be done while preserving a high level of usability and security.”

Leave a Reply

You must be logged in to post a comment.