Authentication with Personal Devices

• Many personal devices have rich set of capabilities: sensors, communication, computing power and data storage, and they are “personal”.

• Potentially they can aid the owners in performing authentication and securing communication.

• (User friendliness) + (Security) + ?

Authentication using personal devices

Server

12345

Terminal

User

smartcard

(password, key)

password,biometric

Key, location info.

I. Trust models

1. Personal device is trusted. Terminal untrusted. (Public Kiosk)2. 2-Factor Authentication.3. Personal device is honest but it can be lost. (can’t store sensitive

data).

Server

12345

Terminal

User

smartcard

(password, key)

passwordbiometric

Key, location info

TPM

II. Public Kiosk

S. Garriss, R. Caceres, S. Berger, R Sailer, L. Doorn, X. Zhang. Trustworthy and Personalized Computing on Public kiosk, MobiSys’08

Server

Terminal

User

Personal device to verify that the kiosk has only loaded trustworthy software.

A. Oprea, D. Balfanz, G. Durfee and K.K. Smetters, Remote Terminal Application with a Mobile Trusted Device, ACSAC’04

Server

Terminal

User

tunnel connection

III. 2-factor Authentication

• Personal device as OTP token.

Server

Terminal User

12345

(password, key)

password

KeyMonetary Authority of Singapore expects banks to implement two-factor authentication at login in Internet Banking.

• Using an out-of-band channel. “Mobile authentication”

Server

Terminal

User

sms (text message)

password(password, OTP)

OTP

Can be made secure, but difficult to use.

Server

Internet Terminal

User

key

key

D.E. Clarke, B. Gassend, T. Kotwal, M. Burnside, M. Dijk, S. Devadas, and R.L. Rivest. The untrusted computer problem and camera-based authentication. International Conf. on Pervasive Computing, 2002

visual channel Using OCR to verify the messages and theirsignature

Server

Internet Terminal

User

Image from [Sharp2006] Sharp et al,Secure Mobile Computing Via Public Terminal.

key

key

R. Sharp, J. Scott, A. Beresford, Secure Mobile Computing via Public Terminals. International Conference on Pervasive Computing, 2006

Server

Internet Terminal

User

key, password

key

C. Fang, E.C.Chang, Securing Interactive Sessions Using Mobile Device through Visual Channel and Visual Inspection, ACSAC 2010.

visual channel password

Date

accoun

t

remark

amount

IV. Device honest but can be lost

Server

User

smartcard

key

Key

Terminal

Server

User

key, password

Key

Terminal

password

Device as the “biometric” scanner

Server

User

( k )

biometric

k= H(Key, biometric)

Terminal

the biometricdata are not stored inthe server

• Technical challenges in using biometric data: They are noisy. The key extracted by the cryptographic secure hash has to be consistent even under noise!

– Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, EUROCRYPT 2004.

– Linnartz, J.-P.M.G., Tuyls, P., New shielding functions to enhance privacy and prevent misuse of biometric templates. AVBPA 2003

V. Conclusion

• We can use the computing power of personal device to enhance security.

• Can location information help?