December 18, 2013
Here at Cyphercor we do a lot of development work to bring you improvements in security and usability, but that doesn’t mean we’re always coding or reading the latest developments in mobile security. We’re not content to rest on our laurels, so we do a lot of brainstorming and innovating too. As part of our roadmap, we’ve been thinking about wearable devices, and how those could fit into the process of authenticating. In this article, we’ll be exploring what we think the near future of two factor authentication could look like.
One of the wearable devices we have a few of around the office is the Pebble smartwatch. The nice thing about the Pebble is that all notifications intended for your phone also appear on the watch. This could be used to reduce the time you need to spend dealing with login requests you didn’t make.
Imagine you’re busy with something when your phone buzzes. You’ve got to grab your phone from your pocket or bag, unlock the screen, and view the notification. If it’s a notification for a request you didn’t make, you can deny it, but why should it take up your time? Now imagine that you’ve got the Pebble. When the notification arrives, you can check your wrist, and if you don’t want to deal with it, just dismiss the notification right there. This saves you the time you otherwise would have wasted dealing with your phone before you found out that you didn’t need to respond. On the other hand, if you want to accept the notification, you can do that on the Pebble too.
One of the methods that we use to secure LoginTC tokens is dynamic fingerprinting. The basic idea is that we include measurements of the environment, such as device IDs, as part of tokens. When a user wants to approve a request and log in, the app measures the environment again, to see if it’s the same. Wearables could help make those fingerprints much more interesting.
Years ago, a person might have carried an average of 0.2 mobile devices. Today, that number is higher, maybe 1.2 devices per person on average. In the future, it could be higher still, as devices like the Pebble smartwatch or the Nike+ Fuelband become commonplace. All these devices communicate wirelessly, forming what is known as a Body Area Network around a person. It would be possible to include this in the dynamic fingerprint, perhaps finding the devices that a person typically carries, or wears, and only authenticating if the right ones are present. In this way, you’re not only using the device the app is running on as the “something you have” factor, you’re using the other devices they have too.
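As an added illustration (not LoginTC's code), here is one way the measure, store, re-measure and compare idea could work when the fingerprint includes the wearables a person normally carries. All function names and device identifiers are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac
import os


def _tag(salt: bytes, identifier: str) -> bytes:
    """Salted, keyed hash of one identifier, so raw IDs are not stored."""
    return hmac.new(salt, identifier.encode("utf-8"), hashlib.sha256).digest()


def measure(salt: bytes, phone_id: str, enrolled_tags, observed_ids) -> bytes:
    """Fingerprint = phone ID plus the enrolled wearables visible right now."""
    seen = {_tag(salt, i) for i in observed_ids}
    present = sorted(seen & set(enrolled_tags))  # strangers' devices are ignored
    h = hashlib.sha256(_tag(salt, phone_id))
    for t in present:
        h.update(t)  # fixed-length tags, so concatenation is unambiguous
    return h.digest()


def issue_token(phone_id: str, wearable_ids) -> dict:
    """Record the environment at token creation time."""
    salt = os.urandom(16)
    tags = sorted(_tag(salt, w) for w in wearable_ids)
    return {"salt": salt, "enrolled": tags,
            "fingerprint": measure(salt, phone_id, tags, wearable_ids)}


def environment_matches(token: dict, phone_id: str, observed_ids) -> bool:
    """Re-measure at approval time and compare in constant time."""
    now = measure(token["salt"], phone_id, token["enrolled"], observed_ids)
    return hmac.compare_digest(now, token["fingerprint"])


# Constructed sample identifiers, not real devices.
PHONE = "phone-serial-0001"
WATCH = "watch-aa:bb:cc:00:00:01"
BAND = "band-aa:bb:cc:00:00:02"
TOKEN = issue_token(PHONE, [WATCH, BAND])

if __name__ == "__main__":
    print(environment_matches(TOKEN, PHONE, [WATCH, BAND, "stranger-earbuds"]))
    print(environment_matches(TOKEN, PHONE, [WATCH]))  # fitness band left at home
```

Identifiers that a device broadcasts over radio can be copied, so a match here is a presence signal to combine with the other factors, not proof that the genuine wearable is nearby.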
Of course, no discussion about wearable tech today would be complete without at least mentioning Google Glass. There’s a lot you could do given access to a head mounted camera and display. Imagine an app able to sense when you were trying to log in legitimately, and when you weren’t, just based on what you were looking at. It could determine that any incoming requests don’t originate from you, and not bother you with them, or warn you that they might be fraudulent.
Wearable devices aren’t all sensors and displays, though; there are a lot of other features for our developers to play with too. For example, storage onboard the wearable can help increase the security of LoginTC by acting as a second place to put token data. Since it’s possible to write apps for the Pebble, we’re planning to write a LoginTC Pebble app that interacts with the main LoginTC app on the phone. If we split up token data and store some on the phone, and some on the Pebble, then both devices would need to be present to successfully authenticate. Even if your phone is lost or stolen, your tokens are safe, because anyone with the phone presumably doesn’t also have the Pebble, which stays strapped to your wrist. This sort of active participation by smart wearables isn’t a user experience change so much as another way to strengthen the authentication guarantees offered by LoginTC.
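The split-storage idea above can be illustrated with a 2-of-2 XOR split, shown here as an added example and not as the planned LoginTC Pebble app. The function names, the check value and the challenge format are assumptions, and the secret is a constructed sample.

```python
import hashlib
import hmac
import secrets


def split_secret(secret: bytes):
    """2-of-2 XOR split: each share on its own is uniformly random bytes."""
    pad = secrets.token_bytes(len(secret))
    phone_share = pad
    watch_share = bytes(a ^ b for a, b in zip(secret, pad))
    # Check value lets the phone detect a wrong or corrupted share on rejoin.
    # It is safe to store only because the secret is long and random.
    check = hashlib.sha256(b"token-check" + secret).digest()
    return phone_share, watch_share, check


def join_shares(phone_share: bytes, watch_share, check: bytes) -> bytes:
    """Rebuild the secret; fail closed if the wearable's share is absent or wrong."""
    if watch_share is None or len(watch_share) != len(phone_share):
        raise ValueError("wearable share missing or wrong length")
    secret = bytes(a ^ b for a, b in zip(phone_share, watch_share))
    expected = hashlib.sha256(b"token-check" + secret).digest()
    if not hmac.compare_digest(expected, check):
        raise ValueError("shares do not reconstruct the enrolled secret")
    return secret


def approve(challenge: bytes, phone_share: bytes, watch_share, check: bytes) -> str:
    """Answer a login challenge; the secret exists only inside this call."""
    secret = join_shares(phone_share, watch_share, check)
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


# Constructed sample token secret, split once at enrollment.
SECRET = secrets.token_bytes(32)
PHONE_SHARE, WATCH_SHARE, CHECK = split_secret(SECRET)

if __name__ == "__main__":
    print(approve(b"login-request-1", PHONE_SHARE, WATCH_SHARE, CHECK))
    try:
        approve(b"login-request-1", PHONE_SHARE, None, CHECK)  # phone without watch
    except ValueError as err:
        print("denied:", err)
```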
Taking things a step further, what about moving the whole thing to the wearable? Perhaps we’ll have access to powerful new features on wearables in the future that will let us offer secure multi factor authentication without needing a phone app at all. Perhaps voice or gesture-based interfaces could allow the user to provide their PIN directly to the wearable, which would handle the entire authentication. “Ok Glass, log me in.”
LoginTC currently provides two factor authentication, both “something you know” and “something you have”, but there’s a third possible factor, “something you are”. This is the realm of biometrics. Whether it’s something like a fingerprint scanner, a heartbeat sensor, or an accelerometer measuring your gait, biometrics attempts to measure aspects of what you are, and those can be used for authentication. There are already wearables that do measure these things. Devices like the Nike+ Fuelband or the FitBit can do this sort of measurement and are already gaining popularity. Combining biometrics with existing authentication factors can result in a very secure system that is nearly impossible to fool.
Consumer wearable electronics are on the rise, and it would be unwise to ignore this trend. We are always pushing for new ways to bring the security of multi factor authentication to as many people as possible, and this is no exception.