Zero-Interaction Authentication

"Mobile devices are susceptible to loss and theft because they are small, light, and easy to carry. Unfortunately, they often contain sensitive data that their owners would prefer to keep private. The consequences of exposing such data range from the inconvenience of canceling credit cards to the public loss of state secrets. If a user were content that data on a missing [mobile device] could not be viewed by unprivileged eyes, he could simply replace the [mobile device] and restore from backup."*

Two researchers: Mark D. Corner and Brian D. Noble of the University of Michigan College of Engineering, have conceived of a solution to the security threats posed by the loss or theft of a mobile device called Zero-Interaction Authentication, or ZIA. Currently the solution is designed for use with a laptop but it could be adapted for all mobile devices in the future

The focus of their solution is against data security threats posed by the physical possession of a laptop or proximity to it. "Possession enables a wide range of exploits. If the user leaves his login session open, attacks are not even necessary; the attacker has all of the legitimate user's rights."

Zero-Interaction Authentication is deigned to eliminate the risks associated with the loss or theft of a mobile device. ZIA utilizes two pieces of hardware: the laptop and an authentication token connected by a short range wireless link to secure the data on the mobile device.

As long as the authentication token, which can be worn on a piece of clothing or clipped on to a labcoat pocket, is within range of the computer, the computer's systems function normally. But once the computer is separated from the token, its files automatically become encrypted. "When a user walks away from his laptop to get a cup of coffee, it will sense that he is leaving and begin securing the computer," Noble says. "As he returns, as soon as the user comes within radio range, the [authentication token] will begin unlocking the computer so that it is ready to resume work when the user sits down."

This figure shows the process for authenticating and interacting with the token. Once an unlocked token is bound to a laptop, ZIA negotiates session keys and can detect the departure of the token.

"There are two requirements for system security. First, a user's token cannot provide key decryption services to other users' laptops. Second, the token cannot send decrypted file keys over the wireless link in cleartext form. Therefore, the token and laptop use an authenticated, encrypted link.
Before the first use of a token, the user must unlock it using a PIN. Then he must bind the token and laptop, ensuring that his token only answers key requests from his laptop."*

ZIA uses common encryption protocols but it is the first know system that liberates the user from the requirements of continuously having to enter and/or update secerity passwords.

* Excerpts from the paper "Zero-Interaction Authentication" by Mark D. Corner & Brian D. Noble; Department of Electrical Engineering and Computer Science University of Michigan, Ann Arbor, MI


© PDA cortex. All Rights Reserved
IT's Cutting Edge