New system may spell end for passwords

Researchers, led by an Indian-origin scientist, are developing an easy-to-use, secure login protection that eliminates the need to use a password.
Researchers from the University of Alabama at Birmingham are working on a secure login protection known as zero-interaction authentication.
Zero-interaction authentication enables a user to access a terminal, such as a laptop or a car, without interacting with the device.
Access is granted when the verifying system can detect the user's security token - such as a mobile phone or a car key - using an authentication protocol over a short-range, wireless communication channel, such as Bluetooth.
It eliminates the need for a password and diminishes the security risks that accompany them.

A common example of such authentication is a keyless entry and start system that unlocks a car door or starts the car engine based on the token's proximity to the car.

However, existing zero-interaction authentication schemes are vulnerable to relay attacks, commonly referred to as ghost-and-leech attacks, in which a hacker, or ghost, succeeds in authenticating to the terminal on behalf of the user by colluding with another hacker, or leech, who is close to the user at another location.
"The goal of our research is to examine the existing security measures that zero-interaction authentication systems employ and improve them," said Nitesh Saxena, associate professor in the Department of Computer and Information Sciences and co-leader of the Center for Information Assurance and Joint Forensics Research.

"We want to identify a mechanism that will provide increased security against relay attacks and maintain the ease of use," said Saxena, who led the research.
The researchers examined two types of sensor modalities that could protect zero-interaction systems against relay attacks without affecting usability.
First, they examined four sensor modalities that are commonly present on devices: Wi-Fi, Bluetooth, GPS and audio.
Second, they looked at the capabilities of using ambient physical sensors as a proximity-detection mechanism and focused on four: ambient temperature, precision gas, humidity and altitude.
Each of these modalities helps the authentication system verify that the two devices attempting to connect to each other are in the same location and thwart a ghost-and-leech attack.

The research, done in collaboration with the University of Helsinki and Aalto University in Finland, showed that sensor modalities, used in combination, provide added security.
"Users will be able to use an app on their phones to lock and unlock their laptops, desktops or even their cars, without passwords and without having to worry about relay attacks," said Babins Shrestha, a UAB doctoral student and co-author on the study.