118 research outputs found
Recommended from our members
SAVVIcode: Preventing mafia attacks on visual code authentication schemes (short paper)
User Authentication for the Internet of Things
Having been talked about under a variety of names for two or three decades, the Internet of Things is finally coming to fruition. What is still missing, though, is a proper security architecture for it. That currently deployed IoT devices are insecure is testified by the plethora of vulnerabilities that are discovered and exploited daily: clearly “features” are higher priority than “security” in the eyes of the purchasers—and therefore of the manufacturers. But we are talking here of a more structural problem: not “this device is insecure” but “there is no strategic plan and no accepted blueprint to make IoT devices secure”. We should also bear in mind that if purchasers do not understand security vulnerabilities, or cannot articulate their understanding, then manufacturers are unlikely to address them.
In this position paper we do not address IoT security in general: instead we focus specifically on the problem of user authentication, addressing which is a pre-requisite of any security architecture insofar as the three crucial security properties of Confidentiality, Integrity and Availability can only be defined in terms of the distinction between authorized and unauthorized users of the system. However, we should not be misled by the word “authorized”; authorized users may misbehave. ERC 30722
Passwords and the evolution of imperfect authentication
Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology. This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939
Explicit Delegation Using Configurable Cookies
Password sharing is widely used as a means of delegating access, but it is open to abuse and relies heavily on trust in the person being delegated to. We present a protocol for delegating access to websites as a natural extension to the Pico protocol. Through this we explore the potential characteristics of delegation mechanisms and how they interact. We conclude that security for the delegator against misbehaviour of the delegatee can only be achieved with the cooperation of the entity offering the service being delegated. To achieve this in our protocol we propose configurable cookies that capture delegated permissions. We are grateful to the European Research Council for funding this research through grant StG 307224 (Pico)
Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come
User authentication can rely on various factors (e.g., a password, a
cryptographic key, biometric data) but should not reveal any secret or private
information. This seemingly paradoxical feat can be achieved through
zero-knowledge proofs. Unfortunately, naive password-based approaches still
prevail on the web. Multi-factor authentication schemes address some of the
weaknesses of the traditional login process, but generally have deployability
issues or degrade usability even further as they assume users do not possess
adequate hardware. This assumption no longer holds: smartphones with biometric
sensors, cameras, short-range communication capabilities, and unlimited data
plans have become ubiquitous. In this paper, we show that, assuming the user
has such a device, both security and usability can be drastically improved
using an augmented password-authenticated key agreement (PAKE) protocol and
message authentication codes. Comment: International Workshop on Security Protocols (SPW) 201
Red Button and Yellow Button: Usable Security for Lost Security Tokens
Currently, losing a security token places the user in a dilemma: reporting the loss as soon as it is discovered involves a significant burden which is usually overkill in the common case that the token is later found behind a sofa. Not reporting the loss, on the other hand, puts the security of the protected account at risk and potentially leaves the user liable.
We propose a simple architectural solution with wide applicability that allows the user to reap the security benefit of reporting the loss early, but without paying the corresponding usability penalty if the event was later discovered to be a false alarm. The authors with a Cambridge affiliation are grateful to the European Research Council for funding this research through grant StG 307224 (Pico). Goldberg thanks NSERC for grant RGPIN-341529. We also thank the workshop attendees for comments
In Things We Trust? Towards trustability in the Internet of Things
This essay discusses the main privacy, security and trustability issues with
the Internet of Things
Intentionality and Agency in Security
Weiser [13] said that the best software is that which just blends in and disappears. Security software has been at odds with this principle as it attempts to attract user attention whenever possible—it has been largely designed to be visible to the user and ask them to take action. For example, anti-virus software proudly notifies the user how many viruses it has stopped while websites display padlocks and security seals. Users are disrupted in their work by security notifications, asked to read warnings and decide whether they want to heed or ignore them. ERC 30722