HOW TO WEAR YOUR PASSWORD

We introduce a new authentication paradigm that achieves both a desirable user experience and a high level of security. We describe and demo an implementation of an identity manager in the guise of a smart bracelet. This bracelet is equipped with a low-power processor, a Bluetooth LE transmitter, an accelerometer, and a clasp that is constructed so that opening and closing it breaks and closes a circuit, thereby allowing an automatic detection of when the bracelet is put on and taken off. However, for reasons of cost, design and error avoidance, the bracelet does not have any user interface, nor any biometric sensors: All user interaction is assisted by third-party devices, such as user phones and point of sale terminals.

Our approach is based on the principle of physical tethering of an identity manager to a user (e.g., by closing the clasp), where the identity manager represents its user's interests after an initial user authentication phase, and until the user causes a disassociation by untethering the device (e.g., by opening the clasp). The authentication phase can be based on any type of authentication, and - to allow for the greatest possible simplicity of design - is aided by a third-party device, such as the user's cell phone.

We describe the physical design, including aspects that protect against violent attacks on users. We also describe the lightweight security protocols needed for pairing, determination of user intent, and credential management, and give examples of usage scenarios, including automated login; simplified online and point-of-sale purchases; assisted appliance personalization; and automated event logging. We then detail the protocols associated with the example usage scenarios, and discuss the security implications of our proposed design.
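The two paragraphs above describe a lifecycle: the bracelet holds no usable identity while the clasp is open, becomes usable only after a phone-assisted authentication step, and drops back to an inert state the moment the clasp is opened. The following Python model is an added illustration of that lifecycle and of the pairing, login and event-logging scenarios; it is not the talk's firmware or protocol. The state names, the SHA-256 digest used for the authentication proof, the HMAC challenge/response with per-service keys, and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    UNTETHERED = auto()  # clasp open: the bracelet represents nobody
    TETHERED = auto()    # clasp closed, but the wearer has not authenticated yet
    ACTIVE = auto()      # authenticated: acts on the wearer's behalf until untethered


class Bracelet:
    def __init__(self, device_secret: bytes, auth_digest: bytes):
        # Provisioned once (assumed design): a device secret for deriving
        # per-service keys, and the digest of the proof the phone-assisted
        # authentication step will present.
        self._device_secret = device_secret
        self._auth_digest = auth_digest
        self.state = State.UNTETHERED
        self.log = []  # event log for the automated-logging scenario

    def clasp_closed(self) -> None:
        if self.state is State.UNTETHERED:
            self.state = State.TETHERED
            self.log.append("clasp_closed")

    def clasp_opened(self) -> None:
        # Opening the clasp is the disassociation event: drop to UNTETHERED
        # unconditionally so no credential can be released afterwards.
        self.state = State.UNTETHERED
        self.log.append("clasp_opened")

    def authenticate(self, proof: bytes) -> bool:
        # The proof arrives via the third-party device (e.g. the phone); the
        # bracelet only checks it, and only while tethered.
        if self.state is not State.TETHERED:
            self.log.append("auth_rejected:not_tethered")
            return False
        if not hmac.compare_digest(hashlib.sha256(proof).digest(), self._auth_digest):
            self.log.append("auth_failed")
            return False
        self.state = State.ACTIVE
        self.log.append("auth_ok")
        return True

    def pair(self, service: str):
        """Pairing: hand a relying party its per-service key (ACTIVE only)."""
        if self.state is not State.ACTIVE:
            return None
        self.log.append(f"pair:{service}")
        return self._service_key(service)

    def respond(self, service: str, nonce: bytes):
        """Automated login: answer a challenge, but only while ACTIVE."""
        if self.state is not State.ACTIVE:
            self.log.append(f"refused:{service}")
            return None
        self.log.append(f"login:{service}")
        return hmac.new(self._service_key(service), nonce, hashlib.sha256).digest()

    def _service_key(self, service: str) -> bytes:
        # Deterministic per-service key so a relying party keeps working across
        # untether/re-authenticate cycles without the bracelet storing it.
        return hmac.new(self._device_secret, service.encode(), hashlib.sha256).digest()


def verify_response(service_key: bytes, nonce: bytes, response) -> bool:
    """Relying-party side: accept the login only if the response matches."""
    if response is None:
        return False
    expected = hmac.new(service_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk the lifecycle with constructed sample values; returns observations."""
    proof = b"phone-assisted-proof"  # constructed sample
    b = Bracelet(device_secret=b"\x01" * 32, auth_digest=hashlib.sha256(proof).digest())
    nonce = b"\x00" * 16  # constructed challenge from a point-of-sale terminal
    out = {}
    out["before_close"] = b.respond("pos", nonce)      # None: untethered
    b.clasp_closed()
    out["before_auth"] = b.respond("pos", nonce)       # None: tethered, not authenticated
    out["bad_auth"] = b.authenticate(b"wrong")         # False
    out["auth"] = b.authenticate(proof)                # True
    key = b.pair("pos")
    out["login_ok"] = verify_response(key, nonce, b.respond("pos", nonce))  # True
    b.clasp_opened()
    out["after_open"] = b.respond("pos", nonce)        # None: untethering ends access
    b.clasp_closed()
    out["reclosed_no_auth"] = b.respond("pos", nonce)  # None: must re-authenticate
    b.authenticate(proof)
    out["relogin_ok"] = verify_response(key, nonce, b.respond("pos", nonce))  # True
    out["log"] = b.log
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes explicit is that the clasp is the sole disassociation signal: every credential-releasing operation is gated on ACTIVE, and opening the clasp resets that state unconditionally, so a bracelet removed from its wearer is inert until the phone-assisted authentication is repeated.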