Zero-Interaction Authentication

[powertoad5000]

Zero-Interaction Authentication

Leave an operating laptop unattended on your desk and your sensitive data is accessible to anyone who gets hold of it. To limit this risk many users configure their systems to fall into a "sleep" mode after a period of inactivity and ask for a password before the system can be awakened. This constant re-authentication proves to be a headache for many users. Now a Professor and his graduate student at at the University of Michigan have come up with a system called Zero-Interaction Authentication (ZIA), described in this article in The Age, to protect data on mobile devices. The system works by starting to encrypt data the moment the owner walks away from the system. The owners wear a token with a encrypted wireless link with the laptop. If the token moves out of range the ZIA re-encrypts all data within 5 seconds. If the cryptographic token moves within range the system decrypts the information for the owner. The token, which could take many forms, is currently a wristwatch with a processor running Linux designed by IBM.

Slashdot

The snoop-proof laptop - The Age

Sounds like a pretty good way to keep the data on your laptop secure. Usually increased usability comes at a cost to security, however this authentication process seems to improve security on top of making it easier for the end-user.

[phishphreek]

Its a pretty good idea... but what if you work at multiple PCs? you have to wear multiple tokens?

I'd be too worried that I'd forget my token...
I forget everything else.. cell phone, pda, wallet...

[dspeidel]

It is a great idea in concept but I see two problems with it. The first being ensuring that users wear the token and don't leave it on the desk -which defeats the prurpose of the security but is easy elevate if the token becomes part of the corporate ID.

The second problem I see is performance.

The system works by starting to encrypt data the moment the owner walks away from the system.

Imagine the time to encrypt an entire 20GB (small by todays standards) HD conversely imagine the time it would take to decyrpt it. Besides how does it know what to encrypt first? I imagine that is all configurable but imagine the time involved. It would make more sense to me to lock the system (just like a ctrl-alt-del Lock Computer) when they leave and unlock it when they return.

Cheers,
-D

[powertoad5000]

phishphreek80: although I would tend to agree that it is something that could be left lying around, if it's a wristwatch it shouldn't be too much trouble:

The effectiveness of this scheme depends on a token small enough to be worn unobtrusively, such as an IBM Linux watch. This makes the token much less vulnerable to loss or theft than a device that is carried and often set down.

However, if someone did leave their token lying around somewhere, data could be copied/viewed on the laptop invisibly by anybody with the token, they could then return the token to it's previous spot, and no-one would know they had accessed the laptop.

With a standard laptop:

These systems require an initial decryption key, usually supplied at login time, which is retained by the laptop for later use. As long as that key is retained, anyone holding the laptop has access to the data.

One positive point is that if the laptop working on this scheme is stolen, the data on the laptop will be encrypted and safe since the token will be outside the range of the laptop.

dspeidel:

With careful key management, ZIA imposes an overhead of only 9.3% for representative workloads. The largest file cache on our hardware can be re-encrypted within five seconds of the user's departure, and restored in just over six seconds after detecting the user's return. This secures the machine before an attacker can gain physical access, but recovers full performance before a returning user resumes work.

From the paper itself.

It sounds like it could work, but whether it's worth the trouble of implementing is another thing.

[Wizeman]

This sounds like a job for bluetooth! =)

On a similar note, new Mercedes-Benz automobiles now use a similar technology to start the car. Users bring a token into the car, and the car recognizes the token, and allows the user to start the car.