John G. Brainard

Fourth-factor authentication: somebody you know

User authentication in computing systems traditionally depends on three factors: something you have (e.g., a hardware token), something you are (e.g., a fingerprint), and something you know (e.g., a password). In this paper, we explore a fourth factor, the social network of the user, that is, somebody you know.Human authentication through mutual acquaintance is an age-old practice. In the arena of computer security, it plays roles in privilege delegation, peer-level certification, help-desk assistance, and reputation networks. As a direct means of logical authentication, though, the reliance of human being on another has little supporting scientific literature or practice.In this paper, we explore the notion of vouching, that is, peer-level, human-intermediated authentication for access control. We explore its use in emergency authentication, when primary authenticators like passwords or hardware tokens become unavailable. We describe a practical, prototype vouching system based on SecurID, a popular hardware authentication token. We address traditional, cryptographic security requirements, but also consider questions of social engineering and user behavior.

Wireless Authentication and Transaction-Confirmation Token

Our new system combines Wi-Fi with user-authentication tokens to authenticate consumer financial transactions. To achieve this goal while maintaining maximum usability and compatibility, our token tunnels data through new side channels including the SSID field, packet timing, and packet length. These new point-to-point side-channels in Wi-Fi allow a token and PC to directly exchange messages – even while the PC is also connected to an access point. The result is a token that can authenticate transactions using only one touch by the user.

An X.509-Compatible Syntax for Compact Certificates

Given an identified need for a compact format for digital certificates in constrained environments like embedded or high-volume systems, an X.509 [22] compatible proposal is described and compared with previous and related work.