Two-Factor Authentication Just Got Simpler

A new method could bring TFA to drones and remote sensors


Charles Q. Choi is a contributing editor for IEEE Spectrum.

[Illustration: a drone producing an 8-digit authentication code for two-factor authentication. iStock/IEEE Spectrum]

Two-factor authentication is a cornerstone of modern digital security, protecting banking, email, and many other kinds of accounts worldwide. Now scientists at Sandia National Laboratories in Albuquerque have developed a new, simpler form of two-factor authentication that, unlike conventional methods, does not require generating authentication codes from the current time. They say it could help bring two-factor authentication to many new types of devices that currently cannot support it, including drones, remote sensors, farm equipment, and industrial control systems.

Two-factor authentication (TFA) is a security routine that requires both a password and an additional, temporary code to log into an account, typically delivered by text message, email, or an authenticator app. This kind of authentication is harder to break than one that uses only a password because an attacker must obtain two different kinds of evidence rather than a single secret.

Usually, TFA generates these codes from the current time. Banks might take the time from their own servers, while remote devices often get it from GPS.

All kinds of applications could, in principle, use TFA, such as smart electric meters that require users to log in to change their settings. However, many devices lack the processing power, network bandwidth, or GPS connection to support it, leaving them vulnerable to potential cyberattacks, says Chris Jenkins, a cybersecurity researcher at Sandia.

Moreover, as simple as TFA might seem, it often requires a complex set of transactions behind the scenes. For example, authentication codes from banks often come from third-party vendors, which in turn rely on telecom providers to send codes to phones, Jenkins says.

Simplifying Two-Factor Authentication

Jenkins and his colleagues have devised a simpler variation of TFA that does not require a time stamp and can work directly between two devices without third parties or extensive telecom infrastructures. They suggest it could enable a device as basic as a thermostat to generate its own authentication code.

[Photo: a Black man with glasses smiles at the camera in front of a projection of a broken time code.] Chris Jenkins, a Sandia cybersecurity researcher, developed a new, simpler two-factor authentication method that does not depend on the current time to generate an additional verification code. Craig Fritz

“When this work first started, it was focused on military weapons systems, which can be in GPS-denied environments,” Jenkins says. “So we wanted TFA or something similar where knowing the time wasn’t going to be a requirement.”

Instead of using the current time, the new TFA variant uses a random number generator. “Nothing about TFA in and of itself requires using time,” Jenkins says. “It was just easy, when implementing TFA systems, to use time to generate one-time passwords because of the infrastructure that was already in place.”
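The article does not describe Sandia's algorithm, so the following is an added illustration rather than the Sandia code: it contrasts the conventional clock-driven code (RFC 4226 HOTP and RFC 6238 TOTP, using the test secret from those RFCs) with one textbook way of dropping the clock, a random-nonce challenge and response in which a CSPRNG, not the time, supplies freshness. The function names, the `pending` nonce set and the drift values are assumptions made for the example.

```python
"""Time-based vs. time-free one-time codes (added illustration, not Sandia's scheme)."""
import hashlib
import hmac
import secrets
import struct

# Shared secret as used in the RFC 4226 / RFC 6238 test vectors (constructed input).
SHARED_SECRET = b"12345678901234567890"


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at a MAC-derived offset, keep `digits` decimals."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    return truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """Time-based code (RFC 6238): HOTP with counter = floor(time / step). Needs a clock."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, skew_steps: int = 1) -> bool:
    """Accept a TOTP that matches any step within +/- skew_steps of the verifier's clock.

    The window is why clock drift on a GPS-denied device breaks conventional TFA:
    drift past the window and every code is rejected.
    """
    candidates = (totp(key, unix_time + d * step, step, len(code))
                  for d in range(-skew_steps, skew_steps + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


# --- Time-free alternative: random-nonce challenge / response (hypothetical helper names) ---

def issue_challenge(nbytes: int = 16) -> bytes:
    """Verifier: a fresh nonce from the OS CSPRNG is the freshness source instead of the clock."""
    return secrets.token_bytes(nbytes)


def respond(key: bytes, nonce: bytes, digits: int = 8) -> str:
    """Device: a single HMAC over the nonce, computed once, with no time source at all."""
    return truncate(hmac.new(key, nonce, hashlib.sha256).digest(), digits)


def verify_response(key: bytes, nonce: bytes, code: str, pending: set, digits: int = 8) -> bool:
    """Verifier: the nonce must be one we issued and still unused; discard it so a captured code
    cannot be replayed, then compare in constant time."""
    if nonce not in pending:
        return False
    pending.discard(nonce)  # single use, whether or not the code turns out to match
    return hmac.compare_digest(respond(key, nonce, digits), code)


def demo():
    """Run both schemes on constructed inputs and return the observable results."""
    # Time-based: the RFC 6238 test vector for t = 59, then the same code under clock drift.
    t = 59
    code = totp(SHARED_SECRET, t)
    within_window = verify_totp(SHARED_SECRET, code, t + 30)    # 1 step of drift: accepted
    past_window = verify_totp(SHARED_SECRET, code, t + 120)     # 4 steps of drift: rejected
    # Time-free: no clock consulted anywhere; replaying the same response is refused.
    pending = set()
    nonce = issue_challenge()
    pending.add(nonce)
    resp = respond(SHARED_SECRET, nonce)
    first_use = verify_response(SHARED_SECRET, nonce, resp, pending)
    replay = verify_response(SHARED_SECRET, nonce, resp, pending)
    return code, within_window, past_window, first_use, replay


if __name__ == "__main__":
    print(demo())  # ('94287082', True, False, True, False)
```

The nonce scheme still needs one round trip to deliver the challenge, so it is not a drop-in replacement for an offline authenticator app; what it removes is the shared clock, which is the dependency the article identifies as the obstacle for GPS-denied and sleep-most-of-the-day devices.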

This new work “doesn’t imply that we should abandon current TFA,” says Eric Vugrin, a senior cybersecurity scientist at Sandia. “It’s just that current TFA does not work for everything.”

The new system uses minimal computing resources, and so may prove ideal for devices designed to minimize size, weight, and power use. Such electronics typically lack the kind of processing power needed to run complex security software, Jenkins says.

“Our system can be used in resource-constrained devices,” Jenkins says. “Conventional TFA is always generating new codes as time passes—say, every minute or so. Our system performs the computation once. So for systems that might, say, save energy by waking up just once a day, they don’t have to burn energy every minute performing computations. They can just do everything up front.”

That said, “there’s no reason our system can’t be used for all kinds of applications,” Jenkins says.

Jenkins says that Sandia has a copyright on the code, so anyone interested in using it for TFA would have to go through Sandia’s Licensing and Tech Transfer department to discuss licensing it or establishing a Cooperative Research and Development Agreement.

The scientists found their new system resisted machine-learning-based attacks. In the future, they hope to make it more robust with codes that can be updated dynamically during authentication. “When hackers steal passwords, those secrets don’t change if leaked,” Jenkins says. “So we’re looking for ways to update those secrets in the event that databases get compromised.”
