Infosec for everyone


Wearable Security - Is it the future?

Posted on: 30-Oct-2013
Author: cmk
Imagine this. You reach your office one morning. You remove your laptop from your bag and press the start button. It boots up to your login, without asking for your password. You navigate to your mail. It opens up your mails, again, without asking for your password. Like a good employee, the first thing you want to do is check your Facebook account. You open the browser and go to Facebook. You find yourself logged in to your account without being asked for a password. Poorly implemented security controls? Or the future of security?
There is a lot of buzz around ‘wearable’ technology. The most awaited, of course, being the iWatch. The security fraternity cannot be far behind, can they now? It is the classic battle between ‘something I have’ and ‘something I know’.
We already have security gadgets we can carry around with us. RSA has been giving us those little devices with numbers changing on them every minute in a bid to improve security. It uses both ‘something I have’ and ‘something I know’. The security is great! There are far fewer problems of data breach with this implemented. The problem, however, is the simplicity. It can be secure only if users find it simple. How difficult is it to read a set of numbers from the token and enter it into the computer, you might ask? But simplicity also means fewer steps and fewer things to remember.
What if you forget your token at home one day? Either you have to make an embarrassing call to IT and ask them for a temporary reprieve from all these newfangled gadgets, or you have to go through a series of esoteric steps online to ‘generate’ a static token for the next login. You will then vow never to forget it and promptly keep it in your laptop bag. Of course, the whole purpose is defeated. If you lose your laptop, you lose your token as well. You could keep it attached to your keys, but then, you do tend to forget your keys often.
The next step for this kind of technology is, of course, having a gadget that will enter the details for you, and not just give you a screen with some numbers. And of course, the best technology for that is USB. Enter companies like Yubico (http://www.yubico.com), which have interesting solutions to this problem. They focus on simplifying the process of reading numbers and entering them on websites. You can just insert your USB device into the slot and press a button. No more tedious number-entering process. One more step towards simplification.
The last I read, Google was working with Yubico’s USB key to release a keyring that can also use near field communication (NFC). Another step towards simplifying the authentication process. No need to insert a USB device into the socket and press a button. It sounds like too much work. I just keep the token with me.
Now, this token need not be in the shape of a USB device. It can be of any shape. A watch. A ring. Jewellery. Anything. In fact, you need not use boring PRNGs (Pseudo Random Number Generators) to generate random numbers to serve as seeds to the encryption. You can use anything from your own heartbeat (http://www.bionym.com) to your running / walking style to generate the seed, or in fact, just authenticate you! It is a wonderful time to be alive! You are moving from ‘something I have’ and ‘something I know’ to ‘something I am’ and ‘something I know’.
Of course, while this reduces the chance that you might lose your device, it does not stop someone from putting you under duress and trying to get you to unlock your precious system. The key issue with this new, simpler, wearable security is this: it either reduces your security by removing one factor of authentication (the ‘something I know’ factor) or it increases the risk of a total compromise if the device is stolen / lost. Of course, if it works only using the owner’s heartbeat, then that takes care of everything.
Can we be really far from embedding little chips into our body to ease the process of authentication?