Emerging Defense
Unbreakable Passwords Are Not Chosen By Users, They Are Derived From Their Lives


What if you could seamlessly generate passwords from your house, car, or room that transparently unlock data when you reside in these environments?

Mobile devices present unique password challenges, yet they also carry many powerful sensors that could replace the password altogether. Today, passwords are a limiting factor in mobile security for two reasons:

  • They can be stolen (through malware, social engineering, etc.)

  • They can be guessed (through brute force or dictionary attacks)

Most sensitive mobile apps derive their encryption keys from user-supplied input, and that input grants access to sensitive data and/or functionality, making it the single weakest link in the mobile security chain. Mobile devices magnify the credential problem in two ways: on-screen keyboard mechanics greatly shrink the keyspace users actually draw from, and the need for separate passwords for each app and for the device itself leads to heavy password re-use.

The driving force of mobile adoption is convenience, and users will more often than not choose the ‘easiest to type’ password they can think of to get to their data and apps faster. Regardless of complexity requirements, users tend to pick a password from the first keyboard ‘screen’ and further reduce its entropy by favouring characters that are easily reached by the dominant thumb.

Mobile app attackers know this and use it to compromise application credentials far faster than a typical brute-force or dictionary attack would: they limit their guesses to a much smaller set of combinations, betting on the roughly 90% probability that the user is right-handed.
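The guessing strategy described above, as an added example that is not part of the original post: restrict candidates to the first (lowercase) keyboard screen and enumerate them cheapest-to-reach first for the assumed dominant thumb. The row layout, the thumb "home" keys (`m` for the right hand, `z` for the left), the Manhattan-distance cost and the function names are all assumptions made for this illustration, not measurements from the post.

```python
"""Thumb-reach ordered password guessing (added example; see lead-in).

Models the attacker strategy described above: restrict candidates to the
first (lowercase) screen of a phone keyboard and rank them by how far the
dominant thumb must travel. The layout coordinates, the thumb "home"
positions and the cost function are assumptions made for this example.
"""
from collections import Counter

# First keyboard screen of a typical phone QWERTY layout, one string per row.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def thumb_cost(ch: str, right_handed: bool = True) -> float:
    """Hypothetical reach cost for one key: Manhattan distance from a thumb
    resting over 'm' (right hand) or 'z' (left hand) on the bottom row."""
    for row, keys in enumerate(QWERTY_ROWS):
        if ch in keys:
            col = keys.index(ch) + 0.5 * row          # rows are staggered
            home_col = 7.0 if right_handed else 1.0   # column of 'm' or 'z'
            return abs(row - 2) + abs(col - home_col)
    raise ValueError(f"{ch!r} is not on the first keyboard screen")


def key_costs(right_handed: bool = True) -> dict:
    """Reach cost of every first-screen key."""
    return {ch: thumb_cost(ch, right_handed) for row in QWERTY_ROWS for ch in row}


def guess_order(right_handed: bool = True) -> str:
    """Single-character alphabet in the order an attacker would try it."""
    costs = key_costs(right_handed)
    return "".join(sorted(costs, key=lambda c: (costs[c], c)))


def cost_distribution(length: int, right_handed: bool = True) -> Counter:
    """How many strings of the given length have each total reach cost.
    Costs are multiples of 0.5, so they are stored doubled as integers."""
    per_key = Counter(int(2 * c) for c in key_costs(right_handed).values())
    dist = Counter({0: 1})
    for _ in range(length):
        nxt = Counter()
        for total, n in dist.items():
            for k, m in per_key.items():
                nxt[total + k] += n * m
        dist = nxt
    return dist


def guesses_before(password: str, right_handed: bool = True) -> int:
    """Guesses an attacker enumerating cheapest-to-reach strings first
    makes before reaching `password` (a lower bound: ties are ignored)."""
    costs = key_costs(right_handed)
    target = int(2 * sum(costs[ch] for ch in password))
    dist = cost_distribution(len(password), right_handed)
    return sum(n for c, n in dist.items() if c < target)


def keyspace_report(password: str, right_handed: bool = True) -> dict:
    """Compare the full printable-ASCII keyspace, the first-screen keyspace,
    and the position of `password` in the thumb-ordered enumeration."""
    n = len(password)
    return {
        "printable_ascii": 95 ** n,
        "first_screen": 26 ** n,
        "thumb_ordered_rank": guesses_before(password, right_handed),
    }


if __name__ == "__main__":
    print("right-thumb order:", guess_order())
    for pw in ("mnbv", "jklm", "qwer"):
        print(pw, keyspace_report(pw))
```

`keyspace_report` makes the two reductions visible side by side: dropping to the first screen shrinks a four-character keyspace from 95^4 to 26^4, and within that, a password clustered under the right thumb is reached after a small fraction of the remaining guesses. Flipping `right_handed` reorders the whole enumeration, which is why an attacker who bets on right-handedness first still covers the left-handed minority afterwards.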

You are the Password

Behavioral authentication aims to solve this problem by incorporating sensor data into the password process so that users can authenticate without interacting with the application at all. It works by building profiles of known device and environment characteristics and combining the underlying data points into an encryption key. The result is a key with far more entropy than a typed password, one that is impractical to crack or guess and that can be handed to a requesting application without any user intervention. Any sensor information the mobile device can acquire can feed this process, for example:

  • Cellular and WiFi signals

  • Bluetooth devices

  • GPS Location

  • Activity/Motion (e.g., how you move)

  • Device grip (e.g., how you hold)

  • Access time

  • Light and magnetic fields
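One way to turn the sensor sources listed above into a key, as an added example that is not the post's own design: quantise each noisy reading into a feature that repeats whenever the device is back in the same place and time window, encode the feature set canonically, and stretch it with a KDF. The sensor snapshots, the device secret, the quantisation granularities (RSSI cut-off, GPS cell size, six-hour time bucket, magnetic magnitude in tens of microtesla) and the function names are all assumptions constructed for this illustration.

```python
"""Environment-derived encryption key (added example; see lead-in).

Sketches the "you are the password" idea: quantise noisy sensor readings
into values that repeat whenever the device is back in the same place,
encode them canonically and stretch the result with a KDF. The readings,
secret and quantisation granularities below are constructed for this example.
"""
import hashlib
import json
import math


def quantise_observation(obs: dict) -> dict:
    """Reduce a raw sensor snapshot to features stable across visits."""
    # Radios: keep identities only (RSSI fluctuates) and drop weak, transient beacons.
    wifi = sorted(bssid for bssid, rssi in obs["wifi"].items() if rssi > -80)
    bluetooth = sorted(obs["bluetooth"])
    # GPS: ~1 km cell (two decimals of a degree); hypothetical granularity.
    lat, lon = obs["gps"]
    cell = [math.floor(lat * 100), math.floor(lon * 100)]
    # Access time: six-hour bucket of the local hour.
    time_bucket = obs["hour"] // 6
    # Magnetic field: magnitude in tens of microtesla.
    mag = round(math.hypot(*obs["magnetic"]) / 10)
    return {"wifi": wifi, "bt": bluetooth, "cell": cell, "t": time_bucket, "mag": mag}


def derive_key(obs: dict, device_secret: bytes, length: int = 32) -> bytes:
    """Derive a symmetric key from the quantised environment.

    `device_secret` (in practice a value kept in the device's secure hardware)
    is used as the PBKDF2 salt so that someone who can observe the same WiFi,
    Bluetooth and GPS values cannot rebuild the key off the device, and the
    iteration count slows down guessing of low-entropy environments.
    """
    features = quantise_observation(obs)
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.pbkdf2_hmac("sha256", canonical, device_secret, 100_000, length)


# Constructed sample snapshots (not real devices or locations).
DEVICE_SECRET = b"example-secure-element-secret"
HOME_A = {
    "wifi": {"aa:bb:cc:dd:ee:01": -45, "aa:bb:cc:dd:ee:02": -60, "aa:bb:cc:dd:ee:99": -85},
    "bluetooth": ["11:22:33:44:55:66", "66:55:44:33:22:11"],
    "gps": (37.4219, -122.0840), "hour": 7, "magnetic": (20.0, 30.0, 40.0),
}
HOME_B = {  # same room an hour later: RSSI drifted, weak beacon gone, GPS jitter
    "wifi": {"aa:bb:cc:dd:ee:01": -52, "aa:bb:cc:dd:ee:02": -58},
    "bluetooth": ["66:55:44:33:22:11", "11:22:33:44:55:66"],
    "gps": (37.4223, -122.0838), "hour": 8, "magnetic": (21.0, 29.0, 41.0),
}
CAFE = {
    "wifi": {"de:ad:be:ef:00:01": -50},
    "bluetooth": [],
    "gps": (37.7749, -122.4194), "hour": 13, "magnetic": (10.0, 20.0, 50.0),
}

if __name__ == "__main__":
    home_key = derive_key(HOME_A, DEVICE_SECRET)
    print("home A == home B:", home_key == derive_key(HOME_B, DEVICE_SECRET))
    print("home A == cafe  :", home_key == derive_key(CAFE, DEVICE_SECRET))
```

Two caveats a practitioner would weigh before relying on this. First, the quantisation is the fragile part: a reading that lands near a cell or bucket boundary produces a different key, so real deployments pair the sensor data with error-correcting helper data (a fuzzy extractor) rather than hard rounding. Second, the unguessability claim rests on what the attacker cannot observe: anyone standing in the same room sees the same BSSIDs, Bluetooth addresses and GPS cell, so the strength comes from the per-device secret and the key stretching, not from the environment alone.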

Jason Miller