June 7, 2012
Pattern unlock sucks. Everyone knows it. Pattern unlock provides security benefits that are dubious at best. Anyone can shoulder surf your pattern, or even your PIN, since most PINs are displayed at least momentarily in cleartext. Phone manufacturers have noticed the problem, and tried to create new lock technologies that don’t suck: Motorola had a fingerprint reader on the Atrix, and Google’s ICS includes face-unlock. While either of these options is better than PIN or pattern unlock, I think we can do better.
Every day there are new gadgets released to work with smartphones. Mostly, these devices are curiosities or toys: smart balls that can be controlled by phone, or remote control airplanes. All of these toys include the raw components to fix the problem with PIN/pattern unlocks forever. Combine a wireless interface (Bluetooth, NFC, or Wi-Fi) with certificate-based authentication, and we’ve just created a second factor for authenticating to your phone. Multi-factor authentication relies on two different pieces to prove your identity: something you have (a physical device, which will authenticate to your phone) and something you know (your PIN or gesture).
Actually, this technology is pretty similar to modern cars that don’t have a key, but rather radio keys that allow the car to be started whenever the key is inside the cab. Imagine that instead of, or in addition to, unlocking your phone with a PIN or pattern, you had a keychain dongle to activate. Press a button, or pass the phone within NFC distance, and the phone and your new authentication device exchange cryptographic signatures to validate each other’s presence. Your phone now knows with some degree of certainty that it’s in the presence of a physical token separate from your phone. Using modern cryptographic signatures, this process wouldn’t be vulnerable to mere replay attacks; using encryption with signatures can prevent man-in-the-middle attacks.
That isn’t to say this system wouldn’t have any issues at all. Obviously, if someone steals your phone, there is potential for them to steal your keys, especially if you’re robbed, mugged or your house is broken into. I’m not super sure that the security of your phone should be your top priority in those instances, however. Luckily, since your phone has a constant internet connection, it’s even possible to create a method for deactivating an authentication token remotely. Much like how SSL certificates can be revoked, if the authentication device is designed correctly a central authority may be able to prevent a stolen token from authenticating to your phone.
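The signature exchange and remote deactivation described above can be sketched as a challenge-response check; this is an added example, not code from the original post, and it covers only the token-to-phone direction. The names `Phone`, `Pair`, `TokenSign`, the `phone-unlock-v1:` label, the choice of Ed25519 and the boolean `revoked` flag (standing in for a lookup against a central revocation list) are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const label = "phone-unlock-v1:" // constructed context label, not from the post
// Phone is the verifier: paired token key, revocation flag, outstanding nonce.
type Phone struct {
	tokenPub ed25519.PublicKey
	revoked  bool // stand-in for a central revocation list lookup
	pending  []byte
}
// Pair creates the token's key pair and registers the public half on a phone.
func Pair() (*Phone, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Phone{tokenPub: pub}, priv
}
// NewChallenge issues a fresh random nonce for one unlock attempt.
func (p *Phone) NewChallenge() []byte {
	p.pending = make([]byte, 32)
	if _, err := rand.Read(p.pending); err != nil {
		panic(err)
	}
	return p.pending
}
// TokenSign is the dongle side: sign the label plus the phone's nonce.
func TokenSign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(label), nonce...))
}
// Verify accepts one response per challenge, and none from a revoked token.
func (p *Phone) Verify(nonce, sig []byte) bool {
	if p.revoked || p.pending == nil || !bytes.Equal(nonce, p.pending) {
		return false
	}
	p.pending = nil // single use, so a captured response cannot be replayed
	return ed25519.Verify(p.tokenPub, append([]byte(label), nonce...), sig)
}

func main() {
	phone, key := Pair()
	n := phone.NewChallenge()
	fmt.Println(phone.Verify(n, TokenSign(key, n)), phone.Verify(n, TokenSign(key, n)))
}
```

The replay resistance comes from the phone choosing the nonce and clearing it after one use, so a response recorded over the air is useless for any later unlock attempt.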