Making mobile phones the authentication hubs for smart homes

Each year, the National Institute of Standards and Technology funds pilot projects to advance the National Strategy for Trusted Identities in Cyberspace. The pilots address barriers to the identity ecosystem and seed the marketplace with “NSTIC-aligned” solutions to enhance privacy, security and convenience in online transactions.

This year, Galois, a computer science research and development company, received a $1.86 million grant to build a user-centric personal data storage system that enables next-generation IoT capabilities without sacrificing privacy. As part of the pilot, Galois will work with partners to integrate its secure system into an Internet of Things-enabled smart home and develop just-in-time transit ticketing on smartphones.

Galois’ authentication and mobile security subsidiary, Tozny, serves as the technical lead for the pilot programs and will build the data storage and sharing platform by tackling one of the weakest links in cybersecurity today: the password. Tozny’s solution replaces the username and password with something people use for almost everything: the smartphone or wearable device.

Tozny is working with IOTAS, a developer of a home automation platform that integrates preinstalled hardware (light switches, outlets and sensors) with software to create a unique experience in which users learn from and interact with their homes.

Together, the companies are working to let users log in, without a password, to the IoT management console installed in their apartments. Tozny is providing cryptographic authentication that is based on mobile phones.

“This is actually a really good idea because people who have tried to deploy authentication devices for smart homes have had a lot of trouble getting them to work, and they’re kind of expensive,” said Isaac Potoczny-Jones, computer security research lead at Galois.

“Since a mobile phone can do cryptography, and because we can build beautiful and easy-to-use interfaces on mobile phones, we decided that that would be a much better way to log into a lot of systems -- and it’s easier to use than passwords,” Potoczny-Jones said.

IOTAS is already operating a smart-home pilot in apartment units in Portland, Ore., and San Francisco. IOTAS and Tozny will work to add transparent but privacy-preserving authentication and encryption to this pilot.

Secure mobile transit ticketing

GlobeSherpa, an Oregon-based company that provides a secure mobile ticketing platform for transit systems, is working with Tozny to develop a password-free authentication system that allows users to buy and display tickets on their mobile phones.

“With this you can use your phone to both buy and display tickets, and you don’t have to interface with these often-broken vending machines,” Potoczny-Jones said.

SRI International is also contributing to this project with a biometric authentication solution that will use a person’s walking gait as the biometric. This technology will work with the bus platform to ensure that the person holding the phone and showing the ticket is who he says he is.

“You’re walking up to the bus platform, get your phone, buy your ticket, and the phone already has a pretty high confidence that you are who you claim to be because it was just observing your walking pattern,” Potoczny-Jones said. “It’s passive, it’s behind the scenes and it’s extremely fast and accurate as well.”

“Anything that you collect that’s behind the scenes or passive needs to have really strong privacy controls built into it,” Potoczny-Jones said. “So we’re very happy with the way these technologies are coming together to provide secure login, privacy controls and really advanced biometric technology.”