Addressing Smartphone-based Multi-factor Authentication via Hardware-rooted Technologies

Multi-factor authentication is a well-recognized access control method that enhances the security of users' sensitive data and identities. A successful authentication attempt requires a user to correctly present two or more authentication factors such as knowledge factors, possession factors and inherence factors. For smartphone-based multi-factor authentication, a promising way to authenticate a user is to verify his possession of a legitimate smartphone, which calls for secure and usable device authentication schemes. In this article, we propose to authenticate a device through tracking the hardware fingerprint of its built-in sensor. We first review the existing hardware rooted identification methods and discuss the merits of applying a hardware fingerprint as a smartphone's unique identity. Then, we analyze the security issues underlying these methods and identify two security requirements for the identification methods to be used in an authentication scheme: Fingerprint Leakage Resilience and Fingerprint Forgery Resilience. Finally, we look into a specific hardware fingerprint originally used for digital cameras. We analyze the feasibility of applying this fingerprint to differentiate off-the-shelf smartphones and list several challenging practical issues underlying this methods.