Sandia Researchers Aim to Secure the Internet of Things with Lighter-Weight, Clock-Independent 2FA

Invented by security researcher Chris Jenkins, the new 2FA approach provides authentication security for resource-constrained devices.

Researchers at Sandia National Laboratories have come up with an alternative way of implementing two-factor authentication (2FA), building atop draft standards targeting resource-constrained devices and doing away with the need for a synchronized clock — making it applicable to any device, even something as simple as a thermostat.

"We had this already worked out for a weapons system. That was the original focus," Chris Jenkins, inventor of the new approach to 2FA, admits. "But we thought, couldn't we change it and have it work for authentication of remote systems? Some of these are low-power systems that only wake up every so often. Typically, a lot of these devices don't have the same processing power as your cell phone or your computer."

That's an issue the National Institute of Standards and Technology (NIST) had already looked to address, proposing draft standards in 2024 that targeted "resource-constrained devices" in order to bring 2FA to a wider audience. 2FA requires users to provide "something they have" in addition to the "something they know" of a username and password; that second factor traditionally took the form of a physical security dongle before smartphone apps took over the role.

Traditional 2FA systems work with a single secret shared between the remote system and the user's authenticator, which is used as a seed to generate pseudo-random verification codes. Compared to the older method of a long list of challenge-response shared secrets, it's a simpler approach that requires much less storage and is more resistant to leakage — but it relies on the two systems having accurate clocks, so that both ends generate the same codes at the same time. If either clock gets out of sync, so too do the codes — meaning simple devices with no accurate on-board clock can't take advantage of the additional security offered by 2FA.
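To make the clock dependence concrete, here is an added example (not code from the article, from Sandia, or from Jenkins' system) of the conventional time-based one-time password scheme the paragraph describes: HOTP per RFC 4226 and TOTP per RFC 6238, computed from one shared secret and the current time. The shared secret and the fixed "server time" are constructed demo values. The `verify` function applies the usual one-step acceptance window that servers use to tolerate small drift; `demo` shows that a device whose clock is skewed by more than that window produces a code the server rejects, which is exactly the situation a clock-less device cannot escape.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the authenticator and the server (not a real key).
SHARED_SECRET = b"constructed-demo-secret-0123"
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = 1,
           step: int = STEP_SECONDS) -> bool:
    """Accept the code if it matches the current step or any step within +/- `window`.

    The window is how real servers absorb a few seconds of drift; it cannot help a device
    that has no usable clock at all, because its 'time' bears no relation to the server's.
    """
    counter = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def demo(skew_seconds: int) -> bool:
    """Return True if a code from an authenticator whose clock is off by `skew_seconds` is accepted."""
    server_time = 1_700_000_000                # constructed fixed instant
    device_time = server_time + skew_seconds   # the authenticator's (possibly wrong) view of time
    code = totp(SHARED_SECRET, device_time)
    return verify(SHARED_SECRET, code, server_time)


if __name__ == "__main__":
    for skew in (0, 39, 90, -90):
        print(f"clock skew {skew:+4d}s -> accepted: {demo(skew)}")
```

Both ends must derive the same counter from the same secret; once the device's notion of time drifts past the server's acceptance window, every code it produces is wrong, even though the secret itself is intact.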

That's where Jenkins' invention comes in. Building atop NIST's draft standards for resource-constrained devices, the simplified 2FA system requires neither accurate timing nor the use of third-party authentication services — and can work over a direct connection between two devices, even when those devices lack the computational resources of a modern smartphone. This, Jenkins says, can extend 2FA to devices as simple as a washing machine or a thermostat, bringing 2FA to the world of home and industrial automation.

At the time of writing, Sandia National Laboratories had not published a roadmap to release and deployment of Jenkins' system.

Main article image courtesy of Craig Fritz/Sandia National Laboratories.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.