
A new, simpler version of two-factor authentication could broaden its protection to many smart devices that currently cannot support it.
Researchers at Sandia National Laboratories have announced a more efficient way to generate and send temporary security codes. Unlike conventional methods, the new technique does not depend on the time, which could help secure small and remote network-connected devices, including drones, remote sensors, agricultural equipment and industrial control systems.
Securing small, internet-connected electronics has been a topic of interest within the U.S. government. In 2024, the National Institute of Standards and Technology issued draft standards for cryptography on what it terms "resource-constrained devices."
"This work can build on top of those algorithms," said Chris Jenkins, the Sandia cybersecurity researcher who invented the new method.
A temporary security code, also known as two-factor authentication, might be more commonly associated with online accounts, such as banking, but it can also protect physical devices, like smart electric meters that require users to log in to change settings. But many smart devices lack the processing power, network bandwidth or GPS connection to support it, leaving them vulnerable to cyberattacks.
Jenkins said his technique is so simple he believes it could enable a device as basic as a thermostat to generate its own authentication code, without a GPS timestamp, and pass it directly to an authorized user over a low-data network.
His team has successfully tested the new technique in a remote sensing application. The project is funded by Sandia's Laboratory Directed Research and Development program.
New technique simplifies a deceptively complex cyber defense
Two-factor authentication is a familiar security routine that requires users to provide an additional, temporary code to log in. The code usually shows up by text, email or an authenticator app. Behind the scenes, though, this is a surprisingly complex transaction, Jenkins said.
"While you might see a security code as coming from your bank, a lot of times your bank is using a third-party vendor," he said. "And then the vendor even contacts a telecom provider, and then the telecom provider is who sends you the code to your phone. Then, the vendor also sends the code back to your bank."
And the code itself? It's based on the time. Banks might get that from their servers, while environmental sensors and other remote devices frequently get their timing from GPS.
Jenkins' simpler version works directly between two devices without third parties or extensive IT infrastructure. This means devices can use it over network connections that are prone to disruptions or delays, whether unintentional or by design.
"Some of these are low-power systems that only wake up every so often," Jenkins said.
The new method does not need to know the time, so devices do not need a GPS connection, and it uses minimal computing resources, which is ideal for devices designed to minimize size, weight and power use.
"Typically, a lot of these devices don't have the same processing power as your cell phone or your computer," so they cannot run complex cybersecurity software, Jenkins said. Their computing resources, he added, are more like those in a thermostat or a washing machine.
Love it or hate it, two-factor authentication stops cyberattacks
In 2016, about 100,000 routers, webcams and other small, internet-connected devices became infected with a nasty bit of malware called Mirai. Protected only by a username and password, the devices posed little challenge to the aggressive code, which, after a little educated guesswork, logged itself in and reconfigured the devices to launch massive, coordinated cyberattacks on servers. Many devices are still vulnerable to malware like Mirai.
But the new, lightweight Sandia authentication is a simple way to protect them. Just like conventional, more complex two-factor authentication, it forces malware to come up with another code beyond a username and password, making the device much harder to log into and infect.
Jenkins originally designed the defense with a different application in mind: protecting military aircraft against would-be hackers. Many planes use a relatively basic communications network to connect different onboard systems, and so also require lightweight cyber defenses.
"We had this already worked out for a weapons system. That was the original focus," Jenkins said. "But we thought, couldn't we change it and have it work for authentication of remote systems?"
Now, he hopes his defense will help protect even the humblest internet-connected device.