CRII: SaTC: Multi-User Authentication and Access Control in the Internet of Things

Project Details

Lead PI

Performance Period

Jul 01, 2018 - Jun 30, 2020

Institution(s)

University of Chicago

Sponsor(s)

National Science Foundation

Award Number


Computing is transitioning from single-user devices, such as laptops and phones, to the Internet of Things (IoT), in which numerous users interact with a particular device, such as an Amazon Echo or Internet-connected door lock. The desired level of access to particular capabilities, such as ordering items using a shared voice assistant, likely differs across members of a household (e.g., children and parents). Widely deployed devices and the existing research literature lack mechanisms for specifying who should be able to perform which actions with which household Internet-connected devices. Complicating matters, the users of a given device often have complex social relationships to each other. Our goal is to develop techniques and interfaces that enable non-technical users to specify who should be able to perform what actions using which Internet-connected devices in the home, as well as to verify the identity of the person trying to perform those actions. Misconfigured devices can open the home to attackers, yet may also disenfranchise members of the household. Our approach to authentication and authorization directly impacts security for consumers of an array of household IoT devices. A core objective of this proposal is also to train first-time student researchers in a tangible domain that is ideal for a first research experience.

On a technical level, the work comprises three phases. The first phase aims to characterize the access-control policies users will want to express for multi-user IoT devices, focusing on the unique characteristics and capabilities of the IoT. To do so, we will conduct an online user study that elicits users' desired access-control policies for the home IoT, that is, who should be allowed to use particular capabilities, as well as in what circumstances. Having identified the primitives necessary for users to express their desired access-control policies for the home IoT, the second phase will systematize authentication mechanisms and authorization interfaces appropriate for the constraints of these home IoT environments, proposing mechanisms commensurate with the risks of unauthorized use of different capabilities. In the third phase of the research, we will implement our proposed mechanisms and evaluate them through an in-situ field study, allowing us to gauge how effectively these interfaces and mechanisms minimize both unauthorized access and incorrect access denials in the realistic setting of users' homes.