Two-factor authentication in VR using near-range extended reality and smartphones

Abstract

Modern smartphones have a wide variety of authentication and authorization measures: from drawing a simple pattern to a fingerprint scan system. However, the whole “password” is always contained inside of the device’s memory. In case of information leak, the possible malefactor/attacker has access to the whole password, therefore information security is at risk. Enhancing security measures is essential to develop a robust tool that ensures the safety of both head-mounted devices and smartphones. Users wearing headsets are vulnerable to real-world security threats, such as unauthorized individuals attempting to access their personal information or belongings. Furthermore, the necessity of removing the headset to interact with the smartphone can lead to potential security breaches. Thus, it is crucial to address these vulnerabilities to protect users effectively, both in VR and the immediate environment. This thesis proposes a novel approach to two-step authentication by “splitting” the password authentication process between two independent devices. In this method, one half of the password is displayed on a smartphone screen, while the other half is delivered through a head-mounted device (HMD). This design ensures that only an individual with access to both devices can successfully combine the two halves to form the complete password. The research suggests that this dual-authentication measure could effectively enhance security in systems that utilize both HMDs and smartphones simultaneously. A prototype was developed and tested, enabling users to interact with their smartphone content in a virtual reality (VR) environment. This system facilitates authentication through various challenges, such as CAPTCHA, numeric passwords, or game-like interfaces, requiring users to input specific passwords. Success in these tasks hinges on the effective communication and combination of inputs from both the HMD and smartphone, making it impossible to bypass the authentication process without both devices. The findings of this research are supported by two publications detailing the experiments and user studies conducted on the password-splitting method and the integration of smartphone content into the VR setting.