
How to secure cross-device flows when the weak point is human decision-making

Visitors walk past a sign for the Identiverse Conference in Denver. (Joe Uchill/SC Media)

DENVER — Cross-device flows are the magical three-way tango that allows you to rent a scooter by scanning a QR code or log into Netflix on a TV by entering a code from your laptop. One device logs into a service and provides details of a third system to be included in the circle of trust.

But as Microsoft's Pieter Kasselman noted at the Identiverse Conference on Friday, one step has a security flaw. The 2022 edition of Identiverse, an annual conference held by SC Media's parent company Cyber Risk Alliance, just wrapped up in Denver.

There are a ton of benefits for cross-device flows. It is much easier to scan a QR code than type a password into a scooter, for example. The problem is that, while the connection between the TV and the scooter-sharing service is very secure and the connection between the cellphone app scanning the code and the service is secure, a person scanning a QR code is subject to the social engineering frailties of a human being. Swap some QR codes around and the person the next parking space over could be paying your bill. Human decision-making remains the weak cog in the system.


"How can we help the user to make fewer decisions? How can we help them to make better decisions, because they have to make decisions, but also help them when they make a bad decision? How do we protect them? Right, because as long as we have homo sapiens around, we will have to take into account the failed cases, as well," said Kasselman.

Kasselman said there were quite a few potential solutions. One would be verifying the proximity between the QR code or laptop and the scooter or TV showing Netflix. Another is filtering for access information being used in spam emails. A third would be requiring the use of trusted devices or more robust systems verifying the identity of the scooter or TV.
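As an added illustration of the first of those mitigations, the proximity check (this is example code, not code from the article or from Kasselman's talk): a toy authorization server records where the consumption device started the flow and refuses to complete it when the scanning device is too far away, which is what a swapped QR code in the next parking space would look like. The class names, the 2 km threshold and the coordinates are assumptions chosen for the example.

```python
# Toy cross-device authorization server with a proximity check.
# Assumed names and values: AuthServer, PendingFlow, PROXIMITY_LIMIT_KM.
import math
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROXIMITY_LIMIT_KM = 2.0  # assumed policy value, not from the article

Location = Tuple[float, float]  # (latitude, longitude) in degrees


def haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class PendingFlow:
    device_location: Location          # where the scooter/TV started the flow
    approved_by: Optional[str] = None  # set once a user has approved it


class AuthServer:
    def __init__(self) -> None:
        self.flows: Dict[str, PendingFlow] = {}

    def start_flow(self, device_location: Location) -> str:
        """The consumption device requests a code; the code is what the QR encodes."""
        code = secrets.token_urlsafe(8)
        self.flows[code] = PendingFlow(device_location)
        return code

    def approve(self, code: str, user: str, approver_location: Location) -> str:
        """The authorizing device (phone, laptop) submits the scanned code.
        Unknown codes, reused codes and approvals from far away are refused."""
        flow = self.flows.get(code)
        if flow is None or flow.approved_by is not None:
            return "rejected: unknown or already used code"
        distance = haversine_km(flow.device_location, approver_location)
        if distance > PROXIMITY_LIMIT_KM:
            return "rejected: approving device is not near the requesting device"
        flow.approved_by = user
        return "approved"
```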

Finally, he said, there is interesting research being done in re-architecting the three-way system into a more secure four-way one.

"What we really want to do here is start describing these known attacks, published on best practices, documents, also the idea of cross-device protocols. Explore that idea further, and then work with researchers. So also a call to action for folks here in this room or anybody who may watch this recording. We're looking for help," said Kasselman.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
