ZITA: Zero-Interaction Two-Factor Authentication using Contact Traces and In-band Proximity Verification

Two-factor authentication (TFA) provides an additional layer of protection to commonly-occurring password breaches. However, existing TFA methods, often involve special hardware interfaces, or require human effort which is prone to errors and acts as an adoption detractor for older adults and novice technology users. To address these limitations, we propose a zero-interaction, two-factor authentication (ZITA) protocol. In ZITA, the first factor is implemented using the conventional username and password methods. The second factor is completed without any human effort provided that the user is not accessing the service from an unregistered public device and a designated secondary device is physically co-present. To automate the second factor, ZITA exploits the long-term contact between the login device and the secondary device such as a smartphone. Moreover, to thwart man-in-the-middle and co-located attacks, ZITA incorporates a proximity verification test that relies on the randomness of ambient RF signals. Compared with other zero-effort TFA protocols, ZITA remains secure against advanced threats and does not require out-of-band sensors such as microphones, speakers, or photoplethysmography (PPG) sensors.