Alfred Kobsa, Rahim Sonawalla, Gene Tsudik, Ersin Uzun and Yang Wang
Secure device pairing refers to the pairing two or more devices in a manner that can be trusted such that the users pair the devices they believe they are pairing without allowing a malicious third-party to join in the process. Generally this has to be completed in a context where the devices have no shared secrets, the users are not security experts, and the devices as mass-market consumer devices so turning to highly expensive solutions is not an option.
Various methods have been proposed to solve this over the years, from physically attaching the devices with a cable, using laser transceivers, to confirming the match of a code displayed on each device. This study sought to evaluate the usability and security of the most promising methods, preemptively rejecting those already shown to have poor usability or security. The first methods compared were users comparing PINs on two devices to match them and similarly comparing two images displayed on the two devices. They also examined button-enabled methods such as pressing a button on one device as the LED flashes on the second device, when the second device vibrates, or when the second device beeps. The study also tested variants of Loud and Clear, where one device speaks out a sentence that the user confirms is displayed on the other device. Finally, they tested a method which used the camera on one device to capture the barcode on the second device, a similar approach using a video camera and a flashing LED on the second device, and HAPADEP audio pairing.
The study included twenty-two subjects. The participants were presented with a scenario and then tasked with completing pairing with each method, assigned in random order, after which they submitted a questionnaire to evaluate the pairings. The study also recorded the pairing attempts for later evaluation. The PIN-compare methods were found to be the quickest and most usable, followed by sentence, then image comparison. Pairing via audio and button pressing got the lowest scores. Subjects perceived PIN-comparison as the most secure method.