Researchers at Sandia National Laboratories have developed a new method for two-factor authentication that does not rely on time-based codes. The technique, invented by cybersecurity researcher Chris Jenkins, is designed to work on devices with limited computing power and no GPS connection.
The new approach could help secure a wide range of smart devices that currently lack the ability to support traditional two-factor authentication methods. These include drones, remote sensors, agricultural equipment, and industrial control systems.
Securing small internet-connected electronics has been an area of focus for the U.S. government. In 2024, the National Institute of Standards and Technology released draft standards addressing cryptography for “resource-constrained devices.”
“This work can build on top of those algorithms,” said Jenkins.
Two-factor authentication is commonly used to protect online accounts such as banking but can also be applied to physical devices like smart electric meters. Many such devices do not have enough processing power or network connectivity to use standard methods, leaving them vulnerable to cyberattacks.
Jenkins explained that his method allows even simple devices like thermostats to generate their own authentication codes without requiring a GPS timestamp and send them over low-data networks directly to authorized users.
His team tested the technique in a remote sensing application. The project received funding from Sandia’s Laboratory Directed Research and Development program.
Jenkins described how current two-factor authentication systems often involve multiple third parties and are dependent on accurate timing information: “While you might see a security code as coming from your bank, a lot of times your bank is using a third-party vendor,” he said. “And then the vendor even contacts a telecom provider, and then the telecom provider is who sends you the code to your phone. Then, the vendor also sends the code back to your bank.”
“And the code itself? It’s based on the time. Banks might get that from their servers, while environmental sensors and other remote devices frequently get their timing from GPS.”
The new method works directly between two devices without relying on third parties or extensive IT infrastructure. This makes it suitable for network connections that may experience disruptions or delays.
“Some of these are low-power systems that only wake up every so often,” Jenkins said.
Because it does not require knowledge of the time or significant computing resources, this approach fits well with devices designed for minimal size, weight, and power usage.
“Typically, a lot of these devices don’t have the same processing power as your cell phone or your computer,” Jenkins noted. “Their computing resources…are more like those in a thermostat or a washing machine.”
In 2016, approximately 100,000 routers and other small internet-connected devices were compromised by malware known as Mirai after being protected only by usernames and passwords. Devices continue to face risks from similar threats today.
The lightweight authentication system developed at Sandia offers additional protection by requiring malware to generate another code beyond username and password before gaining access.
Jenkins initially created this defense mechanism for military aircraft communications networks but later adapted it for broader use: “We had this already worked out for a weapons system. That was the original focus,” he said. “But we thought, couldn’t we change it and have it work for authentication of remote systems?”
