two-factor authentication with cars

Some months have passed during which I sort of failed to realize that I have been using two-factor authentication with my car.

The way that my car works, there is a key fob.  If I have the key fob with me, I can walk up to the car and maybe it will permit me to get into the car.

A couple of months ago, the software in the car received an update.  With the update, the car owner is invited to set up a PIN number.  The idea is that when you walk up to the car, and you get into the car (using the key fob), this is not enough to be able to drive the car.  In addition, you are invited to punch in a PIN number.  Only then are you permitted to drive the car.

The idea is that a bad person might use a specialized radio receiver to figure out the signal from the key fob.  Such a person might be tempted to try to steal the car.  So with the PIN number, the bad person will not succeed.

It was some months before I realized this is really two-factor authentication.

I think the designer of this part of the software is worried about the possibility that the owner of the car might be absent-minded and might simply leave the key fob in the car.  This would make things really very inviting for a car thief.

What do you think about key fobs for cars?  What do you thing about two-factor authentication for cars?  Please post a comment below.

12 Replies to “two-factor authentication with cars”

  1. The combination of an electronic car key and a PIN is mandatory in Israel for decades for new cars.

    The rationale is that stealing your car is a good-enough reason for someone to break-in into your home to steal the car keys. Once a PIN is a standard requirement, there is one less reason to break into your home.

    This rationale requires that the PIN feature is standard, otherwise the burglar may end up disappointed at the car, but still visit your home.

    1. This is very interesting to learn. Thank you for posting. I wonder if maybe at some point the lawmakers in the US should take an example from the lawmakers in Israel.

    1. With garage door openers, I have read that some of them use a “rolling code”. The idea I guess is that even if a bad person with a specialized receiver picks up one signal, this signal will not work the next time. I do not know how sophisticated the rolling code is. But my impression is that most of the car key fobs do not have any rolling code function.

  2. On my 2007 Prius, which has a key fob of the type you describe – i.e., if you have the fob on your person, you may walk up to the locked car and it will unlock if you touch, say, the driver’s door handle – you need the key fob in the car to be able to drive it; so I don’t think it would be possible to drive the car just by stealing the fob signal and using it to unlock the door. Nor is it possible to lock the car by pushing the lock button on the outside of the driver’s door handle if the key fob is inside the car – the car is smart enough not to permit you to lock yourself out in that way. Of course, if you were to leave a house key in the car, that could be stolen.
    But the problem that Motti Teicher describes, which is the reverse problem, breaking into the house to steal the car, is independent of whether you use a key fob or a real key to start the car: it’s 2FA either way.
    My garage door opener has a rolling code – the opener needed to be “trained” initially to match the signal from the built-in-the-car garage door opener; but I don’t think the car key fob uses a rolling code.

  3. Passwords, password-changing, and passwords + PINS, are a dang nuisance, with obvious problems (hackable, guess-able, forget-able, phone for 2nd factor runs out of power, sometimes don’t work, and what fun to enter a PIN in a snowstorm). And requiring a password + a PIN (so: 2 passwords) isn’t that much more secure than one password, unless the number is generated (on your phone, for example).

    The future — actually increasingly the present — is biometric. Biometrics has the advantage of identifying the person, not the code. And biometrics will get increasingly seamless — faster and more secure (potentially multi-factor based on, say, a person’s gait measured by a camera, fingerprints on the door handle, face scan, voice).

    Tesla still uses cards, but since each card is driver specific it’s not just about gaining entry or using remote control. Get into the seat and all your favorite settings (a consisting of mirror and steering adjustment, heat preferences, etc.) immediately set up. And identification isn’t 2 step or even one step — no numbers to enter.

    Maybe one day we’ll live in that Minority Report world where it’s worth stealing a person’s fingers for their prints — or worse. And we’re already in the Minority Report world where identifying us provides an opportunity present personalized advertisements.

    The long term solution is to figure out how to live in a world where fewer people have a desperate need to steal things…

  4. Key fobs have been using a cryptographic challenge-response concept for years. Very unlikely a thief can break it. But the theoretical threat of a relay attack has become much more realistic. Relay the challenge from the car to the owner und the response from the owner to the car, and off you go.

    I remember discussions about using fingerprint sensors when I designed immobilizers back in the 90s. We decided against them because in some markets, chances were car jackers would simply cut off the finger or take our customer with the car. So if you use two-factor authentication, you probably want to make sure you can easily surrender both.

  5. In a fascinating Google Talk from several years ago (URL below) Frank Abagnale stated that passwords would be obsolete by now, mentioning a new technology called Trusona. I wish. I use a password manager, but I am still frustrated with the time I spend dealing with security. I hoped for far more sophisticated and less intrusive security by now.

    Thanks for reminding me to check it out! They do have a website.

    Full Talk:
    https://www.youtube.com/watch?v=FyZ5G2uxcVw
    Link to his statement:
    https://youtu.be/vsMydMDi3rI?t=3416

    Cheers, Phil
    PS: Thanks for the PCT seminars!

  6. Great idea. My impression is that a lot of cars are stolen because the fob is kept in the car, particularly in suburbs in the driveway.

Leave a Reply

Your email address will not be published. Required fields are marked *