Security has become enough of a concern for phones, tablets, and computers that passwords or biometric scans have become mandatory for most devices, preventing unauthorized users from accessing their contents. But as AR and VR headsets evolve into standalone devices, typing or scanning might not be as simple for users, so a group of researchers is proposing an alternative: Zero-Trust Authentication, also known as ZeTA.

If you haven’t heard of ZeTA, you’re not alone. Unlike passwords, which rely upon users and devices to match a sequence of characters to unlock access, ZeTA privately shares a multi-factor “secret” with the user, later asking yes or no challenge questions to determine whether a user knows the secret. The secret could be “blue NOT green,” accepting yes to the challenge “sky?” and no to “grass?,” while “yellow OR wheel” could accept yes answers to “sunflower?” and “steering?” but no to “heart?” and “coal?” Depending on the number of challenges, ZeTA can scale from rudimentary security to typical PIN- or online guessing thresholds.

Securing AR and VR headsets hasn’t yet emerged as a major issue because today’s wearables largely rely on PCs, smartphones, or game consoles, all of which have their own security and input systems; even Facebook’s almost completely standalone Oculus Quest falls back to a paired smartphone app for some purposes. Some next-generation headsets, however, will move away from needing immediately adjacent hardware, perhaps even omitting input accessories in favor of whatever they can store inside their own frames. Thanks to recent updates, Quest’s inside-out cameras can already track hand gestures instead of requiring controllers and use microphones for voice commands.

While it would be easy for a headset to just ask you to speak or gesture a passcode, that might not be practical as people walk around in public with mixed reality glasses. So ZeTA relies on a human’s ability to understand semantic relationships between concepts, yet reduces input demands to simple binary responses. Signaling yes or no to several questions gives the headset confidence that you know the shared secret, unlocking full access. This contrasts with “zero-trust” security systems that heavily restrict a user’s access because the identity of the user can’t be guaranteed, instead enabling a user to indirectly qualify for full access even if the “password” input channel between the user and device isn’t private or secured.

Backed by the German Federal Ministry of Education and Research, the Karlsruhe Institute of Technology, the University of Denver, and Indiana University, the researchers are spread across Germany and the United States, and plan to present their work on August 7 at the Who Are You?! Adventures in Authentication (WAY) 2020 virtual conference. Their next stage of research is to determine user comfort, effectiveness, and efficiency with the three potential input schemes — voice, up/down or left/right head movements, and taps on a surface — with test groups in both countries. Taking into account that the “online guessing” threshold of protection could require up to 25 yes-no responses, the researchers may determine that simple binary answers are less than ideal for this purpose, making more complex responses more practical.