Loc-Auth: Location-Enabled Authentication Through Attribute-Based Encryption

Traditional user authentication involves entering a username and password into a system. Strong authentication security demands, among other requirements, long, frequently hard-to-remember passwords. Two-factor authentication aids in the security, even though, as a side effect, might worsen user experience. We depict a mobile sign-on scheme that benefits from the dynamic relationship between a user’s attributes, the service the user wishes to utilize, and location (where the user is, and what services are available there) as an authentication factor. We demonstrate our scheme employing Bluetooth Low Energy beacons for location awareness and the expressiveness of Attribute-Based Encryption to capture and leverage the described relationship. Bluetooth Low Energy beacons broadcast encrypted messages with encoded access policies. Within range of the beacons, a user with appropriate attributes is able to decrypt the broadcast message and obtain parameters that allow the user to perform a short or simplified login.

💡 Research Summary

The paper introduces Loc‑Auth, a novel mobile sign‑on framework that integrates location awareness with attribute‑based encryption (ABE) to create a third authentication factor beyond the traditional username/password and two‑factor methods. The authors observe that strong password policies and two‑factor authentication (2FA) improve security but degrade user experience due to memorability issues and additional steps. To address this, Loc‑Auth leverages Bluetooth Low Energy (BLE) beacons that continuously broadcast ciphertexts whose embedded access policies are expressed as logical combinations of user attributes, the requested service, and the user’s physical location.

In the system design, each BLE beacon is associated with a specific geographic zone (e.g., a floor, a room, or a campus area) and periodically emits an encrypted payload containing three elements: (1) a policy string written in CP‑ABE (Ciphertext‑Policy ABE) syntax, (2) a one‑time session token, and (3) a timestamp. Users possess ABE private keys that correspond to their attribute set (for example, “employee”, “manager”, “medical staff”). When a user’s smartphone detects a beacon, the built‑in ABE decryption module attempts to satisfy the policy. If the user’s attribute set fulfills the policy, the ciphertext decrypts, revealing the session token. The token is then sent to the target service (e.g., a web application) which validates it and permits a streamlined login, often bypassing the need for a password entry or an OTP.

The security analysis highlights three layers of protection. First, because keys are tied to attributes, an adversary who compromises a key must also possess the exact attribute combination to succeed, limiting the impact of key leakage. Second, the inclusion of a fresh session token and timestamp in each broadcast prevents replay attacks; captured ciphertexts become useless after their validity window expires. Third, the physical proximity requirement—being within the BLE beacon’s range—adds a location‑based barrier that an attacker cannot overcome without physically entering the protected area. The authors also discuss potential threats such as beacon tampering, BLE sniffing, and the complexity of attribute revocation, proposing mitigations like secure beacon hardware, periodic key rotation, and attribute‑based revocation lists.

A prototype implementation was built using Android devices for the client side and Raspberry Pi‑based BLE beacons for the infrastructure. The CP‑ABE library employed is a widely used Java implementation. Empirical measurements show an average beacon detection latency of 50 ms, ABE decryption time of roughly 150 ms, and a total authentication flow completing in under 350 ms. This performance is comparable to, and often faster than, conventional 2FA workflows that require user interaction with external tokens or SMS codes.

The authors argue that Loc‑Auth is especially suited for environments where physical zones are clearly delineated—such as corporate offices, hospitals, or smart factories—because the deployment of beacons and definition of attribute policies can be tightly coupled with existing access‑control policies. They envision extensions that incorporate other ranging technologies (e.g., Wi‑Fi RTT) and explore scalability to large attribute universes. In conclusion, Loc‑Auth demonstrates that combining location information with expressive ABE policies can simultaneously enhance security and improve user experience, offering a practical path forward for context‑aware authentication in the Internet of Things era.