Security experts have devised a novel authentication system that exploits quantum effects to make fraud-proof credit cards or IDs. Called Quantum-Secure Authentication (QSA), the technology relies on the quantum properties of single light beams, called photons, including their ability to be in multiple places at once.

Quantum physics keys

Credit: Dennis Pierce

“We experimentally demonstrate quantum-secure authentication (QSA) of a classical multiple-scattering key. The key is authenticated by illuminating it with a light pulse containing fewer photons than spatial degrees of freedom and verifying the spatial shape of the reflected light,” explained the researchers in journal Optica.

The researchers at University of Twente and Eindhoven University of Technology coated a credit card with a thin layer of white paint containing millions of nanoparticles. This wasn’t some rough paint job, though – the nanoparticles were carefully placed so that photons might scatter in a predictable manner. When light hits the nanoparticles, it bounces around until it escapes, creating a unique pattern that depends on the precise position of the particles in the paint. Each card has its own, signature way of reflecting light and this is how it’s enrolled in the system. When the card is inserted in an ATM, it’s flushed with a pulse of light that is unique to each transaction. Once the response matches that expected by the ATM machine, the user can freely make whatever financial transaction he may wish.

Credit: University of Twente

“Even if somebody has the full information of how the card is built, technology does not allow him to build a copy,” lead author Pepijn Pinkse of the University of Twente said via email. “The nanoparticles are too small and there are too many of them which need to be positioned with too high accuracy.”

The innovation lies in how the system makes the authentication key impossible to copy due to technological limitations (you’d need a lab like the one used by the researchers) and the fact that it can’t be digitally replicated. Because the system is based on quantum physics, hackers can’t discern the incident light pulse so that they cannot emulate the key by digitally constructing the expected optical response, even if all information about the key is publicly known. That’s because  due to the characteristics of quantum physics, an attempt to observe the question and answer process between a reader and the card would destroy the information in the transmission. As such, QSA isn’t just another multi-factor verification. It goes beyond asking you “what’s your mother’s maiden name” or other trivial road blocks for hackers. It’s a veritable dead end.

Components and principle of operation for the QSA system. Credit: University of Twente

“The problem is that even if the attacker were to obtain a correct challenge response, for a single challenge, it would be impossible for them to recreate that response in a way that would authenticate due to the properties of Quantum Physics,” said Malwarebytes’s head of malware intelligence, Adam Kujawa.

“In addition, they would need to know that the challenge response would be used again in a lock that has dynamically generated keyholes.”

In practice, the paint the researchers used for this demonstration won’t appear in the final mass-produced product because it’s too vulnerable to degradation. Instead, ceramics will be used and as far as price is concerned, a readout device wouldn’t cost more than a projector phone at about $1,000 since it has the necessary components. But will this be actually “unhackable”? Experience has thought us that there’s no such thing, but it sure got a heck of a lot harder that’s for sure!