Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

Jiaqi Pan,Xinyan Zhou,Yue Hou,Xiaoyu Ji,Haiming Chen

DOI: https://doi.org/10.1109/jsen.2024.3443914

IF: 4.3

2024-01-01

IEEE Sensors Journal

Abstract:With the popularity of wearable devices, verifying the user identity of wearable devices is critical for system security, especially when performing sensitive operations such as financial payments. In this paper, we propose M-PPG, which uses photoplethysmography (PPG) measurements with motor vibrations to authenticate user identities. Specifically, our observations reveal a strong correlation between PPG measurements and users, such as the user’s heartbeat characteristics and wearing habits reflected by PPG measurements are implicitly associated with users’ identities, and the motor vibration provides stable excitation signals for better security performance. M-PPG requires zero user effort with a built-in sensor and actuator in most wearable devices, i.e., PPG sensor and motor. Additionally, we reveal that indoor lighting strobe noise is an unavoidable noise in PPG-based authentication methods, and a noise reduction mechanism is designed to mitigate such phenomenon. Moreover, a multiple authentication scheme and an adaptive update scheme are proposed to keep a long-term authentication in M-PPG. The experimental results among 20 participants demonstrate that M-PPG achieves an average accuracy of 94:5% in daily situations. With a well-designed authentication mechanism, the pass rate of legitimate users can reach 99:9%, while the pass rate of attackers is only 0:6%.

Jongkil Jay Jeong,Syed Wajid Ali Shah,Ashish Nanda,Robin Doss,Mohammad Nosouhi,Jeb Webb

DOI: https://doi.org/10.1109/thms.2024.3421538

2024-09-21

IEEE Transactions on Human-Machine Systems

Abstract:Physical authentication devices (PADs) offer a higher level of security than other authentication technologies commonly used in multifactor authentication (MFA) schemes because they are much less vulnerable to attack. However, PAD uptake remains significantly lower than that for SMS and app-based approaches, accounting for only 10% of all authentication technologies currently being utilized in MFA. Prior studies indicate that the primary reason for this low adoption rate is due to negative users' perceptions and attitudes toward the usability of PADs; many of these studies often skew toward a particular set of users (e.g., young university students, etc.), often creating a bias toward what usable security entails. To address this limitation, we have formulated an original research methodology that segments users into specific groups based on their user characteristics (i.e., age, education, and experience) and examines how each group defines usability and ranks their preferences regarding certain security features. Based on a survey of 410 participants, our results indicate that there are indeed different usable security preferences for each user group, and we, therefore, provide recommendations on how existing PADs might be enhanced to support usability and improve adoption rates.

computer science, cybernetics, artificial intelligence

Jamie Seto,Ye Wang,Xiaodong Lin

DOI: https://doi.org/10.1109/GLOCOM.2014.7036976

2014-01-01

Abstract:Mobile device security has become increasingly important as we become more dependent on mobile devices. One fundamental security problem is user authentication, and if not executed correctly, leaves the mobile user vulnerable to harm like impersonation. Although many user authentication mechanisms have presented in the past, studies have shown mobile users prefer usability over security and, unfortunately, a higher level of security often entails sacrificing usability. Moreover, mobile users often unlock their devices in public spaces, inevitably resulting in a high possibility of user credentials disclosure. Motivated by the above, we introduce a novel user-habit-oriented authentication model, where mobile users can integrate their own habits with user authentication on mobile devices. The user-habit-oriented authentication turns a tedious security action into an enjoyable experience. Also, we propose a rhythm based authentication scheme, providing the first proof of concept toward secure user-habit-oriented authentication for mobile devices. Experimental results show that the proposed scheme has high accuracy in terms of false rejection rate. Also, the proposed scheme is able to protect from attacks caused by credential disclosure, which could be fatal to the traditional schemes.

Verena Zimmermann,Paul Gerber,Alina Stöver

DOI: https://doi.org/10.48550/arXiv.2209.13958

IF: 6.4588

2022-09-28

Human-Computer Interaction

Abstract:Choosing authentication schemes for a specific purpose is challenging for service providers, developers, and researchers. Previous ratings of technical and objective aspects showed that available schemes all have strengths and limitations. Yet, the security of authentication also relies on user perceptions which affect acceptance and user behaviour and can deviate from technical aspects. To shine light on the issue and support researchers, developers, and service-providers confronted with authentication choice, we conducted an in-depth analysis of user perceptions of the password, fingerprint, and a smartphone-based scheme in an online study with 201 participants. As authentication is a secondary task that needs to be evaluated in the context of authentication purpose, we also compared perceptions across four contexts of use with varying sensitivity levels: email accounts, online banking, social networks, and smart homes. The results revealed how perceptions of usability, security, privacy, trust, effort, and qualitative features of the schemes are related to user preferences. The results increase awareness for the influence of subjective perceptions and have practical implications for decision-makers. They can inform a) the choice between several adequate schemes, b) the authentication design to reduce concerns or security-related misconceptions, and c) the development of context-dependent authentication.

zhang min,brendan ryan,sarah atkinson

DOI: https://doi.org/10.1007/978-94-007-2792-2_4

2012-01-01

Abstract:Nowadays alphanumeric passwords are still widely used, even though it causes the well-known ‘password problem’. There are a lot of studies on alternative user authentication schemes which try to take place of the textual password. PixelPin is one of the picture-based authentication systems, which are base on Blonder’s patent (Graphical Passwords. United States Patent 55599611996). This paper is the report on our evaluation of the PixelPin by conducting four experiments. In specific, we summarized the issues of PixelPin’s usability and security via web-based user study and focus group. We also tried to understand users’ choice of picture and the way of their memorization of the click-points. A cursor effect was studies in the last experiment. Finally, some issues are proposed to be solved in the future work.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1109/tdsc.2016.2605087

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

Hassan Khan,Jason Ceci,Jonah Stegman,Adam J. Aviv,Rozita Dara,Ravi Kuber

DOI: https://doi.org/10.48550/arXiv.2008.10697

2020-08-25

Abstract:Personal Identification Numbers (PINs) are widely used as an access control mechanism for digital assets (e.g., smartphones), financial assets (e.g., ATM cards), and physical assets (e.g., locks for garage doors or homes). Using semi-structured interviews (n=35), participants reported on PIN usage for different types of assets, including how users choose, share, inherit, and reuse PINs, as well as behaviour following the compromise of a PIN. We find that memorability is the most important criterion when choosing a PIN, more so than security or concerns of reuse. Updating or changing a PIN is very uncommon, even when a PIN is compromised. Participants reported sharing PINs for one type of asset with acquaintances but inadvertently reused them for other assets, thereby subjecting themselves to potential risks. Participants also reported using PINs originally set by previous homeowners for physical devices (e.g., alarm or keypad door entry systems). While aware of the risks of not updating PINs, this did not always deter participants from using inherited PINs, as they were often missing instructions on how to update them. %While aware of the risks of not updating PINs, participants continued using these PINs, as they were often missing instructions on how to update <a class="link-external link-http" href="http://them.Given" rel="external noopener nofollow">this http URL</a> the expected increase in PIN-protected assets (e.g., loyalty cards, smart locks, and web apps), we provide suggestions and future research directions to better support users with multiple digital and non-digital assets and more secure human-device interaction when utilizing PINs.

Human-Computer Interaction,Cryptography and Security

Yuchen Su,Guoqing Jiang,Yicong Du,Yuefeng Chen,Hongbo Liu,Yanzhi Ren,Huan Dai,Yan Wang,Shuai Li,Yingying Chen

DOI: https://doi.org/10.1109/icdcs57875.2023.00074

2023-01-01

Abstract:Personal Identification Number (PIN), as one of the primary means of protecting digital properties and privacy on mobile devices, has been suffering from shoulder surfing attacks and weak password guessing for the long term. Recent years witness the growing interest in two-factor authentication that takes advantage of two different ways for mutual verification, thereby strengthening user authentication's accuracy and reliability. Especially with the popularity of smartwatches, more physiological signals are readily available to facilitate two-factor authentication. This paper presents a lightweight and unobtrusive two-factor authentication scheme, P 2 Auth, integrating the PIN and unique keystroke-related Photoplethysmography (PPG) measurement on wearables. Specifically, we propose the transformation of the multivariate PPG signal induced by the keystrokes to extract reliable biometric features. We develop short-time energy-based methods to identify the input cases, thus enabling support the authentication for both one-handed and two-handed input cases. Furthermore, we also consider the situation where there is no fixed PIN and design a new enhanced privacy scheme by combining the PPG measurements of different keystrokes to improve authentication security. The experiments involving 15 volunteers demonstrate that our prototype system can achieve an average authentication accuracy of over 95% for one-handed cases and over 90% for two-handed cases.

Xinyan Zhou,Jiaqi Pan,Zenan Zhang,Xiaoyu Ji,Haiming Chen

DOI: https://doi.org/10.1109/icpads56603.2022.00039

IF: 4.3

2023-01-01

IEEE Sensors Journal

Abstract:Verifying the user identity of wearable devices is crucial for system security, especially for sensitive operations like making financial payments. A photoplethys-mography (PPG)-based two-factor authentication can be a promising solution with widely deployed PPG sensors within wearable devices. Our observations find PPG readings reveal a significant relevance to the user's hand motions, that is, gestures, while the user's heartbeat characteristics and wearing habits are also implicitly related, which can be utilized for user authentication. In this article, we design G-PPG, a gesture-related PPG-based two-factor authentication mechanism that can nonintrusively validate the user's identity. In G-PPG, a gesture detection and segmentation module and a specific feature set are designed for accurate gesture-related PPG characteristic extraction. Moreover, a user-defined security level and an adaptive update scheme are proposed for the high accuracy of long-term authentication. The experimental results among 15 participants demonstrate that G-PPG can achieve over 90% accuracy in different scenarios on average. With a carefully designed authentication mechanism, the pass rate for legitimate users can reach up to 96.67%, while the value is only 0.62% for attackers.

Brain Glass,Graeme Jenkinson,Yuqi Liu,M. Angela Sasse,Frank Stajano

DOI: https://doi.org/10.48550/arXiv.1607.03417

IF: 6.4588

2016-07-12

Human-Computer Interaction

Abstract:Over the past 15 years, researchers have identified an increasing number of security mechanisms that are so unusable that the intended users either circumvent them or give up on a service rather than suffer the security. With hindsight, the reasons can be identified easily enough: either the security task itself is too cumbersome and/or time-consuming, or it creates high friction with the users` primary task. The aim of the research presented here is to equip designers who select and implement security mechanisms with a method for identifying the ``best fit`` security mechanism at the design stage. Since many usability problems have been identified with authentication, we focus on ``best fit`` authentication, and present a framework that allows security designers not only to model the workload associated with a particular authentication method, but more importantly to model it in the context of the user`s primary task. We draw on results from cognitive psychology to create a method that allows a designer to understand the impact of a particular authentication method on user productivity and satisfaction. In a validation study using a physical mockup of an airline check-in kiosk, we demonstrate that the model can predict user performance and satisfaction. Furthermore, design experts suggested personalized order recommendations which were similar to our model`s predictions. Our model is the first that supports identification of a holistic fit between the task of user authentication and the context in which it is performed. When applied to new systems, we believe it will help designers understand the usability impact of their security choices and thus develop solutions that maximize both.

Kat Krol,Eleni Philippou,Emiliano De Cristofaro,M. Angela Sasse

DOI: https://doi.org/10.48550/arXiv.1501.04434

2015-01-19

Cryptography and Security

Abstract:To prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time password generated by a hardware token or received via SMS, besides a password. We can expect some solutions -- especially those adding a token -- to create extra work for users, but little research has investigated usability, user acceptance, and perceived security of deployed 2FA. This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 16 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues, especially with the use of hardware tokens, showing that the mental and physical workload involved shapes how they use online banking. Key targets for improvements are (i) the reduction in the number of authentication steps, and (ii) removing features that do not add any security but negatively affect the user experience.

Mahdi Nikooghadam,Haleh Amintoosi,Saru Kumari

DOI: https://doi.org/10.1007/s11277-021-08430-2

IF: 2.017

2021-04-03

Wireless Personal Communications

Abstract:The advent of smart and pervasive devices have paved the way for the development of Internet of Things in which, various smart devices collect information about the daily life of people and share it to the scientists and specialists. There are numerous applications in the domain of IoT such as smart healthcare systems in which, wearable devices collect health-related data from the users and transmit it for further processes. However, security challenges are a major concern in the success of smart healthcare applications. Specifically, to protect the security of communications among the wearable sensor devices and the gateways/servers, a secure and lightweight authentication scheme is needed. Recently, Li et al. proposed a lightweight authentication scheme for smart wearable systems (IEEE Internet Things J. 10.1109/JIOT.2020.2984618). Their protocol makes use of fuzzy extractor technique and lightweight operations such as bitwise XOR operations and cryptographic hash function. However, in this comment, we prove that Li et al.'s scheme is prone to the stolen wearable device attack and user impersonation attack. We also discuss the causes and provide some suggestions as the remedy.

telecommunications

Sanchari Das,Bingxing Wang,Zachary Tingle,L. Jean Camp

DOI: https://doi.org/10.48550/arXiv.1908.05901

2019-08-16

Cryptography and Security

Abstract:Security vulnerabilities of traditional single factor authentication has become a major concern for security practitioners and researchers. To mitigate single point failures, new and technologically advanced Multi-Factor Authentication (MFA) tools have been developed as security solutions. However, the usability and adoption of such tools have raised concerns. An obvious solution can be viewed as conducting user studies to create more user-friendly MFA tools. To learn more, we performed a systematic literature review of recently published academic papers (N = 623) that primarily focused on MFA technologies. While majority of these papers (m = 300) proposed new MFA tools, only 9.1% of papers performed any user evaluation research. Our meta-analysis of user focused studies (n = 57) showed that researchers found lower adoption rate to be inevitable for MFAs, while avoidance was pervasive among mandatory use. Furthermore, we noted several reporting and methodological discrepancies in the user focused studies. We identified trends in participant recruitment that is indicative of demographic biases.

Tao Feng,Nicholas DeSalvo,Lei Xu,Xi Zhao,Xi Wang,Weidong Shi

DOI: https://doi.org/10.4108/icst.mobicase.2014.257767

2014-01-01

Abstract:With the rise of Internet connected mobile devices, applications have migrated from PCs to mobile computing platforms. An important aspect, payment processing, faces new security challenges from these developments. Inasmuch, these advancements demand efforts from researchers and industry to meet increasing security needs. Threats can ensue from data loss, theft from lost, stolen, or decommissioned devices, information-stealing malware, and password peeping. We propose a secure framework for sensitive session driven applications which combines biometric-based continuous and implicit tracking of user identities, and TrustZone. This framework is accomplished through monitoring fingerprint authentication logs as well as detecting events when the phone has left the user's hands, all while in TrustZone, a platform for secure computation and storage on mobile devices. This solution leverages multiple onboard sensors as well as the ARM architecture to accomplish these feats. We conducted two user-studies acquiring smartphone users' usage statistics to investigate security and usability needs of our identity-tracking solution. To monitor these subtle gestures in real-world uncontrolled environments, multi-session data collection has been conducted to iteratively improve system performance. The evaluation results have demonstrated the feasibility of this framework as a secure session-based payment system.

Marc Saideh,Jean-Paul Jamont,Laurent Vercouter

DOI: https://doi.org/10.3390/s24144621

2024-07-18

Abstract:Communication between connected objects in the Internet of Things (IoT) often requires secure and reliable authentication mechanisms to verify identities of entities and prevent unauthorized access to sensitive data and resources. Unlike other domains, IoT offers several advantages and opportunities, such as the ability to collect real-time data through numerous sensors. These data contains valuable information about the environment and other objects that, if used, can significantly enhance authentication processes. In this paper, we propose a novel idea to building opportunistic sensor-based authentication factors by leveraging existing IoT sensors in a system of systems approach. The objective is to highlight the promising prospects of opportunistic authentication factors in enhancing IoT security. We claim that sensors can be utilized to create additional authentication factors, thereby reinforcing existing object-to-object authentication mechanisms. By integrating these opportunistic sensor-based authentication factors into multi-factor authentication schemes, IoT security can be substantially improved. We demonstrate the feasibility and effectivenness of our idea through illustrative experiments in a parking entry scenario, involving both mobile robots and cars, achieving high identification accuracy. We highlight the potential of this novel method to improve IoT security and suggest future research directions for formalizing and comparing our approach with existing techniques.

Cryptography and Security

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-23829-6_11

2015-01-01

Abstract:Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Shanshan Li,Chunxiang Xu,Yuan Zhang,Jianying Zhou

DOI: https://doi.org/10.1109/tifs.2022.3209886

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:We investigate existing “password+hardware token”-based authentication schemes deployed in real-world applications and observe that they are vulnerable to critical threats. Specifically, a compromised manufacturer may issue a backdoored hardware token to a user and later recover the user’s secret, which is well known as backdoor attacks. Additionally, an authentication credential in these schemes consists of two parts: the one is derived from the password, the other one is derived from the hardware token. However, since the two parts are independent of each other, if an adversary can physically access the hardware token of a victim, he is able to break security of these schemes by performing dictionary-guessing attacks (DGA), which is called mislaying-then-DGA. In this paper, we design a non-interactively re-randomizable reverse firewall signature mechanism for securing hardware tokens, such that the user’s secret is well protected even if a backdoor is embedded. We also utilize a servers-aided password-based encryption mechanism to harden hardware tokens, so as to “seamlessly” integrate the two factors into one credential. Based on the above mechanisms, we develop a secure two-factor authentication scheme, dubbed ATTACH. We evaluate ATTACH in terms of security and efficiency to demonstrate it achieves a strong security guarantee with high efficiency.

Vanesa Daza,Matteo Signorini

DOI: https://doi.org/10.1007/978-3-319-09885-2_19

2014-08-22

Abstract:Market analysis predicts that in a few years, companies, universities, government agencies as well as common people in they daily life will increasingly adopt mobile computing systems thus increasingly enjoying the benefits of online, Internet-based services. However, such scenario will also expose user data privacy to severe attacks. This situation has led to the development of authentication approaches aimed at preventing unauthorized access to user data. Many different authentication approaches have been proposed over the last years, starting from basic password to more complex biometric solutions but all of them have proven to suffer from the same weaknesses. This issue drove us to design a solution based upon hardware intrinsic security features and aimed at guaranteeing a high level of data privacy while providing a user friendly authentication process. Our solution shows advanced features of data privacy policies definition making it a good candidate for the construction of future data privacy policies.

Mozhgan Azimpourkivi,Umut Topkara,Bogdan Carbunar

DOI: https://doi.org/10.1145/3131904

2017-10-21

Abstract:We introduce Pixie, a novel, camera based two factor authentication solution for mobile and wearable devices. A quick and familiar user action of snapping a photo is sufficient for Pixie to simultaneously perform a graphical password authentication and a physical token based authentication, yet it does not require any expensive, uncommon hardware. Pixie establishes trust based on both the knowledge and possession of an arbitrary physical object readily accessible to the user, called trinket. Users choose their trinkets similar to setting a password, and authenticate by presenting the same trinket to the camera. The fact that the object is the trinket, is secret to the user. Pixie extracts robust, novel features from trinket images, and leverages a supervised learning classifier to effectively address inconsistencies between images of the same trinket captured in different circumstances. Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts, generated with 40,000 trinket images that we captured and collected from public datasets. We identify master images, that match multiple trinkets, and study techniques to reduce their impact. In a user study with 42 participants over 8 days in 3 sessions we found that Pixie outperforms text based passwords on memorability, speed, and user preference. Furthermore, Pixie was easily discoverable by new users and accurate under field use. Users were able to remember their trinkets 2 and 7 days after registering them, without any practice between the 3 test dates.

Cryptography and Security