Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

JV Roig

DOI: https://doi.org/10.48550/arXiv.1805.02931

2018-05-08

Cryptography and Security

Abstract:The National Institute of Standards and Technology (NIST) released new guidelines in June of 2017 that recommended new standards for managing and accepting user passwords. Among the new guidelines is a requirement that verifiers should check if a user's supplied password is compromised - that is, already listed in previous breach corpuses. Using a corpus of 320M breached passwords, the researcher collected information regarding Asia Pacific College students using breached passwords. Correlating these with academic performance data from each student's grade history, the researcher found that the students in the highest GPA tier had the lowest % of terrible passwords. The difference is not that large, however, which suggests that weak passwords aren't mainly because of any level of intelligence, nor should it be assumed that highly-intelligent users will have good passwords.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Nikhil Ghadge

DOI: https://doi.org/10.5121/ijci.2024.130401

2024-07-13

International Journal on Cybernetics & Informatics

Abstract:Ensuring the security of digital identities has become increasingly critical in today's interconnected world. This research investigates the intricate difficulties around securing digital identities, spanning technological, human, legal, and regulatory aspects. Key technological hurdles include vulnerabilities in authentication mechanisms, risks associated with biometric data, issues with multi-factor authentication, and challenges in implementing secure hardware. Human factors like social engineering threats, lack of awareness and education, insider threats, and psychological impacts of identity theft further complicate the landscape. Working though legal requirements and adhering to regulations, such as with data protection laws, cross-border data security issues, establishing digital identity standards, and balancing privacy and security concerns pose additional obstacles. The paper highlights the severe implications of unsecured digital identities and provides recommendations for enhancing security through a multi-pronged approach involving technological advancements, educational initiatives, and ethical considerations. The appeal underscores the pressing necessity for continued research. and collaborative efforts to bolster encryption, authentication protocols, and policy enforcement mechanisms in the digital domain.

Jan H. Klemmer,Marco Gutfleisch,Christian Stransky,Yasemin Acar,M. Angela Sasse,Sascha Fahl

DOI: https://doi.org/10.1145/3576915.3623072

2023-11-27

Abstract:Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. Similar to other areas, lots of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, or guidelines by institutions like OWASP or NIST. We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, but little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradicting and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.

Cryptography and Security

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Assumpta Ezugwu,Elochukwu Ukwandu,Celestine Ugwu,Modesta Ezema,Comfort Olebara,Juliana Ndunagu,Lizzy Ofusori,Uchenna Ome

2023-05-30

Abstract:Passwords are used majorly for end-user authentication in information and communication technology (ICT) systems due to its perceived ease of use. The use for end-user authentication extends through mobile, computers and network-based products and services. But with the attendant issues relating to password hacks, leakages, and theft largely due to weak, reuse and poor password habits of end-users, the call for passwordless authentication as alternative intensifies. All the same, there are missing knowledge of whether these password-based experiences are associated with societal economic status, educational qualification of citizens, their age and gender, technological advancements, and depth of penetration. In line with the above, understanding the experience of end-users in developing economy to ascertain their password-based experience has become of interest to the researchers. This paper aims at measuring the experience of staff and students in University communities within southeastern Nigeria on password-based authentication systems. These communities have population whose age brackets are majorly within the ages of 16 and 60 years; have people with requisite educational qualifications ranging from Diploma to Doctorate degrees and constitutes good number of ICT tools consumers. The survey had 291 respondents, and collected data about age, educational qualifications, and gender from these respondents. It also collected information about their password experience in social media network, online shopping, electronic health care services, and internet banking. Our analysis using SPSS and report by means of descriptive statistics, frequency distribution, and Chi-Square tests showed that account compromise in the geographical area is not common with the respondents reporting good experience with passwords usage.

Cryptography and Security

Steve Goliath,Pitso Tsibolane,Dirk Snyman

2024-11-06

Abstract:Cyberattacks frequently target higher educational institutions, making cybersecurity awareness and resilience critical for students. However, limited research exists on cybersecurity awareness, attitudes, and resilience among students in higher education. This study addresses this gap using the Theory of Planned Behavior as a theoretical framework. A modified Human Aspects of Information Security Questionnaire was employed to gather 266 valid responses from undergraduate and postgraduate students at a South African higher education institution. Key dimensions of cybersecurity awareness and behavior, including password management, email usage, social media practices, and mobile device security, were assessed. A significant disparity in cybersecurity awareness and practices, with postgraduate students demonstrating superior performance across several dimensions was noted. This research postulates the existence of a Cybersecurity-Education Inflection Point during the transition to postgraduate studies, coined as the Cybersecurity-Resilience Gap. These concepts provide a foundation for developing targeted cybersecurity education initiatives in higher education, particularly highlighting the need for earlier intervention at the undergraduate level.

Cryptography and Security

Suood Alroomi,Frank Li

DOI: https://doi.org/10.48550/arXiv.2309.03384

2023-09-06

Cryptography and Security

Abstract:Researchers have extensively explored how password creation policies influence the security and usability of user-chosen passwords, producing evidence-based policy guidelines. However, for web authentication to improve in practice, websites must actually implement these recommendations. To date, there has been limited investigation into what password creation policies are actually deployed by sites. Existing works are mostly dated and all studies relied on manual evaluations, assessing a small set of sites (at most 150, skewed towards top sites). Thus, we lack a broad understanding of the password policies used today. In this paper, we develop an automated technique for inferring a website's password creation policy, and apply it at scale to measure the policies of over 20K sites, over two orders of magnitude (135x) more sites than prior work. Our findings identify the common policies deployed, potential causes of weak policies, and directions for improving authentication in practice. Ultimately, our study provides the first large-scale understanding of password creation policies on the web.

Ahmad R. Pratama,Firman M. Firmansyah,Fayruz Rahma

DOI: https://doi.org/10.7717/peerj-cs.918

2022-03-11

PeerJ Computer Science

Abstract:Single sign-on (SSO) enables users to authenticate across multiple related but independent systems using a single username and password. While the number of higher education institutions adopting SSO continues to grow, little is known about the academic community’s security awareness regarding SSO. This paper aims to examine the security awareness of SSO across various demographic groups within a single higher education institution based on their age, gender, and academic roles. Additionally, we investigate some psychological factors (i.e., privacy concerns and personality traits) that may influence users’ level of SSO security awareness. Using survey data collected from 283 participants (faculty, staff, and students) and analyzed using a hierarchical linear regression model, we discovered a generational gap, but no gender gap, in security awareness of SSO. Additionally, our findings confirm that students have a significantly lower level of security awareness than faculty and staff. Finally, we discovered that privacy concerns have no effect on SSO security awareness on their own. Rather, they interact with the user’s personality traits, most notably agreeableness and conscientiousness. The findings of this study lay the groundwork for future research and interventions aimed at increasing cybersecurity awareness among users of various demographic groups as well as closing any existing gaps between them.

computer science, information systems, artificial intelligence, theory & methods

Elissa Mollakuqe,Vesna Dimitrova

DOI: https://doi.org/10.12688/openreseurope.16634.2

2024-07-29

Abstract:Background: This research delves into the critical aspects of identity management, access control, and authorization practices within the domains of public and private universities. Identity management involves the meticulous management and control of user identities, encompassing the establishment and maintenance of user profiles, role assignments, and access privileges. Access control is the practice of defining and enforcing policies that govern who can access an IT system or application and which resources they can interact with. Authorization, meanwhile, determines the specific actions and privileges granted to users based on their roles and permissions. Methods: To understand the variances in identity management and access control approaches, we conducted a comparative analysis between public and private universities. Our investigation scrutinized the user populations with access to university systems, the enforcement of access limitations, authentication methods, and password policies. Additionally, we examined the nuances of authorization processes, levels of authorization, access approval authorities, user status and role changes, unique user account management, account deletion procedures, user authentication methods, password complexity and expiration policies, password storage methods, and session termination policies. Results: This study revealed that both public and private universities prioritize these security measures, with a common categorization of these processes. Nevertheless, there exist disparities, such as the inclusion of contractors and vendors in the user population at private universities, the manual deletion of user accounts in private institutions, and variations in password policies and storage methods. Private universities tend to enforce stricter password policies, employ more secure password storage methods, and implement automatic session termination features. Conclusions: This research provides valuable insights into the practices and approaches adopted by public and private universities to safeguard their digital environments. The findings serve as a valuable resource for enhancing identity management, access control, and authorization protocols, enabling institutions to fortify their cybersecurity defenses in an ever-evolving threat landscape.

A. Jallad,Zakaria Al-Qudah,Mohammed Awad,Sahar Idwan

DOI: https://doi.org/10.1109/ICEDSA.2016.7818558

2016-12-01

Abstract:No matter how sophisticated and advanced an organization's security system is, it remains vulnerable due to the human factor. In this paper, we conducted a survey to analyze the patterns used by the faculty, staff, and students when generating passwords at a small sized university. We found that users are not as aware of security requirements and practices as they think. Moreover, the vast majority of users' passwords are breakable within days or shorter. Interestingly, we found that using numbers and uppercase letters is common among users. However, numbers are mostly used at the end of the passwords and uppercase letters are mostly used at the beginning of passwords. The existence of such trends makes it easier for attackers to generate more effective dictionaries. Based on the analysis in this paper, we make recommendations to IT personnel and the general public to harden the security of their passwords.

Computer Science

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Yimin Guo,Yajun Guo,Ping Xiong,Fan Yang,Chengde Zhang

DOI: https://doi.org/10.1109/tifs.2024.3382934

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Designing an efficient and secure authentication scheme is a significant means to ensure the security of IoT systems. Hundreds of authentication schemes tailored for IoT environments have been proposed in recent years, and regrettably, many of them were soon found to have succumbed to security vulnerabilities. In an effort to investigate the underlying reason for this, Wang et al. (at TIFS'23) recently analyzed the vulnerability of authentication schemes from the perspective of provable security. However, we observe that some authentication schemes with sound security proofs and heuristic security analysis are also not resistant to certain attacks, and even those that have been improved several times are still not immune. To explore the deep-seated reasons for security vulnerabilities in IoT authentication schemes, we divide security attacks into explicit and implicit attacks and find that many authentication schemes exhibit security under explicit attacks but are rendered vulnerable under implicit attacks. Further, we propose the relationship between the design goals of security attributes of authentication schemes and implicit attacks, analyze the vulnerability of three typical authentication schemes under implicit attacks, and find that only the security attributes capable of resisting the strongest implicit attacks are secure. Finally, we offer some specific suggestions on how to achieve the security attribute goals.

computer science, theory & methods,engineering, electrical & electronic

Bo Lu,Xiaokuan Zhang,Ziman Ling,Yinqian Zhang,Zhiqiang Lin

DOI: https://doi.org/10.1145/3274694.3274714

2018-12-03

Abstract:Text passwords remain a primary means for user authentication on modern computer systems. However, recent studies have shown the promises of guessing user passwords efficiently with auxiliary information of the targeted accounts, such as the users' personal information, previously used passwords, or those used in other systems. Authentication rate-limiting mechanisms, such as account lockout and login throttling, are common methods to defeat online password cracking attacks. But to date, no published studies have investigated how authentication rate-limiting is implemented by popular websites. In this paper, we present a measurement study of such countermeasures against online password cracking. Towards this end, we propose a black-box approach to modeling and validating the websites' implementation of the rate-limiting mechanisms. We applied the tool to examine all 182 websites that we were able to analyze in the Alexa Top 500 websites in the United States. The results are rather surprising: 131 websites (72%) allow frequent, unsuccessful login attempts without account lockout or login throttling (though some of these websites force the adversary to lower the login frequency or constantly change his IP addresses to circumvent the rate-limiting enforcement). The remaining 51 websites are not absolutely secure either: 28 websites may block a legitimate user with correct passwords when the account is locked out, effectively enabling authentication denial-of-service attacks.

Easton Kelso,Ananta Soneji,Sazzadur Rahaman,Yan Soshitaishvili,Rakibul Hasan

2024-09-05

Abstract:The education technology (EdTech) landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs as data breaches and misuses can have dire security and privacy consequences on the data subjects, particularly students, who are often compelled to use these tools. This urges an in-depth understanding of HEI and EdTech vendor dynamics, which is largely understudied. To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle in holding vendors accountable due to a lack of visibility into their system and power-asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation.

Computers and Society

Sadaf Hina,P. Dhanapal Durai Dominic

DOI: https://doi.org/10.1080/08874417.2018.1432996

2018-03-30

Journal of Computer Information Systems

Abstract:This paper provides a systematic literature review in the information security policies’ compliance (ISPC) field, with respect to information security culture, information security awareness, and information security management exploring in various settings the research designs, methodologies, and frameworks that have evolved over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.

computer science, information systems

Harjinder Singh Lallie,Andrew Thompson,Elzbieta Titis,Paul Stephens

DOI: https://doi.org/10.48550/arXiv.2307.07755

2023-07-15

Cryptography and Security

Abstract:Universities hold and process a vast amount of valuable user and research data. This makes them a prime target for cyber criminals. Additionally, universities and other educational settings, such as schools and college IT systems, have become a prime target for some of their own students -- often motivated by an opportunity to cause damage to networks and websites, and/or improve their grades. This paper provides a focused assessment of the current cyber security threat to universities, colleges, and schools (`the education sector') worldwide, providing chronological sequencing of attacks and highlighting the insider threat posed by students. Fifty-eight attacks were identified, with ransomware being the most common type of external attack, and hacking motivated by personal gain showing as the most common form of internal attack. Students, who have become a significant internal threat by either aiding or carrying out attacks are not a homogeneous group, as students may be motivated by different factors, therefore calling for targeted responses. Furthermore, the education sector is increasingly reliant on third party IT service providers meaning attacks on third parties can impact the university and its users. There is very little research analysing this problem, even less research analysing the problem in the context of schools. Hence this paper provides one of the first known assessment of the cyber attacks against the education sector, focusing on insider threat posed by students and offering recommendations for mitigating wider cyber threats.

Michal Kepkowski,Maciej Machulak,Ian Wood,Dali Kaafar

DOI: https://doi.org/10.48550/arXiv.2308.08096

2023-08-16

Cryptography and Security

Abstract:Fast Identity Online 2 (FIDO2), a modern authentication protocol, is gaining popularity as a default strong authentication mechanism. It has been recognized as a leading candidate to overcome limitations (e.g., phishing resistance) of existing authentication solutions. However, the task of deprecating weak methods such as password-based authentication is not trivial and requires a comprehensive approach. While security, privacy, and end-user usability of FIDO2 have been addressed in both academic and industry literature, the difficulties associated with its integration with production environments, such as solution completeness or edge-case support, have received little attention. In particular, complex environments such as enterprise identity management pose unique challenges for any authentication system. In this paper, we identify challenging enterprise identity lifecycle use cases (e.g., remote workforce and legacy systems) by conducting a usability study, in which over 100 cybersecurity professionals shared their perception of challenges to FIDO2 integration from their hands-on field experience. Our analysis of the user study results revealed serious gaps such as account recovery (selected by over 60% of our respondents), and identify priority development areas for the FIDO2 community.

Sam Hays,Michael Sandborn,Dr. Jules White

2024-01-22

Abstract:Approximately 61% of cyber attacks involve adversaries in possession of valid credentials. Attackers acquire credentials through various means, including phishing, dark web data drops, password reuse, etc. Multi-factor authentication (MFA) helps to thwart attacks that use valid credentials, but attackers still commonly breach systems by tricking users into accepting MFA step up requests through techniques, such as ``MFA Bombing'', where multiple requests are sent to a user until they accept one. Currently, there are several solutions to this problem, each with varying levels of security and increasing invasiveness on user devices. This paper proposes a token-based enrollment architecture that is less invasive to user devices than mobile device management, but still offers strong protection against use of stolen credentials and MFA attacks.

Cryptography and Security