Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

朱明,周津,王继康

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.10.053

2002-01-01

Abstract:Password plays an important part in security management for most computers and networks. How to prevent illegal intrusion due to password stealing is always one open question. A new approach which identifies user by utilizing keystroke features is proposed when user inputs his password. The key pressure and keystroke frequency when user strikes the keyboard to enter his password are used to construct a peculiar keystroke vector representing each user respectively. A new algorithm is put forward to classify positive and negative examples only by a limited positive examples. The related experiment indicates this approach has a good discerning ability.

Hai-Rong Lv,Wen-Yuan Wang

DOI: https://doi.org/10.1109/tce.2006.1706507

2006-01-01

IEEE Transactions on Consumer Electronics

Abstract:This paper presents a novel biologic verification method based on pressure sensor keyboards and classifier fusion techniques. The pressure sensor keyboard is a new product that occurs in the market recently. It produces a pressure sequence when keystroke occurs. The analysis of the pressure sequence should be a novel research area. In this paper, we use the pressure sequence and traditional keystroke dynamics in user authentication. Three methods (global features of pressure sequences, dynamic time warping, and traditional keystroke dynamics) are proposed for the authentication task. We combined the three methods together using a classifier fusion technique at last. Several experiments were performed on a database containing 5000 samples of 100 individuals and the best result were achieved utilizing all the method, obtaining an equal error rate of 1.41%. To make a comparison, the equal error rate is 2.04% when we use only the traditional keystroke dynamics. This approach can be used to improve the usual login-password authentication when the password is no more a secret

Man Zhou,Qian Wang,Xiu Lin,Yi Zhao,Peipei Jiang,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/tdsc.2022.3151889

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:PIN authentication is widely used on mobile devices due to its usability and simplicity. However, it is known to be susceptible to shoulder surfing attacks, where an adversary spies the user’s PIN by direct human observation or camera-based recording. This paper proposes PressPIN, a novel enhanced PIN authenticator on mobile devices by sensing pressures from the user’s finger. Since pressure-sensitive touch screens are unavailable on most phones, we leverage the structure-borne propagation of sounds to estimate the pressure on the screen. When the user inputs the PINs, the pressure is extracted from each number to form the $n$ -bit pressure code, where $n$ corresponds to the length of the PIN sequence. The pressure code is difficult to be inferred by snooping or videotaping, and increases the entropy of passwords. In this way, PressPIN provides a low-cost, user-friendly, and more secure solution resistant to shoulder surfing attacks. Our extensive experiments with 30 participants and three types of smartphones demonstrate that PressPIN can authenticate legitimate users with high accuracy (e.g., as high as 96.7% within two trials), and is robust to various types of attacks (e.g., only 2.5% attack success rate even when the adversary can observe the legitimate user’s PIN sequence and finger pressing clearly). Additionally, PressPIN requires no additional hardware (e.g., the pressure sensor) and can be readily integrated into existing authentication systems of mobile devices.

Xin Su,Bingying Wang,Xuewu Zhang,Yupeng Wang,Dongmin Choi

DOI: https://doi.org/10.1002/cpe.4150

2018-01-01

Abstract:Secure mechanisms have been adapted to satisfy the needs of mobile subscribers; however, the mobile environment is quite different from a desktop PC or laptop-based environment. The existing attack patterns in mobile environments are also quite different, and the countermeasures applied should be enhanced. In regards to usability, the mobile environment is based on mobility, and thus, mobile devices are designed and developed to enhance the owner's efficiency. To avoid forgetting passwords, people are willing to adopt simple alphanumeric-character combinations, which are easy to remember and convenient to enter. As a result, the passwords have a high probability of being cracked or exposed. In this paper, we study the potential security problems caused by simple and weak passwords, discuss drawbacks of some conventional works, and propose 3 creative schemes to increase the complexity and strength of passwords by applying the envisioned features. Note that our proposals are based on the assumption that the textual passwords are not difficult for users to remember or enter and do not cause inconvenience to users. In other words, the proposed methods can increase the complexity of simple passwords without the awareness of users.

Qingli Guo,Jing Ye,Bing Li,Yu Hu,Xiaowei Li,Yazhu Lan,Guohe Zhang

DOI: https://doi.org/10.1016/j.vlsi.2018.10.003

IF: 1.345

2019-01-01

Integration

Abstract:Secure passwords need high entropy, but are difficult for users to remember. Password managers minimize the memory burden by storing site passwords locally or generating secure site passwords from a master password through hashing or key stretching. Unfortunately, they are threatened by the single point of failure introduced by the master password which is vulnerable to various attacks such as offline attack and shoulder surfing attack. To handle these issues, this paper proposes the PUFPass, a secure password management mechanism based on software/hardware codesign. By introducing the hardware primitive, Physical Unclonable Function (PUF), into PUFPass, the random physical disorder is exploited to strengthen site passwords. An illustration of PUFPass in the Android operating system is given. PUFPass is evaluated from aspects of both security and preliminary usability. The security of the passwords is evaluated using a compound heuristic algorithm based PUF attack software and an open source password cracking software, respectively. Finally, PUFPass is compared with other password management mechanisms using the Usability-Deployability-Security (UDS) framework. The results show that PUFPass has great advantages in security while maintaining most benefits in usability.

zhang min,brendan ryan,sarah atkinson

DOI: https://doi.org/10.1007/978-94-007-2792-2_4

2012-01-01

Abstract:Nowadays alphanumeric passwords are still widely used, even though it causes the well-known ‘password problem’. There are a lot of studies on alternative user authentication schemes which try to take place of the textual password. PixelPin is one of the picture-based authentication systems, which are base on Blonder’s patent (Graphical Passwords. United States Patent 55599611996). This paper is the report on our evaluation of the PixelPin by conducting four experiments. In specific, we summarized the issues of PixelPin’s usability and security via web-based user study and focus group. We also tried to understand users’ choice of picture and the way of their memorization of the click-points. A cursor effect was studies in the last experiment. Finally, some issues are proposed to be solved in the future work.

Yuchen Su,Guoqing Jiang,Yicong Du,Yuefeng Chen,Hongbo Liu,Yanzhi Ren,Huan Dai,Yan Wang,Shuai Li,Yingying Chen

DOI: https://doi.org/10.1109/icdcs57875.2023.00074

2023-01-01

Abstract:Personal Identification Number (PIN), as one of the primary means of protecting digital properties and privacy on mobile devices, has been suffering from shoulder surfing attacks and weak password guessing for the long term. Recent years witness the growing interest in two-factor authentication that takes advantage of two different ways for mutual verification, thereby strengthening user authentication's accuracy and reliability. Especially with the popularity of smartwatches, more physiological signals are readily available to facilitate two-factor authentication. This paper presents a lightweight and unobtrusive two-factor authentication scheme, P 2 Auth, integrating the PIN and unique keystroke-related Photoplethysmography (PPG) measurement on wearables. Specifically, we propose the transformation of the multivariate PPG signal induced by the keystrokes to extract reliable biometric features. We develop short-time energy-based methods to identify the input cases, thus enabling support the authentication for both one-handed and two-handed input cases. Furthermore, we also consider the situation where there is no fixed PIN and design a new enhanced privacy scheme by combining the PPG measurements of different keystrokes to improve authentication security. The experiments involving 15 volunteers demonstrate that our prototype system can achieve an average authentication accuracy of over 95% for one-handed cases and over 90% for two-handed cases.

Simon Parkinson,Saad Khan,Andrew Crampton,Qing Xu,Weizhi Xie,Na Liu,Kyle Dakin

DOI: https://doi.org/10.1049/bme2.12017

2021-01-25

IET Biometrics

Abstract:Behavioural biometrics have the potential to provide an additional or alternative authentication mechanism to those involving a shared secret (i.e. a password). Keystroke timings are the focus of this study, where key press and release timings are acquired whilst monitoring a user typing a known phrase. Many studies exist in keystroke biometrics, but there is an absence of literature aiming to understand the relationship between characteristics of password policies and the potential of keystroke biometrics. Furthermore, benchmark datasets used in keystroke biometric research do not enable useful insights into the relationship between their capability and password policy. Herein, substitutions of uppercase, numeric, special characters, and their combination of passwords derived from English words are considered. Timings for 42 participants for the same 40 passwords are acquired. A matching system using the Manhattan distance measure with seven different feature sets is implemented, culminating in an Equal Error Rate of between 6% and 11% and accuracy values between 89% and 94%, demonstrating comparable accuracy to other threshold‐based systems. Further analysis suggests that the best feature sets are those containing all timings and trigraph press to press. Evidence also suggests that phrases containing fewer characters have greater accuracy, except for those with special character substitutions.

computer science, artificial intelligence

Yanyan Li,Junshuang Yang,Mengjun Xie,Dylan Carlson,Han Gil Jang,Jiang Bian

DOI: https://doi.org/10.1109/milcom.2015.7357627

2015-01-01

Abstract:Personal identification numbers (PIN) and unlock patterns are highly popular authentication mechanisms on smart mobile devices but they are not sufficiently secure. PIN or pattern mechanisms enhanced by additional, implicit behavioral biometric authentication can offer stronger authentication assurance while preserving usability, therefore becoming very attractive. Individual studies on PIN- and pattern-based behavioral biometric authentication on smartphones were conducted but their results cannot be directly compared. In this work, we present a comparison study on the authentication accuracy between PIN-based and pattern-based behavioral biometric authentication using both smartphone and tablet. We developed a uniform framework for both PIN-based and pattern-based schemes and used two representative methods-Histogram and DTW-for user verification. We recruited 15 users and collected behavioral biometric data for both simple and complex PINs and patterns. Our experimental results show that PIN-based and pattern-based behavioral biometric authentication schemes can achieve about the same level of accuracy but not all verification methods are equal. The Histogram method can achieve more consistent results and handle template aging better than the DTW method based on our results. Our findings are expected to shed light on the exploration and analysis of effective behavioral biometric verification methods and facilitate more comprehensive investigation on behavioral biometric authentication for mobile devices.

Matin Fallahi,Patricia Arias Cabarcos,Thorsten Strufe

2024-02-23

Abstract:Passwords remain a widely-used authentication mechanism, despite their well-known security and usability limitations. To improve on this situation, next-generation authentication mechanisms, based on behavioral biometric factors such as eye movement and brainwave have emerged. However, their usability remains relatively under-explored. To fill this gap, we conducted an empirical user study (n=32 participants) to evaluate three brain-based and three eye-based authentication mechanisms, using both qualitative and quantitative methods. Our findings show good overall usability according to the System Usability Scale for both categories of mechanisms, with average SUS scores in the range of 78.6-79.6 and the best mechanisms rated with an "excellent" score. Participants particularly identified brainwave authentication as more secure yet more privacy-invasive and effort-intensive compared to eye movement authentication. However, the significant number of neutral responses indicates participants' need for more detailed information about the security and privacy implications of these authentication methods. Building on the collected evidence, we identify three key areas for improvement: privacy, authentication interface design, and verification time. We offer recommendations for designers and developers to improve the usability and security of next-generation authentication mechanisms.

Human-Computer Interaction,Cryptography and Security

Maro Choi,Shincheol Lee,Minjae Jo,Ji Sun Shin

DOI: https://doi.org/10.3390/s21062242

2021-03-23

Abstract:Authentication methods using personal identification number (PIN) and unlock patterns are widely used in smartphone user authentication. However, these authentication methods are vulnerable to shoulder-surfing attacks, and PIN authentication, in particular, is poor in terms of security because PINs are short in length with just four to six digits. A wide range of research is currently underway to examine various biometric authentication methods, for example, using the user's face, fingerprint, or iris information. However, such authentication methods provide PIN-based authentication as a type of backup authentication to prepare for when the maximum set number of authentication failures is exceeded during the authentication process such that the security of biometric authentication equates to the security of PIN-based authentication. In order to overcome this limitation, research has been conducted on keystroke dynamics-based authentication, where users are classified by analyzing their typing patterns while they are entering their PIN. As a result, a wide range of methods for improving the ability to distinguish the normal user from abnormal ones have been proposed, using the typing patterns captured during the user's PIN input. In this paper, we propose unique keypads that are assigned to and used by only normal users of smartphones to improve the user classification performance capabilities of existing keypads. The proposed keypads are formed by randomly generated numbers based on the Mersenne Twister algorithm. In an attempt to demonstrate the superior classification performance of the proposed unique keypad compared to existing keypads, all tests except for the keypad type were conducted under the same conditions in earlier work, including collection-related features and feature selection methods. Our experimental results show that when the filtering rates are 10%, 20%, 30%, 40%, and 50%, the corresponding equal error rates (EERs) for the proposed keypads are improved by 4.15%, 3.11%, 2.77%, 3.37% and 3.53% on average compared to the classification performance outcomes in earlier work.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-23829-6_11

2015-01-01

Abstract:Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Junjie Yan,Kevin Huang,Tamara Bonaci,Howard J. Chizeck

DOI: https://doi.org/10.1109/iros.2015.7353521

2015-01-01

Abstract:Haptic technologies have made it possible for human users to interact with cyber systems not only via traditional interfaces like keyboards and mice but also by applying force and motion. With these extra information channels, how a user haptically interacts with a system potentially presents unique user dependent features and can thus be used for authentication purposes. In this paper, we propose a new biometric technology based on haptic interaction. Our technique leverages artificial neural network (ANN) based wavelet analysis to perform user identification. Identification and authentication are done in two steps: a discrete wavelet transform (DWT) is applied to extract features, and then the neural network is used to perform identification and authentication. The performance of the model is evaluated based on identification and authentication accuracies. The results show that our proposed haptic password system has a high identification accuracy and that it is resistant to forgery attacks.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Ruben Tolosana,Ruben Vera-Rodriguez,Julian Fierrez

DOI: https://doi.org/10.1109/TMC.2019.2911506

2022-05-03

Abstract:This work enhances traditional authentication systems based on Personal Identification Numbers (PIN) and One-Time Passwords (OTP) through the incorporation of biometric information as a second level of user authentication. In our proposed approach, users draw each digit of the password on the touchscreen of the device instead of typing them as usual. A complete analysis of our proposed biometric system is carried out regarding the discriminative power of each handwritten digit and the robustness when increasing the length of the password and the number of enrolment samples. The new e-BioDigit database, which comprises on-line handwritten digits from 0 to 9, has been acquired using the finger as input on a mobile device. This database is used in the experiments reported in this work and it is available together with benchmark results in GitHub. Finally, we discuss specific details for the deployment of our proposed approach on current PIN and OTP systems, achieving results with Equal Error Rates (EERs) ca. 4.0% when the attacker knows the password. These results encourage the deployment of our proposed approach in comparison to traditional PIN and OTP systems where the attack would have 100% success rate under the same impostor scenario.

Cryptography and Security,Computer Vision and Pattern Recognition,Human-Computer Interaction

Kim-Phuong L. Vu,Robert W. Proctor,Abhilasha Bhargav-Spantzel,Bik-Lam Tai,Joshua Cook,E. Eugene Schultz,Bik-Lam (Belin) Tai

DOI: https://doi.org/10.1016/j.ijhcs.2007.03.007

2007-08-01

Abstract:Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username–password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

computer science, cybernetics,ergonomics,psychology, multidisciplinary

Wang Qiang,Qin Zhiguang

DOI: https://doi.org/10.1109/ICACTE.2010.5579457

2010-01-01

Abstract:Passwords are the most popular authentication mechanism on the Internet. People have to remember many passwords for their many online accounts. However, selecting and keeping track of all the passwords that are required to maintain a person's online identity becomes a cumbersome task. In this paper, we propose a password protocol that allows a user to securely login multiple web accounts using the same password. Our aim is to make web authentication more secure and more convenient. Each online account of a user is protected by a unique password generated from the user's single password using a combination of the password entered by the user, data associated with the web site, and a random string generated by the extension itself from a pass phrase entered by the user. Compromising a user's password at one site does not allow the attacker to login at another site. Our method is secure against dictionary attacks, password phishing, and many other exploits. Working transparently, our method minimizes changes to user experience. It is easy to deploy as it can be implemented as a browser extension and requires no change on web servers. © 2010 IEEE.