  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Voiceprint Vault : voice authentication service

Henderson, Paul Martin 09 December 2013
In a world dominated by smartphones, cloud computing, and online accounts, security of personal and corporate data is a critical concern. Voiceprint Vault provides a voice authentication service that can be used in a multitude of applications to secure sensitive data. Voiceprint Vault includes the following high-level features:
- Cloud-based voice authentication using trusted signal processing algorithms
- Multifactor authentication with use of optional password
- Cross-platform compatibility using secure web requests to authenticate
- Built-in storage and synching of private user data
- Java library to facilitate integration with Android applications
The Voiceprint Vault service allows users of an application to create an account, provide a voice sample, and then access the account with a simple spoken phrase. When users access their account, their voice sample is analyzed and compared to their training recordings. This system can be tailored to the needs of a particular user with per-user security options. It provides the convenience of voice access, but also allows for a password to be used for increased security. The Voiceprint Vault service is designed to allow application developers to integrate an existing, tested authentication system into their app rather than creating their own authentication system. The Voiceprint Vault server provides application specific repositories that developers can create to hold all user data, cryptographic information, and voice samples. The user data stored on the Voiceprint Vault server provides built-in synchronization across all connected devices. A reference implementation is provided that demonstrates the use of Voiceprint Vault authentication. The reference implementation is an Android app that uses the voice authentication service to protect access to personal notes, tasks, and dates that are synched across devices. Detailed instructions for integrating Voiceprint Vault into an existing application are also provided with the reference implementation. The accuracy of voiceprint authentication was investigated and optimized for a set of sample users and recordings. The security features and dangers of such a system are described along with recommendations for safe use. The optimal parameters to be used in the voice authentication algorithms are also presented in this report.
12

Combating phishing through zero-knowledge authentication

Knickerbocker, Paul, January 2008
Thesis (M.S.)--University of Oregon, 2008. / Typescript. Includes vita and abstract. Includes bibliographical references (leaves 55-62). Also available online.
13

Guessing human-chosen secrets

Bonneau, Joseph January 2012
Authenticating humans to computers remains a notable weak point in computer security despite decades of effort. Although the security research community has explored dozens of proposals for replacing or strengthening passwords, they appear likely to remain entrenched as the standard mechanism of human-computer authentication on the Internet for years to come. Even in the optimistic scenario of eliminating passwords from most of today's authentication protocols using trusted hardware devices or trusted servers to perform federated authentication, passwords will persist as a means of 'last-mile' authentication between humans and these trusted single sign-on deputies. This dissertation studies the difficulty of guessing human-chosen secrets, introducing a sound mathematical framework modeling human choice as a skewed probability distribution. We introduce a new metric, alpha-guesswork, which accurately models the resistance of a distribution against all possible guessing attacks. We also study the statistical challenges of estimating this metric using empirical data sets which can be modeled as a large random sample from the underlying probability distribution. This framework is then used to evaluate several representative data sets from the most important categories of human-chosen secrets to provide reliable estimates of security against guessing attacks. This includes collecting the largest-ever corpus of user-chosen passwords, with nearly 70 million, the largest list of human names ever assembled for research, the largest data sets of real answers to personal knowledge questions and the first data published about human choice of banking PINs. This data provides reliable numbers for designing security systems and highlights universal limitations of human-chosen secrets.
14

Weak and strong authentication in computer networks

Choi, Taehwan 22 February 2013
In this dissertation, we design and analyze five authentication protocols that answer to the affirmative the following five questions associated with the authentication functions in computer networks.
1. The transport protocol HTTP is intended to be lightweight. In particular, the execution of applications on top of HTTP is intended to be relatively inexpensive and to take full advantage of the middle boxes in the Internet. To achieve this goal, HTTP does not provide any security guarantees, including any authentication of a server by its clients. This situation raises the following question. Is it possible to design a version of HTTP that is still lightweight and yet provides some security guarantees including the authentication of servers by their clients?
2. The authentication protocol in HTTPS, called TLS, allows a client to authenticate the server with which it is communicating. Unfortunately, this protocol is known to be vulnerable to human mistakes and Phishing attacks and Pharming attacks. Is it possible to design a version of TLS that can successfully defend against human mistakes and Phishing attacks and Pharming attacks?
3. In both HTTP and HTTPS, a server can authenticate a client, with which it is communicating, using a standard password protocol. However, standard password protocols are vulnerable to the mistake of a client that uses the same password with multiple servers and to Phishing and Pharming attacks. Is it possible to design a password protocol that is resilient to client mistakes (of using the same password with multiple servers) and to Phishing and Pharming attacks?
4. Each sensor in a sensor network needs to store n - 1 symmetric keys for secure communication if the sensor network has n sensor nodes. The storage is constrained in the sensor network and the earlier approaches succeeded to reduce the number of keys, but failed to achieve secure communications in the face of eavesdropping, impersonation, and collusion. Is it possible to design a secure keying protocol for sensor networks, which is efficient in terms of computation and storage?
5. Most authentication protocols, where one user authenticates a second user, are based on the assumption that the second user has an "identity", i.e. has a name that is (1) fixed for a relatively long time, (2) unique, and (3) approved by a central authority. Unfortunately, the adoption of user identities in a network does create some security holes in that network, most notably anonymity loss, identity theft, and misplaced trust. This situation raises the following question. Is it possible to design an authentication protocol where the protocol users have no identities?
15

Location Based Authentication

Sharma, Seema 20 May 2005
With the growth of wireless technologies in sectors like the military, aviation, etc., there is a need to determine the authenticity of a genuine user. Today's conventional authentication mechanisms are based on three factors: knowledge, possession and biometrics. These factors are prone to theft, hardware failure, expensive, etc. Consequently, there is a need of a stronger solution. One such solution is Location Based Authentication that considers the location information of a user. The location information is time based and thus hard to steal. However, accuracy of the GPS, signal strength inside the building, etc., affects its potential. Consequently, there is a need to address alternatives. One such alternative is to implement a puzzle-based authentication scheme based on the location information. In the proposed scheme, the server asks dynamic location-based questions and the client answers them based on the proposed route of travel. This scheme strengthens the current authentication mechanisms.
16

Federated authentication using the Cloud (Cloud Aura)

Al Abdulwahid, Abdulwahid Abdullah January 2017
Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorised user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. Traditionally deployed in a point-of-entry mode (although a number of implementations also provide for re-authentication), the intrusive nature of the control is a significant inhibitor. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This thesis reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art and identifying the open problems to be tackled and available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between the need for high security whilst maximising user satisfaction. This is followed by a comprehensive literature survey and critical analysis of the existing research domain on continuous and transparent multibiometric authentication. It is evident that most of the undertaken studies and proposed solutions thus far endure one or more shortcomings; for instance, an inability to balance the trade-off between security and usability, confinement to specific devices, lack or negligence of evaluating users’ acceptance and privacy measures, and insufficiency or absence of real tested datasets. It concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilised in a universal manner. 
Accordingly, it is paramount to have a high level of performance, scalability, and interoperability amongst existing and future systems, services and devices. A survey of 302 digital device users was undertaken and reveals that despite the widespread interest in more security, there is a quite low number of respondents using or maintaining the available security measures. However, it is apparent that users do not avoid applying the concept of authentication security but avoid the inconvenience of its current common techniques (biometrics are having growing practical interest). The respondents’ perceptions towards Trusted Third-Party (TTP) enable utilising biometrics for a novel authentication solution managed by a TTP working on multiple devices to access multiple services. However, it must be developed and implemented considerately. A series of experimental feasibility analysis studies disclose that even though prior Transparent Authentication Systems (TAS) models performed relatively well in practice on real live user data, an enhanced model utilising multibiometric fusion outweighs them in terms of the security and transparency of the system within a device. It is also empirically established that a centralised federated authentication approach using the Cloud would help towards constructing a better user profile encompassing multibiometrics and soft biometric information from their multiple devices and thus improving the security and convenience of the technique beyond those of unimodal, the Non-Intrusive and Continuous Authentication (NICA), and the Weighted Majority Voting Fusion (WMVF) and what a single device can do by itself. Furthermore, it reduces the intrusive authentication requests by 62%-74% (of the total assumed intrusive requests without operating this model) in the worst cases. 
As such, the thesis proposes a novel authentication architecture, which is capable of operating in a transparent, continuous and convenient manner whilst functioning across a range of digital devices – bearing in mind it is desirable to work on differing hardware configurations, operating systems, processing capabilities and network connectivity but they are yet to be validated. The approach, entitled Cloud Aura, can achieve high levels of transparency thereby being less dependent on secret-knowledge or any other intrusive login and leveraging the available devices capabilities without requiring any external sensors. Cloud Aura incorporates a variety of biometrics from different types, i.e. physiological, behavioural, and soft biometrics and deploys an on-going identity confidence level based upon them, which is subsequently reflected on the user privileges and mapped to the risk level associated to them, resulting in relevant reaction(s). While in use, it functions with minimal processing overhead thereby reducing the time required for the authentication decision. Ultimately, a functional proof of concept prototype is developed showing that Cloud Aura is feasible and would have the provisions of effective security and user convenience.
17

A Theoretical Proposal of Two-Factor Authentication in Smartphones

Persson, Oskar, Wermelin, Erik January 2017
Context. For a user to gain access to a protected resource on the web, the user needs to get authenticated. There are different forms of authentication, among the most common is the ordinary user name and password scheme. This scheme is very simple to implement, but it suffers from security vulnerabilities and requires the user to remember passwords to all accounts. Two-factor authentication could be one answer to increase the security where one-factor authentication is lacking. However, depending on the implementation, two-factor authentication could still be insecure and even more user-unfriendly. Objectives. In this study, we investigate if our implementation of two-factor authentication has any advantages to existing ones. Our goal is to present a secure and user-friendly authentication scheme that uses both password and fingerprint. Methods. A literary study was performed in order to collect information on similar systems and subjects in order to build a comparable authentication model. The collected information and proposed model was then used to analyze possible drawbacks and to answer research questions. Results. Results derive from the comparison between our proposed model and two Google two-factor authentication solutions. Conclusions. The results yielded from the literary study and analysis shows that our proposed model does not add any advantages concerning security. Our model does however provide better ease of use in comparison with similar two-factor authentication solutions from Google.
18

Authentication aura : a cooperative and distributed approach to user authentication on mobile devices

Hocking, Christopher George January 2015
As information technology pervades our lives we have increasingly come to rely on these evermore sophisticated and ubiquitous items of equipment. Portability and the desire to be connected around the clock has driven the rapid growth in adoption of mobile devices that enable us to talk, message, tweet and inform at will, whilst providing a means to shop and administer bank accounts. These high value, high risk, desirable devices are increasingly the target of theft and improvement in their protection is actively sought by Governments and security agencies. Although forms of security are in place they are compromised by human reluctance and inability to administer them effectively. With typical users operating across multiple devices, including traditional desktop PCs, laptops, tablets and smartphones, they can regularly find themselves having a variety of devices open concurrently. Even if the most basic security is in place, there is a resultant need to repeatedly authenticate, representing a potential source of hindrance and frustration. This thesis explores the need for a novel approach to user authentication, which will reduce the authentication burden whilst providing a secure yet adaptive security mechanism; a so called Authentication Aura. It proposes that the latent security potential contained in surrounding devices and possessions in everyday life can be leveraged to augment security, and provides a framework for a distributed and cooperative approach. An experiment was performed to ascertain the technological infrastructure, devices and inert objects that surround individuals throughout the day. Using twenty volunteers, over a fourteen-day period a dataset of 1.57 million recorded observations was gathered, which confirmed that between 6am and 12pm a significant device or possession is in near proximity 97.84% of the time. 
Using the data provided by the experiment as the basis for a simulation of the framework, it suggests a reduction of up to 80.36% in the daily number of required authentications for a user operating a device once every 30 minutes, with a 10 minute screen lock in place. Examining the influence of location alone indicated a reduction of 50.74% in user interventions lowering the average from 32 to 15.76, the addition of the surroundings reducing this further to 13.00. The analysis also investigated how a user’s own authentication status could be used to negate the need to repeatedly manually authenticate and it was found that it delayed the process for up to 90 minutes for an individual user. Ultimately, it confirms that during device activation it is possible to remove the need to authenticate with the Authentication Aura providing sufficient assurance.
19

A structured approach to electronic authentication assurance level derivation

Yao, Li January 2010
We envisage a fine-grained access control solution that allows a user's access privilege to be linked to the confidence level (hereafter referred to as the assurance level) in identifying the user. Such a solution would be particularly attractive to a large-scale distributed resource sharing environment, where resources are likely to be more diversified and may have varying levels of sensitivity and resource providers may wish to adjust security protection levels to adapt to resource sensitivity levels or risk levels in the underlying environment. However, existing electronic authentication systems largely identify users through the verification of their electronic identity (ID) credentials. They take into account neither assurance levels of the credentials, nor any other factors that may affect the assurance level of an authentication process, and this binary approach to access control may not provide cost-effective protection to resources with varying sensitivity levels. To realise the vision of assurance level linked access control, there is a need for an authentication framework that is able to capture the confidence level in identifying a user, expressed as an authentication Level of Assurance (LoA), and link this LoA value to authorisation decision-making. This research investigates the feasibility of estimating a user's LoA at run-time by designing, prototyping and evaluating an authentication model that derives an LoA value based upon not only users' ID credentials, but also other factors such as access location, system environment and authentication protocol used. To this aim, the thesis has identified and analysed authentication attributes, processes and procedures that may influence the assurance level of an authentication environment. It has examined various use-case scenarios of authentication in Grid environments (a well-known distributed system) and investigated the relationships among the attributes in these scenarios. 
It has then proposed an authentication model, namely a generic e-authentication LoA derivation model (GEA-LoADM). The GEA-LoADM takes into account multiple authentication attributes along with their relationships, abstracts the composite effect by the multiple attributes into a generic value called the authentication LoA, and provides algorithms for the run-time derivation of LoA values. The algorithms are tailored to reflect the relationships among the attributes involved in an authentication instance. The model has a number of valuable properties, including flexibility and extensibility; it can be applied to different application contexts and supports easy addition of new attributes and removal of obsolete ones. The prototypes of the algorithms and the model have been developed. The performance and security properties of the LoA derivation algorithms and the model are analysed here and evaluated based on the prototypes. The performance costs of the GEA-LoADM are also investigated and compared against conventional authentication mechanisms, and the security of the model is tested against various attack scenarios. A case study has also been conducted using a live system, the Multi-Agency Information Sharing (MAIS) system.
20

Continuous user authentication using multi-modal biometrics

Saevanee, Hataichanok January 2014
It is commonly acknowledged that mobile devices now form an integral part of an individual’s everyday life. The modern mobile handheld devices are capable of providing a wide range of services and applications over multiple networks. With the increasing capability and accessibility, they introduce additional demands in terms of security. This thesis explores the need for authentication on mobile devices and proposes a novel mechanism to improve the current techniques. The research begins with an intensive review of mobile technologies and the current security challenges that mobile devices experience to illustrate the imperative of authentication on mobile devices. The research then highlights the existing authentication mechanism and a wide range of weaknesses. To this end, biometric approaches are identified as an appropriate solution and an opportunity for security to be maintained beyond point-of-entry. Indeed, by utilising behaviour biometric techniques, the authentication mechanism can be performed in a continuous and transparent fashion. This research investigated three behavioural biometric techniques based on SMS texting activities and messages, looking to apply these techniques as a multi-modal biometric authentication method for mobile devices. The results showed that linguistic profiling, keystroke dynamics and behaviour profiling can be used to discriminate users with overall Equal Error Rates (EER) 12.8%, 20.8% and 9.2% respectively. By using a combination of biometrics, the results showed clearly that the classification performance is better than using single biometric technique achieving EER 3.3%. Based on these findings, a novel architecture of multi-modal biometric authentication on mobile devices is proposed. The framework is able to provide a robust, continuous and transparent authentication in standalone and server-client modes regardless of mobile hardware configuration. The framework is able to continuously maintain the security status of the devices. 
With a high level of security status, users are permitted to access sensitive services and data. On the other hand, with the low level of security, users are required to re-authenticate before accessing sensitive service or data.
