Non-intrusive continuous user authentication for mobile devices

Karatzouni, Sevasti

January 2014

The modern mobile device has become an everyday tool for users and business. Technological advancements in the device itself and the networks that connect them have enabled a range of services and data access which have introduced a subsequent increased security risk. Given the latter, the security requirements need to be re-evaluated and authentication is a key countermeasure in this regard. However, it has traditionally been poorly served and would benefit from research to better understand how authentication can be provided to establish sufficient trust. This thesis investigates the security requirements of mobile devices through literature as well as acquiring the user’s perspectives. Given the findings it proposes biometric authentication as a means to establish a more trustworthy approach to user authentication and considers the applicability and topology considerations. Given the different risk and requirements, an authentication framework that offers transparent and continuous is developed. A thorough end-user evaluation of the model demonstrates many positive aspects of transparent authentication. The technical evaluation however, does raise a number of operational challenges that are difficult to achieve in a practical deployment. The research continues to model and simulate the operation of the framework in an controlled environment seeking to identify and correlate the key attributes of the system. Based upon these results and a number of novel adaptations are proposed to overcome the operational challenges and improve upon the impostor detection rate. The new approach to the framework simplifies the approach significantly and improves upon the security of the system, whilst maintaining an acceptable level of usability.

005.8

Establishing Confidence Level Measurements for Remote User Authentication in Privacy-Critical Systems

Robertson, Matthew

January 2009

User Authentication is the process of establishing confidence in the User identities presented to an information system. This thesis establishes a method of assigning a confidence level to the output of a user authentication process based on what attacks and threats it is vulnerable to. Additionally, this thesis describes the results of an analysis where the method was performed on several different authentication systems and the confidence level in the authentication process of these systems determined. Final conclusions found that most systems lack confidence in their ability to authenticate users as the systems were unable to operate in the face of compromised authenticating information. Final recommendations were to improve on this inadequacy, and thus improve the confidence in the output of the authentication process, through the verification of both static and dynamic attributes of authenticating information. A system that operates confidently in the face of compromised authenticating information that utilizes voice verification is described demonstrating the ability of an authentication system to have complete confidence in its ability to authenticate a user through submitted data.

User Authentication

Biometrics

Cryptography

Electrical and Computer Engineering

Establishing Confidence Level Measurements for Remote User Authentication in Privacy-Critical Systems

Robertson, Matthew

January 2009

User Authentication is the process of establishing confidence in the User identities presented to an information system. This thesis establishes a method of assigning a confidence level to the output of a user authentication process based on what attacks and threats it is vulnerable to. Additionally, this thesis describes the results of an analysis where the method was performed on several different authentication systems and the confidence level in the authentication process of these systems determined. Final conclusions found that most systems lack confidence in their ability to authenticate users as the systems were unable to operate in the face of compromised authenticating information. Final recommendations were to improve on this inadequacy, and thus improve the confidence in the output of the authentication process, through the verification of both static and dynamic attributes of authenticating information. A system that operates confidently in the face of compromised authenticating information that utilizes voice verification is described demonstrating the ability of an authentication system to have complete confidence in its ability to authenticate a user through submitted data.

User Authentication

Biometrics

Cryptography

Electrical and Computer Engineering

Design and Implementation of User Authentication Based on Keystroke Dynamic

Hsin, Tsung-Chin

28 January 2008

In the traditional login systems, we use the username and the password to identify the legalities of users. It is a simple and convenient way to identify, but passwords could be stolen or copied by someone who tries to invade the system illegally. Adding one protective mechanism to identify users, the way of biometrics are brought out, such as keystroke dynamics, fingerprints, DNA, retinas and so on that are unique characteristics of each individuals, it could be more effective in preventing trespassing. This thesis uses keystroke biometrics as research aspects of user authentication. The advantages of this system are low-cost and high security to identify users using keyboard to calculate the time of keystrokes. In this thesis, we use statistical way to examine the researches and experiments. Chosen length of the username and password are greater than or equal to 9 characters, and learning sample sizes are 20 and adapting the sample adaptation mechanism, the results show that we achieved by False Acceptance Rate of 0.85%, False Rejection Rate of 1.51% and Average False Rate of 1.18%; all reach the high levels of safeties.

User Authentication

Biometrics Feature

Keystroke Dynamic

A Comparison of Three Verification Methods for Keystroke Dynamic

Chen, Hsiao-ying

11 February 2009

In login systems, a user is asked to enter his correct account and password in order to be allowed to enter to the system. The safety of systems is at the risk of leaking out the information, hence, the single mechanism of identity verification has not filled the bill at present. We study the personal typing behavior to get one¡¦s own specific features. In our thesis , we compare three methods and anlysis the advantages and shortcomings of those three. First one is to sort the twenty study data, and distribute the weights into the proper region. If the total weights is less than the threshold then this test data will be accepted, otherwise, it will be rejected. The second and third method are similar. Both of them are trying to rescale the data. The spirit of them is that the typing rate of a person will be faster when they type frequently and will be sloer when they are out of practice. However the relative positions of those keys, the lengths of ons¡¦s fingers, and the time that people making pauses in reading unpunctuated are unique. Those factors can be one¡¦s typing rhythm. There are twenty two individuals involved in this experiment. Each one choose his own proficient account and password to type and set up his typing model. The imposters are randomly choose legal user to imitate.

User Authentication

Keystroke Dynamic

Biometrics Feature

Next-generation user authentication schemes for IoT applications

Gupta, Sandeep

27 October 2020

The unprecedented rise of IoT has revolutionized every business vertical enthralling people to embrace IoT applications in their day-to-day lives to accrue multifaceted benefits. It is absolutely fair to say that a day without connected IoT systems, such as smart devices, smart enterprises, smart homes or offices, etc., would hamper our conveniences, drastically. Many IoT applications for these connected systems are safety-critical, and any unauthorized access could have severe consequences to their consumers and society. In the overall IoT security spectrum, human-to-machine authentication for IoT applications is a critical and foremost challenge owing to highly prescriptive characteristics of conventional user authentication schemes, i.e., knowledge-based or token-based authentication schemes, currently used in them. Furthermore, studies have reported numerous users’ concerns, from both the security and usability perspectives, that users are facing in using available authentication schemes for IoT applications. Therefore, an impetus is required to upgrade user authentication schemes for new IoT age applications to address any unforeseen incidents or unintended consequences. This dissertation aims at designing next-generation user authentication schemes for IoT applications to secure connected systems, namely, smart devices, smart enterprises, smart homes, or offices. To accomplish my research objectives, I perform a thorough study of ways and types of user authentication mechanisms emphasizing their security and usability ramifications. Subsequently, based on the substantive findings of my studies, I design, prototype, and validate our proposed user authentication schemes. I exploit both physiological and behavioral biometrics to design novel schemes that provide implicit (frictionless), continuous (active) or risk-based (non-static) authentication for multi-user scenarios. Afterward, I present a comparative analysis of the proposed schemes in terms of accuracy against the available state-of-the-art user authentication solutions. Also, I conduct SUS surveys to evaluate the usability of user authentication schemes.

E-invigilation of e-assessments

Ketab, Salam

January 2017

E-learning and particularly distance-based learning is becoming an increasingly important mechanism for education. A leading Virtual Learning Environment (VLE) reports a user base of 70 million students and 1.2 million teachers across 7.5 million courses. Whilst e-learning has introduced flexibility and remote/distance-based learning, there are still aspects of course delivery that rely upon traditional approaches. The most significant of these is examinations. The lack of being able to provide invigilation in a remote-mode has restricted the types of assessments, with exams or in-class test assessments proving difficult to validate. Students are still required to attend physical testing centres in order to ensure strict examination conditions are applied. Whilst research has begun to propose solutions in this respect, they fundamentally fail to provide the integrity required. This thesis seeks to research and develop an e-invigilator that will provide continuous and transparent invigilation of the individual undertaking an electronic based exam or test. The analysis of the e-invigilation solutions has shown that the suggested approaches to minimise cheating behaviours during the online test have varied. They have suffered from a wide range of weaknesses and lacked an implementation achieving continuous and transparent authentication with appropriate security restrictions. To this end, the most transparent biometric approaches are identified to be incorporated in an appropriate solution whilst maintaining security beyond the point-of-entry. Given the existing issues of intrusiveness and point-of-entry user authentication, a complete architecture has been developed based upon maintaining student convenience but providing effective identity verification throughout the test, rather than merely at the beginning. It also provides continuous system-level monitoring to prevent cheating, as well as a variety of management-level functionalities for creating and managing assessments including a prioritised and usable interface in order to enable the academics to quickly verify and check cases of possible cheating. The research includes a detailed discussion of the architecture requirements, components, and complete design to be the core of the system which captures, processes, and monitors students in a completely controlled e-test environment. In order to highlight the ease of use and lightweight nature of the system, a prototype was developed. Employing student face recognition as the most transparent multimodal (2D and 3D modes) biometrics, and novel security features through eye tracking, head movements, speech recognition, and multiple faces detection in order to enable a robust and flexible e-invigilation approach. Therefore, an experiment (Experiment 1) has been conducted utilising the developed prototype involving 51 participants. In this experiment, the focus has been mainly upon the usability of the system under normal use. The FRR of those 51 legitimate participants was 0 for every participant in the 2D mode; however, it was 0 for 45 of them and less than 0.096 for the rest 6 in the 3D mode. Consequently, for all the 51 participants of this experiment, on average, the FRR was 0 in 2D facial recognition mode, however, in 3D facial recognition mode, it was 0.048. Furthermore, in order to evaluate the robustness of the approach against targeted misuse 3 participants were tasked with a series of scenarios that map to typical misuse (Experiment 2). The FAR was 0.038 in the 2D mode and 0 in the 3D mode. The results of both experiments support the feasibility, security, and applicability of the suggested system. Finally, a series of scenario-based evaluations, involving the three separate stakeholders namely: Experts, Academics (qualitative-based surveys) and Students (a quantitative-based and qualitative-based survey) have also been utilised to provide a comprehensive evaluation into the effectiveness of the proposed approach. The vast majority of the interview/feedback outcomes can be considered as positive, constructive and valuable. The respondents agree with the idea of continuous and transparent authentication in e-assessments as it is vital for ensuring solid and convenient security beyond the point-of-entry. The outcomes have also supported the feasibility and practicality of the approach, as well as the efficiency of the system management via well-designed and smart interfaces.

Federated authentication using the Cloud (Cloud Aura)

Al Abdulwahid, Abdulwahid Abdullah

January 2017

Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorised user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. Traditionally deployed in a point-of-entry mode (although a number of implementations also provide for re-authentication), the intrusive nature of the control is a significant inhibitor. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This thesis reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art and identifying the open problems to be tackled and available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between the need for high security whilst maximising user satisfaction. This is followed by a comprehensive literature survey and critical analysis of the existing research domain on continuous and transparent multibiometric authentication. It is evident that most of the undertaken studies and proposed solutions thus far endure one or more shortcomings; for instance, an inability to balance the trade-off between security and usability, confinement to specific devices, lack or negligence of evaluating users’ acceptance and privacy measures, and insufficiency or absence of real tested datasets. It concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilised in a universal manner. Accordingly, it is paramount to have a high level of performance, scalability, and interoperability amongst existing and future systems, services and devices. A survey of 302 digital device users was undertaken and reveals that despite the widespread interest in more security, there is a quite low number of respondents using or maintaining the available security measures. However, it is apparent that users do not avoid applying the concept of authentication security but avoid the inconvenience of its current common techniques (biometrics are having growing practical interest). The respondents’ perceptions towards Trusted Third-Party (TTP) enable utilising biometrics for a novel authentication solution managed by a TTP working on multiple devices to access multiple services. However, it must be developed and implemented considerately. A series of experimental feasibility analysis studies disclose that even though prior Transparent Authentication Systems (TAS) models performed relatively well in practice on real live user data, an enhanced model utilising multibiometric fusion outweighs them in terms of the security and transparency of the system within a device. It is also empirically established that a centralised federated authentication approach using the Cloud would help towards constructing a better user profile encompassing multibiometrics and soft biometric information from their multiple devices and thus improving the security and convenience of the technique beyond those of unimodal, the Non-Intrusive and Continuous Authentication (NICA), and the Weighted Majority Voting Fusion (WMVF) and what a single device can do by itself. Furthermore, it reduces the intrusive authentication requests by 62%-74% (of the total assumed intrusive requests without operating this model) in the worst cases. As such, the thesis proposes a novel authentication architecture, which is capable of operating in a transparent, continuous and convenient manner whilst functioning across a range of digital devices – bearing in mind it is desirable to work on differing hardware configurations, operating systems, processing capabilities and network connectivity but they are yet to be validated. The approach, entitled Cloud Aura, can achieve high levels of transparency thereby being less dependent on secret-knowledge or any other intrusive login and leveraging the available devices capabilities without requiring any external sensors. Cloud Aura incorporates a variety of biometrics from different types, i.e. physiological, behavioural, and soft biometrics and deploys an on-going identity confidence level based upon them, which is subsequently reflected on the user privileges and mapped to the risk level associated to them, resulting in relevant reaction(s). While in use, it functions with minimal processing overhead thereby reducing the time required for the authentication decision. Ultimately, a functional proof of concept prototype is developed showing that Cloud Aura is feasible and would have the provisions of effective security and user convenience.

005.8

Authentication aura : a cooperative and distributed approach to user authentication on mobile devices

Hocking, Christopher George

January 2015

As information technology pervades our lives we have increasingly come to rely on these evermore sophisticated and ubiquitous items of equipment. Portability and the desire to be connected around the clock has driven the rapid growth in adoption of mobile devices that enable us to talk, message, tweet and inform at will, whilst providing a means to shop and administer bank accounts. These high value, high risk, desirable devices are increasingly the target of theft and improvement in their protection is actively sought by Governments and security agencies. Although forms of security are in place they are compromised by human reluctance and inability to administer them effectively. With typical users operating across multiple devices, including traditional desktop PCs, laptops, tablets and smartphones, they can regularly find themselves having a variety of devices open concurrently. Even if the most basic security is in place, there is a resultant need to repeatedly authenticate, representing a potential source of hindrance and frustration. This thesis explores the need for a novel approach to user authentication, which will reduce the authentication burden whilst providing a secure yet adaptive security mechanism; a so called Authentication Aura. It proposes that the latent security potential contained in surrounding devices and possessions in everyday life can be leveraged to augment security, and provides a framework for a distributed and cooperative approach. An experiment was performed to ascertain the technological infrastructure, devices and inert objects that surround individuals throughout the day. Using twenty volunteers, over a fourteen-day period a dataset of 1.57 million recorded observations was gathered, which confirmed that between 6am and 12pm a significant device or possession is in near proximity 97.84% of the time. Using the data provided by the experiment as the basis for a simulation of the framework, it suggests a reduction of up to 80.36% in the daily number of required authentications for a user operating a device once every 30 minutes, with a 10 minute screen lock in place. Examining the influence of location alone indicated a reduction of 50.74% in user interventions lowering the average from 32 to 15.76, the addition of the surroundings reducing this further to 13.00. The analysis also investigated how a user’s own authentication status could be used to negate the need to repeatedly manually authenticate and it was found that it delayed the process for up to 90 minutes for an individual user. Ultimately, it confirms that during device activation it is possible to remove the need to authenticate with the Authentication Aura providing sufficient assurance.

005.25

CredProxy: A Password Manager for Online Authentication Environments

Golrang, Mohammad Saleh

20 December 2012

Internet users are increasingly required to sign up for online services and establish accounts before receiving service from websites. On the one hand, generation of strong usernames and passwords is a difficult task for the user. On the other hand, memorization of strong passwords is by far more problematic for the average user. Thus, the average user has a tendency to use weak passwords, and also reuse his passwords for more than one website, which makes several attacks feasible. Under the aforementioned circumstances, the use of password managers is beneficial, since they unburden the user from the task of memorizing user credentials. However, password managers have a number of weaknesses. This thesis is mainly aimed at alleviating some of the intrinsic weaknesses of password managers. We propose three cryptographic protocols which can improve the security of password managers while enhancing user convenience. We also present the design of a phishing and Man-in-the-Browser resistant password manger which best fits into our scheme. Furthermore, we present our novel virtual on-screen keyboard and keypad which are designed to provide strong protection mechanisms against threats such as keylogging and shoulder surfing.

Dictionary Attacks

Password Managers

Password Security

Website User Authentication

Virtual Keyboards

MITB Attacks