Multi-Factor Authentication: A Survey

Today, digitalization decisively penetrates all the sides of the modern society. One of the key enablers to maintain this process secure is authentication. It covers many different areas of a hyper-connected world, including online payments, communications, access right management, etc. This work sheds light on the evolution of authentication systems towards Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). Particularly, MFA is expected to be utilized for human-to-everything interactions by enabling fast, user-friendly, and reliable authentication when accessing a service. This paper surveys the already available and emerging sensors (factor providers) that allow for authenticating a user with the system directly or by involving the cloud. The corresponding challenges from the user as well as the service provider perspective are also reviewed. The MFA system based on reversed Lagrange polynomial within Shamir’s Secret Sharing (SSS) scheme is further proposed to enable more flexible authentication. This solution covers the cases of authenticating the user even if some of the factors are mismatched or absent. Our framework allows for qualifying the missing factors by authenticating the user without disclosing sensitive biometric data to the verification entity. Finally, a vision of the future trends in MFA is discussed.Peer reviewe

Recent Application in Biometrics

In the recent years, a number of recognition and authentication systems based on biometric measurements have been proposed. Algorithms and sensors have been developed to acquire and process many different biometric traits. Moreover, the biometric technology is being used in novel ways, with potential commercial and practical implications to our daily activities. The key objective of the book is to provide a collection of comprehensive references on some recent theoretical development as well as novel applications in biometrics. The topics covered in this book reflect well both aspects of development. They include biometric sample quality, privacy preserving and cancellable biometrics, contactless biometrics, novel and unconventional biometrics, and the technical challenges in implementing the technology in portable devices. The book consists of 15 chapters. It is divided into four sections, namely, biometric applications on mobile platforms, cancelable biometrics, biometric encryption, and other applications. The book was reviewed by editors Dr. Jucheng Yang and Dr. Norman Poh. We deeply appreciate the efforts of our guest editors: Dr. Girija Chetty, Dr. Loris Nanni, Dr. Jianjiang Feng, Dr. Dongsun Park and Dr. Sook Yoon, as well as a number of anonymous reviewers

Platform Embedded Security Technology Revealed

Computer scienc

Social, Private, and Trusted Wearable Technology under Cloud-Aided Intermittent Wireless Connectivity

There has been an unprecedented increase in the use of smart devices globally, together with novel forms of communication, computing, and control technologies that have paved the way for a new category of devices, known as high-end wearables. While massive deployments of these objects may improve the lives of people, unauthorized access to the said private equipment and its connectivity is potentially dangerous. Hence, communication enablers together with highly-secure human authentication mechanisms have to be designed.In addition, it is important to understand how human beings, as the primary users, interact with wearable devices on a day-to-day basis; usage should be comfortable, seamless, user-friendly, and mindful of urban dynamics. Usually the connectivity between wearables and the cloud is executed through the user’s more power independent gateway: this will usually be a smartphone, which may have potentially unreliable infrastructure connectivity. In response to these unique challenges, this thesis advocates for the adoption of direct, secure, proximity-based communication enablers enhanced with multi-factor authentication (hereafter refereed to MFA) that can integrate/interact with wearable technology. Their intelligent combination together with the connection establishment automation relying on the device/user social relations would allow to reliably grant or deny access in cases of both stable and intermittent connectivity to the trusted authority running in the cloud.The introduction will list the main communication paradigms, applications, conventional network architectures, and any relevant wearable-specific challenges. Next, the work examines the improved architecture and security enablers for clusterization between wearable gateways with a proximity-based communication as a baseline. Relying on this architecture, the author then elaborates on the social ties potentially overlaying the direct connectivity management in cases of both reliable and unreliable connection to the trusted cloud. The author discusses that social-aware cooperation and trust relations between users and/or the devices themselves are beneficial for the architecture under proposal. Next, the author introduces a protocol suite that enables temporary delegation of personal device use dependent on different connectivity conditions to the cloud.After these discussions, the wearable technology is analyzed as a biometric and behavior data provider for enabling MFA. The conventional approaches of the authentication factor combination strategies are compared with the ‘intelligent’ method proposed further. The assessment finds significant advantages to the developed solution over existing ones.On the practical side, the performance evaluation of existing cryptographic primitives, as part of the experimental work, shows the possibility of developing the experimental methods further on modern wearable devices.In summary, the set of enablers developed here for wearable technology connectivity is aimed at enriching people’s everyday lives in a secure and usable way, in cases when communication to the cloud is not consistently available

Transparent User Authentication For Mobile Applications

The use of smartphones in our daily lives has grown steadily, due to the combination of mobility and round-the-clock multi-connectivity. In particular, smartphones are used to perform activities, such as sending emails, transferring money via mobile Internet banking, making calls, texting, surfing the Internet, viewing documents, storing medical, confidential and personal information, shopping online and playing games. Some active applications are considered sensitive and confidential and the risks are high in the event of the loss of any sensitive data or privacy breaches. In addition, after the point of entry, using techniques such as a PIN or password, the user of the device can perform almost all tasks, of different risk levels, without having to re-authenticate periodically to re-validate the user’s identity. Furthermore, the current point-of-entry authentication mechanisms consider all the applications on a mobile device to have the same level of importance and so do not apply any further access control rules. As a result, with the rapid growth of smartphones for use in daily life, securing the sensitive data stored upon them makes authentication of paramount importance. In this research, it is argued that within a single mobile application there are different processes operating on the same data but with differing risks attached. The unauthorised disclosure or modification of mobile data has the potential to lead to a number of undesirable consequences for the user. Thus, there is no single level of risk associated with a given application and the risk level changes during use. In this context, a novel mobile applications data risk assessment model is proposed to appreciate the risk involved within an application (intra-process security). Accordingly, there is a need to suggest a method to be applied continuously and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond point of entry, without the explicit involvement of the user. To this end, a transparent and continuous authentication mechanism provides a basis for convenient and secure re-authentication of the user. The mechanism is used to gather user data in the background without requiring any dedicated activity, by regularly and periodically checking user behaviour to provide continuous monitoring for the protection of the smartphone. In order to investigate the feasibility of the proposed system, a study involving data collected from 76 participants over a one-month period using 12 mobile applications was undertaken. A series of four experiments were conducted based upon data from one month of normal device usage. The first experiment sought to explore the intra-process (i.e., within-app) and inter-process (i.e., access-only app) access levels across different time windows. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Having achieved promising experimental results, it was identified that there were some users who undertook an insufficient number of activities on the device and, therefore, achieved a high level of intrusive authentication requests. As a result, there was a need to investigate whether a specific combination of time windows would perform better with a specific type of user. To do this, the numbers of intrusive authentication requests were computed based on three usage levels (high, medium and low) at both the intra- and inter-process access levels. This approach achieved better results when compared with the first set of results: the average percentage of intrusive authentication requests was 3%, which indicates a clear enhancement. The second and third experiments investigated only the intra-process and inter-process, respectively, to examine the effect of the access level. Finally, the fourth experiment investigated the impact of specific biometric modalities on overall system performance. In this research study, a Non-Intrusive Continuous Authentication (NICA) framework was applied by utilising two security mechanisms: Alert Level (AL) and Integrity Level (IL). During specific time windows, the AL process is used to seek valid samples. If there are no samples, the identity confidence is periodically reduced by a degradation function, which is 10% of current confidence in order to save power while the mobile device is inactive. In the case of the mobile user requesting to perform a task, the IL is applied to check the legitimacy of that user. If the identity confidence level is equal to or greater than the specified risk action level, transparent access is allowed. Otherwise, an intrusive authentication request is required in order to proceed with the service. In summary, the experimental results show that this approach achieved sufficiently high results to fulfil the security obligations. The shortest time window of AL= 2 min / IL = 5 min produced an average intrusive authentication request rate of 18%, whereas the largest time window (AL= 20 min / IL = 20 min) provided 6%. Interestingly, when the participants were divided into three levels of usage, the average intrusive authentication request rate was 12% and 3% for the shortest time window (AL = 2 min / IL = 5 min) and the largest time window (AL= 20 min / IL = 20), respectively. Therefore, this approach has been demonstrated to provide transparent and continuous protection to ensure the validity of the current user by understanding the risk involved within a given application.Royal Embassy of Saudi Arabia Cultural Bureau in U

Transparent User Authentication For Mobile Applications

The use of smartphones in our daily lives has grown steadily, due to the combination of mobility and round-the-clock multi-connectivity. In particular, smartphones are used to perform activities, such as sending emails, transferring money via mobile Internet banking, making calls, texting, surfing the Internet, viewing documents, storing medical, confidential and personal information, shopping online and playing games. Some active applications are considered sensitive and confidential and the risks are high in the event of the loss of any sensitive data or privacy breaches. In addition, after the point of entry, using techniques such as a PIN or password, the user of the device can perform almost all tasks, of different risk levels, without having to re-authenticate periodically to re-validate the user’s identity. Furthermore, the current point-of-entry authentication mechanisms consider all the applications on a mobile device to have the same level of importance and so do not apply any further access control rules. As a result, with the rapid growth of smartphones for use in daily life, securing the sensitive data stored upon them makes authentication of paramount importance. In this research, it is argued that within a single mobile application there are different processes operating on the same data but with differing risks attached. The unauthorised disclosure or modification of mobile data has the potential to lead to a number of undesirable consequences for the user. Thus, there is no single level of risk associated with a given application and the risk level changes during use. In this context, a novel mobile applications data risk assessment model is proposed to appreciate the risk involved within an application (intra-process security). Accordingly, there is a need to suggest a method to be applied continuously and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond point of entry, without the explicit involvement of the user. To this end, a transparent and continuous authentication mechanism provides a basis for convenient and secure re-authentication of the user. The mechanism is used to gather user data in the background without requiring any dedicated activity, by regularly and periodically checking user behaviour to provide continuous monitoring for the protection of the smartphone. In order to investigate the feasibility of the proposed system, a study involving data collected from 76 participants over a one-month period using 12 mobile applications was undertaken. A series of four experiments were conducted based upon data from one month of normal device usage. The first experiment sought to explore the intra-process (i.e., within-app) and inter-process (i.e., access-only app) access levels across different time windows. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Having achieved promising experimental results, it was identified that there were some users who undertook an insufficient number of activities on the device and, therefore, achieved a high level of intrusive authentication requests. As a result, there was a need to investigate whether a specific combination of time windows would perform better with a specific type of user. To do this, the numbers of intrusive authentication requests were computed based on three usage levels (high, medium and low) at both the intra- and inter-process access levels. This approach achieved better results when compared with the first set of results: the average percentage of intrusive authentication requests was 3%, which indicates a clear enhancement. The second and third experiments investigated only the intra-process and inter-process, respectively, to examine the effect of the access level. Finally, the fourth experiment investigated the impact of specific biometric modalities on overall system performance. In this research study, a Non-Intrusive Continuous Authentication (NICA) framework was applied by utilising two security mechanisms: Alert Level (AL) and Integrity Level (IL). During specific time windows, the AL process is used to seek valid samples. If there are no samples, the identity confidence is periodically reduced by a degradation function, which is 10% of current confidence in order to save power while the mobile device is inactive. In the case of the mobile user requesting to perform a task, the IL is applied to check the legitimacy of that user. If the identity confidence level is equal to or greater than the specified risk action level, transparent access is allowed. Otherwise, an intrusive authentication request is required in order to proceed with the service. In summary, the experimental results show that this approach achieved sufficiently high results to fulfil the security obligations. The shortest time window of AL= 2 min / IL = 5 min produced an average intrusive authentication request rate of 18%, whereas the largest time window (AL= 20 min / IL = 20 min) provided 6%. Interestingly, when the participants were divided into three levels of usage, the average intrusive authentication request rate was 12% and 3% for the shortest time window (AL = 2 min / IL = 5 min) and the largest time window (AL= 20 min / IL = 20), respectively. Therefore, this approach has been demonstrated to provide transparent and continuous protection to ensure the validity of the current user by understanding the risk involved within a given application.Royal Embassy of Saudi Arabia Cultural Bureau in U

Becoming Artifacts: Medieval Seals, Passports and the Future of Digital Identity

What does a digital identity token have to do with medieval seals? Is the history of passports of any use for enabling the discovery of Internet users\u27 identity when crossing virtual domain boundaries during their digital browsing and transactions? The agility of the Internet architecture and its simplicity of use have been the engines of its growth and success with the users worldwide. As it turns out, there lies also its crux. In effect, Internet industry participants have argued that the critical problem business is faced with on the Internet is the absence of an identity layer from the core protocols of its logical infrastructure. As a result, the cyberspace parallels a global territory without any identification mechanism that is reliable, consistent and interoperable across domains. This dissertation is an investigation of the steps being taken by Internet stakeholders in order to resolve its identity problems, through the lenses of historical instances where similar challenges were tackled by social actors. Social science research addressing the Internet identity issues is barely nascent. Research on identification systems in general is either characterized by a paucity of historical perspective, or scantily references digital technology and online identification processes. This research is designed to bridge that gap. The general question at its core is: How do social actors, events or processes enable the historical emergence of authoritative identity credentials for the public at large? This work is guided by that line of inquiry through three broad historical case studies: first, the medieval experience with seals used as identity tokens in the signing of deeds that resulted in transfers of rights, particularly estate rights; second, comes the modern, national state with its claim to the right to know all individuals on its territory through credentials such as the passport or the national identity card; and finally, viewed from the United States, the case of ongoing efforts to build an online digital identity infrastructure. Following a process-tracing approach to historical case study, this inquiry presents enlightening connections between the three identity frameworks while further characterizing each. We understand how the medieval doctrines of the Trinity and the Eucharist developed by schoolmen within the Church accommodated seals as markers of identity, and we understand how the modern state seized on the term `nationality\u27 - which emerged as late as in the 19th century - to make it into a legal fiction that was critical for its identification project. Furthermore, this investigation brings analytical insights which enable us to locate the dynamics driving the emergence of those identity systems. An ordering of the contributing factors in sequential categories is proposed in a sociohistorical approach to explain the causal mechanisms at work across these large phenomena. Finally this research also proposes historically informed projections of scenarios as possible pathways to the realization of authoritative digital identity. But that is the beginning of yet another story of identity

Authentication Protocols for Internet of Things: A Comprehensive Survey

In this paper, a comprehensive survey of authentication protocols for Internet of Things (IoT) is presented. Specifically more than forty authentication protocols developed for or applied in the context of the IoT are selected and examined in detail. These protocols are categorized based on the target environment: (1) Machine to Machine Communications (M2M), (2) Internet of Vehicles (IoV), (3) Internet of Energy (IoE), and (4) Internet of Sensors (IoS). Threat models, countermeasures, and formal security verification techniques used in authentication protocols for the IoT are presented. In addition a taxonomy and comparison of authentication protocols that are developed for the IoT in terms of network model, specific security goals, main processes, computation complexity, and communication overhead are provided. Based on the current survey, open issues are identified and future research directions are proposed

Authentication Aura: A cooperative and distributed approach to user authentication on mobile devices

As information technology pervades our lives we have increasingly come to rely on these evermore sophisticated and ubiquitous items of equipment. Portability and the desire to be connected around the clock has driven the rapid growth in adoption of mobile devices that enable us to talk, message, tweet and inform at will, whilst providing a means to shop and administer bank accounts. These high value, high risk, desirable devices are increasingly the target of theft and improvement in their protection is actively sought by Governments and security agencies. Although forms of security are in place they are compromised by human reluctance and inability to administer them effectively. With typical users operating across multiple devices, including traditional desktop PCs, laptops, tablets and smartphones, they can regularly find themselves having a variety of devices open concurrently. Even if the most basic security is in place, there is a resultant need to repeatedly authenticate, representing a potential source of hindrance and frustration. This thesis explores the need for a novel approach to user authentication, which will reduce the authentication burden whilst providing a secure yet adaptive security mechanism; a so called Authentication Aura. It proposes that the latent security potential contained in surrounding devices and possessions in everyday life can be leveraged to augment security, and provides a framework for a distributed and cooperative approach. An experiment was performed to ascertain the technological infrastructure, devices and inert objects that surround individuals throughout the day. Using twenty volunteers, over a fourteen-day period a dataset of 1.57 million recorded observations was gathered, which confirmed that between 6am and 12pm a significant device or possession is in near proximity 97.84% of the time. Using the data provided by the experiment as the basis for a simulation of the framework, it suggests a reduction of up to 80.36% in the daily number of required authentications for a user operating a device once every 30 minutes, with a 10 minute screen lock in place. Examining the influence of location alone indicated a reduction of 50.74% in user interventions lowering the average from 32 to 15.76, the addition of the surroundings reducing this further to 13.00. The analysis also investigated how a user’s own authentication status could be used to negate the need to repeatedly manually authenticate and it was found that it delayed the process for up to 90 minutes for an individual user. Ultimately, it confirms that during device activation it is possible to remove the need to authenticate with the Authentication Aura providing sufficient assurance.Orange/France Teleco