Improving the Security of Mobile Devices Through Multi-Dimensional and Analog Authentication

Mobile devices are ubiquitous in today\u27s society, and the usage of these devices for secure tasks like corporate email, banking, and stock trading grows by the day. The first, and often only, defense against attackers who get physical access to the device is the lock screen: the authentication task required to gain access to the device. To date mobile devices have languished under insecure authentication scheme offerings like PINs, Pattern Unlock, and biometrics-- or slow offerings like alphanumeric passwords. This work addresses the design and creation of five proof-of-concept authentication schemes that seek to increase the security of mobile authentication without compromising memorability or usability. These proof-of-concept schemes demonstrate the concept of Multi-Dimensional Authentication, a method of using data from unrelated dimensions of information, and the concept of Analog Authentication, a method utilizing continuous rather than discrete information. Security analysis will show that these schemes can be designed to exceed the security strength of alphanumeric passwords, resist shoulder-surfing in all but the worst-case scenarios, and offer significantly fewer hotspots than existing approaches. Usability analysis, including data collected from user studies in each of the five schemes, will show promising results for entry times, in some cases on-par with existing PIN or Pattern Unlock approaches, and comparable qualitative ratings with existing approaches. Memorability results will demonstrate that the psychological advantages utilized by these schemes can lead to real-world improvements in recall, in some instances leading to near-perfect recall after two weeks, significantly exceeding the recall rates of similarly secure alphanumeric passwords

Towards Usable End-user Authentication

Authentication is the process of validating the identity of an entity, e.g., a person, a machine, etc.; the entity usually provides a proof of identity in order to be authenticated. When the entity - to be authenticated - is a human, the authentication process is called end-user authentication. Making an end-user authentication usable entails making it easy for a human to obtain, manage, and input the proof of identity in a secure manner. In machine-to-machine authentication, both ends have comparable memory and computational power to securely carry out the authentication process using cryptographic primitives and protocols. On the contrary, as a human has limited memory and computational power, in end-user authentication, cryptography is of little use. Although password based end-user authentication has many well-known security and usability problems, it is the de facto standard. Almost half a century of research effort has produced a multitude of end-user authentication methods more sophisticated than passwords; yet, none has come close to replacing passwords. In this dissertation, taking advantage of the built-in sensing capability of smartphones, we propose an end-user authentication framework for smartphones - called ePet - which does not require any active participation from the user most of the times; thus the proposed framework is highly usable. Using data collected from subjects, we validate a part of the authentication framework for the Android platform. For web authentication, in this dissertation, we propose a novel password creation interface, which helps a user remember a newly created password with more confidence - by allowing her to perform various memory tasks built upon her new password. Declarative and motor memory help the user remember and efficiently input a password. From a within-subjects study we show that declarative memory is sufficient for passwords; motor memory mostly facilitate the input process and thus the memory tasks have been designed to help cement the declarative memory for a newly created password. This dissertation concludes with an evaluation of the increased usability of the proposed interface through a between-subjects study

Cyber Security- A New Secured Password Generation Algorithm with Graphical Authentication and Alphanumeric Passwords Along With Encryption

Graphical passwords are always considered as an alternative of alphanumeric passwords for their better memorability and usability [1]. Alphanumeric passwords provide an adequate amount of satisfaction, but they do not offer better memorability compared to graphical passwords [1]. On the other hand, graphical passwords are considered less secured and provide better memorability [1]. Therefore many researchers have researched on graphical passwords to overcome the vulnerability. One of the most significant weaknesses of the graphical passwords is Shoulder Surfing Attack, which means, sneaking into a victim\u27s computer to learn the whole password or part of password or some confidential information. Such kind of attacks is called as Shoulder Surfing Attack. Many researchers have presented various ideas to curb the shoulder surfing attack. However, graphical passwords are still vulnerable to this attack. Therefore, in the present thesis, the solution for shoulder surfing attack is analyzed and a new algorithm is developed to provide better algorithm with memorability as well as very strong password using the encryption. For alphanumeric passwords, dictionary attack, and brute force attack are critical potential threats to be taken care off. Dictionary attacks mean, attacking every word from the dictionary to crack the password, whereas, brute force attack means, applying all different kind of combinations to crack the password. Thus, both protection methods have their pros and cons and, therefore in this thesis, the possible solution has been researched to provide more secure technique. Encryption is another essential technique in the field of cybersecurity. The history of encryption dates back to World War 2, where German forces used its encryption technique for the first time, and this encryption has been developed a lot with the consistent contribution of many researchers. Starting from the German encryption technique, the present encryption field has evolved a lot and compared to its primitive form; the current encryption techniques are more secured. In the encryption, various cryptosystems have been developed, and due to consistently developed computational power, attackers have compromised various cryptosystem. One of the essential cryptosystems is the MD family cryptosystem. In the MD family, a few members have been compromised whereas members such as MD5, had inbuilt algorithm flow and therefore they became vulnerable for different reasons. In this thesis, the research has been done with Whirlpool encryption, which is never compromised as of now. However, before using the Whirlpool encryption, the string has been processed with multiple steps, such as, perception, shifting of characters, splitting the string into chunks, and then each piece has been encrypted to populate 128 characters long password for each fragment and thus, the algorithm to generate 1280 characters long passwords is proposed which are immune to linear attacks, dictionary attacks, brute force attacks, and shoulder surfing attack. After the research, the computational time is also calculated for the modern computer (8 core, 2.8 GHz) as well as the present Supercomputers which are 100000 times faster than a modern computer. After all the research, the conclusion and future work are also mentioned for future research

Identifying the Strengths and Weaknesses of Over-the-Shoulder Attack Resistant Prototypical Graphical Authentication Schemes

Authentication verifies users’ identities to protect against costly attacks. Graphical authentication schemes utilize pictures as passcodes rather than strings of characters. Pictures have been found to be more memorable than the strings of characters used in alphanumeric passwords. However, graphical passcodes have been criticized for being susceptible to Over-the-Shoulder Attacks (OSA). To overcome this concern, many graphical schemes have been designed to be resistant to OSA. Security to this type of attack is accomplished by grouping targets among distractors, translating the selection of targets elsewhere, disguising targets, and using gaze-based input. Prototypical examples of graphical schemes that use these strategies to bolster security against OSAs were directly compared in within-subjects runoffs in studies 1 and 2. The first aim of this research was to discover the current usability limitations of graphical schemes. The data suggested that error rates are a common issue among graphical passcodes attempting to resist OSAs. Studies 3 and 4 investigated the memorability of graphical passcodes when users need to remember multiple passcodes or longer passcodes. Longer passcodes provide advantages to security by protecting against brute force attacks, and multiple passcodes need to be investigated as users need to authenticate for numerous accounts. It was found that participants have strong item retention for passcodes of up to eight images and for up to eight accounts. Also these studies leveraged context to facilitate memorability. Context slightly improved the memorability of graphical passcodes when participants needed to remember credentials for eight accounts. These studies take steps toward understanding the readiness of graphical schemes as an authentication option

Security and usability in a hybrid property based graphical authentication system

Alphanumeric text and PINs continue to be the dominant authentication methods in spite of the numerous concerns by security researchers of their inability to properly address usability and security flaws and to effectively combine usability and security. These flaws have, however, contributed to the growing research interest in the development and use of graphical authentication systems as alternatives to text based systems. Graphical passwords or graphical authentication systems are password systems that use images rather than characters or numbersin user authentication. The picture superiority effect, a belief that humans are better able to memorise images than text, has very much influenced the proliferation of and support for graphical authentication systems. In spite of their growing acceptance, however, empirical studies have shown that graphical authentication systems have also inherited some of the flaws of text based passwords. Theseflaws include predictability, vulnerability to observational attacks and the inability of systems to efficiently combine security with usability. Hence there is a continued quest among usable security researchers to find that hypothetical system that has both strong usability and strong security. In this research, a novel concept for hybrid graphical authentication systems is developed. This consists of a class of systems that are called ‘property based authentication systems’ which adopt the use of image properties for user authentication, rather than specific images as used in existing systems. Image properties are specified contents of images which gives the image a set of characteristics. Several implementations of these systems have been developed and evaluated. Significant empirical performance studies have been conducted to evaluate these systems in terms of usability and security. The usability evaluations conducted evaluate thesystems in terms effectiveness, efficiency and user satisfaction, while security evaluations measure their susceptibility to common attacks. The results from these studies suggests that property based systems have better usability and security when compared to commonly known and well researched graphical authentication systems

Risks and potentials of graphical and gesture-based authentication for touchscreen mobile devices

While a few years ago, mobile phones were mainly used for making phone calls and texting short messages, the functionality of mobile devices has massively grown. We are surfing the web, sending emails and we are checking our bank accounts on the go. As a consequence, these internet-enabled devices store a lot of potentially sensitive data and require enhanced protection. We argue that authentication often represents the only countermeasure to protect mobile devices from unwanted access. Knowledge-based concepts (e.g., PIN) are the most used authentication schemes on mobile devices. They serve as the main protection barrier for many users and represent the fallback solution whenever alternative mechanisms fail (e.g., fingerprint recognition). This thesis focuses on the risks and potentials of gesture-based authentication concepts that particularly exploit the touch feature of mobile devices. The contribution of our work is threefold. Firstly, the problem space of mobile authentication is explored. Secondly, the design space is systematically evaluated utilizing interactive prototypes. Finally, we provide generalized insights into the impact of specific design factors and present recommendations for the design and the evaluation of graphical gesture-based authentication mechanisms. The problem space exploration is based on four research projects that reveal important real-world issues of gesture-based authentication on mobile devices. The first part focuses on authentication behavior in the wild and shows that the mobile context makes great demands on the usability of authentication concepts. The second part explores usability features of established concepts and indicates that gesture-based approaches have several benefits in the mobile context. The third part focuses on observability and presents a prediction model for the vulnerability of a given grid-based gesture. Finally, the fourth part investigates the predictability of user-selected gesture-based secrets. The design space exploration is based on a design-oriented research approach and presents several practical solutions to existing real-world problems. The novel authentication mechanisms are implemented into working prototypes and evaluated in the lab and the field. In the first part, we discuss smudge attacks and present alternative authentication concepts that are significantly more secure against such attacks. The second part focuses on observation attacks. We illustrate how relative touch gestures can support eyes-free authentication and how they can be utilized to make traditional PIN-entry secure against observation attacks. The third part addresses the problem of predictable gesture choice and presents two concepts which nudge users to select a more diverse set of gestures. Finally, the results of the basic research and the design-oriented applied research are combined to discuss the interconnection of design space and problem space. We contribute by outlining crucial requirements for mobile authentication mechanisms and present empirically proven objectives for future designs. In addition, we illustrate a systematic goal-oriented development process and provide recommendations for the evaluation of authentication on mobile devices.Während Mobiltelefone vor einigen Jahren noch fast ausschließlich zum Telefonieren und zum SMS schreiben genutzt wurden, sind die Anwendungsmöglichkeiten von Mobilgeräten in den letzten Jahren erheblich gewachsen. Wir surfen unterwegs im Netz, senden E-Mails und überprüfen Bankkonten. In der Folge speichern moderne internetfähigen Mobilgeräte eine Vielfalt potenziell sensibler Daten und erfordern einen erhöhten Schutz. In diesem Zusammenhang stellen Authentifizierungsmethoden häufig die einzige Möglichkeit dar, um Mobilgeräte vor ungewolltem Zugriff zu schützen. Wissensbasierte Konzepte (bspw. PIN) sind die meistgenutzten Authentifizierungssysteme auf Mobilgeräten. Sie stellen für viele Nutzer den einzigen Schutzmechanismus dar und dienen als Ersatzlösung, wenn alternative Systeme (bspw. Fingerabdruckerkennung) versagen. Diese Dissertation befasst sich mit den Risiken und Potenzialen gestenbasierter Konzepte, welche insbesondere die Touch-Funktion moderner Mobilgeräte ausschöpfen. Der wissenschaftliche Beitrag dieser Arbeit ist vielschichtig. Zum einen wird der Problemraum mobiler Authentifizierung erforscht. Zum anderen wird der Gestaltungsraum anhand interaktiver Prototypen systematisch evaluiert. Schließlich stellen wir generelle Einsichten bezüglich des Einflusses bestimmter Gestaltungsaspekte dar und geben Empfehlungen für die Gestaltung und Bewertung grafischer gestenbasierter Authentifizierungsmechanismen. Die Untersuchung des Problemraums basiert auf vier Forschungsprojekten, welche praktische Probleme gestenbasierter Authentifizierung offenbaren. Der erste Teil befasst sich mit dem Authentifizierungsverhalten im Alltag und zeigt, dass der mobile Kontext hohe Ansprüche an die Benutzerfreundlichkeit eines Authentifizierungssystems stellt. Der zweite Teil beschäftigt sich mit der Benutzerfreundlichkeit etablierter Methoden und deutet darauf hin, dass gestenbasierte Konzepte vor allem im mobilen Bereich besondere Vorzüge bieten. Im dritten Teil untersuchen wir die Beobachtbarkeit gestenbasierter Eingabe und präsentieren ein Vorhersagemodell, welches die Angreifbarkeit einer gegebenen rasterbasierten Geste abschätzt. Schließlich beschäftigen wir uns mit der Erratbarkeit nutzerselektierter Gesten. Die Untersuchung des Gestaltungsraums basiert auf einem gestaltungsorientierten Forschungsansatz, welcher zu mehreren praxisgerechte Lösungen führt. Die neuartigen Authentifizierungskonzepte werden als interaktive Prototypen umgesetzt und in Labor- und Feldversuchen evaluiert. Im ersten Teil diskutieren wir Fettfingerattacken ("smudge attacks") und präsentieren alternative Authentifizierungskonzepte, welche effektiv vor diesen Angriffen schützen. Der zweite Teil beschäftigt sich mit Angriffen durch Beobachtung und verdeutlicht wie relative Gesten dazu genutzt werden können, um blickfreie Authentifizierung zu gewährleisten oder um PIN-Eingaben vor Beobachtung zu schützen. Der dritte Teil beschäftigt sich mit dem Problem der vorhersehbaren Gestenwahl und präsentiert zwei Konzepte, welche Nutzer dazu bringen verschiedenartige Gesten zu wählen. Die Ergebnisse der Grundlagenforschung und der gestaltungsorientierten angewandten Forschung werden schließlich verknüpft, um die Verzahnung von Gestaltungsraum und Problemraum zu diskutieren. Wir präsentieren wichtige Anforderungen für mobile Authentifizierungsmechanismen und erläutern empirisch nachgewiesene Zielvorgaben für zukünftige Konzepte. Zusätzlich zeigen wir einen zielgerichteten Entwicklungsprozess auf, welcher bei der Entwicklung neuartiger Konzepte helfen wird und geben Empfehlungen für die Evaluation mobiler Authentifizierungsmethoden

The Impact of Image Synonyms in Graphical-Based Authentication Systems

Traditional text-based passwords used for authentication in information systems have several known issues in the areas of usability and security. Research has shown that when users generate passwords for systems, they tend to create passwords that are subject to compromise more so than those created randomly by the computer. Research has also shown that users have difficulty remembering highly secure, randomly created, text-based passwords. Graphical-based passwords have been shown to be highly memorable for users when applied to system authentication. However, graphical-based authentication systems require additional cognitive load to recognize and enter a password compared to traditional text-based authentication that is more muscle-memory. This increase in cognitive load causes an increased security risk of shoulder-surfing created from the longer amount of time needed to input a password. Graphical-based authentication systems use the same images for each possible input value. This makes these authentication systems vulnerable to attackers. The attackers use their ability to remember visual information to compromise a graphical-based password. This study conducted research into a graphical-based authentication scheme that implemented pictorial synonyms. The goal is to decrease security risk of graphical-based authentication systems while maintaining (or even increasing) the usability of these systems. To accomplish this goal, a study to evaluate the impact on the cognitive load required using an image synonym authentication system compared to traditional graphical-based authentication schemes. The research found that there was not a significant difference in the areas of user cognitive load, shoulder-surfing threat, and user effectiveness. The research evaluated users\u27 accuracy, cognitive load, and time to authenticate and found to have significant impact of pictorial synonyms on graphical-based authentication systems. The research shows that the accuracy of pictorial synonyms was greater than word password. This appears to due to people\u27s ability to recall pictorial information over text information. Future research should look at the impact of pictorial synonyms on shoulder-surfing attackers and different ages

Usable, secure and deployable graphical passwords

PhD ThesisEvaluations of the usability and security of alphanumeric passwords and Personal Identification Numbers (PINs) have shown that users cannot remember credentials considered to be secure. However, the continued reliance upon these methods of user authentication has placed end-users and system designers in a coevolutionary struggle, with each defending competing concerns of usability and security. Graphical passwords have been proposed as an alternative, and their use is supported by cognitive theories such as the picture superiority effect which suggest that pictures, rather than words or numbers, could provide a stronger foundation upon which to design usable and secure knowledge-based authentication. Indeed, early usability studies of novel systems harnessing this effect appear to show promise, however, the uptake of graphical passwords in real-world systems is low. This inertia is likely related to uncertainty regarding the challenges that novel systems might bring to the already delicate interplay between usability and security; particularly the new challenges faced in scaffolding user behaviours that comply with context-specific security policies, uncertainty regarding the nature of new socio-technical attacks, and the impact of images themselves upon usability and security. In this thesis we present a number of case studies incorporating new designs, empirical methods and results, that begin to explore these aspects of representative graphical password systems. Specifically, we explore: (i) how we can implicitly support security-focused behaviours such as choosing high entropy graphical passwords and defending against observation attack; (ii) how to capture the likely extent of insecure behaviour in the social domain such as graphical password sharing and observation attack; and (iii) how through the selection of appropriate properties of the images themselves we can provide security and usability benefits. In doing so, we gen- erate new insights into the potential of graphical passwords to provide usable, secure and deployable user authentication.Microsoft Research