25 research outputs found

    Frictionless Authentication Systems: Emerging Trends, Research Challenges and Opportunities

    Authentication and authorization are critical security layers that protect a wide range of online systems, services and content. However, the increased prevalence of wearable and mobile devices, the expectation of a frictionless experience and the diversity of user environments will challenge the way users are authenticated. Consumers demand secure and privacy-aware access from any device, whenever and wherever they are, without any obstacles. This paper reviews emerging trends and challenges in frictionless authentication systems and identifies opportunities for further research related to the enrollment of users, the usability of authentication schemes, and the security and privacy trade-offs of mobile and wearable continuous authentication systems.
    Comment: published at the 11th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2017

    Traditional SETA No More: Investigating the Intersection Between Cybersecurity and Cognitive Neuroscience

    We investigated the role that automated behavior plays in contributing to security breaches. Using different forms of phishing, combined with multiple neurophysiological tools, we were able to more fully understand the approaches participants took when they engaged with a phishing campaign. The four participants of this pilot study ranged in their individual characteristics of gender and IT experience, while age was controlled for. It seems the biggest factor for awareness and for successfully resisting a phishing campaign may be the proximity of security training to engagement with that campaign. Neurophysiological tools helped illustrate the thought processes behind participants' statements and actions; combined with consideration of individual characteristics, these tools help shed more light on human behavior. In the future, we plan to further enhance our testing environment by incorporating an emergent model that considers work task complexity, and to incorporate more industry participants with a range of IT experience.

    Authentication and transaction verification using QR codes with a mobile device

    User authentication and the verification of online transactions performed on an untrusted computer or device together pose an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e., solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model that captures the possible attacks on the system. In addition, this paper analyzes the security of the proposed scheme, and discusses the practical issues and the mechanisms by which the scheme is able to circumvent a variety of security threats, including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications, ranging from standard user authentication implementations to protecting online banking transactions.

    Passwords and the evolution of imperfect authentication

    Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.
    This is the author-accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939

    Challenges with Passwordless FIDO2 in an Enterprise Setting: A Usability Study

    Fast Identity Online 2 (FIDO2), a modern authentication protocol, is gaining popularity as a default strong authentication mechanism. It has been recognized as a leading candidate to overcome limitations (e.g., the lack of phishing resistance) of existing authentication solutions. However, the task of deprecating weak methods such as password-based authentication is not trivial and requires a comprehensive approach. While the security, privacy, and end-user usability of FIDO2 have been addressed in both academic and industry literature, the difficulties associated with its integration into production environments, such as solution completeness or edge-case support, have received little attention. In particular, complex environments such as enterprise identity management pose unique challenges for any authentication system. In this paper, we identify challenging enterprise identity lifecycle use cases (e.g., remote workforce and legacy systems) by conducting a usability study in which over 100 cybersecurity professionals shared their perception of the challenges to FIDO2 integration from their hands-on field experience. Our analysis of the user study results revealed serious gaps such as account recovery (selected by over 60% of our respondents), and identifies priority development areas for the FIDO2 community.
    Comment: to be published in the IEEE Secure Development Conference 202

    DSCOT: An NFT-Based Blockchain Architecture for the Authentication of IoT-Enabled Smart Devices in Smart Cities

    Smart city architecture brings all the underlying architectures, i.e., the Internet of Things (IoT), Cyber-Physical Systems (CPSs), the Internet of Cyber-Physical Things (IoCPT), and the Internet of Everything (IoE), together to work as one system under its umbrella. The goal of smart city architecture is to come up with a solution that can integrate all the real-time response applications. However, the cyber-physical space poses threats that can jeopardize the working of a smart city, where all the data belonging to people, systems, and processes will be at risk. Various architectures based on centralized and distributed mechanisms support smart cities; however, the security concerns regarding traceability, scalability, security services, platform assistance, and resource management persist. In this paper, a private blockchain-based architecture, Decentralized Smart City of Things (DSCoT), is proposed. It actively utilizes fog computing for all the users and smart devices connected to a fog node in a particular management system in a smart city, e.g., a smart house or hospital. Non-fungible tokens (NFTs) are used as the representation that defines smart device attributes. NFTs in the proposed DSCoT architecture provide device and user authentication functionality for IoT. DSCoT has been designed to provide a smart city solution that ensures robust security features such as Confidentiality, Integrity, Availability (CIA), and authorization, by defining new attributes and functions for Owner, User, Fog, and IoT device authentication. The evaluation of the proposed functions and components in terms of Gas consumption and time complexity has shown promising results. Comparatively, in terms of Gas consumption, minting a DSCoT NFT was approximately 27% more efficient, and a DSCoT approve() call approximately 11% more efficient, than the PUF-based NFT solution.
    Comment: 18 pages, 15 figures, 5 tables, journa