Frictionless Authentication Systems: Emerging Trends, Research Challenges and Opportunities
Authentication and authorization are critical security layers to protect a
wide range of online systems, services and content. However, the increased
prevalence of wearable and mobile devices, the expectations of a frictionless
experience and the diverse user environments will challenge the way users are
authenticated. Consumers demand secure and privacy-aware access from any
device, whenever and wherever they are, without any obstacles. This paper
reviews emerging trends and challenges with frictionless authentication systems
and identifies opportunities for further research related to the enrollment of
users, the usability of authentication schemes, as well as security and privacy
trade-offs of mobile and wearable continuous authentication systems.
Comment: published at the 11th International Conference on Emerging Security
Information, Systems and Technologies (SECURWARE 2017
Traditional SETA No More: Investigating the Intersection Between Cybersecurity and Cognitive Neuroscience
We investigated the role automated behavior plays in contributing to security breaches. Using different forms of phishing, combined with multiple neurophysiological tools, we were able to more fully understand the approaches participants took when they engaged with a phishing campaign. The four participants of this pilot study ranged in their individual characteristics of gender and IT experience while controlling for age. It seems the biggest factor for awareness and successfully resisting a phishing campaign may be proximity of security training to engagement with that campaign. Neurophysiological tools helped illustrate the thought processes behind participants' statements and actions; combined with consideration of individual characteristics, these tools help shed more light on human behavior. In the future, we plan to further enhance our testing environment by incorporating an emergent model that considers work task complexity and incorporate more industry participants with a range of IT experience
Authentication and transaction verification using QR codes with a mobile device
User authentication and the verification of online transactions that are performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e., solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model to capture the possible attacks on the system. In addition, this paper analyzes the security of the proposed scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications ranging from standard user authentication implementations to protecting online banking transactions
Passwords and the evolution of imperfect authentication
Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.
This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939
Challenges with Passwordless FIDO2 in an Enterprise Setting: A Usability Study
Fast Identity Online 2 (FIDO2), a modern authentication protocol, is gaining
popularity as a default strong authentication mechanism. It has been recognized
as a leading candidate to overcome limitations (e.g., phishing resistance) of
existing authentication solutions. However, the task of deprecating weak
methods such as password-based authentication is not trivial and requires a
comprehensive approach. While security, privacy, and end-user usability of
FIDO2 have been addressed in both academic and industry literature, the
difficulties associated with its integration with production environments, such
as solution completeness or edge-case support, have received little attention.
In particular, complex environments such as enterprise identity management pose
unique challenges for any authentication system. In this paper, we identify
challenging enterprise identity lifecycle use cases (e.g., remote workforce and
legacy systems) by conducting a usability study, in which over 100
cybersecurity professionals shared their perception of challenges to FIDO2
integration from their hands-on field experience. Our analysis of the user
study results revealed serious gaps such as account recovery (selected by over
60% of our respondents), and identifies priority development areas for the FIDO2
community.
Comment: to be published in the IEEE Secure Development Conference 202
DSCOT: An NFT-Based Blockchain Architecture for the Authentication of IoT-Enabled Smart Devices in Smart Cities
Smart city architecture brings all the underlying architectures, i.e.,
Internet of Things (IoT), Cyber-Physical Systems (CPSs), Internet of
Cyber-Physical Things (IoCPT), and Internet of Everything (IoE), together to
work as a system under its umbrella. The goal of smart city architecture is to
come up with a solution that may integrate all the real-time response
applications. However, the cyber-physical space poses threats that can
jeopardize the working of a smart city where all the data belonging to people,
systems, and processes will be at risk. Various architectures based on
centralized and distributed mechanisms support smart cities; however, the
security concerns regarding traceability, scalability, security services,
platform assistance, and resource management persist. In this paper, a private
blockchain-based architecture, Decentralized Smart City of Things (DSCoT), is
proposed. It actively utilizes fog computing for all the users and smart
devices connected to a fog node in a particular management system in a smart
city, e.g., a smart house or hospital. Non-fungible tokens (NFTs) are used to
represent and define smart device attributes. NFTs in the proposed DSCoT
architecture provide the IoT device and user authentication functionality.
DSCoT has been designed to provide a smart city solution that ensures robust
security features such as Confidentiality, Integrity, Availability (CIA), and
authorization by defining new attributes and functions for Owner, User, Fog,
and IoT device authentication. The evaluation of the proposed functions and
components in terms of Gas consumption and time complexity has shown promising
results. Comparatively, in Gas consumption, minting a DSCoT NFT was
approximately 27% more efficient, and a DSCoT approve() call approximately 11%
more efficient, than the PUF-based NFT solution.
Comment: 18 pages, 15 figures, 5 tables, journa