4,084 research outputs found
Conceivable security risks and authentication techniques for smart devices
With the rapidly escalating use of smart devices and fraudulent transaction of users’ data from their devices, efficient and reliable techniques for authentication of the smart devices have become an obligatory issue. This paper reviews the security risks for mobile devices and studies several authentication techniques available for smart devices. The results from field studies enable a comparative evaluation of user-preferred authentication mechanisms and their opinions about reliability, biometric authentication and visual authentication techniques
InShopnito: an advanced yet privacy-friendly mobile shopping application
Mobile Shopping Applications (MSAs) are rapidly gaining popularity. They enhance the shopping experience, by offering customized recommendations or incorporating customer loyalty programs. Although MSAs are quite effective at attracting new customers and binding existing ones to a retailer's services, existing MSAs have several shortcomings. The data collection practices involved in MSAs and the lack of transparency thereof are important concerns for many customers. This paper presents inShopnito, a privacy-preserving mobile shopping application. All transactions made in inShopnito are unlinkable and anonymous. However, the system still offers the expected features from a modern MSA. Customers can take part in loyalty programs and earn or spend loyalty points and electronic vouchers. Furthermore, the MSA can suggest personalized recommendations even though the retailer cannot construct rich customer profiles. These profiles are managed on the smartphone and can be partially disclosed in order to get better, customized recommendations. Finally, we present an implementation called inShopnito, of which the security and performance is analyzed. In doing so, we show that it is possible to have a privacy-preserving MSA without having to sacrifice practicality
ConXsense - Automated Context Classification for Context-Aware Access Control
We present ConXsense, the first framework for context-aware access control on
mobile devices based on context classification. Previous context-aware access
control systems often require users to laboriously specify detailed policies or
they rely on pre-defined policies not adequately reflecting the true
preferences of users. We present the design and implementation of a
context-aware framework that uses a probabilistic approach to overcome these
deficiencies. The framework utilizes context sensing and machine learning to
automatically classify contexts according to their security and privacy-related
properties. We apply the framework to two important smartphone-related use
cases: protection against device misuse using a dynamic device lock and
protection against sensory malware. We ground our analysis on a sociological
survey examining the perceptions and concerns of users related to contextual
smartphone security and analyze the effectiveness of our approach with
real-world context data. We also demonstrate the integration of our framework
with the FlaskDroid architecture for fine-grained access control enforcement on
the Android platform.Comment: Recipient of the Best Paper Awar
Forgery-Resistant Touch-based Authentication on Mobile Devices
Mobile devices store a diverse set of private user data and have gradually
become a hub to control users' other personal Internet-of-Things devices.
Access control on mobile devices is therefore highly important. The widely
accepted solution is to protect access by asking for a password. However,
password authentication is tedious, e.g., a user needs to input a password
every time she wants to use the device. Moreover, existing biometrics such as
face, fingerprint, and touch behaviors are vulnerable to forgery attacks.
We propose a new touch-based biometric authentication system that is passive
and secure against forgery attacks. In our touch-based authentication, a user's
touch behaviors are a function of some random "secret". The user can
subconsciously know the secret while touching the device's screen. However, an
attacker cannot know the secret at the time of attack, which makes it
challenging to perform forgery attacks even if the attacker has already
obtained the user's touch behaviors. We evaluate our touch-based authentication
system by collecting data from 25 subjects. Results are promising: the random
secrets do not influence user experience and, for targeted forgery attacks, our
system achieves 0.18 smaller Equal Error Rates (EERs) than previous touch-based
authentication.Comment: Accepted for publication by ASIACCS'1
GTmoPass: Two-factor Authentication on Public Displays Using Gaze-touch Passwords and Personal Mobile Devices
As public displays continue to deliver increasingly private and personalized content, there is a need to ensure that only the legitimate users can access private information in sensitive contexts. While public displays can adopt similar authentication concepts like those used on public terminals (e.g., ATMs), authentication in public is subject to a number of risks. Namely, adversaries can uncover a user's password through (1) shoulder surfing, (2) thermal attacks, or (3) smudge attacks. To address this problem we propose GTmoPass, an authentication architecture that enables Multi-factor user authentication on public displays. The first factor is a knowledge-factor: we employ a shoulder-surfing resilient multimodal scheme that combines gaze and touch input for password entry. The second factor is a possession-factor: users utilize their personal mobile devices, on which they enter the password. Credentials are securely transmitted to a server via Bluetooth beacons. We describe the implementation of GTmoPass and report on an evaluation of its usability and security, which shows that although authentication using GTmoPass is slightly slower than traditional methods, it protects against the three aforementioned threats
Seamless and Secure VR: Adapting and Evaluating Established Authentication Systems for Virtual Reality
Virtual reality (VR) headsets are enabling a wide range of new
opportunities for the user. For example, in the near future users
may be able to visit virtual shopping malls and virtually join
international conferences. These and many other scenarios pose
new questions with regards to privacy and security, in particular
authentication of users within the virtual environment. As a first
step towards seamless VR authentication, this paper investigates
the direct transfer of well-established concepts (PIN, Android
unlock patterns) into VR. In a pilot study (N = 5) and a lab
study (N = 25), we adapted existing mechanisms and evaluated
their usability and security for VR. The results indicate that
both PINs and patterns are well suited for authentication in
VR. We found that the usability of both methods matched the
performance known from the physical world. In addition, the
private visual channel makes authentication harder to observe,
indicating that authentication in VR using traditional concepts
already achieves a good balance in the trade-off between usability
and security. The paper contributes to a better understanding of
authentication within VR environments, by providing the first
investigation of established authentication methods within VR,
and presents the base layer for the design of future authentication
schemes, which are used in VR environments only
- …