Gathering realistic authentication performance data through field trials

Most evaluations of novel authentication mechanisms have been conducted under laboratory conditions. We argue that the results of short-term usage under laboratory conditions do not predict user performance “in the wild”, because there is insufficient time between enrolment and testing, the number of authentications is low, and authentication is presented as a primary task, rather then the secondary task as it is “in the wild”. User generated reports of performance on the other hand provide subjective data, so reports on frequency of use, time intervals, and success or failure of authentication are subject to the vagaries of users ’ memories. Studies on authentication that provide objective performance data under real-world conditions are rare. In this paper, we present our experiences with a study method that tries to control frequency and timing of authentication, and collects reliable performance data, while maintaining ecological validity of the authentication context at the same time. We describe the development of an authentication server called APET, which allows us to prompt users enrolled in trial cohorts to authenticate at controlled intervals, and report our initial experiences with trials. We conclude by discussing remaining challenges in obtaining reliable performance data through a field trial method such as this one

Knowledge-driven Biometric Authentication in Virtual Reality

With the increasing adoption of virtual reality (VR) in public spaces, protecting users from observation attacks is becoming essential to prevent attackers from accessing context-sensitive data or performing malicious payment transactions in VR. In this work, we propose RubikBiom, a knowledge-driven behavioural biometric authentication scheme for authentication in VR. We show that hand movement patterns performed during interactions with a knowledge-based authentication scheme (e.g., when entering a PIN) can be leveraged to establish an additional security layer. Based on a dataset gathered in a lab study with 23 participants, we show that knowledge-driven behavioural biometric authentication increases security in an unobtrusive way. We achieve an accuracy of up to 98.91% by applying a Fully Convolutional Network (FCN) on 32 authentications per subject. Our results pave the way for further investigations towards knowledge-driven behavioural biometric authentication in VR

Keeping Secrets from Friends: Design Guidelines for Multiplexed Graphical Passwords

Background Entering passwords on mobile devices often takes place in public, situations in which input actions are exposed to the people around you and passwords can be compromised simply by sneaky glances over shoulders. However, the people who surround a user are typically not malicious attackers seeking to steal data, but rather friends and colleagues. This article characterizes such individuals as casual observers and describes the threats they pose to security and password integrity. Methods Based on an analysis of the literature and design space, we introduce a systematic framework for multiplexed authentication, a term we introduce to describe a class of systems that maintain security against the threats posed by casual observers through obsfuscated input. Building on this knowledge, we present a set of design dimensions and guidelines for multiplexed graphical passwords. Finally, we present ShaPIN, a multiplexed input prototype designed in light of these guidelines and that aims to protect users against casual observation. Results Evaluations of ShaPIN with a user study reveal it can be used rapidly, accurately and that it provides protection against in-person observation. ShaPIN also offers substantial performance imporvements over prior systems in its class, evidence that helps support and validate our design framework. Conclusion We believe that the framework of multiplexed authentication can inform and shape future work to ensure that passwords stay safe and secret in front of friends. By presenting design guidelines for multiplexed graphical passwords we also hope to raise awareness of the important issue of password security in the design community and to show how design research can innovate in this area to create more usable and effective password systems.clos

Strong Authentication for Web services with Mobile Universal Identity

To access services on the Web, users need quite often to have accounts, i.e. user names and passwords. This becomes a problem when the number of accounts keeps increasing at the same time password is a very weak form of authentication exposing the users to fraud and abuses. To address both mentioned issues we propose a Mobile Universal identity, which by combining Internet identifiers with mobile identifiers is capable of delivering strong authentication for Internet services. By introducing an identity provider, the solution enables the user to employ the Mobile Universal identity for multiple service providers. By federation with other identities, Mobile Universal identity can be used with service providers worldwide.© Springer International Publishing Switzerland 2015. This is the authors' accepted and refereed manuscript to the article. Locked until 2016-08-08