Conceivable security risks and authentication techniques for smart devices

With the rapidly escalating use of smart devices and fraudulent transaction of users’ data from their devices, efficient and reliable techniques for authentication of the smart devices have become an obligatory issue. This paper reviews the security risks for mobile devices and studies several authentication techniques available for smart devices. The results from field studies enable a comparative evaluation of user-preferred authentication mechanisms and their opinions about reliability, biometric authentication and visual authentication techniques

Review Paper on Various Methods of Implicit Authentication

The quest (search) for a reliable and convenient security system to authenticate a computer user has existed since the inadequacy of conventional password mechanism was realized, first by the security community, and then gradually by the public. Verifying the identity of a user before granting access to objects or services is an vital step in nearly all applications or environments. Some applications (e.g. pervasive environment) may impose additional requirements for user authentication mechanism, such as to be continuous and unobtrusive. New system is hoped being transparent and with very minimum user involvement denoted as implicit authentication system. This paper tackles the issue of ambient systems adaptation to users' needs while the environment and users' preferences evolve continuously. DOI: 10.17762/ijritcc2321-8169.150512

Data Behind Mobile Behavioural Biometrics – a Survey

Behavioural biometrics are becoming more and more popular. It is hard to find a sensor that is embedded in a mobile/wearable device, which can’t be exploited to extract behavioural biometric data. In this paper, we investigate data in behavioural biometrics and how this data is used in experiments, especially examining papers that introduce new datasets. We will not examine performance accomplished by the algorithms used since a system’s performance is enormously affected by the data used, its amount and quality. Altogether, 32 papers are examined, assessing how often they are cited, have databases published, what modality data are collected, and how the data is used. We offer a roadmap that should be taken into account when designing behavioural data collection and using collected data. We further look at the General Data Protection Regulation, and its significance to the scientific research in the field of biometrics. It is possible to conclude that there is a need for publicly available datasets with comprehensive experimental protocols, similarly established in facial recognition

Continuous and transparent multimodal authentication: reviewing the state of the art

Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorized user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. They are also still mostly functioning at the point of entry and those performing sort of re-authentication executing it in an intrusive manner. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This paper reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art and identifying the open problems to be tackled and available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between high security and user satisfaction. This is followed by a literature review of the existing research on continuous and transparent multimodal authentication. It concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilized in a universal level. Ultimately, a potential federated biometric authentication solution is presented; however it needs to be developed and extensively evaluated, thus operating in a transparent, continuous and user-friendly manner

Insider Misuse Identification using Transparent Biometrics

Insider misuse is a key threat to organizations. Recent research has focused upon the information itself – either through its protection or approaches to detect the leakage. This paper seeks a different approach through the application of transparent biometrics to provide a robust approach to the identification of the individuals who are misusing systems and information. Transparent biometrics are a suite of modalities, typically behavioral-based that can capture biometric signals covertly or non-intrusively – so the user is unaware of their capture. Transparent biometrics are utilized in two phases a) to imprint digital objects with biometric-signatures of the user who last interacted with the object and b) uniquely applied to network traffic in order to identify users traffic (independent of the Internet Protocol address) so that users rather than machine (IP) traffic can be more usefully analyzed by analysts. Results from two experimental studies are presented and illustrate how reliably transparent biometrics are in providing this link-ability of information to identity.

Transparent User Authentication For Mobile Applications

The use of smartphones in our daily lives has grown steadily, due to the combination of mobility and round-the-clock multi-connectivity. In particular, smartphones are used to perform activities, such as sending emails, transferring money via mobile Internet banking, making calls, texting, surfing the Internet, viewing documents, storing medical, confidential and personal information, shopping online and playing games. Some active applications are considered sensitive and confidential and the risks are high in the event of the loss of any sensitive data or privacy breaches. In addition, after the point of entry, using techniques such as a PIN or password, the user of the device can perform almost all tasks, of different risk levels, without having to re-authenticate periodically to re-validate the user’s identity. Furthermore, the current point-of-entry authentication mechanisms consider all the applications on a mobile device to have the same level of importance and so do not apply any further access control rules. As a result, with the rapid growth of smartphones for use in daily life, securing the sensitive data stored upon them makes authentication of paramount importance. In this research, it is argued that within a single mobile application there are different processes operating on the same data but with differing risks attached. The unauthorised disclosure or modification of mobile data has the potential to lead to a number of undesirable consequences for the user. Thus, there is no single level of risk associated with a given application and the risk level changes during use. In this context, a novel mobile applications data risk assessment model is proposed to appreciate the risk involved within an application (intra-process security). Accordingly, there is a need to suggest a method to be applied continuously and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond point of entry, without the explicit involvement of the user. To this end, a transparent and continuous authentication mechanism provides a basis for convenient and secure re-authentication of the user. The mechanism is used to gather user data in the background without requiring any dedicated activity, by regularly and periodically checking user behaviour to provide continuous monitoring for the protection of the smartphone. In order to investigate the feasibility of the proposed system, a study involving data collected from 76 participants over a one-month period using 12 mobile applications was undertaken. A series of four experiments were conducted based upon data from one month of normal device usage. The first experiment sought to explore the intra-process (i.e., within-app) and inter-process (i.e., access-only app) access levels across different time windows. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Having achieved promising experimental results, it was identified that there were some users who undertook an insufficient number of activities on the device and, therefore, achieved a high level of intrusive authentication requests. As a result, there was a need to investigate whether a specific combination of time windows would perform better with a specific type of user. To do this, the numbers of intrusive authentication requests were computed based on three usage levels (high, medium and low) at both the intra- and inter-process access levels. This approach achieved better results when compared with the first set of results: the average percentage of intrusive authentication requests was 3%, which indicates a clear enhancement. The second and third experiments investigated only the intra-process and inter-process, respectively, to examine the effect of the access level. Finally, the fourth experiment investigated the impact of specific biometric modalities on overall system performance. In this research study, a Non-Intrusive Continuous Authentication (NICA) framework was applied by utilising two security mechanisms: Alert Level (AL) and Integrity Level (IL). During specific time windows, the AL process is used to seek valid samples. If there are no samples, the identity confidence is periodically reduced by a degradation function, which is 10% of current confidence in order to save power while the mobile device is inactive. In the case of the mobile user requesting to perform a task, the IL is applied to check the legitimacy of that user. If the identity confidence level is equal to or greater than the specified risk action level, transparent access is allowed. Otherwise, an intrusive authentication request is required in order to proceed with the service. In summary, the experimental results show that this approach achieved sufficiently high results to fulfil the security obligations. The shortest time window of AL= 2 min / IL = 5 min produced an average intrusive authentication request rate of 18%, whereas the largest time window (AL= 20 min / IL = 20 min) provided 6%. Interestingly, when the participants were divided into three levels of usage, the average intrusive authentication request rate was 12% and 3% for the shortest time window (AL = 2 min / IL = 5 min) and the largest time window (AL= 20 min / IL = 20), respectively. Therefore, this approach has been demonstrated to provide transparent and continuous protection to ensure the validity of the current user by understanding the risk involved within a given application.Royal Embassy of Saudi Arabia Cultural Bureau in U

Transparent User Authentication For Mobile Applications

The use of smartphones in our daily lives has grown steadily, due to the combination of mobility and round-the-clock multi-connectivity. In particular, smartphones are used to perform activities, such as sending emails, transferring money via mobile Internet banking, making calls, texting, surfing the Internet, viewing documents, storing medical, confidential and personal information, shopping online and playing games. Some active applications are considered sensitive and confidential and the risks are high in the event of the loss of any sensitive data or privacy breaches. In addition, after the point of entry, using techniques such as a PIN or password, the user of the device can perform almost all tasks, of different risk levels, without having to re-authenticate periodically to re-validate the user’s identity. Furthermore, the current point-of-entry authentication mechanisms consider all the applications on a mobile device to have the same level of importance and so do not apply any further access control rules. As a result, with the rapid growth of smartphones for use in daily life, securing the sensitive data stored upon them makes authentication of paramount importance. In this research, it is argued that within a single mobile application there are different processes operating on the same data but with differing risks attached. The unauthorised disclosure or modification of mobile data has the potential to lead to a number of undesirable consequences for the user. Thus, there is no single level of risk associated with a given application and the risk level changes during use. In this context, a novel mobile applications data risk assessment model is proposed to appreciate the risk involved within an application (intra-process security). Accordingly, there is a need to suggest a method to be applied continuously and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond point of entry, without the explicit involvement of the user. To this end, a transparent and continuous authentication mechanism provides a basis for convenient and secure re-authentication of the user. The mechanism is used to gather user data in the background without requiring any dedicated activity, by regularly and periodically checking user behaviour to provide continuous monitoring for the protection of the smartphone. In order to investigate the feasibility of the proposed system, a study involving data collected from 76 participants over a one-month period using 12 mobile applications was undertaken. A series of four experiments were conducted based upon data from one month of normal device usage. The first experiment sought to explore the intra-process (i.e., within-app) and inter-process (i.e., access-only app) access levels across different time windows. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Having achieved promising experimental results, it was identified that there were some users who undertook an insufficient number of activities on the device and, therefore, achieved a high level of intrusive authentication requests. As a result, there was a need to investigate whether a specific combination of time windows would perform better with a specific type of user. To do this, the numbers of intrusive authentication requests were computed based on three usage levels (high, medium and low) at both the intra- and inter-process access levels. This approach achieved better results when compared with the first set of results: the average percentage of intrusive authentication requests was 3%, which indicates a clear enhancement. The second and third experiments investigated only the intra-process and inter-process, respectively, to examine the effect of the access level. Finally, the fourth experiment investigated the impact of specific biometric modalities on overall system performance. In this research study, a Non-Intrusive Continuous Authentication (NICA) framework was applied by utilising two security mechanisms: Alert Level (AL) and Integrity Level (IL). During specific time windows, the AL process is used to seek valid samples. If there are no samples, the identity confidence is periodically reduced by a degradation function, which is 10% of current confidence in order to save power while the mobile device is inactive. In the case of the mobile user requesting to perform a task, the IL is applied to check the legitimacy of that user. If the identity confidence level is equal to or greater than the specified risk action level, transparent access is allowed. Otherwise, an intrusive authentication request is required in order to proceed with the service. In summary, the experimental results show that this approach achieved sufficiently high results to fulfil the security obligations. The shortest time window of AL= 2 min / IL = 5 min produced an average intrusive authentication request rate of 18%, whereas the largest time window (AL= 20 min / IL = 20 min) provided 6%. Interestingly, when the participants were divided into three levels of usage, the average intrusive authentication request rate was 12% and 3% for the shortest time window (AL = 2 min / IL = 5 min) and the largest time window (AL= 20 min / IL = 20), respectively. Therefore, this approach has been demonstrated to provide transparent and continuous protection to ensure the validity of the current user by understanding the risk involved within a given application.Royal Embassy of Saudi Arabia Cultural Bureau in U

Towards Usable End-user Authentication

Authentication is the process of validating the identity of an entity, e.g., a person, a machine, etc.; the entity usually provides a proof of identity in order to be authenticated. When the entity - to be authenticated - is a human, the authentication process is called end-user authentication. Making an end-user authentication usable entails making it easy for a human to obtain, manage, and input the proof of identity in a secure manner. In machine-to-machine authentication, both ends have comparable memory and computational power to securely carry out the authentication process using cryptographic primitives and protocols. On the contrary, as a human has limited memory and computational power, in end-user authentication, cryptography is of little use. Although password based end-user authentication has many well-known security and usability problems, it is the de facto standard. Almost half a century of research effort has produced a multitude of end-user authentication methods more sophisticated than passwords; yet, none has come close to replacing passwords. In this dissertation, taking advantage of the built-in sensing capability of smartphones, we propose an end-user authentication framework for smartphones - called ePet - which does not require any active participation from the user most of the times; thus the proposed framework is highly usable. Using data collected from subjects, we validate a part of the authentication framework for the Android platform. For web authentication, in this dissertation, we propose a novel password creation interface, which helps a user remember a newly created password with more confidence - by allowing her to perform various memory tasks built upon her new password. Declarative and motor memory help the user remember and efficiently input a password. From a within-subjects study we show that declarative memory is sufficient for passwords; motor memory mostly facilitate the input process and thus the memory tasks have been designed to help cement the declarative memory for a newly created password. This dissertation concludes with an evaluation of the increased usability of the proposed interface through a between-subjects study

Inferences from Interactions with Smart Devices: Security Leaks and Defenses

We unlock our smart devices such as smartphone several times every day using a pin, password, or graphical pattern if the device is secured by one. The scope and usage of smart devices\u27 are expanding day by day in our everyday life and hence the need to make them more secure. In the near future, we may need to authenticate ourselves on emerging smart devices such as electronic doors, exercise equipment, power tools, medical devices, and smart TV remote control. While recent research focuses on developing new behavior-based methods to authenticate these smart devices, pin and password still remain primary methods to authenticate a user on a device. Although the recent research exposes the observation-based vulnerabilities, the popular belief is that the direct observation attacks can be thwarted by simple methods that obscure the attacker\u27s view of the input console (or screen). In this dissertation, we study the users\u27 hand movement pattern while they type on their smart devices. The study concentrates on the following two factors; (1) finding security leaks from the observed hand movement patterns (we showcase that the user\u27s hand movement on its own reveals the user\u27s sensitive information) and (2) developing methods to build lightweight, easy to use, and more secure authentication system. The users\u27 hand movement patterns were captured through video camcorder and inbuilt motion sensors such as gyroscope and accelerometer in the user\u27s device

A practical application of a text-independent speaker authentication system on mobile devices

The growing market of mobile devices forces to question about how to protect users’ credentials and data stored on such devices. Authentication mechanisms remain the first layer of security in the use of mobile devices. However, several of such mechanisms that have been already proposed were designed in a machine point of view. As a matter of fact, they are not compatible with behaviors human have while using their mobile devices in the daily life. Consequently, users adopted unsafe habits that may compromise the proper functioning of authentication mechanisms according to the safety aspect. The first main objective of this research project is to highlight strengths and weaknesses of current authentication systems, from the simpler ones such as PIN (Personal Identification Number) to the more complex biometric systems such as fingerprint. Then, this thesis offers an exhaustive evaluation of existing schemes. For this evaluation, we rely on some existing criteria and we also propose some new ones. Suggested criteria are chiefly centered on the usability of these authentica-tion systems. Secondly, this thesis presents a practical implementation of a text-independent speaker au-thentication system for mobile devices. We place a special attention in the choice of algorithms with low-computational costs since we want that the system operates without any network communication. Indeed, the enrollment, as well as the identification process are achieved onto the device itself. To this end, our choice was based on the extraction of Linear Prediction Cepstral Coefficients (LPCCs) (Furui 1981; O'Shaughnessy 1988) to obtain relevant voice features and the Naïve Bayes classifier (Zhang 2004) to predict at which speaker a given utterance corresponds. Furthermore, the authenti-cation decision was enhanced in order to overcome misidentification. In that sense, we introduced the notion of access privileges (i.e. public, protected, private) that the user has to attribute to each appli-cation installed on his/her mobile device. Then, the safest authority is granted through the result of the speaker identification decision as well as the analysis of the user’s location and the presence of a headset. In order to evaluate the proposed authentication system, eleven participants were involved in the experiment, which was conducted in two different environments (i.e. quiet and noisy). Moreover, we also employed public speech corpuses to compare this implementation to existing methods. Results obtained have shown that our system is a relevant, accurate and efficient solution to authenticate users on their mobile devices. Considering acceptability issues which were pointed out by some users, we suggest that the proposed authentication system should be either employed as part of a multilayer authentication, or as a fallback mechanism, to cover most of the user needs and usages. La croissance du marché des dispositifs mobiles implique de se questionner au sujet de comment protéger l’identité ainsi que les données personnelles des utilisateurs qui sont stockées sur ces appareils. En ce sens, les mécanismes d’authentification demeurent la première couche de sécurité dans l’utilisation des mobiles. Cependant, il apparaît que la plupart des mécanismes d’authentification qui ont été proposés, ont été conçus suivant un point de vue orienté machine plutôt qu’humain. En effet, ceux-ci ne s’adaptent généralement pas avec l’usage quotidien qu’ont les utilisateurs lorsqu’ils se servent leur téléphone. En conséquence, ils ont adopté des habitudes dangereuses qui peuvent compromettre le bon fonctionnement des systèmes d’authentification. Celles-ci peuvent alors remettre en question la sécurité de leur identité ainsi que la confidentialité de leur contenu numérique. Le premier objectif principal de ce projet de recherche est de faire ressortir les forces et les faiblesses des méthodes d’authentification qui existent actuellement, des plus simples comme le NIP (Numéro d’Identification Personnel) aux solutions biométriques plus complexes comme l’empreinte digitale. Par la suite, ce mémoire offre une évaluation exhaustive de ces solutions, basée sur des critères existant ainsi que de nouveaux critères que nous suggérons. Ces derniers sont majoritairement centrés sur l’utilisabilité des mécanismes d’authentification qui ont été examinés. Dans un second temps, ce mémoire présente une implémentation pratique, pour périphériques mobiles, d’un système d’authentification d’orateur indépendant de ce qui est prononcé par l’utilisateur. Pour concevoir un tel système, nous avons porté une attention particulière dans le choix d’algorithmes admettant un faible temps d’exécution afin de se prémunir des communications réseau. En effet, ceci nous permet alors de réaliser le processus d’entraînement ainsi que la reconnaissance, directement sur le mobile. Les choix technologiques se sont arrêtés sur l’extraction de coefficients spectraux (Linear Prediction Cepstral Coefficients) (Furui 1981; O'Shaughnessy 1988) afin d’obtenir des caractéristiques vocales pertinentes, ainsi que sur une classification naïve bayésienne (Zhang 2004) pour prédire à quel utilisateur correspond un énoncé donné. La décision finale, quant à elle, a été améliorée afin de se prémunir des mauvaises identifications. En ce sens, nous avons introduit la notion de droits d’accès spécifiques (i.e. publique, protégé ou privé) que l’utilisateur doit attribuer à chacune des applications installées sur son mobile. Ensuite, l’autorisation d’accès la plus adaptée est accordée, grâce au résultat retournée par l’identification de l’orateur, ainsi que par l’analyse de la localisation de l’utilisateur et de l’emploi d’un micro-casque. Pour réaliser l’évaluation du système que nous proposons ici, onze participants ont été recrutés pour la phase d’expérimentation. Cette dernière a été menée dans deux types d’environnements différents (i.e. silencieux et bruyant). De plus, nous avons aussi exploité des corpus de voix publiques afin de comparer notre implémentation à celles qui ont été proposées par le passé. Par conséquent, les résultats que nous avons obtenus ont montré que notre système constitue une solution pertinente, précise et efficace pour authentifier les utilisateurs sur leurs périphériques mobiles. Compte tenu des problèmes d’acceptabilité qui ont été mis en avant par certains testeurs, nous suggérons qu’un tel système puisse être utilisé comme faisant part d’une authentification à plusieurs facteurs, mais aussi comme une solution de repli, en cas d’échec du mécanisme principal, afin de couvrir la majorité des besoins et des usages des utilisateurs