A Secure Mobile-based Authentication System

Financial information is extremely sensitive. Hence, electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. On the other hand, such system must be usable, affordable, and portable.We propose a challengeresponse based one-time password (OTP) scheme that uses symmetric cryptography in combination with a hardware security module. The proposed protocol safeguards passwords from keyloggers and phishing attacks. Besides, this solution provides convenient mobility for users who want to bank online anytime and anywhere, not just from their own trusted computers.La informació financera és extremadament sensible. Per tant, la banca electrònica ha de proporcionar un sistema robust per autenticar als seus clients i fer-los accedir a les dades de forma remota. D'altra banda, aquest sistema ha de ser usable, accessible, i portàtil. Es proposa una resposta al desafiament basat en una contrasenya única (OTP), esquema que utilitza la criptografia simètrica en combinació amb un mòdul de maquinari de seguretat. Amés, aquesta solució ofereix mobilitat convenient per als usuaris que volen bancària en línia en qualsevol moment i en qualsevol lloc, no només des dels seus propis equips de confiança.La información financiera es extremadamente sensible. Por lo tanto, la banca electrónica debe proporcionar un sistema robusto para autenticar a sus clientes y hacerles acceder a sus datos de forma remota. Por otra parte, dicho sistema debe ser usable, accesible, y portátil. Se propone una respuesta al desafío basado en una contraseña única (OTP), esquema que utiliza la criptografía simétrica en combinación con un módulo hardware de seguridad hardware. Además, esta solución ofrece una movilidad conveniente para los usuarios que quieren la entidad bancaria en línea en cualquier momento y en cualquier lugar, no sólo des de sus propios equipos de confianza

Strengthening e-banking security using keystroke dynamics

This paper investigates keystroke dynamics and its possible use as a tool to prevent or detect fraud in the banking industry. Given that banks are constantly on the lookout for improved methods to address the menace of fraud, the paper sets out to review keystroke dynamics, its advantages, disadvantages and potential for improving the security of e-banking systems. This paper evaluates keystroke dynamics suitability of use for enhancing security in the banking sector. Results from the literature review found that keystroke dynamics can offer impressive accuracy rates for user identification. Low costs of deployment and minimal change to users modus operandi make this technology an attractive investment for banks. The paper goes on to argue that although this behavioural biometric may not be suitable as a primary method of authentication, it can be used as a secondary or tertiary method to complement existing authentication systems

Evaluating Security and Usability of Profile Based Challenge Questions Authentication in Online Examinations

© 2014 Ullah et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.Student authentication in online learning environments is an increasingly challenging issue due to the inherent absence of physical interaction with online users and potential security threats to online examinations. This study is part of ongoing research on student authentication in online examinations evaluating the potential benefits of using challenge questions. The authors developed a Profile Based Authentication Framework (PBAF), which utilises challenge questions for students’ authentication in online examinations. This paper examines the findings of an empirical study in which 23 participants used the PBAF including an abuse case security analysis of the PBAF approach. The overall usability analysis suggests that the PBAF is efficient, effective and usable. However, specific questions need replacement with suitable alternatives due to usability challenges. The results of the current research study suggest that memorability, clarity of questions, syntactic variation and question relevance can cause usability issues leading to authentication failure. A configurable traffic light system was designed and implemented to improve the usability of challenge questions. The security analysis indicates that the PBAF is resistant to informed guessing in general, however, specific questions were identified with security issues. The security analysis identifies challenge questions with potential risks of informed guessing by friends and colleagues. The study was performed with a small number of participants in a simulation online course and the results need to be verified in a real educational context on a larger sample sizePeer reviewedFinal Published versio

Deceptive security based on authentication profiling

Passwords are broken. Multi-factor Authentication overcomes password insecurities, but its potentials are often not realised. This article presents InSight, a system to actively identify perpetrators by deceitful adaptation of the accessible system resources using Multi-factor Authentication profiles. This approach improves authentication reliability and attributes users by computing trust scores against profiles. Based on this score, certain functionality is locked, unlocked, buffered, or redirected to a deceptive honeypot, which is used for attribution. The novelty of this approach is twofold; a profile-based multi-factor authentication approach that is combined with a gradient, deceptive honeypot

An investigation into the usability and acceptability of multi-channel authentication to online banking users in Oman

Authentication mechanisms provide the cornerstone for security for many distributed systems, especially for increasingly popular online applications. For decades, widely used, traditional authentication methods included passwords and PINs that are now inadequate to protect online users and organizations from ever more sophisticated attacks. This study proposes an improvement to traditional authentication mechanisms. The solution introduced here includes a one-time-password (OTP) and incorporates the concept of multiple levels and multiple channels – features that are much more successful than traditional authentication mechanisms in protecting users' online accounts from being compromised. This research study reviews and evaluates current authentication classes and mechanisms and proposes an authentication mechanism that uses a variety of techniques, including multiple channels, to resist attacks more effectively than most commonly used mechanisms. Three aspects of the mechanism were evaluated: 1. The security of multi-channel authentication (MCA) was evaluated in theoretical terms, using a widely accepted methodology. 2. The usability was evaluated by carrying out a user study. 3. Finally, the acceptability thereof was evaluated by asking the participants in study (2) specific questions which aligned with the technology acceptance model (TAM). The study’s analysis of the data, gathered from online questionnaires and application log tables, showed that most participants found the MCA mechanism superior to other available authentication mechanisms and clearly supported the proposed MCA mechanism and the benefits that it provides. The research presents guidelines on how to implement the proposed mechanism, provides a detailed analysis of its effectiveness in protecting users' online accounts against specific, commonly deployed attacks, and reports on its usability and acceptability. It represents a significant step forward in the evolution of authentication mechanisms meeting the security needs of online users while maintaining usability

Continuous and transparent multimodal authentication: reviewing the state of the art

Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorized user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. They are also still mostly functioning at the point of entry and those performing sort of re-authentication executing it in an intrusive manner. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This paper reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art and identifying the open problems to be tackled and available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between high security and user satisfaction. This is followed by a literature review of the existing research on continuous and transparent multimodal authentication. It concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilized in a universal level. Ultimately, a potential federated biometric authentication solution is presented; however it needs to be developed and extensively evaluated, thus operating in a transparent, continuous and user-friendly manner

A Framework for Aggregating Private and Public Web Archives

Personal and private Web archives are proliferating due to the increase in the tools to create them and the realization that Internet Archive and other public Web archives are unable to capture personalized (e.g., Facebook) and private (e.g., banking) Web pages. We introduce a framework to mitigate issues of aggregation in private, personal, and public Web archives without compromising potential sensitive information contained in private captures. We amend Memento syntax and semantics to allow TimeMap enrichment to account for additional attributes to be expressed inclusive of the requirements for dereferencing private Web archive captures. We provide a method to involve the user further in the negotiation of archival captures in dimensions beyond time. We introduce a model for archival querying precedence and short-circuiting, as needed when aggregating private and personal Web archive captures with those from public Web archives through Memento. Negotiation of this sort is novel to Web archiving and allows for the more seamless aggregation of various types of Web archives to convey a more accurate picture of the past Web.Comment: Preprint version of the ACM/IEEE Joint Conference on Digital Libraries (JCDL 2018) full paper, accessible at the DO

Privacy and Usability of Image and Text Based Challenge Questions Authentication in Online Examination

In many online examinations, physical invigilation is often replaced with traditional authentication approaches for student identification. Secure and usable authentication approaches are important for high stake online examinations. A Profile Based Authentication Framework (PBAF) was developed and implemented in a real online learning course embedded with summative online examination. Based on users’ experience of using the PBAF in an online course, online questionnaires were used to collect participants' feedback on effectiveness, layout and appearance, user satisfaction, distraction and privacy concerns. Based on overall findings of the quantitative analysis, there was a positive feedback on the use of a hybrid approach utilizing image and text based challenge questions for better usability. However, the number of questions presented during learning and examination processes were reported to be too many and caused distraction. Participants expressed a degree of concern on sharing personal and academic information with little or no privacy concern on using favorite question

A Trust Model Based on Service Classification in Mobile Services

Internet of Things (IoT) and B3G/4G communication are promoting the pervasive mobile services with its advanced features. However, security problems are also baffled the development. This paper proposes a trust model to protect the user's security. The billing or trust operator works as an agent to provide a trust authentication for all the service providers. The services are classified by sensitive value calculation. With the value, the user's trustiness for corresponding service can be obtained. For decision, three trust regions are divided, which is referred to three ranks: high, medium and low. The trust region tells the customer, with his calculated trust value, which rank he has got and which authentication methods should be used for access. Authentication history and penalty are also involved with reasons.Comment: IEEE/ACM Internet of Things Symposium (IOTS), in conjunction with GreenCom 2010, IEEE, Hangzhou, China, December 18-20, 201