6,147 research outputs found
Towards Baselines for Shoulder Surfing on Mobile Authentication
Given the nature of mobile devices and unlock procedures, unlock
authentication is a prime target for credential leaking via shoulder surfing, a
form of an observation attack. While the research community has investigated
solutions to minimize or prevent the threat of shoulder surfing, our
understanding of how the attack performs on current systems is less well
studied. In this paper, we describe a large online experiment (n=1173) that
works towards establishing a baseline of shoulder surfing vulnerability for
current unlock authentication systems. Using controlled video recordings of a
victim entering in a set of 4- and 6-length PINs and Android unlock patterns on
different phones from different angles, we asked participants to act as
attackers, trying to determine the authentication input based on the
observation. We find that 6-digit PINs are the most elusive attacking surface
where a single observation leads to just 10.8% successful attacks, improving to
26.5\% with multiple observations. As a comparison, 6-length Android patterns,
with one observation, suffered 64.2% attack rate and 79.9% with multiple
observations. Removing feedback lines for patterns improves security from
35.3\% and 52.1\% for single and multiple observations, respectively. This
evidence, as well as other results related to hand position, phone size, and
observation angle, suggests the best and worst case scenarios related to
shoulder surfing vulnerability which can both help inform users to improve
their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference
(ACSAC
A Dynamic Profile Questions Approach to Mitigate Impersonation in Online Examinations
© The Author(s) 2018 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.Online examinations are an integral component of many online learning environments, which face many security challenges. Collusion is seen as a major security threat to such examinations, when a student invites a third party to impersonate or abet in a test. This work aims to strengthen the authentication of students via the use of dynamic profile questions. The study reported in this paper involved 31 online participants from five countries over a five-week period. The results of usability and security analysis are reported. The dynamic profile questions were more usable than both the text-based and image-based questions (p < 0.01). An impersonation abuse scenario was simulated using email and mobile phone. The impersonation attack via email was not successful, however, students were able to share answers to dynamic profile questions with a third party impersonator in real time, which resulted in 93% correct answers. The sharing of information via phone took place in real time during an online test and the response time of an impersonator was significantly different (p < 0.01) than a student. The study also revealed that a response time factor may be implemented to identify and report impersonation attacks.Peer reviewe
The Value of User-Visible Internet Cryptography
Cryptographic mechanisms are used in a wide range of applications, including
email clients, web browsers, document and asset management systems, where
typical users are not cryptography experts. A number of empirical studies have
demonstrated that explicit, user-visible cryptographic mechanisms are not
widely used by non-expert users, and as a result arguments have been made that
cryptographic mechanisms need to be better hidden or embedded in end-user
processes and tools. Other mechanisms, such as HTTPS, have cryptography
built-in and only become visible to the user when a dialogue appears due to a
(potential) problem. This paper surveys deployed and potential technologies in
use, examines the social and legal context of broad classes of users, and from
there, assesses the value and issues for those users
Challenges of Multi-Factor Authentication for Securing Advanced IoT (A-IoT) Applications
The unprecedented proliferation of smart devices together with novel
communication, computing, and control technologies have paved the way for the
Advanced Internet of Things~(A-IoT). This development involves new categories
of capable devices, such as high-end wearables, smart vehicles, and consumer
drones aiming to enable efficient and collaborative utilization within the
Smart City paradigm. While massive deployments of these objects may enrich
people's lives, unauthorized access to the said equipment is potentially
dangerous. Hence, highly-secure human authentication mechanisms have to be
designed. At the same time, human beings desire comfortable interaction with
their owned devices on a daily basis, thus demanding the authentication
procedures to be seamless and user-friendly, mindful of the contemporary urban
dynamics. In response to these unique challenges, this work advocates for the
adoption of multi-factor authentication for A-IoT, such that multiple
heterogeneous methods - both well-established and emerging - are combined
intelligently to grant or deny access reliably. We thus discuss the pros and
cons of various solutions as well as introduce tools to combine the
authentication factors, with an emphasis on challenging Smart City
environments. We finally outline the open questions to shape future research
efforts in this emerging field.Comment: 7 pages, 4 figures, 2 tables. The work has been accepted for
publication in IEEE Network, 2019. Copyright may be transferred without
notice, after which this version may no longer be accessibl
- …