15,248 research outputs found
A new One-time Password Method
AbstractOne-Time Passwords (OTP) can provide complete protection of the login-time authentication mechanism against replay attacks. In this paper, we propose TSOTP: a new effective simple OTP method that generates a unique passcode for each use. The calculation uses both time stamps and sequence numbers. A two-factor authentication prototype for mobile phones using this method has been developed and has been used in practice for a year
Towards Baselines for Shoulder Surfing on Mobile Authentication
Given the nature of mobile devices and unlock procedures, unlock
authentication is a prime target for credential leaking via shoulder surfing, a
form of an observation attack. While the research community has investigated
solutions to minimize or prevent the threat of shoulder surfing, our
understanding of how the attack performs on current systems is less well
studied. In this paper, we describe a large online experiment (n=1173) that
works towards establishing a baseline of shoulder surfing vulnerability for
current unlock authentication systems. Using controlled video recordings of a
victim entering in a set of 4- and 6-length PINs and Android unlock patterns on
different phones from different angles, we asked participants to act as
attackers, trying to determine the authentication input based on the
observation. We find that 6-digit PINs are the most elusive attacking surface
where a single observation leads to just 10.8% successful attacks, improving to
26.5\% with multiple observations. As a comparison, 6-length Android patterns,
with one observation, suffered 64.2% attack rate and 79.9% with multiple
observations. Removing feedback lines for patterns improves security from
35.3\% and 52.1\% for single and multiple observations, respectively. This
evidence, as well as other results related to hand position, phone size, and
observation angle, suggests the best and worst case scenarios related to
shoulder surfing vulnerability which can both help inform users to improve
their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference
(ACSAC
Conceivable security risks and authentication techniques for smart devices
With the rapidly escalating use of smart devices and fraudulent transaction of users’ data from their devices, efficient and reliable techniques for authentication of the smart devices have become an obligatory issue. This paper reviews the security risks for mobile devices and studies several authentication techniques available for smart devices. The results from field studies enable a comparative evaluation of user-preferred authentication mechanisms and their opinions about reliability, biometric authentication and visual authentication techniques
S-Mbank: Secure Mobile Banking Authentication Scheme Using Signcryption, Pair Based Text Authentication, and Contactless Smartcard
Nowadays, mobile banking becomes a popular tool which consumers can conduct
financial transactions such as shopping, monitoring accounts balance,
transferring funds and other payments. Consumers dependency on mobile needs,
make people take a little bit more interest in mobile banking. The use of the
one-time password which is sent to the user mobile phone by short message
service (SMS) is a vulnerability which we want to solve with proposing a new
scheme called S-Mbank. We replace the authentication using the one-time
password with the contactless smart card to prevent attackers to use the
unencrypted message which is sent to the user's mobile phone. Moreover, it
deals vulnerability of spoofer to send an SMS pretending as a bank's server.
The contactless smart card is proposed because of its flexibility and security
which easier to bring in our wallet than the common passcode generators. The
replacement of SMS-based authentication with contactless smart card removes the
vulnerability of unauthorized users to act as a legitimate user to exploit the
mobile banking user's account. Besides that, we use public-private key pair and
PIN to provide two factors authentication and mutual authentication. We use
signcryption scheme to provide the efficiency of the computation. Pair based
text authentication is also proposed for the login process as a solution to
shoulder-surfing attack. We use Scyther tool to analyze the security of
authentication protocol in S-Mbank scheme. From the proposed scheme, we are
able to provide more security protection for mobile banking service.Comment: 6 page
Touchalytics: On the Applicability of Touchscreen Input as a Behavioral Biometric for Continuous Authentication
We investigate whether a classifier can continuously authenticate users based
on the way they interact with the touchscreen of a smart phone. We propose a
set of 30 behavioral touch features that can be extracted from raw touchscreen
logs and demonstrate that different users populate distinct subspaces of this
feature space. In a systematic experiment designed to test how this behavioral
pattern exhibits consistency over time, we collected touch data from users
interacting with a smart phone using basic navigation maneuvers, i.e., up-down
and left-right scrolling. We propose a classification framework that learns the
touch behavior of a user during an enrollment phase and is able to accept or
reject the current user by monitoring interaction with the touch screen. The
classifier achieves a median equal error rate of 0% for intra-session
authentication, 2%-3% for inter-session authentication and below 4% when the
authentication test was carried out one week after the enrollment phase. While
our experimental findings disqualify this method as a standalone authentication
mechanism for long-term authentication, it could be implemented as a means to
extend screen-lock time or as a part of a multi-modal biometric authentication
system.Comment: to appear at IEEE Transactions on Information Forensics & Security;
Download data from http://www.mariofrank.net/touchalytics
- …