38 research outputs found

    A practical application of a text-independent speaker authentication system on mobile devices

    The growing market of mobile devices raises the question of how to protect users’ credentials and data stored on such devices. Authentication mechanisms remain the first layer of security in the use of mobile devices. However, several of the mechanisms that have already been proposed were designed from a machine point of view. As a matter of fact, they are not compatible with the behaviors humans have while using their mobile devices in daily life. Consequently, users have adopted unsafe habits that may compromise the proper functioning of authentication mechanisms with respect to safety. The first main objective of this research project is to highlight strengths and weaknesses of current authentication systems, from the simpler ones such as PIN (Personal Identification Number) to the more complex biometric systems such as fingerprint. Then, this thesis offers an exhaustive evaluation of existing schemes. For this evaluation, we rely on some existing criteria and we also propose some new ones. Suggested criteria are chiefly centered on the usability of these authentication systems. Secondly, this thesis presents a practical implementation of a text-independent speaker authentication system for mobile devices. We pay special attention to the choice of algorithms with low computational costs since we want the system to operate without any network communication. Indeed, the enrollment as well as the identification process are carried out on the device itself. To this end, our choice was based on the extraction of Linear Prediction Cepstral Coefficients (LPCCs) (Furui 1981; O'Shaughnessy 1988) to obtain relevant voice features and the Naïve Bayes classifier (Zhang 2004) to predict to which speaker a given utterance corresponds. Furthermore, the authentication decision was enhanced in order to overcome misidentification. In that sense, we introduced the notion of access privileges (i.e. public, protected, private) that the user has to attribute to each application installed on his/her mobile device. Then, the safest authority is granted through the result of the speaker identification decision as well as the analysis of the user’s location and the presence of a headset. In order to evaluate the proposed authentication system, eleven participants were involved in the experiment, which was conducted in two different environments (i.e. quiet and noisy). Moreover, we also employed public speech corpora to compare this implementation to existing methods. Results obtained have shown that our system is a relevant, accurate and efficient solution to authenticate users on their mobile devices. Considering acceptability issues which were pointed out by some users, we suggest that the proposed authentication system should be either employed as part of a multilayer authentication, or as a fallback mechanism, to cover most of the user needs and usages.
    The growth of the mobile device market raises the question of how to protect the identity and personal data of users stored on these devices. In this sense, authentication mechanisms remain the first layer of security in the use of mobile devices. However, it appears that most of the authentication mechanisms that have been proposed were designed from a machine-oriented rather than a human-oriented point of view. Indeed, they generally do not fit the everyday use that users make of their phones. As a result, users have adopted dangerous habits that can compromise the proper functioning of authentication systems. These habits can in turn call into question the security of their identity and the confidentiality of their digital content. The first main objective of this research project is to bring out the strengths and weaknesses of the authentication methods that currently exist, from the simplest such as the PIN (Personal Identification Number) to more complex biometric solutions such as fingerprint. This thesis then offers an exhaustive evaluation of these solutions, based on existing criteria as well as new criteria that we suggest. The latter are mainly centered on the usability of the authentication mechanisms examined. Secondly, this thesis presents a practical implementation, for mobile devices, of a speaker authentication system that is independent of what the user says. To design such a system, we paid particular attention to choosing algorithms with low execution time in order to avoid network communication. Indeed, this allows us to carry out the training process as well as recognition directly on the mobile device. The technological choices settled on the extraction of spectral coefficients (Linear Prediction Cepstral Coefficients) (Furui 1981; O'Shaughnessy 1988) to obtain relevant voice features, and on naive Bayes classification (Zhang 2004) to predict which user a given utterance corresponds to. The final decision, for its part, was improved in order to guard against misidentification. In this sense, we introduced the notion of specific access rights (i.e. public, protected or private) that the user must assign to each application installed on his or her mobile device. Then, the most suitable access authorization is granted based on the result returned by the speaker identification, as well as the analysis of the user's location and the use of a headset. To evaluate the system we propose here, eleven participants were recruited for the experimentation phase. The latter was conducted in two different types of environment (i.e. quiet and noisy). In addition, we also used public voice corpora to compare our implementation with those proposed in the past. Consequently, the results we obtained showed that our system is a relevant, accurate and efficient solution for authenticating users on their mobile devices. Given the acceptability issues raised by some testers, we suggest that such a system could be used as part of multi-factor authentication, but also as a fallback solution, in case the main mechanism fails, in order to cover the majority of users' needs and usages

    Authorization and authentication strategy for mobile highly constrained edge devices

    The rising popularity of mobile devices has driven the need for faster connection speeds and more flexible authentication and authorization methods. This project aims to develop and implement an innovative system that provides authentication and authorization for both the device and the user. It also facilitates real-time user re-authentication within the application, ensuring transparency throughout the process. Additionally, the system aims to establish a secure architecture that minimizes the computational requirements on the client's device, thus optimizing the device's battery life. The achieved results have demonstrated satisfactory outcomes, validating the effectiveness of the proposed solution. However, there is still potential for further improvement to enhance its overall performance

    Telesonar: Robocall Alarm System by Detecting Echo Channel and Breath Timing


    Biometrics

    Biometrics uses methods for unique recognition of humans based upon one or more intrinsic physical or behavioral traits. In computer science, particularly, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance. The book consists of 13 chapters, each focusing on a certain aspect of the problem. The book chapters are divided into three sections: physical biometrics, behavioral biometrics and medical biometrics. The key objective of the book is to provide comprehensive reference and text on human authentication and people identity verification from both physiological, behavioural and other points of view. It aims to publish new insights into current innovations in computer systems and technology for biometrics development and its applications. The book was reviewed by the editor Dr. Jucheng Yang, and many of the guest editors, such as Dr. Girija Chetty, Dr. Norman Poh, Dr. Loris Nanni, Dr. Jianjiang Feng, Dr. Dongsun Park, Dr. Sook Yoon and so on, who also made a significant contribution to the book

    Acoustic-channel attack and defence methods for personal voice assistants

    Personal Voice Assistants (PVAs) are increasingly used as an interface to digital environments. Voice commands are used to interact with phones, smart homes or cars. In the US alone the number of smart speakers such as Amazon’s Echo and Google Home has grown by 78% to 118.5 million and 21% of the US population own at least one device. Given the increasing dependency of society on PVAs, security and privacy of these has become a major concern of users, manufacturers and policy makers. Consequently, a steep increase in research efforts addressing security and privacy of PVAs can be observed in recent years. While some security and privacy research applicable to the PVA domain predates their recent increase in popularity and many new research strands have emerged, research dedicated to PVA security and privacy is lacking. The most important interaction interface between users and a PVA is the acoustic channel, and acoustic channel related security and privacy studies are desirable and required. The aim of the work presented in this thesis is to enhance the cognition of security and privacy issues of PVA usage related to the acoustic channel, to propose principles and solutions to key usage scenarios to mitigate potential security threats, and to present a novel type of dangerous attack which can be launched only by using a PVA alone. The five core contributions of this thesis are: (i) a taxonomy is built for the research domain of PVA security and privacy issues related to the acoustic channel. An extensive research overview on the state of the art is provided, describing a comprehensive research map for PVA security and privacy. It is also shown in this taxonomy where the contributions of this thesis lie; (ii) Work has emerged aiming to generate adversarial audio inputs which sound harmless to humans but can trick a PVA to recognise harmful commands. 
The majority of work has been focused on the attack side, but there rarely exists work on how to defend against this type of attack. A defence method against white-box adversarial commands is proposed and implemented as a prototype. It is shown that a defence Automatic Speech Recognition (ASR) can work in parallel with the PVA’s main one, and adversarial audio input is detected if the difference in the speech decoding results between both ASRs surpasses a threshold. It is demonstrated that an ASR that differs in architecture and/or training data from the PVA’s main ASR is usable as protection ASR; (iii) PVAs continuously monitor conversations which may be transported to a cloud back end where they are stored, processed and maybe even passed on to other service providers. A user has limited control over this process when a PVA is triggered without the user’s intent or a PVA belongs to others. A user is unable to control the recording behaviour of surrounding PVAs, unable to signal privacy requirements and unable to track conversation recordings. An acoustic tagging solution is proposed aiming to embed additional information into acoustic signals processed by PVAs. A user employs a tagging device which emits an acoustic signal when PVA activity is assumed. Any active PVA will embed this tag into their recorded audio stream. The tag may signal a cooperating PVA or back-end system that a user has not given a recording consent. The tag may also be used to trace when and where a recording was taken if necessary. A prototype tagging device based on PocketSphinx is implemented. Using Google Home Mini as the PVA, it is demonstrated that the device can tag conversations and the tagging signal can be retrieved from conversations stored in the Google back-end system; (iv) Acoustic tagging provides users the capability to signal their permission to the back-end PVA service, and another solution inspired by Denial of Service (DoS) is proposed as well for protecting user privacy. 
Although PVAs are very helpful, they are also continuously monitoring conversations. When a PVA detects a wake word, the immediately following conversation is recorded and transported to a cloud system for further analysis. An active protection mechanism is proposed: reactive jamming. A Protection Jamming Device (PJD) is employed to observe conversations. Upon detection of a PVA wake word the PJD emits an acoustic jamming signal. The PJD must detect the wake word faster than the PVA such that the jamming signal still prevents wake word detection by the PVA. An evaluation of the effectiveness of different jamming signals and overlap between wake words and the jamming signals is carried out. 100% jamming success can be achieved with an overlap of at least 60% with a negligible false positive rate; (v) Acoustic components (speakers and microphones) on a PVA can potentially be re-purposed to achieve acoustic sensing. This has great security and privacy implication due to the key role of PVAs in digital environments. The first active acoustic side-channel attack is proposed. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a smartphone into a sonar system. The echo signal can be used to profile user interaction with the device. For example, a victim’s finger movement can be monitored to steal Android unlock patterns. The number of candidate unlock patterns that an attacker must try to authenticate herself to a Samsung S4 phone can be reduced by up to 70% using this novel unnoticeable acoustic side-channel

    Platform Embedded Security Technology Revealed

    Computer scienc

    Bioelectrical User Authentication

    There has been tremendous growth of mobile devices, which includes mobile phones, tablets etc., in recent years. The use of mobile phones is more prevalent due to their increasing functionality and capacity. Most of the mobile phones available now are smart phones with better processing capability, hence their deployment for processing large volumes of information. The information contained in these smart phones needs to be protected to prevent unauthorised persons from getting hold of personal data. To verify a legitimate user before accessing the phone information, the user authentication mechanism should be robust enough to meet present security challenges. The present approach for user authentication is cumbersome and fails to consider the human factor. The point-of-entry mechanism is intrusive, forcing users to authenticate always, irrespective of the time interval. The use of biometrics is identified as a more reliable method for implementing a transparent and non-intrusive user authentication. Transparent authentication using biometrics provides the opportunity for more convenient and secure authentication over secret-knowledge or token-based approaches. The ability to apply biometrics in a transparent manner improves the authentication security by providing a reliable way for smart phone user authentication. As such, research is required to investigate new modalities that would easily operate within the constraints of a continuous and transparent authentication system. This thesis explores the use of bioelectrical signals and contextual information as a non-intrusive approach for authenticating a user of a mobile device. From fusion of bioelectrical signals and context awareness information, three algorithms were created to discriminate subjects with overall Equal Error Rate (EER) of 3.4%, 2.04% and 0.27% respectively. Based on the analysis from the multi-algorithm implementation, a novel architecture is proposed using a multi-algorithm biometric authentication system for authenticating a user of a smart phone. The framework is designed to be continuous and transparent, with the application of advanced intelligence to further improve the authentication result. The proposed framework removes the inconvenience of password/passphrase etc. memorability, carrying of a token or capturing a biometric sample in an intrusive manner. The framework is evaluated through simulation with the application of a voting scheme. The simulation of the voting scheme using majority voting improved the performance of the combined algorithm (security level 2) to FRR of 22% and FAR of 0%, the Active algorithm (security level 2) to FRR of 14.33% and FAR of 0% while the Non-active algorithm (security level 3) to FRR of 10.33% and FAR of 0%

    Integrating a usable security protocol for user authentication into the requirements and design process

    Usability and security are crucial elements in the user authentication process. One of the major challenges facing organizations today is to offer systems for access to logical resources (for example, a software application) and physical resources (for example, a building) that are both secure and usable. To achieve these objectives, it is first necessary to implement the three indispensable components: identification (i.e., defining a user's identity), authentication (i.e., verifying a user's identity) and authorization (i.e., granting access rights to a user). More particularly, research on user authentication is essential. Without authentication, for example, computer systems are unable to verify whether a user requesting access to a resource has the right to do so. Although several research efforts have addressed various security mechanisms, very little research so far has addressed the usability and security of user authentication methods. For this reason, we consider it necessary to develop a usability and security protocol for designing user authentication methods. The central thesis of this research work holds that there is an intrinsic conflict between creating systems that are secure and creating systems that are easy to use. However, usability and security can be built synergistically by using analysis and design tools that include usability and security principles from the Analysis and Design stage of the authentication method. In some situations it is possible to improve usability and security simultaneously by revisiting design decisions made in the past. In other cases, it is more advantageous to align usability and security by changing the regulatory environment in which computers operate. For this reason, the main objective of this thesis is not to address usability and security after the final product has been manufactured, but to make security a natural outcome of the Analysis and Design stage of the authentication method's life cycle.
    AUTHOR'S KEYWORDS: user authentication, usability, computer security, access control