23 research outputs found

    Frictionless Authentication Systems: Emerging Trends, Research Challenges and Opportunities

    Authentication and authorization are critical security layers to protect a wide range of online systems, services and content. However, the increased prevalence of wearable and mobile devices, the expectations of a frictionless experience and the diverse user environments will challenge the way users are authenticated. Consumers demand secure and privacy-aware access from any device, whenever and wherever they are, without any obstacles. This paper reviews emerging trends and challenges with frictionless authentication systems and identifies opportunities for further research related to the enrollment of users, the usability of authentication schemes, as well as security and privacy trade-offs of mobile and wearable continuous authentication systems.
    Comment: published at the 11th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2017)

    PIVOT: Private and effective contact tracing

    We propose, design, and evaluate PIVOT, a privacy-enhancing and effective contact tracing solution that aims to strike a balance between utility and privacy: one that does not collect sensitive information yet allows effective tracing and notifying the close contacts of diagnosed users. PIVOT requires a considerably lower degree of trust in the entities involved compared to centralised alternatives while retaining the necessary utility. To protect users' privacy, it uses local proximity tracing based on broadcasting and recording constantly changing anonymous public keys via short-range communication. These public keys are used to establish a shared secret key between two people in close contact. The three keys (i.e., the two public keys and the established shared key) are then used to generate two unique per-user-per-contact hashes: one for infection registration and one for exposure score query. These hashes are never revealed to the public. To improve utility, user exposure score computation is performed centrally, which provides health authorities with minimal, yet insightful and actionable data. Data minimisation is achieved by the use of per-user-per-contact hashes and by enforcing role separation: the health authority acts as a mixing node, while the matching between reported and queried hashes is outsourced to a third entity, an independent matching service. This separation ensures that out-of-scope information, such as users' social interactions, is hidden from the health authorities, whereas the matching service does not learn users' sensitive information. To sustain our claims, we conduct a practical evaluation that encompasses anonymity guarantees and energy requirements.

    Improving resilience of behaviometric based continuous authentication with multiple accelerometers

    Behaviometrics in multi-factor authentication schemes continuously assess behavior patterns of a subject to recognize and verify his identity. In this work we challenge the practical feasibility and the resilience of accelerometer-based gait analysis as a behaviometric under sensor displacement conditions. To improve misauthentication resistance, we present and evaluate a solution using multiple accelerometers on 7 positions on the body during different activities and compare the effectiveness with Gradient-Boosted Trees classification. From a security point of view, we investigate the feasibility of zero and non-zero effort attacks on gait analysis as a behaviometric. Our experimental results with data from 12 individuals show an improvement in terms of EER with about 2% (from 5% down to 3%), with an increased resilience against observation attacks. When trained to defend against such attacks, we observe no decrease in classification performance.
    status: accepted

    Managing distributed trust relationships for multi-modal authentication

    © 2018 Elsevier Ltd. Multi-modal active authentication schemes fuse decisions of multiple behavioral biometrics (behaviometrics) to reduce identity verification errors. The challenge that we address in this work is the security risk caused by these decision fusion schemes making invalid assumptions, such as a fixed probability of (in)correct recognition and a temporal congruence of behaviometrics. To mitigate this risk, this paper presents a formal trust model that drives the behaviometric selection and composition. Our trust model adopts a hybrid approach combining policy and reputation based knowledge representation techniques. Our model and framework (1) externalizes trust knowledge from the authentication logic to achieve loosely coupled trust management, and (2) formalizes this knowledge in description logic to reason upon and broker complex distributed trust relationships to make risk-adaptive decisions for multi-modal authentication. The evaluation of our proof-of-concept illustrates an acceptable performance overhead while lifting the burden of manual trust and behaviometric management for multi-modal authentication.
    status: published

    Bayesian optimisation of existing object detection methods for new contexts

    Pre-trained object detectors exhibit strong variations in performance when applied in different contexts, e.g., daytime vs. nighttime performance, up-close vs. long range detection. These variations limit the usefulness of pre-trained detectors for safety critical applications like autonomous driving, which require consistent decision making in every context. Retraining for all contexts is often impossible or prohibitively expensive due to the need for large amounts of labels in each context. Instead, we propose a probabilistic calibration layer which takes these context dependencies into account to translate the detection score produced by a pre-trained detector into a conditional probability of presence. As a proof of concept, we demonstrate that reinterpreting the confidence scores of three commonly used detectors based on the estimated distance to the supposed object yields an improvement in average precision of pedestrian detection of up to 3% on the NuScenes dataset.

    A Siamese Adversarial Anonymizer for Data Minimization in Biometric Applications

    status: published

    Ego-motion estimation with a low power millimeter wave radar on a UAV

    Radar sensors have been shown to be capable of performing simultaneous localization and mapping (SLAM) tasks. However, single-chip mmWave radar sensors have received little attention because of their limited resolution. In this paper, we present a novel approach to obtain a robust ego-motion estimation of a UAV using a low power single-chip millimeter wave (mmWave) FMCW radar sensor. By using a novel method to match local radar signal descriptors, we are able to achieve a robust trajectory estimation. We then propose to optimise the trajectory by extracting loop closures from low-dimensional latent space descriptors. We validate our solution in an industrial IoT lab with a drone, but it can be applied more broadly in power-constrained platforms.

    Gait template protection using HMM-UBM

    © 2018 Gesellschaft fuer Informatik. This paper presents a hidden Markov model-Universal background model gait authentication system, which is also incorporated into a template protection based on a fuzzy commitment scheme. We show that with limited enrollment data the HMM-UBM system achieves a very competitive equal error rate of ≈ 1% using one sensor. The proposed template protection scheme benefits from eigenfeatures coming from multiple Universal background model systems fused with a novel technique that minimizes the bit error rate for genuine attempts. This allows the protected system to achieve a false rejection rate below 5% with an effective key length of 64 bits.
    status: Published online

    Fishy Faces: Crafting Adversarial Images to Poison Face Authentication

    status: Published online

    A Systematic Comparison of Age and Gender Prediction on IMU Sensor-Based Gait Traces

    Sensors provide the foundation of many smart applications and cyber–physical systems by measuring and processing information upon which applications can make intelligent decisions or inform their users. Inertial measurement unit (IMU) sensors—and accelerometers and gyroscopes in particular—are readily available on contemporary smartphones and wearable devices. They have been widely adopted in the area of activity recognition, with fall detection and step counting applications being prominent examples in this field. However, these sensors may also incidentally reveal sensitive information in a way that is not easily envisioned upfront by developers. Far worse, the leakage of sensitive information to third parties, such as recommender systems or targeted advertising applications, may cause privacy concerns for unsuspecting end-users. In this paper, we explore the elicitation of age and gender information from gait traces obtained from IMU sensors, and systematically compare different feature engineering and machine learning algorithms, including both traditional and deep learning methods. We describe in detail the prediction methods that our team used in the OU-ISIR Wearable Sensor-based Gait Challenge: Age and Gender (GAG 2019) at the 12th IAPR International Conference on Biometrics. In these two competitions, our team obtained the best solutions amongst all international participants, and this for both the age and gender predictions. Our research shows that it is feasible to predict age and gender with a reasonable accuracy on gait traces of just a few seconds. Furthermore, it illustrates the need to put in place adequate measures in order to mitigate unintended information leakage by abusing sensors as an unanticipated side channel for sensitive information or private traits.