Post on 11-Jul-2020


On the Evolution of Digital Authentication

Patricia Arias-Cabarcos

pariasca@mail.uni-mannheim.de

The longest assassination attempt (slide 2)

Password authentication is dominant, despite…

• Security problems
  - Offline/online cracking
  - Bad usage: reuse, common words…
  - Bad deployments: unprotected storage
  - Phishing, social engineering, spyware, etc.
• Poor usability
  - Memorize, type, follow complex policies
  - Users can’t cope well with passwords (1)

Why?
• Inertia
• Failure of research on convincingly better alternatives (2)

Slide notes:
(1) Adams, Anne, and Martina Angela Sasse. "Users are not the enemy." Communications of the ACM 42.12 (1999): 40-46.
(2) Bonneau, Joseph, et al. "Passwords and the evolution of imperfect authentication." Communications of the ACM 58.7 (2015): 78-87.

The alternatives are… (slides 3-4)

[Figure: the alternatives to passwords plotted on two axes, USABILITY (+ Usability) and SECURITY (+ Security), grouped by the kind of factor they rely on]

• Something you know (secret-based): Password, PIN, Pattern, Questions
• Something you have (token-based): USB key, Smart card
• Biometrics
  - Physiological: Fingerprint, Iris, Face
  - Behavioral: Voice, Gait, Typing dynamics, App usage patterns, Heartbeat, Eye-tracking, Brain waves
• Implicit AuthN / Continuous AuthN
• Password managers, Federated AuthN
• Multifactor AuthN

Which is the best alternative to passwords? (slide 5)

It’s all about context

Adaptive Authentication

[Figure: the same user authenticating in two situations; the numbered context signals are combined (+) to pick the authenticator]
1 Location: Home / Location: Public place
2 Application: Low risk / Application: Sensitive, e.g., online banking
3 Beacons: Familiar device
4 Light: Dark

Adaptive Authentication: very brief state-of-the-art survey (1) (slide 6)

[Figure: timeline of adaptive authentication systems, 2008-2016, each described by scope, authenticators and context]

2008  Lenzini et al. [1]
      Scope: User to smart space. Authenticators: password. Context: proximity of accredited devices.
2010  Seifert et al. [2], TreasurePhone
      Scope: User to apps. Authenticators: PIN, NFC tag. Context: Location {Home, Work, Other}.
2012  Riva et al. [3], Progressive Auth
      Scope: User to apps. Authenticators: continuous multimodal: face, voice, proximity, placement, keystrokes, mouse, touch screen, login/logout actions, PIN. Context: Battery.
2013  Hayashi et al. [4], CASA
      Scope: User to device. Authenticators: Password, PIN. Context: Location {Home, Work, Other}.
2015  Hintze et al. [5], CORMORANT
      Scope: User to device. Authenticators: Face, gait. Context: proximity to other user devices.
2016  Wójtowicz et al. [6]
      Scope: User to device. Authenticators: face, voice, fingerprint. Context: Sound, Vibration, Type of shakes, Movement speed, Lighting, Noise level, Type of noise, Temperature, Move sensor, Peripheral device connected.
2016  Dasgupta et al. [7]
      Scope: User to application. Authenticators: Face, Iris, Coupled Face+Iris, Fingerprint, Hand, Periocular, Mouse dynamics, Keystrokes, Touch, Gait, SMS, Password, CAPTCHA. Context: Connection type, Device type, Light, Noise, Motion.

(1) Arias-Cabarcos, P., and Krupitzer, C. "On the design of distributed Adaptive Authentication Systems." WAY Workshop@SOUPS’17.

Adaptive Authentication: very brief state-of-the-art survey (1) (slide 7)

[Figure: the same 2008-2016 timeline of systems [1]-[7] as on the previous slide, now annotated with observations]

Observations
• Variety of authenticators and contexts
• Different metrics/algorithms for selection
• Ad-hoc designs:
  • Hard to extend, re-configure
  • Difficult to reproduce, to compare

(1) Arias-Cabarcos, P., and Krupitzer, C. "On the design of distributed Adaptive Authentication Systems." WAY Workshop@SOUPS’17.

EXAMPLE (slide 8)

[Figure: four context dimensions with their possible values, feeding the selection of authenticators]
Location: Home / Office / Other
Light: Light / Medium / Dark
Application sensitivity: High / Medium / Low
Beacons: Trusted device

We need a Brain for Adaptive Authentication: flexible, easy to reconfigure for
- authenticators
- contexts
- selection algorithms

How to design a Brain for Adaptive Authentication (slides 9-12)

[Figure: a MAPE-K adaptation loop (1), built up over four slides. Context sensors (S) on the left feed the Monitor; the Executor drives the authenticators on the right, each exposed as a sensor/effector pair (S/E). Legend: S = Sensor, E = Effector.]

Sensors (context): Location {Home, Office, Other}; Light {Light, Medium, Dark}; Application sensitivity {High, Medium, Low}; Beacons {Trusted device}
Effectors: the authenticators (S E pairs)

ADAPTATION LOGIC (1)
• Monitor: collects, filters and curates context data
• Analyzer & Planner: makes decisions, using rules/policies, optimization algorithms, utility models
• Executor: commands authenticators (activate/deactivate/adjust)
• Knowledge: shared by the three components

Build-up across the slides:
• Slide 10 adds ABSTRACTION (marked with a "?") over the raw sensors
• Slide 11 adds a STANDARD INTERFACE between the adaptation logic and the sensors/effectors
• Slide 12 adds a STANDARD PROTOCOL on the authenticator side

(1) Cheng, B.H. et al., 2009. “Software engineering for self-adaptive systems: A research roadmap”. In Software Engineering for Self-Adaptive Systems (pp. 1-26). Springer Berlin Heidelberg.
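As an added example (not code from the talk or from any of the surveyed systems), the following Python sketch wires the four context dimensions of the EXAMPLE slide (Location, Light, Application sensitivity, Beacons) into the MAPE-K "brain" of slides 9-12: a Monitor that collects and curates sensor readings, an Analyzer that fuses them into a risk score, a rule-based Planner that turns risk into a required authenticator strength, and an Executor that activates or deactivates authenticators behind a uniform interface. The numeric weights, the 1-3 strength scale, the per-sensitivity floor and the sample contexts are assumptions constructed for the example; the deck only names the dimensions and components. The floor and the fail-closed defaults are there to address one open question on the later slides: a context that has been made to look lower-risk must not be able to drop a sensitive application below its minimum.

```python
from dataclasses import dataclass
from typing import Dict, List

# Knowledge base. The context dimensions and their values come from the slide
# example; the weights and the strength scale are assumptions for this example.
RISK_WEIGHTS: Dict[str, Dict[str, int]] = {
    "location":        {"home": 0, "office": 1, "other": 3},
    "light":           {"light": 0, "medium": 1, "dark": 2},
    "app_sensitivity": {"low": 0, "medium": 2, "high": 4},
    "beacons":         {"trusted_device": -1, "none": 0},
}
# Lowest authenticator strength an application class may ever be served with,
# however benign the observed context looks (assumed policy). This is the
# planner's defence against a context simulated to look low-risk.
STRENGTH_FLOOR: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


def riskiest(table: Dict[str, int]) -> str:
    """Value of a dimension carrying the highest weight (used to fail closed)."""
    return max(table, key=table.get)


@dataclass
class Sensor:
    """Standard sensor interface: one named context dimension and its reading."""
    name: str
    value: str

    def read(self) -> str:
        return self.value


@dataclass
class Authenticator:
    """Standard effector interface: the executor can activate or deactivate it."""
    name: str
    strength: int          # assumed ordinal scale: 1 = weakest, 3 = strongest
    active: bool = False

    def activate(self) -> None:
        self.active = True

    def deactivate(self) -> None:
        self.active = False


def monitor(sensors: List[Sensor]) -> Dict[str, str]:
    """Monitor: collect, filter and curate context data. Unknown dimensions are
    dropped; a reading outside the allowed values is replaced by the riskiest
    value, so a malformed reading can never lower the risk."""
    context: Dict[str, str] = {}
    for sensor in sensors:
        table = RISK_WEIGHTS.get(sensor.name)
        if table is None:
            continue
        value = sensor.read()
        context[sensor.name] = value if value in table else riskiest(table)
    return context


def analyze(context: Dict[str, str]) -> int:
    """Analyzer: fuse the curated context into one additive risk score.
    A dimension with no reading counts as its riskiest value (fail closed)."""
    risk = 0
    for dim, table in RISK_WEIGHTS.items():
        risk += table[context.get(dim, riskiest(table))]
    return max(risk, 0)


def plan(risk: int, sensitivity: str) -> int:
    """Planner (rules/policies): map risk to a required strength, then never
    go below the floor of the application's sensitivity class."""
    if risk <= 1:
        required = 1
    elif risk <= 4:
        required = 2
    else:
        required = 3
    return max(required, STRENGTH_FLOOR[sensitivity])


def execute(required: int, authenticators: List[Authenticator]) -> List[str]:
    """Executor: the weakest authenticator meeting the requirement is activated
    (usability first); every other one is deactivated."""
    eligible = sorted((a for a in authenticators if a.strength >= required),
                      key=lambda a: a.strength)
    if not eligible:
        raise RuntimeError(f"no authenticator reaches required strength {required}")
    for auth in authenticators:
        auth.deactivate()
    eligible[0].activate()
    return [a.name for a in authenticators if a.active]


def run_loop(sensors: List[Sensor], authenticators: List[Authenticator]) -> List[str]:
    """One pass of the MAPE-K loop; returns the names of the active authenticators."""
    context = monitor(sensors)
    risk = analyze(context)
    sensitivity = context.get("app_sensitivity", "high")   # unknown app: treat as sensitive
    return execute(plan(risk, sensitivity), authenticators)


def default_authenticators() -> List[Authenticator]:
    """Constructed sample authenticator set (names from the deck, strengths assumed)."""
    return [Authenticator("pin", 1), Authenticator("fingerprint", 2), Authenticator("password", 3)]


if __name__ == "__main__":
    # Constructed sample contexts: the two situations from the deck's figure.
    at_home = [Sensor("location", "home"), Sensor("light", "light"),
               Sensor("app_sensitivity", "low"), Sensor("beacons", "trusted_device")]
    banking_in_public = [Sensor("location", "other"), Sensor("light", "dark"),
                         Sensor("app_sensitivity", "high"), Sensor("beacons", "none")]
    print("home, low-risk app     ->", run_loop(at_home, default_authenticators()))
    print("public, online banking ->", run_loop(banking_in_public, default_authenticators()))
```

Run as-is, the home/low-risk context ends with only the PIN active and the public/banking context with the password active. Because the knowledge base is data rather than code, swapping in another context dimension, another authenticator or another planner is a table change, which is the "flexible, easy to reconfigure" property the deck asks for. The additive weights are a placeholder for the open question "how to compute contextual risk"; what should survive any replacement is the shape of the decision: unknown or malformed context fails closed, and the sensitivity floor keeps a spoofed "at home with a trusted beacon" context from serving a banking app with a PIN.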

Potential benefits (slide 13)

• Independent research on different parts can be merged
  • Authentication mechanisms
  • Decision making algorithms
  • Context fusion
• Faster testing of different configurations for research studies, e.g.:
  • Which combinations of authenticators are more usable?
  • Which configurations are more efficient?
• Easy deployment of adaptive authentication
• Break “Silos of Authentication”

Challenges & open questions (slides 14-18)

- How to improve behavioral biometrics accuracy?
- How to compute contextual risk?
- Analyze new attack vectors, e.g.: simulating lower risk contexts
- Security of distributed components

Orwellian scenarios:
- Unobtrusive user authentication is privacy intrusive
- Who collects behavioral data and how are they handled?

- Acceptance: will users trust highly unobtrusive (invisible) authentication systems?
- Trade-offs privacy/usability

- How can we measure, fuse, and reason about authenticators’ strength?
- Which are the suitable math constructions for authenticators to operate on data without leaking personal information?
- Which optimization algorithms are suitable for authenticator selection?

References (slide 19)

[1] G. Lenzini, M. S. Bargh, and B. Hulsebosch. “Trust-enhanced security in location-based adaptive authentication”. Electronic Notes in Theoretical Computer Science, 197(2):105-119, 2008.

[2] J. Seifert, A. De Luca, B. Conradi, and H. Hussmann. “TreasurePhone: Context-sensitive user data protection on mobile phones”. In International Conference on Pervasive Computing, pp. 130-137. Springer, 2010.

[3] O. Riva, C. Qin, K. Strauss, and D. Lymberopoulos. “Progressive authentication: Deciding when to authenticate on mobile phones”. In USENIX Security Symposium, pp. 301-316, 2012.

[4] E. Hayashi, S. Das, S. Amini, J. Hong, and I. Oakley. “CASA: context-aware scalable authentication”. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013.

[5] D. Hintze, R. D. Findling, M. Muaaz, E. Koch, and R. Mayrhofer. “CORMORANT: towards continuous risk-aware multi-modal cross-device authentication”. In Adjunct Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing and Proceedings of the 2015 ACM International Symposium on Wearable Computers, 2015.

[6] A. Wójtowicz and K. Joachimiak. “Model for adaptable context-based biometric authentication for mobile devices”. Personal and Ubiquitous Computing, 20(2):195-207, 2016.

[7] D. Dasgupta, A. Roy, and A. Nag. “Toward the design of adaptive selection strategies for multi-factor authentication”. Computers & Security, 2016.
