On the Evolution of Digital Authentication · The longest assassination attempt 2 1 Adams, Anne,...


Page 1

On the Evolution of Digital Authentication

Patricia Arias-Cabarcos

[email protected]

Page 2

The longest assassination attempt

Password Authentication is dominant, despite…

• Security problems
  - Offline/Online Cracking
  - Bad Usage: reuse, common words…
  - Bad Deployments: unprotected storage
  - Phishing, social engineering, spyware, etc.
• Poor usability
  - memorize, type, follow complex policies
  - users can’t cope well with passwords¹

Why?
• Inertia
• Failure of research on convincingly better alternatives²

¹ Adams, Anne, and Martina Angela Sasse. "Users are not the enemy." Communications of the ACM 42.12 (1999): 40-46.
² Bonneau, Joseph, et al. "Passwords and the evolution of imperfect authentication." Communications of the ACM 58.7 (2015): 78-87.

Page 3

The alternatives are

(figure: the alternatives to passwords laid out along two axes, USABILITY and SECURITY, with "+ Security" and "+ Usability" marking the direction of improvement on each axis)

Something you know (Secret-based): Password, PIN, Pattern, Questions
Something you have (Token-based): USB key, Smart Card
Biometrics
  - Physiological: Fingerprint, Iris, Face
  - Behavioral: Voice, Gait, Typing Dynamics, App usage patterns, Heartbeat, Eye-tracking, Brain waves
Implicit AuthN, Continuous AuthN
Password Managers, Federated AuthN, Multifactor AuthN

Page 4


Which is the best alternative to passwords?

Page 5

It’s all about context

(figure: the same user in different situations, annotated with the context cues that should drive the choice of authenticator)

- Location: Home
- Location: Public Place
- 3 Beacons: Familiar Device
- 4 Light: Dark
- 2 Application: Low Risk
- Application: Sensitive, e.g., online banking

Page 6

Adaptive Authentication: very brief state-of-the-art survey¹

(timeline 2008-2016; years taken from the reference list on Page 19)

Lenzini et al. [1] (2008) - Scope: User to smart space; Authenticators: password; Context: proximity of accredited devices

Seifert et al. [2] - TreasurePhone (2010) - Scope: User to apps; Authenticators: PIN, NFC Tag; Context: Location {Home, Work, Other}

Riva et al. [3] - Progressive Auth (2012) - Scope: User to apps; Authenticators: Continuous Multimodal: face, voice, proximity, placement, keystrokes, mouse, touch screen, login/logout actions, PIN; Context: Battery

Hayashi et al. [4] - CASA (2013) - Scope: User to device; Authenticators: Password, PIN; Context: Location {Home, Work, Other}

Hintze et al. [5] - CORMORANT (2015) - Scope: User to device; Authenticators: Face, gait; Context: proximity to other user devices

Wójtowicz et al. [6] (2016) - Scope: User to device; Authenticators: face, voice, fingerprint; Context: Sound, Vibration, Type of shakes, Movement speed, Lighting, Noise level, Type of noise, Temperature, Move sensor, Peripheral device connected

Dasgupta et al. [7] (2016) - Scope: User to application; Authenticators: Face, Iris, Coupled Face+Iris, Fingerprint, Hand, Periocular, Mouse dynamics, Keystrokes, Touch, Gait, SMS, Password, CAPTCHA; Context: Connection type, Device type, Light, Noise, Motion

¹ Arias-Cabarcos, P., and Krupitzer, C. "On the design of distributed Adaptive Authentication Systems." WAY Workshop@SOUPS’17.

Page 7

Adaptive Authentication: very brief state-of-the-art survey

(the survey entries from Page 6 are repeated on this slide, with one entry called out as EXAMPLE)

Observations

• Variety of authenticators and contexts
• Different metrics/algorithms for selection
• Ad-hoc designs:
  • Hard to extend, re-configure
  • Difficult to reproduce, to compare

Page 8

(figure: an example set of context dimensions and the values each can take)

Location: Home / Office / Other
Light: Light / Medium / Dark
Application Sensitivity: High / Medium / Low
Beacons: Trusted Device

Flexible, easy to reconfigure for:
- authenticators
- contexts
- selection algorithms

We need a Brain for Adaptive Authentication

Page 9

How to design a Brain for Adaptive Authentication

(diagram: the context dimensions from Page 8 (Location: Home/Office/Other; Light: Light/Medium/Dark; Application Sensitivity: High/Medium/Low; Beacons: Trusted Device) are read by Sensors (S), Effectors (E) act on the authenticators, and between them sits a self-adaptive control loop¹ with the following components)

Monitor: Collect, Filter & Curate Context Data
Analyzer & Planner: ADAPTATION LOGIC (Rules/Policies, Optimization Algorithms, Utility Models) - Makes Decisions
Executor: Commands Authenticators - Activate/Deactivate/Adjust
Knowledge

¹ Cheng, B.H. et al., 2009. “Software engineering for self-adaptive systems: A research roadmap”. In Software Engineering for Self-Adaptive Systems (pp. 1-26). Springer Berlin Heidelberg.

Page 10

How to design a Brain for Adaptive Authentication

(same diagram as Page 9: Sensors (S) and Effectors (E) around the Monitor, Analyzer & Planner (ADAPTATION LOGIC: Rules/Policies, Optimization Algorithms, Utility Models - Makes Decisions), Executor (Commands Authenticators: Activate/Deactivate/Adjust) and Knowledge components; this build adds many more sensors (S) and the label ABSTRACTION with a question mark)

Page 11

How to design a Brain for Adaptive Authentication

(same diagram as Page 10, with ABSTRACTION ? still shown; this build adds the label STANDARD INTERFACE)

Page 12

How to design a Brain for Adaptive Authentication

(same diagram as Page 11, with ABSTRACTION ? and STANDARD INTERFACE still shown; this build adds the label STANDARD PROTOCOL)
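As an added example (not code from the talk or from any of the surveyed systems), here is the Page 9 control loop in Python over the Page 8 context dimensions: Monitor curates raw sensor readings and fails closed on unknown values, Analyzer turns them into a required assurance level by rule, Planner picks an authenticator with a small utility model, and Executor issues activate/deactivate commands. The authenticator strength and obtrusiveness scores, the location risk weights and the application-sensitivity floor are constructed assumptions; only the authenticator and context names come from the slides.

```python
from dataclasses import dataclass

# Knowledge: authenticator -> (strength, obtrusiveness). The names come from the talk's
# slides; the scores and the risk weights below are constructed for this example.
AUTHENTICATORS = {
    "continuous-behavioral": (1, 0),  # typing dynamics, gait, app usage: invisible to the user
    "pin": (2, 2),
    "password": (2, 3),
    "face": (3, 1),
    "fingerprint": (4, 2),
}
SENSITIVITY_FLOOR = {"Low": 1, "Medium": 2, "High": 3}  # policy: minimum assurance per app class
LOCATION_RISK = {"Home": 0, "Office": 1, "Other": 2}

@dataclass(frozen=True)
class Context:
    location: str         # Home / Office / Other
    light: str            # Light / Medium / Dark
    app_sensitivity: str  # High / Medium / Low
    trusted_beacon: bool  # a trusted device is in range

def monitor(raw: dict) -> Context:
    """Monitor: collect, filter and curate raw readings; missing or unknown values fail closed."""
    loc = raw.get("location") if raw.get("location") in LOCATION_RISK else "Other"
    light = raw.get("light") if raw.get("light") in ("Light", "Medium", "Dark") else "Dark"
    sens = raw.get("app_sensitivity") if raw.get("app_sensitivity") in SENSITIVITY_FLOOR else "High"
    return Context(loc, light, sens, raw.get("trusted_beacon") is True)

def analyze(ctx: Context) -> int:
    """Analyzer: rules/policies turn the context into a required assurance level (1..4)."""
    risk = LOCATION_RISK[ctx.location] + (0 if ctx.trusted_beacon else 1)
    # The application floor is never lowered by a benign-looking context.
    return max(SENSITIVITY_FLOOR[ctx.app_sensitivity], min(4, 1 + risk))

def plan(required: int, ctx: Context) -> str:
    """Planner: utility model - least obtrusive authenticator that meets the requirement."""
    usable = {a: v for a, v in AUTHENTICATORS.items() if v[0] >= required}
    if ctx.light == "Dark":
        usable.pop("face", None)  # face recognition is not usable without light
    return min(usable, key=lambda a: (usable[a][1], -usable[a][0]))

def execute(chosen: str) -> dict:
    """Executor: commands to the authenticators (activate the chosen one, deactivate the rest)."""
    return {a: ("activate" if a == chosen else "deactivate") for a in AUTHENTICATORS}

def adapt(raw: dict) -> tuple:
    """One pass of the loop: returns (chosen authenticator, required level)."""
    ctx = monitor(raw)
    required = analyze(ctx)
    return plan(required, ctx), required
```

The sensitivity floor in analyze() is one answer to the "simulating lower risk contexts" attack vector listed on Page 15: a spoofed home location or trusted beacon can reduce the friction for a low-risk app but cannot lower the assurance a sensitive app (e.g. online banking) requires.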

Page 13

Potential benefits

• Independent research on different parts can be merged
  • Authentication mechanisms
  • Decision making algorithms
  • Context fusion
• Faster testing of different configurations for research studies, e.g.:
  • Which combinations of authenticators are more usable?
  • Which configurations are more efficient?
• Easy deployment of adaptive authentication
• Break “Silos of Authentication”

Page 14

Challenges & open questions


Page 15

Challenges & open questions

- How to improve behavioral biometrics accuracy?
- How to compute contextual risk?
- Analyze new attack vectors, e.g.: simulating lower risk contexts
- Security of distributed components

Page 16

Challenges & open questions

(builds on Page 15, adding:)

Orwellian scenarios:
- Unobtrusive user authentication is privacy intrusive
- Who collects behavioral data and how are they handled?

Page 17

Challenges & open questions

(builds on Pages 15-16, adding:)

- Acceptance: will users trust highly unobtrusive (invisible) authentication systems?
- Trade-offs privacy/usability

Page 18

Challenges & open questions

(builds on Pages 15-17, adding:)

- How can we measure, fuse, and reason about authenticators’ strength?
- Which are the suitable math constructions for authenticators to operate on data without leaking personal information?
- Which optimization algorithms are suitable for Authenticator selection?

Page 19

References

[1] G. Lenzini, M. S. Bargh, and B. Hulsebosch. “Trust-enhanced security in location-based adaptive authentication”. Electronic Notes in Theoretical Computer Science, 197(2):105-119, 2008.

[2] J. Seifert, A. De Luca, B. Conradi, and H. Hussmann. “TreasurePhone: Context-sensitive user data protection on mobile phones”. In International Conference on Pervasive Computing, pp. 130-137. Springer, 2010.

[3] O. Riva, C. Qin, K. Strauss, and D. Lymberopoulos. “Progressive authentication: Deciding when to authenticate on mobile phones”. In USENIX Security Symposium, pp. 301-316, 2012.

[4] E. Hayashi, S. Das, S. Amini, J. Hong, and I. Oakley. “CASA: context-aware scalable authentication”. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013.

[5] D. Hintze, R. D. Findling, M. Muaaz, E. Koch, and R. Mayrhofer. “CORMORANT: towards continuous risk-aware multi-modal cross-device authentication”. In Adjunct Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing and Proceedings of the 2015 ACM International Symposium on Wearable Computers, 2015.

[6] A. Wójtowicz and K. Joachimiak. “Model for adaptable context-based biometric authentication for mobile devices”. Personal and Ubiquitous Computing, 20(2):195-207, 2016.

[7] D. Dasgupta, A. Roy, and A. Nag. “Toward the design of adaptive selection strategies for multi-factor authentication”. Computers & Security, 2016.

Page 20

On the Evolution of Digital Authentication