Similar literature
 Found 20 similar documents; search took 31 ms
1.
Authenticating users for mobile cloud apps has been a major security issue in recent years. Traditional passwords ensure the security of mobile applications, but they also require extra effort from users to memorize complex passwords. Seed-based authentication can simplify the process of authentication for mobile users. In seed-based authentication, images can be used as credentials for a mobile app. A seed is extracted from an image and used to generate one-time tokens for login. Compared to complex passwords, images are more friendly to mobile users. Previous work on seed-based authentication focused on providing authentication from a single device. It is common that a mobile user may have two or more mobile devices. Authenticating the same user on different devices is challenging due to several aspects, such as maintaining the same credential for multiple devices and distinguishing different users. In this article, we aimed at developing a solution to address these issues. We proposed multiple-device authentication algorithms to identify users. We adopted a one-time token paradigm to ensure the security of mobile applications. In addition, we tried to minimize the authentication latency for better performance. Our simulation showed that the proposed algorithms can improve the average latency of authentication by at most 40%, compared to single-device solutions.

2.
3.
Passwords for unlocking mobile devices are relatively simple and easy to steal, which causes serious potential security problems. An important research direction in identity authentication is to establish user behavior models to authenticate users. In this paper, a multi-factor behavioral authentication system architecture based on app browsing behavior on mobile terminals is designed. This architecture is suitable for users who use mobile terminal apps in daily life. The architecture includes data acquisition, data processing, feature extraction, and sub-model training. It can be used for continuous authentication while the user uses an app on the mobile terminal.

4.
Smart mobile devices are a potential attack vector for cyber criminal activities. Two hundred and fifty smart mobile device owners from the University of South Australia were surveyed. Not surprisingly, it was found that smart mobile device users in the survey generally underestimated the value that their collective identities have to criminals and how these can be sold. For example, participants who reported jail-breaking/rooting their devices were also more likely to exhibit risky behaviour (e.g. downloading and installing applications from unknown providers), and the participants generally had no idea of the value of their collective identities to criminals which can be sold to the highest bidder. In general, the participants did not understand the risks and may not have perceived cyber crime to be a real threat. Findings from the survey and the escalating complexities of the end-user mobile and online environment underscore the need for regular ongoing training programs for basic online security and the promotion of a culture of security among smart mobile device users. For example, targeted education and awareness programmes could be developed to inform or educate smart mobile device users and correct misconceptions or myths in order to bring about changes in attitudes and usage behaviour (e.g. not taking preventative measures such as strong passwords to protect their devices). Such initiatives would enable all end users (including senior University management who use such devices to access privileged corporate data and accounts) to maintain current knowledge of the latest cyber crime activities and the best cyber security protection measures available.

5.
6.
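In a single-server mobile Internet environment, traditional identity authentication schemes suffer from security problems: users must memorize a different password for each server, and passwords can leak under traditional authentication methods. To solve these problems, this paper proposes an identity authentication scheme based on the SM9 algorithm for the single-server mobile Internet environment. For different application systems, users only need to memorize one unified identifier and password to pass identity authentication in each of them, thereby obtaining application services and access to ...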

7.
With the rapid growth of smartphones and tablets in our daily lives, securing the sensitive data stored upon them makes authentication of paramount importance. Current authentication approaches do not re-authenticate in order to re-validate the user’s identity after accessing a mobile phone. Accordingly, there is a security benefit if authentication can be applied continually and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond the point of entry. To this end, this paper suggests a novel transparent user authentication method for mobile applications by applying biometric authentication on each service within a single application in a secure and usable manner based on the risk level. A study involving data collected from 76 users over a one-month period using 12 mobile applications was undertaken to examine the proposed approach. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Interestingly, when the participants were divided into three levels of usage (high, medium and low), the average intrusive authentication request was 3% which indicates a clear enhancement and suggests that the system would add a further level of security without imposing significant inconvenience upon the user.

8.
In recent years, there has been an explosive growth in the use of mobile devices. The ubiquitous and multifunctional nature of these devices, with internet connectivity and personalization features, makes them a unique context to investigate what factors shape mobile users' perception of their mobile device functionality fit with their needs. In order to answer this question, we proposed a research model in which we introduced multifunctional use and perceived device-functionality fit as two new constructs. The results of our study show that a significant portion of individuals’ perceived device-functionality fit can be explained by their perceived enjoyment, perceived ease of use, perceived usefulness, and symbolic value of the device. In terms of the theoretical contribution, our research suggests revamping the concept of device-functionality fit when it comes to mobile devices by accounting for both hedonic and utilitarian aspects of mobile devices. In terms of practical implications, our study highlights the importance of the social image that mobile devices create in society for their users as well as the importance of look-and-feel aspects of mobile devices in shaping users' perception of fit between functionalities of their mobile devices and their needs.

9.
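As mobile communication network technology evolves, network security problems have become increasingly prominent. How to provide high-quality communication services while protecting legitimate users' privacy from theft and operators' networks from intrusion has become an important issue in mobile communication security. Mutual authentication between user and network is an important means for each side to determine the other's legitimacy, and authentication methods have evolved along with the networks. Starting from the authentication techniques of successive generations of mobile networks (GSM, CDMA, UMTS, LTE), this paper analyzes the strengths and weaknesses of these techniques, focuses on the authentication and unified authentication techniques of the soon-to-be-commercialized fifth-generation (5G) mobile communication, and finally offers an outlook on the future development of authentication technology.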

10.
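Implicit authentication mechanisms for mobile terminals authenticate users transparently and continuously by monitoring information such as the mobile terminal's environment and user behavior, and can enhance the usability and security of existing authentication mechanisms. This paper presents the state of research on implicit authentication. It introduces local and network-based implicit authentication frameworks; summarizes five categories of data collection methods; introduces a variety of user classification algorithms, including machine-learning-based ones, and compares their accuracy; identifies two categories of access control mechanisms; and discusses the security problems that implicit authentication faces, namely behavior-mimicry attacks and user privacy leakage.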

11.
Users occasionally have critical incidents with information systems (IS). A critical IS incident is an IS product or service experience that a user considers to be unusually positive or negative. Critical IS incidents are highly influential in terms of users' overall perceptions and customer relationships; thus, they are crucial for IS product and service providers. Therefore, it is important to study user behaviours after such incidents. Within IS, the relationships between the situational context and user behaviours after critical incidents have not been addressed at all. Prior studies on general mobile use as a related research area have recognized the influence of the situational context, but they have not covered the relationships between specific situational characteristics and different types of user behaviours. To address this gap, we examine 605 critical mobile incidents that were collected from actual mobile application users. Based on our results, we extend current theoretical knowledge by uncovering and explaining the relationships between specific situational characteristics (interaction state, place, sociality and application type) and user behaviours (use continuance, word-of-mouth and complaints). We have found, for example, that users are less likely to engage in negative behaviours after negative incidents that take place outdoors or in vehicles than after indoor incidents. This is because users often consider indoor environments to be familiar and treat them with established expectations and low uncertainty: users are accustomed to the notion that the applications function indoors just like before. Further, we present practical implications for mobile application providers by suggesting to them which positive critical incidents are the most beneficial to promote and which negative critical incidents are the most crucial to avoid.

12.
E-Health clouds are gaining increasing popularity by facilitating the storage and sharing of big data in healthcare. However, such an adoption also brings about a series of challenges, especially how to ensure the security and privacy of highly sensitive health data. Among them, one of the major issues is authentication, which ensures that sensitive medical data in the cloud are not available to illegal users. Three-factor authentication combining password, smart card and biometrics perfectly matches this requirement by providing high security strength. Recently, Wu et al. proposed a three-factor authentication protocol based on elliptic curve cryptosystem which attempts to fulfill three-factor security and resist various existing attacks, providing many advantages over existing schemes. However, we first show that their scheme is susceptible to user impersonation attack in the registration phase. In addition, their scheme is also vulnerable to offline password guessing attack in the login and password change phase, under the condition that the mobile device is lost or stolen. Furthermore, it fails to provide user revocation when the mobile device is lost or stolen. To remedy these flaws, we put forward a robust three-factor authentication protocol, which not only guards against various known attacks, but also provides more desired security properties. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic.

13.
Upcoming mobile devices will have flexible displays, allowing us to explore alternate forms of user authentication. On flexible displays, users can interact with the device by deforming the surface of the display through bending. In this paper, we present Bend Passwords, a new type of user authentication that uses bend gestures as its input modality. We ran three user studies to evaluate the usability and security of Bend Passwords and compared it to PINs on a mobile phone. Our first two studies evaluated the creation and memorability of user-chosen and system-assigned passwords. The third study looked at the security problem of shoulder-surfing passwords on mobile devices. Our results show that bend passwords are a promising authentication mechanism for flexible display devices. We provide eight design recommendations for implementing Bend Passwords on flexible display devices.

14.
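Identity management framework for trusted mobile platforms   Total citations: 2, self-citations: 0, citations by others: 2
To address the difficulty of managing network users' identities and the shortcomings of existing identity management schemes, an identity management scheme and protocol for trusted mobile platforms is proposed, based on the trusted mobile platform's security features: integrity verification, protected storage, domain isolation and access control, and remote platform verification. An identity matrix corresponding to authentication methods such as passwords, certificates and fingerprints is constructed. The scheme implements multiple modes of identity authentication and authentication audit records; encrypted storage of the master key, audit key and platform AIK private key; trusted verification of the mobile platform, recovery of encrypted identities, and lookup and location of service provider identifiers; and encrypted transmission of identity information and authentication data. A security analysis shows that, while protecting the security of user identity information, the scheme greatly reduces the user's identity management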

15.
When people interact with digital artefacts they perceive their pragmatic and hedonic qualities. In the case of interacting with mobile devices and applications, users seek utility as they try to satisfy certain needs, but at the same time they have certain feelings and emotions when, for example, they feel attached to their personal phone and/or trust its brand. Due to this strong relation between users and mobile devices a significant problem occurs when researchers want to evaluate the user experience of a mobile application in laboratory settings: the selection of an appropriate mobile device. Towards this end, this paper aims to unveil the effect of perceived hedonic quality of a mobile device on the user experience evaluation results of an application. Our results show that the perceived hedonic quality of a mobile device significantly affected the perceived pragmatic quality of the application, but not the hedonic one.

16.
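The rapid development of the mobile Internet is having a profound impact on how enterprises operate and manage their business. Large numbers of smart mobile terminals have been widely adopted in enterprise mobile informatization, and the management, control and security of mobile applications have become problems that enterprises urgently need to solve; enterprise management and control of smart mobile terminals is the prevailing trend. This paper introduces the key technologies of a push-based MDM platform and analyzes the platform's architecture and functions.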

17.
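Traditional mobile device selection mechanisms obtain the IDs of nearby devices through device scanning, then select the previously known target device ID and interact with it, which is not user-friendly. A high-precision device selection method is proposed: the user picks a target device, holds the source device while it continuously emits an ultrasonic signal, and swings it toward the target device; the source device then directly obtains the ID of the target device with the largest Doppler shift and interacts with it. When identical Doppler shifts occur, a cross-ambiguity function computation yields a high-precision frequency difference between devices, which determines the unique target device with the largest frequency shift. Simulation results show that when the angle [W] between the target device and the other receiving devices, relative to the source device, is less than 10°, the target device selection accuracy of this method is about twice that of Spartacus.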

18.
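Gan Kaifeng, Wang Ping, Wang Haowen. Computer Engineering and Design, 2007, 28(24): 5877-5879, 5902
In EPA control networks, to guard against the risk of network attacks arising from the physical connection of unauthorized devices, a new device authentication security mechanism is proposed. The mechanism uses the field device's unique device identifier, device security serial number and local timestamp to generate an authentication code through a hash operation; the authentication server determines whether the field device is a legitimately connected device by comparing authentication codes. Practical tests on an EPA control network show that the mechanism effectively ensures that devices connecting to the EPA control network are legitimate, thereby improving the security of EPA control network operation.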

19.
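An ECC-based key agreement and mutual authentication scheme   Total citations: 1, self-citations: 0, citations by others: 1
Hong Li, Du Yaozong. Computer Engineering and Design, 2007, 28(13): 3076-3077, 3118
To address the security flaws in the authentication and key agreement protocols of current mobile communication systems, a mutual authentication and key agreement scheme based on elliptic curve cryptography is proposed, for mutual authentication and secure session key agreement between any users in a mobile network, or between a user and the network. The scheme uses ECC, which provides greater security with a smaller key size, reduces bandwidth requirements, and lowers the computational burden and storage requirements of the mobile terminal.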

20.
In the IoT environment, all devices are connected to each other, and the mobile device is considered a key device. But hacking into mobile devices is increasing rapidly with the increase in mobile device users. As the market share of Android OS increases, hacking of mobile devices has focused on Android devices. Although there are many security solutions for mobile devices, they are fragmentary for mobile threats; that is, they are solutions for only several threats rather than comprehensive solutions. There is hence a limit to protecting user’s and company’s data stored or used on mobile devices from various types of hacking. To address this, we propose a mobile device protection technology based on domain isolation. Virtualization technology has emerged to increase CPU utilization in server-class PCs and to run various OSs in one system. As these virtualization technologies become lightweight, they are beginning to be applied to embedded devices. In this paper, we applied this lightweight embedded virtualization technology to mobile devices to divide mobile devices into two areas. Users can therefore have a hidden area protected from hacker attacks, in addition to an Android OS area that can be used in the same way as an existing mobile device. There is a hardware-based mobile security solution using a secure element, but this has to be reflected in the manufacturing process of the mobile device. However, since the domain separation technology using virtualization proposed in this paper is a software solution, it has the advantage that it can be applied to a device that is already in use. In addition, to protect the hidden area, application authentication/authorization and user authentication technology were applied. We also use white-box cryptography to obtain a root of trust for the key which is used for secure storage and data encryption/decryption. We believe this is a fundamental solution for protecting mobile device users from hacking.
We implemented and tested various mobile applications operating on a mobile device that incorporates our proposed structure based on domain isolation. There is some performance degradation caused by the domain separation, but it is negligible. According to https://www.wired.com/insights/2012/11/mobile-supercomputers/, the chips for mobile phones have evolved and mobile phones will soon become supercomputers. In this case, the addition of virtualization to the mobile device will have less impact on the computing power of the mobile device, and protection of data stored in mobile devices and a secure execution environment for security programs will become more important issues. Therefore, our TeeMo structure is a necessary technology to protect mobile device users.

Copyright © Beijing Qinyun Technology Development Co., Ltd.  Beijing ICP No. 09084417