Similar literature
20 similar documents found; search time 161 ms
1.
ABSTRACT

With the rapid growth of smartphones and tablets in our daily lives, securing the sensitive data stored upon them makes authentication of paramount importance. Current authentication approaches do not re-authenticate in order to re-validate the user’s identity after accessing a mobile phone. Accordingly, there is a security benefit if authentication can be applied continually and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond the point of entry. To this end, this paper suggests a novel transparent user authentication method for mobile applications by applying biometric authentication on each service within a single application in a secure and usable manner based on the risk level. A study involving data collected from 76 users over a one-month period using 12 mobile applications was undertaken to examine the proposed approach. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Interestingly, when the participants were divided into three levels of usage (high, medium and low), the average intrusive authentication request was 3% which indicates a clear enhancement and suggests that the system would add a further level of security without imposing significant inconvenience upon the user.

2.
The passwords for unlocking mobile devices are relatively simple and easy to steal, which causes serious potential security problems. An important research direction of identity authentication is to establish user behavior models to authenticate users. In this paper, a mobile terminal APP browsing behavioral authentication system architecture which synthesizes multiple factors is designed. This architecture is suitable for users using the mobile terminal APP in daily life. The architecture includes data acquisition, data processing, feature extraction, and sub-model training. We can use this architecture for continuous authentication when the user uses an APP on the mobile terminal.

3.
Authenticating users for mobile cloud apps has been a major security issue in recent years. Traditional passwords ensure the security of mobile applications, but they also require extra effort from users to memorize complex passwords. Seed-based authentication can simplify the process of authentication for mobile users. In seed-based authentication, images can be used as credentials for a mobile app. A seed is extracted from an image and used to generate one-time tokens for login. Compared to complex passwords, images are more friendly to mobile users. Previous work in seed-based authentication focused on providing authentication from a single device. It is common that a mobile user may have two or more mobile devices. Authenticating the same user on different devices is challenging due to several aspects, such as maintaining the same credential for multiple devices and distinguishing different users. In this article, we aimed at developing a solution to address these issues. We proposed multiple-device authentication algorithms to identify users. We adopted a one-time token paradigm to ensure the security of mobile applications. In addition, we tried to minimize the authentication latency for better performance. Our simulation showed that the proposed algorithms can improve the average latency of authentication by up to 40%, compared to single-device solutions.

4.
Upcoming mobile devices will have flexible displays, allowing us to explore alternate forms of user authentication. On flexible displays, users can interact with the device by deforming the surface of the display through bending. In this paper, we present Bend Passwords, a new type of user authentication that uses bend gestures as its input modality. We ran three user studies to evaluate the usability and security of Bend Passwords and compared it to PINs on a mobile phone. Our first two studies evaluated the creation and memorability of user-chosen and system-assigned passwords. The third study looked at the security problem of shoulder-surfing passwords on mobile devices. Our results show that bend passwords are a promising authentication mechanism for flexible display devices. We provide eight design recommendations for implementing Bend Passwords on flexible display devices.

5.
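With the widespread use of mobile devices such as phones and computers, people are increasingly accustomed to storing personal information on smart devices. In recent years, however, leaks of user privacy caused by lost mobile devices have become common, and how to achieve identity authentication and improve information security in the Internet cloud environment has become a matter of great concern. To address this problem, this paper proposes an update of the access policy and designs a dynamically evolving implicit re-authentication method, which enables a smart terminal to continuously identify whether the user is legitimate, resist mimicry attacks by malicious users, and prevent unauthorized users from causing data leaks. The analysis and study are intended to provide some help to those working in related areas.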

6.
The use of mobile devices is becoming more commonplace, with data regularly able to make the transition from desktop systems to pocket and handheld devices such as smartphones and PDAs. However, although these devices may consequently contain or manipulate the same data, their security capabilities are not as mature as those offered in fully-fledged desktop operating systems. This paper explores the availability of security mechanisms from the perspective of a user who is security-aware in the desktop environment and wishes to consider utilising similar protection in a mobile context. Key issues of concern are whether analogous functionality can be found, and if so, whether it is offered in a manner that parallels the desktop experience (i.e. to ensure understanding and usability). The discussion is supported by an examination of the Windows XP and Windows Mobile environments, with specific consideration given to the facilities available for user authentication, secure connectivity, and content protection on the devices. It is concluded that although security aspects receive some attention, the provided means generally suffer from usability issues or limitations that would prevent a user from achieving the same level of protection that they might enjoy in the desktop environment.

7.
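To address the fact that current cross-domain user control schemes in cloud environments cannot meet the need for mutual cross-domain access between different cryptosystems, a cross-domain control scheme based on a hybrid cryptosystem is constructed, drawing on the idea of the PKI (public key infrastructure) authentication system. The scheme uses the PKI authentication system as the management framework for security domains of different cryptosystems and a CA (certificate authority) as the common cross-domain authentication center for users of different security domains; it authenticates users of different security domains and, according to the verification result, assigns them a common cross-domain identity and an identity control tag. It not only enables mutual access between different cryptosystems but also performs real-time control of users based on the issued identity control tags: once a malicious user is detected, the user's common cross-domain identity is revoked and the malicious user's real-name identity is flagged. The analysis shows that the new scheme satisfies correctness, unforgeability and high security, resists replay attacks, substitution attacks and man-in-the-middle attacks, and reduces computational overhead.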

8.
Secure user authentication is an important issue for wireless environments such as GSM, CDPD, and 3G and 4G wireless systems. In particular, anonymity of mobile users should be guaranteed to protect their privacy. This paper proposes a user-friendly authentication scheme with anonymity for wireless communications that not only can overcome the weaknesses of the previous related schemes, but also can provide efficiency and security suitable for battery-powered mobile devices in wireless communication systems.

9.
The purpose of this study is to better understand, from an explorative qualitative perspective, the motivations and practices of highly security-conscious users of mobile authentication, and their underlying mental models of those behaviours. Mobile authentication studies have largely overlooked the mindset of these users in the upper bound of security experience, who have considered their behaviour in terms of detailed knowledge of mobile authentication risk. Twenty IT professionals who self-identified as security-conscious mobile device users, many with decades of intensive security-specific experience, were interviewed for this study regarding their opinions and experiences with mobile device authentication and security. These users described usability and situational impairment issues, as well as a deep concern for their identity and data security arising from highly contextual combinations of distrust towards underlying technologies and situational risk. Derived implications for development of security methods adapted to these informed perspectives are discussed and will be the basis for follow-on research comparing these findings with everyday users.

10.
Seamless roaming over wireless networks is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile users since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is that it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to protect against smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is simpler, more secure and more efficient.

11.
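To address the low security of educational resource sharing and the difficulty of identity authentication, a cross-domain identity authentication scheme combining blockchain technology with certificateless signatures is proposed. It brings the advantages of certificateless signatures, such as high security and the absence of the key escrow problem, to the distributed network of the blockchain, achieving user security, cross-domain authentication, traceability of malicious users and tamper-proof registration information in the authentication process. First, the identity authentication scheme based on the education blockchain and certificateless signatures is...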

12.
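Research on a PKI-based mobile OA security model   Total citations: 2, self-citations: 0, citations by others: 2
This paper studies security issues in the mobile OA model. It first analyzes in detail the technologies currently available for mobile OA, such as VPN and CDMA1X-VPDN, and the framework of a PKI-based mobile OA security model; it then proposes MOASM, a PKI-based mobile OA security model applied to customs OA. Based on this model, the design of the customs mobile OA access service platform and application service platform, the selection of the application development platform, the functional design and data design, and security designs such as user identity authentication, access permission control and network security isolation were carried out, and the model was successfully applied in the customs system.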

13.
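Implicit authentication mechanisms for mobile terminals authenticate users transparently and continuously by monitoring information such as the mobile terminal's environment and user behavior, and can enhance the usability and security of existing authentication mechanisms. This paper introduces the current state of research on implicit authentication. It introduces local and network-based implicit authentication frameworks; summarizes five categories of data collection methods; introduces a variety of user classification algorithms, including those based on machine learning, and compares their accuracy; identifies two categories of access control mechanisms; and discusses the security problems facing implicit authentication, namely behavior mimicry attacks and leakage of user privacy.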

14.
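Identity management framework for trusted mobile platforms*   Total citations: 2, self-citations: 0, citations by others: 2
To address the difficulty of managing network user identities and the shortcomings of existing identity management schemes, an identity management scheme and protocol for trusted mobile platforms is proposed, based on the security features of the trusted mobile platform: integrity verification, protected storage, domain isolation and access control, and remote platform verification. An identity matrix corresponding to authentication methods such as passwords, certificates and fingerprints is constructed. The scheme implements multiple modes of identity authentication and audit records of identity authentication; encrypted storage of the master key, the audit key and the platform AIK private key; trusted verification of the mobile platform, recovery of encrypted identities, and lookup and location of service provider identity identifiers; and encrypted transmission of identity information and authentication data. A security analysis shows that, while protecting the security of user identity information, the scheme greatly reduces the user's identity management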

15.
User authentication is an important security mechanism for recognizing legal roaming users. In 2006, Lee, Hwang, and Liao proposed an enhanced authentication scheme with user anonymity for roaming environments. This article shows that Lee–Hwang–Liao’s scheme cannot provide anonymity under the forgery attack. Moreover, the heavy computation cost may consume battery power expeditiously for mobile devices. Therefore, we propose a novel authentication scheme to overcome these weaknesses that is efficient, secure, and suitable for battery-powered mobile devices in global mobility networks.

16.
Mobile handsets have found an important place in modern society, with hundreds of millions currently in use. The majority of these devices use inherently weak authentication mechanisms, based upon passwords and PINs. This paper presents a feasibility study into a biometric-based technique, known as keystroke analysis – which authenticates the user based upon their typing characteristic. In particular, this paper identifies two typical handset interactions, entering telephone numbers and typing text messages, and seeks to authenticate the user during their normal handset interaction. It was found that neural network classifiers were able to perform classification with average equal error rates of 12.8%. Based upon these results, the paper concludes by proposing a flexible and robust framework to permit the continuous and transparent authentication of the user, thereby maximising security and minimising user inconvenience, to service the needs of the insecure and evermore functional mobile handset.

17.
Nowadays, smartphones work not only as personal devices, but also as distributed IoT edge devices uploading information to a cloud. Their secure authentication becomes more crucial as information from them can spread wider. Keystroke dynamics is one of the prominent candidates for authentication factors. Combined with PIN/pattern authentication, keystroke dynamics provide a user-friendly multi-factor authentication for smartphones and other IoT devices equipped with keypads and touch screens. There have been many studies on keystroke dynamics authentication with various features and machine-learning classification methods. However, most studies extract the same features for the entire user and the features used to learn and authenticate the user’s keystroke dynamics pattern. Since the same feature is used for all users, it may include features that express the users’ keystroke dynamics well and those that do not. The authentication performance may be deteriorated because only the discriminative feature capable of expressing the keystroke dynamics pattern of the user is not selected. In this paper, we propose a parameterized model that can select the most discriminating features for each user. The proposed technique can select feature types that better represent the user’s keystroke dynamics pattern using only the normal user’s collected samples. In addition, performance evaluation in previous studies focuses on average EER (equal error rate) for all users. EER is the value at the midpoint between the FAR (false acceptance rate) and FRR (false rejection rate); FAR is the measure of security, and FRR is the measure of usability. The lower the FAR, the higher the authentication strength of keystroke dynamics. Therefore, the performance evaluation is based on the FAR. Experimental results show that the FRR of the proposed scheme is improved by at least 10.791% from the maximum of 31.221% compared with the other schemes.

18.
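Wireless PKI is a protocol proposed by the WAP Forum for securing wireless communications. By using WPKI, handheld device clients can use public-key technology to protect the confidentiality and integrity of data. Because the storage capacity and computing speed of handheld devices are quite limited, only a small number of handheld devices can smoothly complete the computation WPKI requires. Even with a handheld device that has strong computing power, the user can communicate securely only with the subset of servers that have adopted WPKI. Handheld device users still cannot establish reliable connections with arbitrary users on the Internet. Based on an analysis of existing wireless PKI systems, an optional mode of operation for wireless PKI is proposed. The new mode moves the computation that the client can hardly bear to a trusted security proxy server and uses a cryptographic protocol to ensure the correct operation of the security proxy. The new protocol lowers the WPKI framework's requirements on the computing and storage capabilities of wireless handheld devices, while the security of the system is further assured. Wireless handheld device users can also communicate securely with users on the Internet.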

19.
Considering the low-power computing capability of mobile devices, the security scheme design is a nontrivial challenge. The identity (ID)-based public-key system with bilinear pairings defined on elliptic curves offers a flexible approach to simplifying certificate management. In the past, many user authentication schemes with bilinear pairings have been proposed. In 2009, Goriparthi et al. also proposed a new user authentication scheme for mobile client–server environment. However, these schemes do not provide mutual authentication and key exchange between the client and the server that are necessary for mobile wireless networks. In this paper, we present a new user authentication and key exchange protocol using bilinear pairings for mobile client–server environment. As compared with the recently proposed pairing-based user authentication schemes, our protocol provides both mutual authentication and key exchange. Performance analysis is made to show that our presented protocol is well suited for mobile client–server environment. Security analysis is given to demonstrate that our proposed protocol is provably secure against previous attacks.

20.
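This paper proposes a mobile secure access scheme. To handle the multiple kinds of user authentication that occur in the scheme, such as terminal login, wireless VPDN access, IPSec VPN access and application access, it adopts unified identity management based on digital certificates and labels users and smartphone terminals with user identification information, which can improve the manageability and security of the mobile terminal secure access system,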
