DOI: 10.5555/2362793.2362808

Progressive authentication: deciding when to authenticate on mobile phones

Published: 08 August 2012

Abstract

Mobile users are often faced with a trade-off between security and convenience. Either users do not use any security lock and risk compromising their data, or they use security locks but then have to inconveniently authenticate every time they use the device. Rather than exploring a new authentication scheme, we address the problem of deciding when to surface authentication and for which applications. We believe reducing the number of times a user is requested to authenticate lowers the barrier of entry for users who currently do not use any security. Progressive authentication, the approach we propose, combines multiple signals (biometric, continuity, possession) to determine a level of confidence in a user's authenticity. Based on this confidence level and the degree of protection the user has configured for his applications, the system determines whether access to them requires authentication. We built a prototype running on modern phones to demonstrate progressive authentication and used it in a lab study with nine users. Compared to the state of the art, the system is able to reduce the number of required authentications by 42% and still provide acceptable security guarantees, thus representing an attractive solution for users who do not use any security mechanism on their devices.


Published In

Security'12: Proceedings of the 21st USENIX conference on Security symposium
August 2012
43 pages

Sponsors

  • NSF: National Science Foundation
  • Google Inc.
  • IBMR: IBM Research
  • Microsoft Research
  • Symantec

Publisher

USENIX Association, United States
