ABSTRACT
We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user's current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility of and users' receptiveness to our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not use any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.
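To make the selection idea in the abstract concrete, here is an added toy example (not the paper's code or model): passive factors shift the probability that the person holding the phone is an impostor, and the selector then picks the least burdensome active scheme whose residual false-accept risk still meets a configured security requirement. It generalizes slightly beyond the abstract by combining several passive factors with a naive-Bayes update under an independence assumption. The factor likelihoods, the prior, the scheme strengths and the sample day of unlock events are all constructed values chosen for illustration.

```python
"""Toy CASA-style active-scheme selector (added example, not the paper's code).

Assumed model: posterior impostor probability from passive factors, multiplied by
the probability that an impostor passes a given active scheme, must not exceed the
configured maximum false-accept risk. All numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ActiveScheme:
    name: str
    attacker_pass_prob: float  # assumed P(impostor passes this scheme in one attempt)


# Ordered from least to most burdensome for the user (assumed ordering).
SCHEMES: List[ActiveScheme] = [
    ActiveScheme("none", 1.0),        # no active authentication at all
    ActiveScheme("pin4", 1e-4),       # one guess at a uniformly chosen 4-digit PIN
    ActiveScheme("password", 1e-6),   # assumed stronger secret
]

# Constructed passive-factor model: value -> (P(value | legitimate), P(value | impostor)).
LIKELIHOODS: Dict[str, Dict[str, Tuple[float, float]]] = {
    "location": {
        "home": (0.50, 0.02),
        "office": (0.30, 0.03),
        "other": (0.15, 0.45),
        "unknown": (0.05, 0.50),
    },
    "wifi": {
        "known": (0.80, 0.10),
        "unknown": (0.20, 0.90),
    },
}


def posterior_impostor(observations: Dict[str, str], prior_impostor: float = 0.01) -> float:
    """Naive-Bayes update: posterior odds = prior odds * product of likelihood ratios.

    Independence between passive factors is assumed for simplicity.
    """
    odds = prior_impostor / (1.0 - prior_impostor)
    for factor, value in observations.items():
        p_legit, p_imp = LIKELIHOODS[factor][value]
        odds *= p_imp / p_legit
    return odds / (1.0 + odds)


def select_scheme(observations: Dict[str, str], max_false_accept: float,
                  prior_impostor: float = 0.01) -> Optional[str]:
    """Return the least burdensome scheme meeting the requirement, or None if
    no configured scheme does (caller should deny or escalate)."""
    p_imp = posterior_impostor(observations, prior_impostor)
    for scheme in SCHEMES:
        if p_imp * scheme.attacker_pass_prob <= max_false_accept:
            return scheme.name
    return None


# Constructed day of unlock events: six at home, two at the office, two somewhere unknown.
SAMPLE_DAY: List[Dict[str, str]] = (
    [{"location": "home", "wifi": "known"}] * 6
    + [{"location": "office", "wifi": "known"}] * 2
    + [{"location": "unknown", "wifi": "unknown"}] * 2
)


def active_auth_savings(events: List[Dict[str, str]], max_false_accept: float) -> float:
    """Fraction of unlock events that needed no active authentication at all."""
    skipped = sum(1 for obs in events if select_scheme(obs, max_false_accept) == "none")
    return skipped / len(events)


if __name__ == "__main__":
    for requirement in (1e-4, 1e-6):
        print(f"max false-accept risk {requirement:g}:")
        for obs in ({"location": "home", "wifi": "known"},
                    {"location": "office", "wifi": "known"},
                    {"location": "unknown", "wifi": "unknown"}):
            print(f"  {obs} -> {select_scheme(obs, requirement)}")
        print(f"  unlocks without active auth over sample day: "
              f"{active_auth_savings(SAMPLE_DAY, requirement):.0%}")
```

Tightening the requirement by two orders of magnitude moves every context one step up the scheme ladder, which is the "scalable" part of the idea: the same passive evidence buys a PIN-free unlock at home under a lax policy but only a PIN-instead-of-password reduction under a strict one, and a context the model cannot vouch for at all gets no scheme and must be denied or escalated rather than silently accepted.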
Index Terms
- CASA: context-aware scalable authentication