Abstract

Virtual assistants, deployed on smartphone and smart speaker devices, enable hands-free financial transactions by voice commands. Even though these voice transactions are frictionless for end users, they are susceptible to typical attacks on authentication protocols (e.g., replay). Using traditional knowledge-based or possession-based authentication with additional invasive interactions raises users' concerns regarding security and usefulness. State-of-the-art schemes for trusted devices with physical unclonable functions (PUF) have complex enrollment processes. We propose a scheme based on a challenge–response protocol with a trusted Internet of Things (IoT) autonomous device for hands-free scenarios (i.e., with no additional user interaction), integrated with smart home behavior for continuous authentication. The protocol was validated with automatic formal security analysis. A proof of concept with websockets presented an average response time of 383 ms for mutual authentication using a 6-message protocol with a simple enrollment process. We performed hands-free activity recognition of a specific user, based on smart home testbed data from a 2-month period, obtaining an accuracy of 97% and a recall of 81%. Given the data minimization privacy principle, we could reduce the total number of smart home event time series from 7 to 5. When compared with existing invasive solutions, our non-invasive mechanism contributes to the efforts to enhance the usability of financial institutions' virtual assistants, while maintaining security and privacy.
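As an added illustration of the two properties the abstract leans on, mutual proof of key possession between the assistant backend and the trusted IoT device, and resistance to replay through per-session random challenges, the following example is written for this page and is not the paper's 6-message protocol or its trusted-device implementation; the shared symmetric key provisioned at enrollment, the HMAC-SHA256 construction, the role tags and the message shape are all assumptions.

```python
"""Minimal mutual challenge-response handshake between a voice-assistant
backend and a trusted IoT device that share a symmetric key K.

Constructed illustration (not the paper's protocol): each side proves
possession of K over a fresh random challenge issued by the other side,
so a captured response cannot be replayed into a later session.
"""
import hashlib
import hmac
import os

ROLE_DEVICE = b"device"
ROLE_SERVER = b"server"


def make_key() -> bytes:
    """Shared key provisioned at enrollment (constructed sample value)."""
    return os.urandom(32)


def prove(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Response = HMAC-SHA256(K, role || challenge). Binding the responder's
    role into the MAC stops a reflection attack in which a party is fed its
    own challenge and its own answer is returned to it."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


def check(key: bytes, role: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(prove(key, role, challenge), response)


class Backend:
    """Assistant backend: issues a challenge, verifies the device, proves itself."""

    def __init__(self, key: bytes):
        self.key = key
        self.session_challenge = None

    def start(self) -> bytes:
        self.session_challenge = os.urandom(16)  # fresh nonce per session
        return self.session_challenge

    def finish(self, device_response: bytes, device_challenge: bytes):
        """Returns (device_authenticated, backend_response_or_None)."""
        if self.session_challenge is None:
            return False, None
        ok = check(self.key, ROLE_DEVICE, self.session_challenge, device_response)
        self.session_challenge = None  # single use: cannot be answered twice
        if not ok:
            return False, None
        return True, prove(self.key, ROLE_SERVER, device_challenge)


class Device:
    """Trusted IoT device: answers the backend and challenges it back."""

    def __init__(self, key: bytes):
        self.key = key
        self.my_challenge = None

    def answer(self, backend_challenge: bytes):
        self.my_challenge = os.urandom(16)
        return prove(self.key, ROLE_DEVICE, backend_challenge), self.my_challenge

    def verify_backend(self, backend_response: bytes) -> bool:
        ok = check(self.key, ROLE_SERVER, self.my_challenge, backend_response)
        self.my_challenge = None
        return ok


def handshake(backend: Backend, device: Device):
    """Run one session; return (mutually_authenticated, transcript)."""
    transcript = []
    c_b = backend.start()
    transcript.append(("backend->device", c_b))
    r_d, c_d = device.answer(c_b)
    transcript.append(("device->backend", r_d, c_d))
    ok_b, r_b = backend.finish(r_d, c_d)
    if not ok_b:
        return False, transcript
    transcript.append(("backend->device", r_b))
    return device.verify_backend(r_b), transcript


def replay_device_response(backend: Backend, old_transcript: list) -> bool:
    """Detection check: resubmit a device response captured from an earlier
    session. The backend's fresh challenge makes the stale MAC fail."""
    backend.start()  # new session, new challenge
    _, old_r_d, old_c_d = old_transcript[1]
    ok, _ = backend.finish(old_r_d, old_c_d)
    return ok


def demo() -> dict:
    """Returns the outcome of a genuine session, a replay, and a wrong-key peer."""
    k = make_key()
    backend, device = Backend(k), Device(k)
    genuine, transcript = handshake(backend, device)
    replayed = replay_device_response(backend, transcript)
    wrong_key, _ = handshake(Backend(k), Device(make_key()))
    return {"genuine": genuine, "replay_accepted": replayed, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The point of the example is the second result: a response recorded from one session is rejected the moment the backend draws a new challenge, which is the property a replay attack on a voice transaction has to defeat; binding the responder role into the MAC is what makes the two directions of the mutual handshake non-interchangeable.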

Highlights

  • Security is one of the relevant emerging challenges for the Internet of Things [1,2,3]

  • The demand for resiliency against cyber attacks faced by Internet of Things (IoT) devices reveals resource limitations, which inhibit the use of existing asymmetric cryptography solutions [5]

  • The major research contribution of this paper is that of a non-invasive authentication mechanism for financial transactions by voice, in trusted connected locations, with an additional hardware autonomous device, presenting a comparable response time and security level to existing invasive solutions; it is integrated with a method for continuous authentication, based on behavior learning in a trusted connected location


Summary

Introduction

Security is one of the relevant emerging challenges for the Internet of Things [1,2,3]. Security attacks in daily life [4] raise user concerns about the technology's maturity. Users choose to interact with smart speakers using voice commands because they perceive it as requiring less effort when compared with the smartphone alternative [20], so an invasive authentication that requires additional interaction with another device may be impractical for wide adoption. To address these security concerns and the invasiveness of existing authentication mechanisms, this article presents a hands-free authentication scheme with a simple enrollment process. The major research contribution of this paper is that of a non-invasive authentication mechanism for financial transactions by voice, in trusted connected locations, with an additional hardware autonomous device, presenting a comparable response time and security level to existing invasive solutions; it is integrated with a method for continuous authentication, based on behavior learning in a trusted connected location (i.e., the smart home).

Related Work
Usability
Privacy
Security
Design Goals
Threat Model
Assumptions and Hypotheses
Architecture
Enrollment
Continuous Authentication
Challenge–Response Protocol
Protocol Description
Formal Security Analysis
Trusted IoT Device
Methods and Materials
Tests and Implementation
Performance Analysis
Considered Scenarios
Testbed Data Collection
Proof of Concept
Known Limitations
Comparison with Related Work
Findings
Final Considerations
