Abstract

Short message service (SMS) is the most widely adopted multi-factor authentication method for consumer-facing accounts. However, SMS authentication is susceptible to vulnerabilities such as man-in-the-middle attacks, smishing, and device theft. This study proposes implicit authentication based on the behavioral pattern of users when they check an SMS verification code and on environmental information about user proximity to detect device theft. The user's behavioral pattern is collected using the accelerometer and gyroscope of a smart device such as a smartphone or smart watch. The user's environmental information is collected using device fingerprint, wireless access point, Bluetooth, and global positioning system information. To evaluate the performance of the proposed scheme, we perform experiments using a total of 1320 behavioral and environmental data collected from 22 participants. The scheme achieves an average equal error rate of 6.27% when using both behavioral and environmental data collected from only a smartphone. Moreover, it achieves an average equal error rate of 0% when using both behavioral and environmental data collected from a smartphone and smart watch. Therefore, the proposed scheme can be employed for more secure SMS authentication.

Highlights

  • Short message service (SMS) is the most widely adopted multi-factor authentication method for consumer-facing accounts

  • SMS authentication is excluded from the digital authentication guideline issued by the National Institute of Standards and Technology (NIST) [3]; instead, one-time password (OTP)-generating applications such as Google Authenticator and Authy, and biometric authentication such as fingerprint and iris authentication are recommended

  • The area under the ROC (AUROC) values were measured as 0.6503, 0.5542, and 0.8057 when the smartphone was on a table, in the user’s hand, and in the user’s pocket, respectively
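
How metrics like the equal error rate and AUROC reported above are computed from authentication scores, as an added example that is not from the paper. The scores are constructed, and the rule "accept when score >= threshold" is an assumption, since this page does not describe the classifier.

```python
# Constructed similarity scores (higher = more like the enrolled user).
# GENUINE: the owner checking an SMS code; IMPOSTOR: someone else holding the device.
GENUINE = [0.91, 0.84, 0.78, 0.66, 0.95, 0.58, 0.88, 0.73, 0.81, 0.42]
IMPOSTOR = [0.12, 0.35, 0.47, 0.61, 0.22, 0.30, 0.52, 0.18, 0.69, 0.27]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) for the assumed rule: accept when score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owners rejected
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return (eer, threshold)
    at the operating point where FAR and FRR are closest."""
    candidates = sorted(set(genuine) | set(impostor))
    candidates.append(candidates[-1] + 1e-9)  # threshold that rejects everything
    best = None
    for t in candidates:
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def auroc(genuine, impostor):
    """Probability that a random genuine score outranks a random impostor
    score (ties count half). 0.5 is chance level, 1.0 is perfect separation."""
    wins = sum((g > i) + 0.5 * (g == i) for g in genuine for i in impostor)
    return wins / (len(genuine) * len(impostor))


if __name__ == "__main__":
    eer, threshold = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER   = {eer:.2%} at threshold {threshold}")
    print(f"AUROC = {auroc(GENUINE, IMPOSTOR):.4f}")
```

An EER of 0% means some threshold separates every genuine score from every impostor score in the test set; with a small participant pool that is a statement about the collected data, not a guarantee for unseen users.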


Summary

Introduction

Short message service (SMS) is the most widely adopted multi-factor authentication method for consumer-facing accounts. SMS authentication is excluded from the digital authentication guideline issued by the National Institute of Standards and Technology (NIST) [3]; instead, one-time password (OTP)-generating applications such as Google Authenticator and Authy, and biometric authentication such as fingerprint and iris authentication, are recommended. An OTP-generating application does not prevent device theft, and biometric authentication is not replaceable when leaked and is vulnerable to smudge attacks [4,5]. To overcome these limitations, behavioral-based authentication techniques such as those using arm gestures when responding to calls or hand waving gestures have been studied
