Implicit Authentication Research Articles

MWIoTAuth: Multi-wearable data-driven implicit IoT authentication

Due to the advancement of wearables and the Internet of Things (IoT), end-users are using a range of wearables, such as smartwatches, fitness bands, and smart glasses, to receive a range of services, e.g., bank transactions and access several physical objects, e.g., smart cars/homes. While wearables collect various information, e.g., physiological and behavioral data of an IoT end-user, to provide different services, market-wearables often have no authentication or have knowledge-based authentications. This limitation brings additional security challenges. However, similar types of data, e.g., heart rate (source: both Wellue and Fitbit), or different types of data, e.g., oxygen saturation values (source: Wellue) and calorie burn (source: Fitbit), obtained from multiple IoT-connected wearables could contain complementary information (due to positional variation of different wearables on different body parts), which can be helpful in uniquely identifying a user. Therefore, in this work, we propose an implicit IoT end-user authentication (mWIoTAuth) approach utilizing data from two market wearables, i.e., Wellue (providing heart rate and oxygen saturation values) and Fitbit (providing heart rate, calorie burn, and step count). From our detailed analysis of a 2-phase study conducted with two separate cohorts of 40 subjects wearing Wellue and Fitbit in their daily life for continuous 8 h, we find that models developed from two wearables have 5%–14% higher accuracy and F1 score compared to the single-wearable models. These findings show the promise to develop multi-wearable implicit authentication for end-users to secure the IoT world accessible via wearables.

Bag of On-Phone ANNs to Secure IoT Objects Using Wearable and Smartphone Biometrics

The introduction of the Internet of Things (IoT) has made several emerging applications, from financial transactions to property access, possible through IoT-connected smart wearables (smartwatches). This creates an immediate need for an authentication system that can validate a user seamlessly, compared to knowledge-based approaches. In this work, we present an implicit authentication system that utilizes a bag of on-phone artificial neural network (ANN) models to validate a user based on the availability of three soft-biometrics (heart rate, gait, and breathing patterns) collected from smartphones and Fitbits. We find that using all three biometrics we can achieve an average accuracy of up to <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$.973 \pm . 004$</tex-math></inline-formula> . Next, we implement the bag of models on smartphones using Google's TensorFlow Lite framework-supported <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TFL Auth</i> application, which requires around 56-65 KB memory and can verify a user in 5 seconds. Finally, we evaluate the system <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TFL Auth</i> using two cohorts of 25 subjects in total, and we find that the system has average understandability and importance scores of around 4.0 and 4.3 on a 1 – 5 scale.

ONE3A: one-against-all authentication model for smartphone using GAN network and optimization techniques.

This study focuses on addressing computational limits in smartphones by proposing an efficient authentication model that enables implicit authentication without requiring additional hardware and incurring less computational cost. The research explores various wrapper feature selection strategies and classifiers to enhance authentication accuracy while considering smartphone limitations such as hardware constraints, battery life, and memory size. However, the available dataset is small; thus, it cannot support a general conclusion. In this article, a novel implicit authentication model for smartphone users is proposed to address the one-against-all classification problem in smartphone authentication. This model depends on the integration of the conditional tabular generative adversarial network (CTGAN) to generate synthetic data to address the imbalanced dataset and a new proposed feature selection technique based on the Whale Optimization Algorithm (WOA). The model was evaluated using a public dataset (RHU touch mobile keystroke dataset), and the results showed that the WOA with the random forest (RF) classifier achieved the best reduction rate compared to the Harris Hawks Optimization (HHO) algorithm. Additionally, its classification accuracy was found to be the best in mobile user authentication from their touch behavior data. WOA-RF achieved an average accuracy of 99.62±0.40% with a reduction rate averaging 87.85% across ten users, demonstrating its effectiveness in smartphone authentication.

MotionID: Towards practical behavioral biometrics-based implicit user authentication on smartphones

Traditional one-time authentication mechanisms cannot authenticate smartphone users’ identities throughout the session — the concept of using behavioral-based biometrics captured by the built-in motion sensors and touch data is a candidate to solve this issue. Many studies proposed solutions for behavioral-based continuous authentication; however, they are still far from practicality and generality for real-world usage. To date, no commercially deployed implicit user authentication scheme exists because most of those solutions were designed to improve detection accuracy without addressing real-world deployment requirements. To bridge this gap, we tackle the limitations of existing schemes and reach towards developing a more practical implicit authentication scheme, dubbed MotionID, based on a one-class detector using behavioral data from motion sensors when users touch their smartphones. Compared with previous studies, our work addresses the following challenges: ① Global mobile average to dynamically adjust the sampling rate for sensors on any device and mitigate the impact of using sensors’ fixed sampling rate; ② Over-all-apps to authenticate a user across all the mobile applications, not only on-specific application; ③ Single-device-evaluation to measure the performance with multiple users’ (i.e., genuine users and imposters) data collected from the same device; ④ Rapid authentication to quickly identify users’ identities using a few samples collected within short durations of touching (1–5 s) the device; ⑤ Unconditional settings to collect sensor data from real-world smartphone usage rather than a laboratory study. To show the feasibility of MotionID for those challenges, we evaluated the performance of MotionID with ten users’ motion sensor data on five different smartphones under various settings. Our results show the impracticality of using a fixed sampling rate across devices that most previous studies have adopted. MotionID is able to authenticate users with an F1-score up to 98.5% for some devices under practical requirements and an F1-score up to roughly 90% when considering the drift concept and rapid authentication settings. Finally, we investigate time efficiency, power consumption, and memory usage considerations to examine the practicality of MotionID.

Quantum Mutual Implicit Authentication Key Agreement Protocol without Entanglement with Key Recycling

Quantum Mutual Implicit Authentication Key Agreement Protocol without Entanglement with Key Recycling

SHRIMPS: A framework for evaluating multi-user, multi-modal implicit authentication systems

Smart devices are commonly used in multi-user scenarios, such as shared household devices and shared corporate devices for front-line workers. A multi-user device requires both identification and authentication to defend against unauthorized access and distinguish between legitimate users in real-time, especially when multiple users participate in the same session. Although implicit authentication (IA) has been proposed to provide continuous and transparent authentication throughout a session, most existing IA solutions are optimized for single-user scenarios. The challenges of designing multi-user IA systems include fusing multiple modalities for good accuracy, segmenting and labeling behavioral data while authenticating, and adapting IA models to new users and new incoming data. We propose SHRIMPS, an evaluation framework to support IA researchers in the design of multi-user, multi-modal IA systems. SHRIMPS allows the evaluation of multi-user IA solutions that incorporate multiple modalities and supports adding new users and automatically labeling new incoming data for model updating. SHRIMPS supports different score fusion strategies, including a novel score fusion strategy based on Dempster-Shafer (D-S) theory to improve accuracy with considering uncertainties among different IA mechanisms. SHRIMPS enables composing tasks with public datasets to evaluate and compare different IA schemes. We present and evaluate two sample use cases to showcase how SHRIMPS helps address practical design questions of multi-user, multi-modal IA systems. The evaluation results show that D-S theory based score fusion methods can effectively reject attackers and detect user switches for the multi-user scenario in real-time.

Enhancing Sensor-Based Mobile User Authentication in a Complex Environment by Deep Learning

With the advent of smart mobile devices, end users get used to transmitting and storing their individual privacy in them, which, however, has aroused prominent security concerns inevitably. In recent years, numerous researchers have primarily proposed to utilize motion sensors to explore implicit authentication techniques. Nonetheless, for them, there are some significant challenges in real-world scenarios. For example, depending on the expert knowledge, the authentication accuracy is relatively low due to some difficulties in extracting user micro features, and noisy labels in the training phrase. To this end, this paper presents a real-time sensor-based mobile user authentication approach, ST-SVD, a semi-supervised Teacher–Student (TS) tri-training algorithm, and a system with client–server (C-S) architecture. (1) With S-transform and singular value decomposition (ST-SVD), we enhance user micro features by transforming time-series signals into 2D time-frequency images. (2) We employ a Teacher–Student Tri-Training algorithm to reduce label noise within the training sets. (3) To obtain a set of robust parameters for user authentication, we input the well-labeled samples into a CNN (convolutional neural network) model, which validates our proposed system. Experimental results on large-scale datasets show that our approach achieves authentication accuracy of 96.32%, higher than the existing state-of-the-art methods.

BubbleMap: Privilege Mapping for Behavior-Based Implicit Authentication Systems

Leveraging users' behavioral data sampled by various sensors during the identification process, implicit authentication (IA) relieves users from explicit actions such as remembering and entering passwords. Various IA schemes have been proposed based on different behavioral and contextual features such as gait, touch, and GPS. However, existing IA schemes suffer from false positives, i.e., falsely accepting an adversary, and false negatives, i.e., falsely rejecting the legitimate user due to users' behavior change and noise. To deal with this problem, we propose BubbleMap (BMap), a framework that can be seamlessly incorporated into any existing IA system to balance between security (reducing false positives) and usability (reducing false negatives) as well as reducing the equal error rate (EER). To evaluate the proposed framework, we implemented BMap on five state-of-the-art IA systems. We also conducted an experiment in a real-world environment from 2016 to 2020. Most of the experimental results show that BMap can greatly enhance the IA schemes' performances in terms of the EER, security, and usability, with a small amount of penalty on energy consumption.

A biometric‐based implicit authentication protocol with privacy protection for ubiquitous communication environments

SummaryDue to the proliferation of the wireless communication technologies, we are now in the era of ubiquitous computing. People can enjoy services almost in any time and any location based on the mobile intelligent devices. Meanwhile, more and more personal information are transmitted through the network. To protect these sensitive information, authentication and privacy protection are primary concerns in ubiquitous communication environments. However, traditional physical‐based biometric authentication scheme usually requires explicit cooperation of the user, which is inconvenient to the users. In order to solve this problem, a behavior biometric authentication protocol with privacy protection is designed using matrix multiplication and homomorphic encryption for ubiquitous communication environments. The correctness, security, and privacy protection properties are proved with security analysis. Performance evaluation shows that our protocol achieves stronger security and higher communication efficiency compared with other related protocols, which makes it very suitable for ubiquitous communication environments because communication consumes much more energy than computation does in mobile communication.

A strengthened eCK secure identity based authenticated key agreement protocol based on the standard CDH assumption

An Authenticated Key Agreement (AKA) protocol enables two communicating parties to compute a session key with equal partnership, such that each entity is assured of the authenticity of its peer. Identity-based AKA (ID-AKA) protocols facilitate implicit authentication of the participating entities, without certificate verification. However, most of the existing ID-AKA schemes are proven secure based on the strong Gap Diffie-Hellman (GDH) assumption. Currently, there are no known implementation methods to realize the GDH assumption without using bilinear pairings. Further, none of the existing ID-AKA protocols have provable security against practical attacks due to intermediate result leakages. To this end, we propose a purely pairing-free ID-AKA protocol based on the Computational Diffie-Hellman assumption. The protocol offers provable security under the strengthened eCK (seCK) model that captures attacks resulting from intermediate result leakages. Comparative analysis with other ID-AKA protocols suggests that the proposed protocol satisfies stronger security requirements, without the gap assumption.

Sensor-based implicit authentication through learning user physiological and behavioral characteristics

Nowadays, a large amount of users’privacy data is stored in mobile intelligent devices, and authentication systems have become an important defense to protect that data. The traditional explicit authentication, however, is under significant threat from a great deal of side channel attacks, such as those based on computer vision and touch screen attacks. Users’authentication keys are facing a high risk of leakage, whereas implicit authentication is one of the effective methods to resist various side channel attacks. Nevertheless, existing user implicit authentication approaches still have weaknesses in security and usability, which increase users’authentication burdens and pose potential safety issues. To address this problem, our paper proposes a user implicit authentication approach based on physiological and behavioral characteristics, using the most commonly performed actions in daily life to pre-authenticate users. In our method, multiple sensors are utilized to extract physiological and behavioral characteristics of users, and the sensor data is fused by aligning the extracted characteristic data and using the Kalman filter to reduce its noise. Users’authentication results can be determined by comparing the similarities between their reference and authentication samples using the siamese neural network. The experimental results show that our approach improves the performance of implicit authentication while ensuring its security and usability.

A Comprehensive Survey of Context-Aware Continuous Implicit Authentication in Online Learning Environments

User authentication is crucial in the digital learning environment to preserve the integrity and reliability of the learning process. Implicit authentication using biometrics has been proposed to improve the user experience while resolving the issues that password dominant authentication faces. Implicit authentication does not require explicit user actions as it is a background process that implicitly acquires a user’s identifying information through sensors embedded within the authenticating devices. To accommodate a variety of user contexts, context-aware implicit authentication has gained attention especially in the mobile device domain, but it has not been fully explored in digital learning environments. This study is motivated to determine how implicit authentication can observe students’ behaviour without causing disruption to the learning activity. The study provides a structured systematic review of the existing literature to identify and discuss the structure of context-aware continuous implicit authentication systems and future directions. The study found that requirements in the future will be: 1) to consider diverse authenticators to cover all possible user interactions with online learning environments, including coverage of course participants not engaged with online exams; 2) to investigate template adaptation to overcome template ageing issues with biometrics; and 3) to explore evaluation approaches of context-aware implicit authentication systems.

PresSafe: Barometer-Based On-Screen Pressure-Assisted Implicit Authentication for Smartphones

Graphic-pattern-based implicit authentication has been successfully exploited to elevate the security of smartphones. On-screen pressure is one of the key features in such an approach since it can reveal users’ touch pattern. However, state-of-the-art approaches rely on a system API to obtain on-screen pressure, which is not adequately accurate and cannot meet the demands of robust implicit authentication. To bridge this gap, we propose PresSafe, a novel implicit authentication system that utilizes the smartphone’s built-in barometer sensor to measure pressure during the unlocking process, and to utilize the pressure data in authentication. A key technical challenge in utilizing barometer sensing, however, is to understand the user activity through measured pressure. To overcome this challenge, PresSafe leverages barometer data along with data from other conventional but heterogeneous ambient sensors to produce accurate and robust user activity descriptions. PresSafe utilizes a transfer-learning-based hybrid workflow to integrate user activity representation learning with a lightweight classical authentication algorithm to obtain a unified model. This approach offloads the computational cost from the terminal and addresses privacy concerns. To ensure applicability of our approach despite data heterogeneity and insufficient training data, we utilize a channel-adaptive data processing mechanism. Extensive experiments utilizing more than 70000 records from 23 volunteers in six different locations show that PresSafe achieves an FAR of 0.45%, an FRR of 0.49%, and an EER of 0.47%, which clearly demonstrate its superiority over several existing solutions.

Grey Wolf-Based Method for an Implicit Authentication of Smartphone Users

Smartphones have now become an integral part of our everyday lives. User authentication on smartphones is often accomplished by mechanisms (like face unlock, pattern, or pin password) that authenticate the user’s identity. These technologies are simple, inexpensive, and fast for repeated logins. However, these technologies are still subject to assaults like smudge assaults and shoulder surfing. Users’ touch behavior while using their cell phones might be used to authenticate them, which would solve the problem. The performance of the authentication process may be influenced by the attributes chosen (from these behaviors). The purpose of this study is to present an effective authentication technique that implicitly offers a better authentication method for smartphone usage while avoiding the cost of a particular device and considering the constrained capabilities of smartphones. We began by concentrating on feature selection methods utilizing the grey wolf optimization strategy. The random forest classifier is used to evaluate these tactics. The testing findings demonstrated that the grey wolf-based methodology works as a better optimum feature selection for building an implicit authentication mechanism for the smartphone environment when using a public dataset. It achieved a 97.89% accuracy rate while utilizing just 16 of the 53 characteristics like utilizing minimum mobile resources mainly; processing power of the device and memory to validate individuals. Simultaneously, the findings revealed that our approach has a lower equal error rate (EER) of 0.5104, a false acceptance rate (FAR) of 1.00, and a false rejection rate (FRR) of 0.0209 compared to the methods discussed in the literature. These promising results will be used to create a mobile application that enables implicit validation of authorized users yet avoids current identification concerns and requires fewer mobile resources.

Implicit authentication with sensor normalization and multi-modal domain adaption based on mobile crowd sensing

Implicit authentication with sensor normalization and multi-modal domain adaption based on mobile crowd sensing

Use It-No Need to Shake It!

Implicit authentication for traditional objects, such as doors and dumbbells, has rich applications but is rarely studied. An ongoing trend is that traditional objects are retrofitted to smart environments; for instance, a contact sensor is attached to a door to detect door opening (but cannot tell "who is opening the door"). We present the first accurate implicit-authentication system for retrofitted everyday objects, named MoMatch. It makes an authentication decision based on a single natural object use, unlike prior work that requires shaking objects. MoMatch is built on the observation that an object has a motion typically because a human hand moves it; thus, the object's motion and the legitimate user's hand movement should correlate. The main challenge is, given the small amount of data collected during one object use, how to measure the correlation accurately. We convert the correlation measurement problem into an image comparison problem and resolve it using neural networks successfully. MoMatch does not need to profile the user's biometric information and is resilient to mimicry attacks.

Fuzzy logic based authentication in cognitive radio networks

&lt;p&gt;Security is a critical issue in cognitive radio networks because the cognitive node enters and variably leaves the spectrum, so it is difficult to process communication secretly. We suggested a fuzzy logic-based implicit authentication mechanism to be a solution for the confusion if there were any cognitive node doubts it to be unauthentic, and to improve user privacy in cognitive radio networks. Using a fuzzy logic technique, the proposed scheme computed certification based on proposed feedback. When a cognitive node needs to join the network, it is verified by using fuzzy logic if the node was authenticated or not. Our proposed fuzzy logic's results implicit authentication proved that it was a very successful and applicable scheme on cognitive radio networks, and it will be able to make an effective final decision in the context of incompleteness, ambiguity, and heterogeneity&lt;/p&gt;

SAuth: a hierarchical implicit authentication mechanism for service robots

With advances in networks, Artificial Intelligence (AI), and the Internet of Things, humanoid robots are rising in many areas, including elderly care, companion, education, and services in public sectors. Given their sensing and communication functionality, information leakage and unauthorized access will be of big concern. Very often, authentication techniques for service robots, especially those related to behavioral identification, have been developed, in which behavior models are created using raw data from sensors. However, behavioral-based authentication and re-authentication is still an open area for research, including cold start problems, accuracy, and uncertainty. This paper proposes a hierarchical implicit authentication system by joint built-in sensors and trust evaluation, coined sAuth, which exploits sensor data-based sliding window trust model to identify the service robot and its expected users. In order to mitigate the fluctuations of identification results in the real world environment, the trust evaluation is computed via combining the weighted intermediate identification probability of various small sliding windows. The performance of sAuth is evaluated under different scenarios where we show that (i) approximately 5–7% higher accuracy and 2–18% lower equal error rate can be achieved by our method compared to other works; and (ii) the hierarchical scheme with joint sensors and trust sliding windows improves the authentication accuracy significantly by comparing it with only sensor-based authentication.

EchoIA: A Cloud-Based Implicit Authentication Leveraging User Feedback

Implicit authentication (IA) transparently authenticates users by utilizing their behavioral data sampled from various sensors. Identifying the illegitimate user through constantly analyzing current users’ behavior, IA adds another layer of protection to the smart device. Due to the diversity of human behavior, existing research tends to utilize multiple features to identify users, which is less efficient. Irrelevant features may increase the system delay and reduce the authentication accuracy. However, dynamically choosing the best suitable features for each user (personal features) requires a massive calculation, making it infeasible in the real environment. In this paper, we propose EchoIA to find personal features with a small amount of calculation by leveraging user feedback derived from the correct rate of inputted passwords. By analyzing the feedback, EchoIA can deduce the true identities of current users and achieve a human-centered implicit authentication. In the authentication phase, our approach maintains transparency, which is the major advantage of IA. In the past two years, we conducted a comprehensive experiment to evaluate EchoIA. We compared it with four state-of-the-art IA schemes in the aspect of authentication accuracy and efficiency. The experiment results show that EchoIA has better authentication accuracy (93%) and less energy consumption (23-h battery lifetimes) than other IA schemes.

Beyond Passwords—Challenges and Opportunities of Future Authentication

The usable security community seems ready for another attempt to move beyond passwords. We shed light on current scientific developments in implicit authentication—that is, authentication approaches in which physiological features and behavior authenticate users—and discuss opportunities and obstacles.