Due to the frequency with which smartphone owners use their devices, effortful authentication methods such as passwords and PINs are not an effective choice for smartphone authentication. Past research has offered solutions such as graphical passwords, biometrics and password hardening techniques. However, these solutions still require the user to authenticate frequently, which may become increasingly frustrating over time. Transparent authentication has been suggested as an alternative to such effortful solutions. It utilizes readily available behavioral biometrics to provide a method that runs in the background without requiring explicit user interaction. In this manner, transparent authentication delivers a less effortful solution with which the owner does not need to engage as frequently. We expand the current research into transparent authentication by surveying the user, an important stakeholder, regarding their opinions towards transparent authentication on a smartphone. We asked 30 participants to complete a series of tasks on a smartphone that was ostensibly protected with varying degrees of transparent authentication. We then surveyed participants regarding their opinions of transparent authentication, their opinions of the sensitivity of tasks and data on smartphones, and their perception of the level of protection provided to the data and apps on the device. We found that 90% of those surveyed would consider using transparent authentication on their mobile device should it become available. Furthermore, participants had widely varying opinions of the sensitivity of the experiment's tasks, showing that a more granular method of smartphone security is justified. Interestingly, we found that the complete removal of security barriers, which is commonly cited as a goal in authentication research, does not align with the opinions of our participants. Instead, we found that having a few barriers to device and data access aided the user in building a mental model of the on-device security provided by transparent authentication. These results provide a valuable understanding to inform development of transparent authentication on smartphones since they provide a glimpse into the needs and wants of the end user.
Internet-of-Things (IoT) devices implement weak authentication and access control schemes. The on-demand nature of IoT devices requires a responsive communications channel, which is often at odds with thorough authentication and access control. This paper seeks to better understand IoT device security by examining the design of authentication and access control schemes. In this work, we explore the challenge of propagating credential revocation and access control list modifications in a shared IoT ecosystem. We evaluate the vulnerability of 19 popular security cameras and doorbells against a straightforward user-interface-bound adversary attack. Our results demonstrate that 16 of 19 surveyed devices suffer from flaws that enable unauthorized access after credential modification or revocation. We conclude by discussing these findings and propose a means for balancing authentication and access control schemes while still offering responsive communications channels.

2020 IEEE Symposium on Security and Privacy Workshops (SPW)