Risk-Based User Authentication for Mobile Passenger ID Devices for Land and Sea Border Control

2022 IEEE 27th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD)

Essop

et al. 2022

User Authentication in mobile devices acts as a first line of defense verifying the user´s identity to allow access to the resources of a device and typically was based on ''something the user knows'', known also as knowledge-based user authentication for several decades. However, recent studies point out that although knowledge-based user authentication has been the most popular for authenticating an individual, nowadays it is no more considered secure and convenient for the mobile user as it is imposing several limitations in terms of security and usability. These limitations stress the need for the development and implementation of more secure and usable user authentication methods. Toward this direction, user authentication based on the ''something the user is'' has caught the attention. This category includes authentication methods which make use of human physical characteristics (also referred to as physiological biometrics), or involuntary actions (also referred to as behavioral biometrics). In particular, risk-based user authentication based on behavioral biometrics appears to have the potential to increase the reliability of authentication without sacrificing usability. In this context, we focus on the estimation of the risk score, in a continuous mode, of the risk-based user authentication mechanism that we have proposed in our previous work for mobile passenger identification (ID) devices for land/sea border control.

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Risk Estimation for a Secure & Usable User Authentication Mechanism for Mobile Passenger ID Devices

2022 IEEE 27th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD)

Essop

et al. 2022

“…Shang et al [ 72 ] stated that fuzzy logic models can work as a complement to probability models, assessing risks in cases where there are insufficient data and incomplete knowledge. According to them, fuzzy logic models are able to provide a framework where human reasoning and imprecise data can contribute to efficient risk analysis [ 72 ] in various environments including risk-based user authentication [ 48 , 73 ].…”

Section: Quantitative Risk Estimation Approaches (Qreas)mentioning

confidence: 99%

A Survey on Quantitative Risk Estimation Approaches for Secure and Usable User Authentication on Smartphones

Pelekoudas-Oikonomou

et al. 2023

Sensors

Self Cite

Mobile user authentication acts as the first line of defense, establishing confidence in the claimed identity of a mobile user, which it typically does as a precondition to allowing access to resources in a mobile device. NIST states that password schemes and/or biometrics comprise the most conventional user authentication mechanisms for mobile devices. Nevertheless, recent studies point out that nowadays password-based user authentication is imposing several limitations in terms of security and usability; thus, it is no longer considered secure and convenient for the mobile users. These limitations stress the need for the development and implementation of more secure and usable user authentication methods. Alternatively, biometric-based user authentication has gained attention as a promising solution for enhancing mobile security without sacrificing usability. This category encompasses methods that utilize human physical traits (physiological biometrics) or unconscious behaviors (behavioral biometrics). In particular, risk-based continuous user authentication, relying on behavioral biometrics, appears to have the potential to increase the reliability of authentication without sacrificing usability. In this context, we firstly present fundamentals on risk-based continuous user authentication, relying on behavioral biometrics on mobile devices. Additionally, we present an extensive overview of existing quantitative risk estimation approaches (QREA) found in the literature. We do so not only for risk-based user authentication on mobile devices, but also for other security applications such as user authentication in web/cloud services, intrusion detection systems, etc., that could be possibly adopted in risk-based continuous user authentication solutions for smartphones. The target of this study is to provide a foundation for organizing research efforts toward the design and development of proper quantitative risk estimation approaches for the development of risk-based continuous user authentication solutions for smartphones. The reviewed quantitative risk estimation approaches have been divided into the following five main categories: (i) probabilistic approaches, (ii) machine learning-based approaches, (iii) fuzzy logic models, (iv) non-graph-based models, and (v) Monte Carlo simulation models. Our main findings are summarized in the table in the end of the manuscript.

“…Unlike traditional authentication methods, which are typically performed only at the beginning of the session (i.e., one-shot authentication) and, afterwards, any future changes and/or abnormalities in user identity/behavior remain undetected, increasing the risk of sensitive information leakage and user's privacy violation, behavioral biometrics can enhance continuous authentication throughout the user's session [37], [38]. In other words, if a user's behavior changes, the system can detect this and prompt reauthentication.…”

Section: Continuous Authentication Enhancementmentioning

confidence: 99%

Behavioral Biometrics for Mobile User Authentication: Benefits and Limitations

2023 IFIP Networking Conference (IFIP Networking)

Panaousis

et al. 2023

User authentication serves as the primary defense, also referred to as first line of defense, by verifying the identity of a mobile user, often as a requirement for accessing resources on a mobile device. For many years, user authentication relied on "something that the user knows," also known as knowledge-based user authentication. However, recent research indicates that knowledge-based user authentication is no longer considered secure or convenient for mobile users because it imposes several limitations. These limitations highlight the need for more secure and user-friendly user authentication methods. One promising solution is user authentication based on "something that the user is," which includes authentication methods that use physical characteristics of the mobile user (i.e., physiological biometrics) or their involuntary actions (i.e., behavioral biometrics). Although physiological biometrics have been successfully deployed for mobile user authentication over the last years, recent studies suggest that they show several weaknesses (e.g., vulnerable to various attacks such as impersonation). Consequently, experts in the security field are now focusing more on user authentication based on behavioral biometrics. Therefore, the aim of this work is to investigate the benefits, as well as the limitations of behavioral biometrics for mobile user authentication in order to provide a foundation for organizing research efforts toward the design and development of proper user authentication solutions based on behavioral biometrics for mobile devices.