Security analysis and psychological study of authentication methods with PIN codes

Bultel, Xavier; Dreier, Jannik; Giraud, Matthieu; Izaute, Marie; Kheyrkhah, Timothée; Lafourcade, Pascal; Lakhzoum, Dounia; Marlin, Vincent; Mota, Ladislav

doi:10.1109/rcis.2018.8406648

Cited by 16 publications

(13 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…INTRODUCTION With the rapid rise in use of mobile devices, access security is becoming a global concern. As the most widely used and accepted method, password-based identity authentication [1] has many security loopholes, such as brute force cracking and smudge attacks [2]. Keystroke authentication can be a good alternative as it not only solves the insecurity of passwords but also has other advantages, such as low cost, high flexibility, and simpler hardware structure as compared to other biometric authentication methods [3][4][5], such as fingerprint and face identification.…”

Section: Imentioning

confidence: 99%

A User Authentication Enabled Piezoelectric Force Touch System for the Internet of Things

Huang¹,

Gao²,

Nathan³

2020

Preprint

View full text Add to dashboard Cite

In Internet of Things (IoT) applications, among various authentication techniques, keystroke authentication methods based on a user’s touch behavior have received increasing attention, due to their unique benefits. In this paper, we present a technique for obtaining high user authentication accuracy by utilizing a user’s touch time and force information, which are obtained from an assembled piezoelectric touch panel. After combining artificial neural networks with the user’s touch features, an equal error rate (EER) of 1.09% is achieved, and hence advancing the development of security techniques in the field of IoT.

show abstract

Section: Imentioning

confidence: 99%

A User Authentication Enabled Piezoelectric Force Touch System for the Internet of Things

Huang¹,

Gao²,

Nathan³

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…In [6], the authors developed the idea that public-key infrastructure based systems, such as strong passwords in combination with physical tokens, for example, a cell phone, would be more likely to be used and largely deployed. Nonetheless, it is worth mentioning that the most common procedure for mobile devices authentication is still a code of four or six digits [7].…”

Section: Related Workmentioning

confidence: 99%

“…Since the gradient and the Hessian matrix are computed with finite differences, the only prerequisite for Paratuck2 tensor decomposition is the factorization equation (7). Thus, the method can be transposed to other decompositions, such as CP, by merely changing the tensor decomposition equation.…”

Section: B Aphen and Approximate Derivativesmentioning

confidence: 99%

User-Device Authentication in Mobile Banking Using APHEN for Paratuck2 Tensor Decomposition

Charlier

Falk

State

et al. 2018

2018 IEEE International Conference on Data Mining Workshops (ICDMW)

View full text Add to dashboard Cite

The new financial European regulations such as PSD2 are changing the retail banking services. Noticeably, the monitoring of the personal expenses is now opened to other institutions than retail banks. Nonetheless, the retail banks are looking to leverage the user-device authentication on the mobile banking applications to enhance the personal financial advertisement. To address the profiling of the authentication, we rely on tensor decomposition, a higher dimensional analogue of matrix decomposition. We use Paratuck2, which expresses a tensor as a multiplication of matrices and diagonal tensors, because of the imbalance between the number of users and devices. We highlight why Paratuck2 is more appropriate in this case than the popular CP tensor decomposition, which decomposes a tensor as a sum of rank-one tensors. However, the computation of Paratuck2 is computational intensive. We propose a new APproximate HEssian-based Newton resolution algorithm, APHEN, capable of solving Paratuck2 more accurately and faster than the other popular approaches based on alternating least square or gradient descent. The results of Paratuck2 are used for the predictions of users' authentication with neural networks. We apply our method for the concrete case of targeting clients for financial advertising campaigns based on the authentication events generated by mobile banking applications.

show abstract

“…For user convenience, PINs are often short (up to eight digits) to allow access to only authorised users. PINs are widely used for user authentication such as withdrawing cash from mobile money or withdrawing money from an automated teller machine (ATM) [84]. Mtaho [52], Islam [85], Ombiro [86], Singh and Jasmine [87], Fan et al [88], Islam et al [89], and Zadeh and Barati [90] employed authentication schemes using PINs to verify user identity.…”

mentioning

confidence: 99%

“…The PIN should be easy to remember, random, and hard to guess, while it should be changed frequently, distinct for different accounts, and not written down or stored in plaintext [52]. However, using a PIN in mobile money authentication is susceptible to shoulder surfing attacks, brute force attacks, and smudge attacks [83,84,91]. • OTP: Elganzoury, Abdelhafez, and Hegazy [92] defined OTP as a unique and time-sensitive string of alphanumeric characters generated and forwarded to the user's mobile phone via either email or SMS for a single authentication session.…”

mentioning

confidence: 99%

Two-Factor Authentication Scheme for Mobile Money: A Review of Threat Models and Countermeasures

2020

View full text Add to dashboard Cite

The proliferation of digital financial innovations like mobile money has led to the rise in mobile subscriptions and transactions. It has also increased the security challenges associated with the current two-factor authentication (2FA) scheme for mobile money due to the high demand. This review paper aims to determine the threat models in the 2FA scheme for mobile money. It also intends to identify the countermeasures to overcome the threat models. A comprehensive literature search was conducted from the Google Scholar and other leading scientific databases such as IEEE Xplore, MDPI, Emerald Insight, Hindawi, ACM, Elsevier, Springer, and Specific and International Journals, where 97 papers were reviewed that focused on the topic. Descriptive research papers and studies related to the theme were selected. Three reviewers extracted information independently on authentication, mobile money system architecture, mobile money access, the authentication scheme for mobile money, various attacks on the mobile money system (MMS), threat models in the 2FA scheme for mobile money, and countermeasures. Through literature analysis, it was found that the threat models in the 2FA scheme for mobile money were categorised into five, namely, attacks against privacy, attacks against authentication, attacks against confidentiality, attacks against integrity, and attacks against availability. The countermeasures include use of cryptographic functions (e.g., asymmetric encryption function, symmetric encryption function, and hash function) and personal identification (e.g., number-based and biometric-based countermeasures). This review study reveals that the current 2FA scheme for mobile money has security gaps that need to be addressed since it only uses a personal identification number (PIN) and a subscriber identity module (SIM) to authenticate users, which are susceptible to attacks. This work, therefore, will help mobile money service providers (MMSPs), decision-makers, and governments that wish to improve their current 2FA scheme for mobile money.

show abstract

Security analysis and psychological study of authentication methods with PIN codes

Cited by 16 publications

References 27 publications

A User Authentication Enabled Piezoelectric Force Touch System for the Internet of Things

A User Authentication Enabled Piezoelectric Force Touch System for the Internet of Things

User-Device Authentication in Mobile Banking Using APHEN for Paratuck2 Tensor Decomposition

Two-Factor Authentication Scheme for Mobile Money: A Review of Threat Models and Countermeasures

Contact Info

Product

Resources

About