The fast evolving credential attacks have been a great security challenge to current password-based information systems. Recently, biometrics factors like facial, iris, or fingerprint that are difficult to forge rise as key elements for designing passwordless authentication. However, capturing and analyzing such factors usually require special devices, hindering their feasibility and practicality. To this end, we present WiASK, a device-free WiFi sensing enabled Authentication System exploring Keystroke dynamics. More specifically, WiASK captures keystrokes of a user typing a pre-defined easy-to-remember string leveraging the existing WiFi infrastructure. But instead of focusing on the string itself which are vulnerable to password attacks, WiASK interprets the way it is typed, i.e., keystroke dynamics, into user identity, based on the biologically validated correlation between them. We prototype WiASK on the low-cost off-the-shelf WiFi devices and verify its performance in three real environments. Empirical results show that WiASK achieves on average 93.7% authentication accuracy, 2.5% false accept rate, and 5.1% false reject rate.

This paper presents a series of secure PIN/password input methods resilient to shoulder hacking. When a person inputs a PIN or password to a smartphone, tablet, banking terminal, etc., there is a risk of shoulder hacking of the PIN or the password being stolen. To decrease the risk, we propose a method that erases key-top labels, moves them smoothly and simultaneously, and lets the user touch the target key after they stopped. The user only needs to trace a single key, but peepers have to trace the movements of all the keys at the same time. We extend the method by assigning different colors, shapes, and/or sizes to keys for enhancing distinguishability, which allows all the keys to be moved instantaneously after key-top labels are erased and the user to touch the target key. We also introduce a “move backward/forward” function that allows the user to play back the movements. This series of methods does not have the highest security, but it is easy to use and does not require any changes to the server side. Results of a performance evaluation demonstrate that this method has high resistance to shoulder hacking while providing satisfactory usability without large input errors.

This work aims to determine the propensity of password creation through the lens of language spheres. To this end, we consider four different countries, each with a different culture/language: China/Chinese, United Kingdom (UK) and India/English, and Japan/Japanese. We first employ a user study to verify whether language and culture are reflected in password creation. We found that users in India, Japan, and the UK prefer to create their passwords from base words, and the kinds of words they are incorporated into passwords vary between countries. We then test whether the findings obtained through the user study are reflected in a corpus of leaked passwords. We found that users in China and Japan prefer dates, while users in India, Japan, and the UK prefer names. We also found that cultural words (e.g., “sakura” in Japan and “football” in the UK) are frequently used to create passwords. Finally, we demonstrate that the knowledge on the linguistic background of targeted users can be exploited to increase the speed of the password guessing process.

Zero-effort bilateral authentication was introduced recently to use a trusted wristwear to continuously authenticate a smartphone user. A user is allowed to use the smartphone if both wristwear and smartphone are determined to be held by the same person by comparing the wristwear's motion with the smartphone's input or motion, depending on the grip — which hand holds the smartphone and which hand provides the input. Unfortunately, the scheme has several shortcomings. First, it may work improperly when the user is walking since the gait can conceal the wrist's motions of making touches. Second, it continuously compares the motions of the two devices, which incurs a heavy communication burden. Third, the acceleration-based grip inference, which assumes that the smartphone is horizontal with the ground is inapplicable in practice. To address these shortcomings, we propose WearAuth, wristwear-assisted user authentication for smartphones in this paper. WearAuth applies wavelet-based multi-resolution analysis to extract the desired touch-specific movements regardless of whether the user is stationary or moving; uses discrete Fourier transform-based approximate correlation to reduce the communication overhead; and takes a new approach to directly compute the relative device orientation without using acceleration to infer the grip more precisely. In two experiments with 50 subjects, WearAuth produced false negative rates of 3.6% or less and false positive rates of 1.69% or less. We conclude that WearAuth operates properly under various usage cases and is robust to sophisticated attacks.

Biometric authentication, namely using biometric features for authentication is gaining popularity in recent years as further modalities, such as fingerprint, iris, face, voice, gait, and others are exploited. We explore the effectiveness of three simple Electroencephalography (EEG) related biometric authentication tasks, namely resting, thinking about a picture, and moving a single finger. We present details of the data processing steps we exploit for authentication, including extracting features from the frequency power spectrum and MFCC, and training a multilayer perceptron classifier for authentication. For evaluation purposes, we record an EEG dataset of 27 test subjects. We use three setups, baseline, task-agnostic, and task-specific, to investigate whether person-specific features can be detected across different tasks for authentication. We further evaluate, whether different tasks can be distinguished. Our results suggest that tasks are distinguishable, as well as that our authentication approach can work both exploiting features from a specific, fixed, task as well as using features across different tasks.

With the rapid spread of smart devices, such as smartphones and tablet PCs, user authentication is becoming increasingly important because various kinds of data concerning user privacy are processed within them. At present, in the case of smart devices, password-based authentication is frequently used; however, biometric authentication has attracted more attention as a user authentication technology. A smart device is equipped with various sensors, such as cameras, microphones, and touch panels, many of which enable biometric information to be obtained. While the function of biometric authentication is available in many smart devices, there remain some problems to be addressed for more secure and convenient user authentication. In this paper, we summarize the current problems with user authentication on smart devices and propose a novel user authentication system based on the concept of context awareness to resolve these problems. We also present our evaluation of the performance of the system by using biometric information that was acquired from smart devices. The evaluation demonstrates the effectiveness of our system.

The Android pattern unlock is a widely adopted graphical password system that requires a user to draw a secret pattern connecting points arranged in a grid. The theoretical security of pattern unlock can be defined by the number of possible patterns. However, only upper bounds of the number of patterns have been known except for 3×3 and 4×4 grids for which the exact number of patterns was found by brute-force enumeration. In this letter, we present the first lower bound by computing the minimum number of visible points from each point in various subgrids.

The Android pattern unlock is a popular graphical password scheme, where a user is presented a 3×3 grid and required to draw a pattern on the onscreen grid. Each pattern is a sequence of at least four contact points with some restrictions. Theoretically, the security level of unlock patterns is determined by the size of the pattern space. However, the number of possible patterns is only known for 3×3 and 4×4 grids, which was computed by brute-force enumeration. The only mathematical formula for the number of possible patterns is a permutation-based upper bound. In this article, we present an improved upper bound by counting the number of “visible” points that can be directly reached by a point.

A dictionary attack against SSH is a common security threat. Many methods rely on network traffic to detect SSH dictionary attacks because the connections of remote login, file transfer, and TCP/IP forwarding are visibly distinct from those of attacks. However, these methods incorrectly judge the connections of automated operation tasks as those of attacks due to their mutual similarities. In this paper, we propose a new approach to identify user authentication methods on SSH connections and to remove connections that employ non-keystroke based authentication. This approach is based on two perspectives: (1) an SSH dictionary attack targets a host that provides keystroke based authentication; and (2) automated tasks through SSH need to support non-keystroke based authentication. Keystroke based authentication relies on a character string that is input by a human; in contrast, non-keystroke based authentication relies on information other than a character string. We evaluated the effectiveness of our approach through experiments on real network traffic at the edges in four campus networks, and the experimental results showed that our approach provides high identification accuracy with only a few errors.

As anonymity increasingly becomes a necessary and legitimate aim in many applications, a number of anonymous authentication schemes have been suggested over the years. Among the many schemes is Lee and Kwon's password-based authentication scheme for wireless environments. Compared with previous schemes, Lee and Kwon's scheme not only improves anonymity by employing random temporary IDs but also provides user-friendliness by allowing human-memorable passwords. In this letter, we point out that Lee and Kwon's scheme, despite its many merits, is vulnerable to off-line password guessing attacks and a forgery attack. In addition, we show how to eliminate these vulnerabilities.

Nowadays, a user authentication is very important in network environments. For safe authentication, they came up with six essential conditions in earlier studies. And a variety of mechanisms is presented by research scientists. However, they could not achieve the PFS. Because, though all these schemes are assumed that the communication between a smart card and a host is safe, actually it is not. Therefore, in this paper, we will point out what the communication between a smart card and a host is not safe, and propose a new user authentication mechanism that can reach to the PFS. And also, an encryption algorithm is used about 45% less than earlier studies in our proposed scheme. Thus, we can say that enhance the efficiency.

Recently, Kang et al. discussed some security flaws of Wu et al.'s and Wei et al.'s authentication schemes that guarantee user anonymity in wireless communications and showed how to overcome the problems regarding anonymity and the forged login messages. However, we will show that Kang et al.'s improved scheme still did not provide user anonymity as they claimed.

In this letter, anonymity problems of wireless communications are discussed. The weak points of previous studies is analyzed, then a user authentication scheme with anonymity enhanced for wireless communications is proposed.

In key-recovery methods using smart cards, a user can recover the disk encryption key in cooperation with the system administrator, even if the user has lost the smart card including the disk encryption key. However, the disk encryption key is known to the system administrator in advance in most key-recovery methods. Hence user's disk data may be read by the system administrator. Furthermore, if the disk encryption key is not known to the system administrator in advance, it is difficult to achieve a key authentication. In this paper, we propose a scheme which enables to recover the disk encryption key when the user's smart card is lost. In our scheme, the disk encryption key is not preserved anywhere and then the system administrator cannot know the key before key-recovery phase. Only someone who has a user's smart card and knows the user's password can decrypt that user's disk data. Furthermore, we measured the processing time required for user authentication in an experimental environment using a virtual machine monitor. As a result, we found that this processing time is short enough to be practical.

In 2004, Tsuji and Shimizu proposed a one-time password authentication protocol, named 2GR (Two-Gene-Relation password authentication protocol). The design goal of the 2GR protocol is to eliminate the stolen-verifier attack on SAS-2 (Simple And Secure password authentication protocol, ver.2) and the theft attack on ROSI (RObust and SImple password authentication protocol). Tsuji and Shimizu claimed that in the 2GR an attacker who has stolen the verifiers from the server cannot impersonate a legitimate user. This paper, however, will point out that the 2GR protocol is still vulnerable to an impersonation attack, in which any attacker can, without stealing the verifiers, masquerade as a legitimate user.

In 2002, Yeh, Shen, and Hwang proposed a one-time password authentication scheme using smart cards. However, Tsuji et al. and Ku et al. showed that it is vulnerable to the stolen verifier attack. Therefore, this paper proposes an improved one-time password authentication scheme, which not only keeps the security of the scheme of Yeh-Shen-Hwang but also can withstand the stolen verifier attack.

In 1998, Jan and Tseng proposed two integrated schemes of user authentication and access control which can be used to implement a protection system in distributed computer systems. This paper will analyze the security of both schemes and show that an intruder can easily forge a login, be accepted and logged in as a legal user, and access system resources. We will then propose a modified scheme to withstand our proposed attacks.