CASA: context-aware scalable authentication

We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user's current location). We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given the observed passive factors. We also present the results of three user studies evaluating the feasibility of our concept and users' receptiveness to it. Our results suggest that location data has good potential as a passive factor, and that users can eliminate up to 68% of active authentications when using an implementation of CASA, compared to always using a fixed active authentication. Furthermore, our participants, including those who do not use any security mechanism on their phones, were very positive about CASA and amenable to using it on their phones.
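The abstract describes the selection step only in outline: given passive factors, pick the least burdensome active scheme that still meets a stated security requirement. The following Python is an added illustration of that idea and is not the paper's own framework or code. It assumes a deliberately simplified risk model: the chance that an attacker (rather than the owner) holds the device is estimated from the current location, the chance that an attacker passes a given active scheme is a fixed per-attempt guess probability, and the requirement is a ceiling on the product of the two. All scheme names, per-location probabilities, costs and the unlock trace are constructed for the example.

```python
"""Simplified CASA-style selection of an active authentication scheme.

Added example, not the paper's implementation. Assumed model:
  risk(scheme | context) = P(attacker holds device | passive factors)
                           * P(attacker passes the active scheme)
The cheapest scheme whose risk is at or below the caller's target is chosen.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ActiveScheme:
    name: str
    attacker_pass_prob: float  # probability a single attacker attempt succeeds (assumed)
    user_cost: int             # relative effort for the legitimate user; lower is easier


# Constructed schemes, from least to most burdensome. The guess probabilities are
# illustrative assumptions (one uniformly random guess), not measured values.
SCHEMES: List[ActiveScheme] = [
    ActiveScheme("none", 1.0, 0),
    ActiveScheme("pin4", 1e-4, 1),
    ActiveScheme("password", 1e-6, 2),
]

# Constructed estimates of P(attacker holds the device) per location. Storing the
# attacker probability directly avoids a 1 - p subtraction and its rounding noise.
LOCATION_ATTACKER_PROB: Dict[str, float] = {
    "home": 0.005,
    "work": 0.02,
    "unknown": 0.2,
}


def attacker_prob(passive: Dict[str, str]) -> float:
    """Map passive factors to P(attacker). Only 'location' is modelled here;
    an unrecognised or missing location falls back to the 'unknown' estimate."""
    loc = passive.get("location", "unknown")
    return LOCATION_ATTACKER_PROB.get(loc, LOCATION_ATTACKER_PROB["unknown"])


def select_scheme(passive: Dict[str, str], target_risk: float) -> ActiveScheme:
    """Return the lowest-cost scheme whose combined risk meets target_risk.

    Raises ValueError when no available scheme can satisfy the requirement, so a
    caller cannot silently fall through to an under-strength scheme.
    """
    if not 0.0 < target_risk <= 1.0:
        raise ValueError("target_risk must be in (0, 1]")
    p_attacker = attacker_prob(passive)
    for scheme in sorted(SCHEMES, key=lambda s: s.user_cost):
        if p_attacker * scheme.attacker_pass_prob <= target_risk:
            return scheme
    raise ValueError(
        f"no scheme meets target_risk={target_risk} for context {passive}"
    )


def fraction_active_avoided(locations: Sequence[str], target_risk: float) -> float:
    """Share of unlock events in a trace that need no active authentication,
    i.e. the usability gain CASA buys relative to always prompting."""
    if not locations:
        return 0.0
    avoided = sum(
        select_scheme({"location": loc}, target_risk).name == "none"
        for loc in locations
    )
    return avoided / len(locations)


# Constructed one-day unlock trace: 10 unlocks at home, 8 at work, 2 elsewhere.
SAMPLE_TRACE: List[str] = ["home"] * 10 + ["work"] * 8 + ["unknown"] * 2

if __name__ == "__main__":
    for target in (1e-2, 1e-6):
        chosen = {loc: select_scheme({"location": loc}, target).name
                  for loc in LOCATION_ATTACKER_PROB}
        print(f"target {target:g}: {chosen}, "
              f"avoided {fraction_active_avoided(SAMPLE_TRACE, target):.0%}")
```

Lowering `target_risk` (a more sensitive app or data) pushes every context toward a stronger scheme; with the constructed numbers a lax target lets the home context skip active authentication entirely, while a strict one demands a password even at work. The explicit `ValueError` is the check a deployment needs: when the passive factors alone are too weak for the requirement, the policy must refuse or escalate rather than quietly accept the strongest scheme it happens to have.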
