A Survey on Quantitative Risk Estimation Approaches for Secure and Usable User Authentication on Smartphones

Mobile user authentication acts as the first line of defense, establishing confidence in the claimed identity of a mobile user, typically as a precondition to granting access to resources on a mobile device. NIST states that password schemes and/or biometrics are the most conventional user authentication mechanisms for mobile devices. Nevertheless, recent studies point out that password-based user authentication has several limitations in terms of security and usability, and it is no longer considered secure and convenient for mobile users. These limitations stress the need for the development and implementation of more secure and usable user authentication methods. Biometric-based user authentication, by contrast, has gained attention as a promising solution for enhancing mobile security without sacrificing usability. This category encompasses methods that utilize human physical traits (physiological biometrics) or unconscious behaviors (behavioral biometrics). In particular, risk-based continuous user authentication relying on behavioral biometrics appears to have the potential to increase the reliability of authentication without sacrificing usability. In this context, we first present the fundamentals of risk-based continuous user authentication relying on behavioral biometrics on mobile devices. Additionally, we present an extensive overview of the quantitative risk estimation approaches (QREA) found in the literature. We do so not only for risk-based user authentication on mobile devices, but also for other security applications, such as user authentication in web/cloud services and intrusion detection systems, whose approaches could potentially be adopted in risk-based continuous user authentication solutions for smartphones. 
The aim of this study is to provide a foundation for organizing research efforts toward the design and development of suitable quantitative risk estimation approaches for risk-based continuous user authentication solutions for smartphones. The reviewed quantitative risk estimation approaches have been divided into the following five main categories: (i) probabilistic approaches, (ii) machine learning-based approaches, (iii) fuzzy logic models, (iv) non-graph-based models, and (v) Monte Carlo simulation models. Our main findings are summarized in the table at the end of the manuscript.
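To make the first category concrete, the following is an added example, not code from the survey or from any of the works it reviews: a minimal probabilistic (Bayesian) quantitative risk estimator for risk-based continuous authentication on a smartphone. Each behavioral sample is scored with a log-likelihood ratio between an impostor model and the enrolled owner's model, the impostor log-odds are accumulated over the session with exponential forgetting, and the resulting risk value drives a three-level policy (allow, step-up authentication, lock). The three features, the enrolment samples, the impostor ("population") model, the session prior, the forgetting factor and the decision thresholds are all constructed assumptions, not values from the paper.

```python
"""
Added example (not code from the survey or its authors): a small Bayesian
quantitative risk estimator for risk-based continuous authentication.
Everything below is a constructed assumption: the three features, the
enrolment data, the impostor ("population") model, the session prior,
the forgetting factor and the decision thresholds.
"""
import math
from dataclasses import dataclass
from statistics import fmean, pstdev

FEATURES = ("swipe_speed", "touch_pressure", "accel_variance")  # assumed features


@dataclass
class GaussianModel:
    """Independent per-feature Gaussian: one mean and one std per feature."""
    means: list
    stds: list

    def log_pdf(self, x):
        lp = 0.0
        for v, m, s in zip(x, self.means, self.stds):
            z = (v - m) / s
            lp += -0.5 * z * z - math.log(s) - 0.5 * math.log(2.0 * math.pi)
        return lp


def fit(samples):
    """Enrol a user: per-feature mean/std, floored so no feature has zero variance."""
    cols = list(zip(*samples))
    return GaussianModel([fmean(c) for c in cols], [max(pstdev(c), 1e-3) for c in cols])


class RiskSession:
    """Accumulates impostor log-odds over one unlocked session."""

    def __init__(self, genuine, impostor, prior_impostor=0.01, forget=0.9):
        self.genuine, self.impostor, self.forget = genuine, impostor, forget
        self.prior_log_odds = math.log(prior_impostor / (1.0 - prior_impostor))
        self.log_odds = self.prior_log_odds

    def update(self, x):
        llr = self.impostor.log_pdf(x) - self.genuine.log_pdf(x)
        # forgetting pulls old evidence back toward the prior so the score can recover
        carried = self.forget * (self.log_odds - self.prior_log_odds)
        # the clamp keeps exp() finite and caps how much evidence one session can bank
        self.log_odds = max(-30.0, min(30.0, self.prior_log_odds + carried + llr))
        return self.risk()

    def risk(self):
        """Posterior probability that the current user is not the enrolled owner."""
        return 1.0 / (1.0 + math.exp(-self.log_odds))


def decide(risk, step_up=0.5, lock=0.95):
    """Map a risk value to an action; the thresholds are assumed policy values."""
    if risk >= lock:
        return "lock"
    if risk >= step_up:
        return "step-up"
    return "allow"


# Constructed enrolment samples for the owner (swipe_speed, touch_pressure, accel_variance).
OWNER_ENROLMENT = [
    (1.10, 0.50, 0.06), (1.30, 0.60, 0.10), (1.20, 0.55, 0.08), (1.25, 0.58, 0.09),
    (1.15, 0.52, 0.07), (1.20, 0.55, 0.08), (1.05, 0.48, 0.05), (1.35, 0.62, 0.11),
]
# Constructed impostor model: broad population statistics, not fitted to any real data.
IMPOSTOR_MODEL = GaussianModel(means=[1.0, 0.5, 0.10], stds=[0.5, 0.2, 0.08])

# Constructed session: four owner-like samples, then three samples from someone else.
SESSION_SAMPLES = [
    (1.18, 0.56, 0.08), (1.22, 0.54, 0.09), (1.15, 0.57, 0.07), (1.25, 0.53, 0.08),
    (0.70, 0.75, 0.18), (0.65, 0.78, 0.20), (0.72, 0.74, 0.17),
]


def run_session(samples=SESSION_SAMPLES):
    """Return (risk, decision) after each sample of a session."""
    session = RiskSession(fit(OWNER_ENROLMENT), IMPOSTOR_MODEL)
    out = []
    for x in samples:
        risk = session.update(x)
        out.append((risk, decide(risk)))
    return out


if __name__ == "__main__":
    for x, (risk, action) in zip(SESSION_SAMPLES, run_session()):
        print(f"{x} -> risk={risk:.4f} {action}")
```

The owner-like samples keep the risk near zero and the session in the "allow" state; the first off-profile sample raises the posterior above the lock threshold. Two design points matter in practice: the forgetting factor bounds how much trust a long genuine session can bank, so a handover to another person is detected within a few samples rather than being averaged away, and the impostor model is what gives the score its meaning as a probability; in a real deployment it would be fitted on population data rather than chosen by hand as it is here.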
