Smartphone as a biometric service for web authentication

Authentication is a crucial mechanism for securing an application and a user's personal data: it allows only the rightful user to access the application and the corresponding data, and must not permit any kind of impersonation. To prevent impersonation, biometric mechanisms have been used to read a biological characteristic of the user. However, the extra hardware needed to read the biometric feature is usually a problem, and in some scenarios it will definitely prevent adoption. Nowadays this problem can be reduced, since almost every adult possesses a smartphone, which contains several sensors that can be used to read biometric information from a user. This work proposes a mechanism that allows a smartphone to act as a biometric reader for different levels of tasks and data available in a web application. To bind a smartphone to a web application, we use a QR code sent from the web server to the web client; the smartphone reads it and sends it back to the web server, so the web server knows that the actual user is close to the web client. This paper also discusses how to evaluate the usability of the proposed mechanism.
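The binding flow described above, as an added example that is not the paper's own code: a Python sketch of the web-server and phone sides, assuming (the paper does not specify these details) that each QR challenge is a random single-use nonce with a short lifetime tied to the browser session that displayed it, and that the phone proves it is the enrolled device with an HMAC over the challenge using a key set up at enrollment.

```python
import os, time, json, hmac, hashlib, base64

QR_TTL_SECONDS = 60  # assumed challenge lifetime; not stated in the paper


class QrBindingServer:
    """Web-server side of the QR binding. Challenges are single-use, short-lived,
    bound to the browser session that rendered them, and must be confirmed by the
    enrolled phone (device key + HMAC is an assumption of this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.device_keys = {}  # user -> key stored on the phone at enrollment
        self.pending = {}      # challenge -> {session, user, level, issued}
        self.sessions = {}     # browser session -> highest level confirmed

    def enroll_phone(self, user):
        key = os.urandom(32)
        self.device_keys[user] = key
        return key  # handed to the phone once, during enrollment

    def issue_qr(self, session_id, user, level):
        """Step 1: create a challenge for this session and return the QR payload."""
        challenge = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
        self.pending[challenge] = dict(session=session_id, user=user,
                                       level=level, issued=self.clock())
        return json.dumps({"challenge": challenge, "level": level})

    def confirm(self, user, challenge, biometric_ok, tag):
        """Step 2: phone posts the scanned challenge, its biometric verdict and HMAC."""
        entry = self.pending.pop(challenge, None)  # pop => single use, even on failure
        key = self.device_keys.get(user)
        if entry is None or key is None or entry["user"] != user:
            return False
        if self.clock() - entry["issued"] > QR_TTL_SECONDS:
            return False  # stale QR photographed earlier is rejected
        expected = hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag) or not biometric_ok:
            return False
        sess = entry["session"]
        self.sessions[sess] = max(self.sessions.get(sess, 0), entry["level"])
        return True

    def level(self, session_id):
        return self.sessions.get(session_id, 0)


def phone_scan_and_confirm(server, user, device_key, qr_payload, biometric_ok=True):
    """Phone side: parse the scanned QR, run the local biometric check, sign the nonce."""
    challenge = json.loads(qr_payload)["challenge"]
    tag = hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()
    return server.confirm(user, challenge, biometric_ok, tag)
```

The `level` recorded per browser session is what the web application would consult before releasing a task or data of that sensitivity.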
