A Location-Based Authentication System Leveraging Smartphones

This paper investigates a location-based authentication system in which authentication questions are generated from users' locations as tracked by their smartphones. More specifically, the system builds a location profile for a user from Wi-Fi access point beacons logged periodically over time, and leverages this location profile to generate authentication questions. To evaluate the various aspects of this location-based authentication approach, we deployed the application on users' smartphones and conducted a real-life study for one month with 14 users. To simulate various kinds of adversaries (e.g., Naive vs. Knowledgeable), we recruited volunteers in pairs (e.g., Friends), in addition to single participants. Over the course of the experiment, each user was periodically presented with two sets of authentication questions. The first set was generated from the user's own data. The second set was generated from a randomly selected user's data. Additionally, for paired participants, each user was presented with a third set of questions generated from the data of the user's friend. In each case, three different kinds of questions of varying difficulty levels were generated and presented to the user. Finally, we present a Bayesian-classifier-based authentication algorithm that can authenticate legitimate users with high accuracy by leveraging individual response patterns. We also discuss various aspects of location-based authentication mechanisms based on our findings in this paper.
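The last step of the abstract, authenticating from individual response patterns with a Bayesian classifier, can be sketched as a per-user Bernoulli naive Bayes model. This is an added illustration, not the paper's algorithm or code: the features (right or wrong per question kind), the labels `easy`/`medium`/`hard` and `legit`/`impostor`, the smoothing, the 0.8 threshold and all session data are assumptions constructed here.

```python
import math

KINDS = ("easy", "medium", "hard")  # assumed names for the three question kinds

def train(sessions, alpha=1.0):
    """Fit per-class Bernoulli parameters from (label, {kind: [bool, ...]}) sessions."""
    stats = {}
    for label, answers in sessions:
        s = stats.setdefault(label, {"sessions": 0, "hits": dict.fromkeys(KINDS, 0),
                                     "asked": dict.fromkeys(KINDS, 0)})
        s["sessions"] += 1
        for kind, results in answers.items():
            s["hits"][kind] += sum(results)
            s["asked"][kind] += len(results)
    total = sum(s["sessions"] for s in stats.values())
    return {label: {"prior": s["sessions"] / total,
                    # Laplace smoothing keeps unseen outcomes from zeroing the likelihood.
                    "p_correct": {k: (s["hits"][k] + alpha) / (s["asked"][k] + 2 * alpha)
                                  for k in KINDS}}
            for label, s in stats.items()}

def posterior_legit(model, answers):
    """P(legit | answers), computed in log space and normalised over both classes."""
    log_score = {}
    for label, params in model.items():
        score = math.log(params["prior"])
        for kind, results in answers.items():
            p = params["p_correct"][kind]
            score += sum(math.log(p if ok else 1.0 - p) for ok in results)
        log_score[label] = score
    top = max(log_score.values())
    norm = sum(math.exp(v - top) for v in log_score.values())
    return math.exp(log_score["legit"] - top) / norm

def authenticate(model, answers, threshold=0.8):
    return posterior_legit(model, answers) >= threshold

def session(easy, medium, hard):
    return {"easy": easy, "medium": medium, "hard": hard}

T, F = True, False
# Constructed history for one enrolled user: the owner's own answers ("legit") and
# other participants' answers to the same user's questions ("impostor").
HISTORY = [
    ("legit", session([T, T], [T, F], [F, F])), ("legit", session([T, T], [F, T], [F, F])),
    ("legit", session([T, T], [T, T], [F, F])), ("legit", session([T, T], [F, F], [F, F])),
    ("impostor", session([T, F], [F, F], [F, F])), ("impostor", session([F, T], [F, F], [F, F])),
    ("impostor", session([T, T], [F, F], [F, F])), ("impostor", session([F, F], [F, F], [F, F])),
]
MODEL = train(HISTORY)
```

In this constructed history nobody answers the `hard` questions correctly, so two wrong `hard` answers contribute the same likelihood to both classes and the decision rests on the `easy` and `medium` answers.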
