CASA: Context-Aware Scalable Authentication

We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user’s current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility of our concept and users’ receptiveness to it. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not use any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.
