Abstract
Authenticating a user the correct way is paramount to IT systems, where the risk is growing more and more in number and complexity. This is specially important in mobile phones, where a number of applications require continuous device authentication following the Point-of-Entry user authentication. Existing common approach in systems that require strict security rules and regulations is to use a One-Time-Password (OTP). Usually the OTP is generated using a special hardware device or another application that is synchronised with the back-end system. Another approach is to use SMS based activation/approval codes such as used by Telegram, Facebook, Twitter and other social media platforms. However, this approach has three major drawbacks: (1) it requires active user participation/interaction which could be annoying if repeated continuously, (2) SMS messages can be accessed by service provider’s employees, and (3) it does not consider the authenticity of the device from which the services are being accessed. The later is particularly serious as access sessions can be hijacked by malicious entities. In this paper, we investigate the possibility of using the user’s address book (contacts list) to continuously authenticate the device to ensure the services are only accessed from the mobile phone that belongs to the legitimate user. We call this authentication the Who-You-Know (WYK) scheme. For our research, we developed three components, the WYK-Mobile-Service, WYK-API-Server and a Mobile-Demo-Application. The WYK-API-Server exposes a set of authentication server APIs and the WYK-Mobile-Service consumes these APIs to authenticate the device every time the mobile applications are launched and make a request to the API server. Finally, the Mobile-Demo-Application will extract user’s data from the server if the device is successfully authenticated.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Patel, V.M., Chellappa, R., Chandra, D., Barbello, B.: Continuous user authentication on mobile devices: Recent progress and remaining challenges. IEEE Signal Process. Mag. 33(4), 49–61 (2016)
Aviv, A.J., Gibson, K.L., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: Miller, C., Shacham, H. (eds.) 4th USENIX Workshop on Offensive Technologies, WOOT 2010, Washington, D.C., August 9, 2010. USENIX Association (2010)
Mayron, L.: Biometric authentication on mobile devices. IEEE Secur. Privacy 13(03), 70–73 (2015)
Azimpourkivi, M., Topkara, U., Carbunar, B.: A secure mobile authentication alternative to biometrics. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 28–41, Association for Computing Machinery, New York (2017)
Hazhirpasand Barkadehi, M., Nilashi, M., Ibrahim, O., Fardi, A.Z., Samad, S.: Authentication systems: a literature review and classification. Telemat. Inform. 35(5), 1491–1511 (2018)
Abuhamad, M., Abusnaina, A., Nyang, D., Mohaisen, D.A.: Sensor-based continuous authentication of smartphones’ users using behavioral biometrics: a survey. CoRR, abs/2001.08578 (2020)
Feng, T., et al.: Continuous mobile authentication using touchscreen gestures. In: 2012 IEEE Conference on Technologies for Homeland Security (HST), pp. 451–456 (2012)
Traore, I., Ahmed, A.A.E.: Continuous Authentication Using Biometrics: Data, Models, and Metrics. University of Victoria, Canada (2011)
Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D.: Touchalytics: on the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans. Inf. Forensics Secur. 8(1), 136–148 (2013)
Braz, C., Robert, J.-M.: Security and usability: the case of the user authentication methods. In: Proceedings of the 18th International Conference of the Association Francophone d’Interaction Homme-Machine, Montreal, Quebec, Canada, 18-21 April 2006, pp. 199–203 (2006)
Theofanos, M.F., Micheals, R.J., Stanton. B.C.: Biometrics systems include users. IEEE Syst. J. 3(4), 461–468 (2009)
NIST. Computer security resource center. https://csrc.nist.gov/glossary/term/entity_authentication
Schneider, F.B.: Something you know, have, or are. https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Forsblom, N.: Were you aware of all these sensors in your smartphone? (2015). https://blog.adtile.me/2015/11/12/were-you-aware-of-all-these-sensors-in-your-smartphone/
Gupta, S., Buriro, A., Crispo1, B.: Demystifying authentication concepts in smartphones: ways and types to secure access. Adv. Person. Mobile Serv. 2018(2018)
Bertino, E., Bettini, C., Ferrari, E., Samarati, P.: An access control model supporting periodicity constraints and temporal reasoning. ACM Trans. Database Syst. 23(3), 231–285 (1998)
Crawford, H., Renaud, K.: Understanding user perceptions of transparent authentication on a mobile device. J. Trust Manag. 7 (2014)
Buriro, A., Crispo, B., Zhauniarovich. Y.: Please hold on: unobtrusive user authentication using smartphone’s built-in sensors. In: 2017 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8 (2017)
Michaluk, K., Nickinson, P., Ritchie, R., Rubino, D.: The future of authentication: Biometrics, multi-factor, and co-dependency (2021). https://www.androidcentral.com/talk-mobile/future-authentication-biometrics-multi-factor-and-co-dependency-talk-mobile
Stanislav, M.: Two-Factor Authentication. IT Governance Ltd., Berlin (2015)
De Luca, A., et al.: Back-of-device authentication on smartphones. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2013, pp. 2389–2398 (2013)
Incel, D.Ö., et al.: DAKOTA: sensor and touch screen-based continuous authentication on a mobile banking application. IEEE Access 9, 38943–38960 (2021)
Teh, P.S., et al.: Strengthen user authentication on mobile devices by using user’s touch dynamics pattern. J. Ambient. Intell. Humaniz. Comput., 11(10):4019–4039 (2020)
Schürmann, D., Brüsch, A., Sigg, S., Wolf, L.: Bandana - body area network device-to-device authentication using natural gait. In: 2017 IEEE International Conference on Pervasive Computing and Communications (PerCom), pp. 190–196 (2017)
Zhang, J., Wang, Z., Yang, Z., Zhang, Q.: Proximity based IoT device authentication. In: IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, pp. 1–9 (2017)
Shen, M., et al.: Blockchain-assisted secure device authentication for cross-domain industrial IoT. IEEE J. Select. Areas Commun. 38(5), 942–954 (2020)
Khalid, U., Asim, M., Baker, T., Hung, P.C.K., Tariq, M.A., Rafferty, L.: A decentralized lightweight blockchain-based authentication mechanism for IoT systems. Clust. Comput., 23(3), 2067–2087 (2020)
Gong, L., Alghazzawi, D.M., Cheng. L.: BCoT sentry: A blockchain-based identity authentication framework for IoT devices. Information 12(5) (2021)
Chen, F., Tang, X., Cheng, X., Xie, D., Wang, T., Zhao, C.: Blockchain-based efficient device authentication protocol for medical cyber-physical systems. Secur. Commun. Netw. 2021 (2021)
MySQL. Mysql: The World’d Most Popular Open Source Database. https://www.mysql.com/
Golang. Go. https://golang.org/
Lowe, G.: Casper: a compiler for the analysis of security protocols. In: Proceedings 10th Computer Security Foundations Workshop, pp. 18–30 (1997)
University of Oxford: Department of Computer Science. Installing casper. http://www.cs.ox.ac.uk/gavin.lowe/Security/Casper/installation.html, 2021
University of Oxford. Fdr4 - the CSP refinement checker. https://cocotec.io/fdr/
Herzog, J.: A computational interpretation of Dolev-Vao adversaries. Theor. Comput. Sci. 340(1), 57–81 (2005)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Msgna, M., Katsikas, S., Gkioulos, V. (2021). WYK: Mobile Device Authentication Using the User’s Address Book. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2021. Lecture Notes in Computer Science(), vol 13136. Springer, Cham. https://doi.org/10.1007/978-3-030-93747-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-93747-8_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93746-1
Online ISBN: 978-3-030-93747-8
eBook Packages: Computer ScienceComputer Science (R0)