Skip to main content
SpringerLink
Log in

WYK: Mobile Device Authentication Using the User’s Address Book

  • Conference paper
  • First Online:
Emerging Technologies for Authorization and Authentication (ETAA 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13136))

  • 534 Accesses

Abstract

Authenticating a user the correct way is paramount to IT systems, where the risk is growing more and more in number and complexity. This is specially important in mobile phones, where a number of applications require continuous device authentication following the Point-of-Entry user authentication. Existing common approach in systems that require strict security rules and regulations is to use a One-Time-Password (OTP). Usually the OTP is generated using a special hardware device or another application that is synchronised with the back-end system. Another approach is to use SMS based activation/approval codes such as used by Telegram, Facebook, Twitter and other social media platforms. However, this approach has three major drawbacks: (1) it requires active user participation/interaction which could be annoying if repeated continuously, (2) SMS messages can be accessed by service provider’s employees, and (3) it does not consider the authenticity of the device from which the services are being accessed. The later is particularly serious as access sessions can be hijacked by malicious entities. In this paper, we investigate the possibility of using the user’s address book (contacts list) to continuously authenticate the device to ensure the services are only accessed from the mobile phone that belongs to the legitimate user. We call this authentication the Who-You-Know (WYK) scheme. For our research, we developed three components, the WYK-Mobile-Service, WYK-API-Server and a Mobile-Demo-Application. The WYK-API-Server exposes a set of authentication server APIs and the WYK-Mobile-Service consumes these APIs to authenticate the device every time the mobile applications are launched and make a request to the API server. Finally, the Mobile-Demo-Application will extract user’s data from the server if the device is successfully authenticated.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Patel, V.M., Chellappa, R., Chandra, D., Barbello, B.: Continuous user authentication on mobile devices: Recent progress and remaining challenges. IEEE Signal Process. Mag. 33(4), 49–61 (2016)

    Article  Google Scholar 

  2. Aviv, A.J., Gibson, K.L., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: Miller, C., Shacham, H. (eds.) 4th USENIX Workshop on Offensive Technologies, WOOT 2010, Washington, D.C., August 9, 2010. USENIX Association (2010)

    Google Scholar 

  3. Mayron, L.: Biometric authentication on mobile devices. IEEE Secur. Privacy 13(03), 70–73 (2015)

    Article  Google Scholar 

  4. Azimpourkivi, M., Topkara, U., Carbunar, B.: A secure mobile authentication alternative to biometrics. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 28–41, Association for Computing Machinery, New York (2017)

    Google Scholar 

  5. Hazhirpasand Barkadehi, M., Nilashi, M., Ibrahim, O., Fardi, A.Z., Samad, S.: Authentication systems: a literature review and classification. Telemat. Inform. 35(5), 1491–1511 (2018)

    Google Scholar 

  6. Abuhamad, M., Abusnaina, A., Nyang, D., Mohaisen, D.A.: Sensor-based continuous authentication of smartphones’ users using behavioral biometrics: a survey. CoRR, abs/2001.08578 (2020)

    Google Scholar 

  7. Feng, T., et al.: Continuous mobile authentication using touchscreen gestures. In: 2012 IEEE Conference on Technologies for Homeland Security (HST), pp. 451–456 (2012)

    Google Scholar 

  8. Traore, I., Ahmed, A.A.E.: Continuous Authentication Using Biometrics: Data, Models, and Metrics. University of Victoria, Canada (2011)

    Google Scholar 

  9. Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D.: Touchalytics: on the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans. Inf. Forensics Secur. 8(1), 136–148 (2013)

    Article  Google Scholar 

  10. Braz, C., Robert, J.-M.: Security and usability: the case of the user authentication methods. In: Proceedings of the 18th International Conference of the Association Francophone d’Interaction Homme-Machine, Montreal, Quebec, Canada, 18-21 April 2006, pp. 199–203 (2006)

    Google Scholar 

  11. Theofanos, M.F., Micheals, R.J., Stanton. B.C.: Biometrics systems include users. IEEE Syst. J. 3(4), 461–468 (2009)

    Google Scholar 

  12. NIST. Computer security resource center. https://csrc.nist.gov/glossary/term/entity_authentication

  13. Schneider, F.B.: Something you know, have, or are. https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html

  14. Forsblom, N.: Were you aware of all these sensors in your smartphone? (2015). https://blog.adtile.me/2015/11/12/were-you-aware-of-all-these-sensors-in-your-smartphone/

  15. Gupta, S., Buriro, A., Crispo1, B.: Demystifying authentication concepts in smartphones: ways and types to secure access. Adv. Person. Mobile Serv. 2018(2018)

    Google Scholar 

  16. Bertino, E., Bettini, C., Ferrari, E., Samarati, P.: An access control model supporting periodicity constraints and temporal reasoning. ACM Trans. Database Syst. 23(3), 231–285 (1998)

    Article  Google Scholar 

  17. Crawford, H., Renaud, K.: Understanding user perceptions of transparent authentication on a mobile device. J. Trust Manag. 7 (2014)

    Google Scholar 

  18. Buriro, A., Crispo, B., Zhauniarovich. Y.: Please hold on: unobtrusive user authentication using smartphone’s built-in sensors. In: 2017 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8 (2017)

    Google Scholar 

  19. Michaluk, K., Nickinson, P., Ritchie, R., Rubino, D.: The future of authentication: Biometrics, multi-factor, and co-dependency (2021). https://www.androidcentral.com/talk-mobile/future-authentication-biometrics-multi-factor-and-co-dependency-talk-mobile

  20. Stanislav, M.: Two-Factor Authentication. IT Governance Ltd., Berlin (2015)

    Google Scholar 

  21. De Luca, A., et al.: Back-of-device authentication on smartphones. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2013, pp. 2389–2398 (2013)

    Google Scholar 

  22. Incel, D.Ö., et al.: DAKOTA: sensor and touch screen-based continuous authentication on a mobile banking application. IEEE Access 9, 38943–38960 (2021)

    Google Scholar 

  23. Teh, P.S., et al.: Strengthen user authentication on mobile devices by using user’s touch dynamics pattern. J. Ambient. Intell. Humaniz. Comput., 11(10):4019–4039 (2020)

    Google Scholar 

  24. Schürmann, D., Brüsch, A., Sigg, S., Wolf, L.: Bandana - body area network device-to-device authentication using natural gait. In: 2017 IEEE International Conference on Pervasive Computing and Communications (PerCom), pp. 190–196 (2017)

    Google Scholar 

  25. Zhang, J., Wang, Z., Yang, Z., Zhang, Q.: Proximity based IoT device authentication. In: IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, pp. 1–9 (2017)

    Google Scholar 

  26. Shen, M., et al.: Blockchain-assisted secure device authentication for cross-domain industrial IoT. IEEE J. Select. Areas Commun. 38(5), 942–954 (2020)

    Article  Google Scholar 

  27. Khalid, U., Asim, M., Baker, T., Hung, P.C.K., Tariq, M.A., Rafferty, L.: A decentralized lightweight blockchain-based authentication mechanism for IoT systems. Clust. Comput., 23(3), 2067–2087 (2020)

    Google Scholar 

  28. Gong, L., Alghazzawi, D.M., Cheng. L.: BCoT sentry: A blockchain-based identity authentication framework for IoT devices. Information 12(5) (2021)

    Google Scholar 

  29. Chen, F., Tang, X., Cheng, X., Xie, D., Wang, T., Zhao, C.: Blockchain-based efficient device authentication protocol for medical cyber-physical systems. Secur. Commun. Netw. 2021 (2021)

    Google Scholar 

  30. MySQL. Mysql: The World’d Most Popular Open Source Database. https://www.mysql.com/

  31. Golang. Go. https://golang.org/

  32. Lowe, G.: Casper: a compiler for the analysis of security protocols. In: Proceedings 10th Computer Security Foundations Workshop, pp. 18–30 (1997)

    Google Scholar 

  33. University of Oxford: Department of Computer Science. Installing casper. http://www.cs.ox.ac.uk/gavin.lowe/Security/Casper/installation.html, 2021

  34. University of Oxford. Fdr4 - the CSP refinement checker. https://cocotec.io/fdr/

  35. Herzog, J.: A computational interpretation of Dolev-Vao adversaries. Theor. Comput. Sci. 340(1), 57–81 (2005)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Norwegian University of Science and Technology (NTNU), Teknologivegen 22, 2815, Gjøvik, Norway

    Mehari Msgna, Sokratis Katsikas & Vasileios Gkioulos

Authors
  1. Mehari Msgna
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sokratis Katsikas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vasileios Gkioulos
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mehari Msgna .

Editor information

Editors and Affiliations

  1. Consiglio Nazionale delle Ricerche, Pisa, Italy

    Andrea Saracino

  2. Institute of Informatics and Telematics, Pisa, Italy

    Paolo Mori

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Msgna, M., Katsikas, S., Gkioulos, V. (2021). WYK: Mobile Device Authentication Using the User’s Address Book. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2021. Lecture Notes in Computer Science(), vol 13136. Springer, Cham. https://doi.org/10.1007/978-3-030-93747-8_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-93747-8_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93746-1

  • Online ISBN: 978-3-030-93747-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation