Abstract
Due to numerous data breaches, which often result in the disclosure of a substantial number of user passwords, the classic authentication scheme, where just a password is required to log in, has become inadequate. As a result, many popular web services now employ risk-based authentication systems, where various bits of information are requested in order to determine the authenticity of the authentication request. In this risk assessment process, values consisting of geo-location, IP address and browser-fingerprint information are typically used to detect anomalies in comparison with the user’s regular behavior.
In this paper, we focus on risk-based authentication mechanisms in the setting of mobile devices, which are known to fall short of providing reliable device-related information that can be used in the risk analysis process. More specifically, we present a web-based and low-effort system that leverages accelerometer data generated by a mobile device for the purpose of device re-identification. Furthermore, we evaluate the performance of these techniques and assess the viability of embedding such a system as part of existing risk-based authentication processes.
Acknowledgment
This research is partially funded by the Research Fund KU Leuven, and by the MediaTrust and TRU-BLISS projects funded by iMinds.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Van Goethem, T., Scheepers, W., Preuveneers, D., Joosen, W. (2016). Accelerometer-Based Device Fingerprinting for Multi-factor Mobile Authentication. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_7
DOI: https://doi.org/10.1007/978-3-319-30806-7_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30805-0
Online ISBN: 978-3-319-30806-7
eBook Packages: Computer Science (R0)