UAB - The University of Alabama at Birmingham

Strong User Authentication

User authentication is a classical problem in computer and information security. The problem occurs whenever a user, wanting access to a computing device (remote or otherwise), has to prove to the device her possession of certain credential(s) that she has pre-established with that device. The primary goal of user authentication is to ascertain that only a legitimate user, possessing appropriate credentials, is granted access. In other words, any entity not in possession of appropriate credentials must not be able to impersonate a legitimate user. Typical credentials employed for user authentication fall into the following categories of authentication “factors”: (1) “Something You Know,” such as passwords or PINs, (2) “Something You Have,” such as a token or a card, and (3) “Something You Are,” such as biometrics; or combinations thereof.

Of these, passwords or PINs are still the most widely deployed, but authentication tokens have also seen some deployment, e.g., in automated toll collection and ID badges. Biometrics have become increasingly popular on personal devices and in applications such as border and immigration control, e.g., in the United States and Japan. The use of multiple factors for authentication (e.g., “two-factor” authentication using RSA SecurID) has also been incorporated into systems which require a high level of security. Ideally, a user authentication mechanism should satisfy the goals of security, efficiency, usability and universality (i.e., deployability on a wide range of devices and servers). However, the currently adopted methods of authentication listed above fall short of at least one of these goals. (Textual) Passwords are clearly universal and efficient. However, usable passwords tend to be “weak” in practice and vulnerable to guessing or brute-forcing attempts, eavesdropping or observation attacks, and social engineering. Graphical passwords arguably improve the memorability (and thus usability) of passwords; however, their deployment is relatively limited so far. Use of specialized authentication tokens is not universal, has poor usability and is vulnerable to physical theft and duplication. Biometrics seem, at first glance, to provide a good balance between security, efficiency, and usability. However, because biometric information is privacy-sensitive, their use is mostly viable on personal devices. Multiple factors of authentication often improve security, however, at the cost of poor usability as well as lack of universality.

In summary, none of the existing authentication mechanisms fully solves the authentication problem. Despite their weaknesses, however, we continue using some of these mechanisms in our day-to-day lives, thus undermining the security of our computer systems. The focus of this research is to discover and realize novel user authentication methods that reconcile security, efficiency, usability, and universality, thereby addressing the challenges discussed above. Unlike traditional research on the topic of user authentication, however, we will not emphasize developing new authentication technologies from scratch. Instead, we aim to solve the problem of authentication through an interplay among existing techniques. Our design choice is motivated by the fact that most existing authentication schemes excel at one of the stated objectives. For instance, despite their shortcomings, passwords are universally deployed, whereas biometrics are likely the most usable and viable authentication method for personal devices. Our thesis is that we can take advantage of commodity hardware, with “near-universal” deployment, to simultaneously leverage the desirable properties of different authentication primitives.

In this research, we propose novel ways of strong authentication and of strengthening universally deployed password authentication by leveraging a new factor of authentication we call “Something You Always Have.” The latter is a ubiquitous device such as a personal mobile phone. We observe that a mobile phone has become an integral and indispensable part of users’ lives, and unlike other authentication tokens, it is almost constantly available and accessible to the user. We believe, therefore, that such a device can be effectively exploited to achieve strong and universally applicable user authentication. In particular, we explore two promising research directions: (1) proxy-based authentication (see figure above) and (2) observation-resilient authentication. The first approach uses the phone as an authentication proxy between the user and the device she wishes to authenticate to, and can be efficiently used to strongly authenticate to a wide variety of devices (including personal RFIDs) as well as remote servers. In the second approach, the mobile phone is used to split the challenge issued by the device the user is authenticating to. By splitting the challenge into two channels, observation attacks are significantly more difficult to carry out, as an observer needs the ability to monitor both channels simultaneously and to recombine the information they independently convey.
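The following is an added toy model of the challenge-splitting idea described above; it is not code from the UAB project, and its concrete mechanics are assumptions: the verifying device draws a fresh random challenge, splits it into two XOR shares (one shown on its screen, one delivered to the user's phone), and the user's response is an HMAC over the recombined challenge keyed by a password-derived secret. The point it demonstrates is that a single observed channel is uniformly random and a captured response cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import secrets


def split_challenge(challenge: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR sharing (assumed mechanism): each share alone is a uniformly
    random string, so an observer of one channel learns nothing about the
    challenge. Returns (display_share, phone_share)."""
    phone_share = secrets.token_bytes(len(challenge))
    display_share = bytes(a ^ b for a, b in zip(challenge, phone_share))
    return display_share, phone_share


def recombine(display_share: bytes, phone_share: bytes) -> bytes:
    """User-side step: XOR the two channels back into the original challenge."""
    return bytes(a ^ b for a, b in zip(display_share, phone_share))


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Response bound to both the recombined challenge and the user's secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Device-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(respond(secret, challenge), response)


def run_session(secret: bytes) -> dict:
    """One authentication round. The dict records what each party ends up
    with, including the display share a shoulder-surfer would see."""
    challenge = secrets.token_bytes(16)  # fresh per session, never reused
    display_share, phone_share = split_challenge(challenge)
    user_challenge = recombine(display_share, phone_share)
    response = respond(secret, user_challenge)
    return {
        "challenge": challenge,
        "display_share": display_share,
        "response": response,
        "accepted": verify(secret, challenge, response),
    }


def replay_attempt(secret: bytes, observed_response: bytes) -> bool:
    """Device side: a fresh challenge is drawn and a response captured from an
    earlier session is checked against it. Expected outcome: rejected."""
    fresh_challenge = secrets.token_bytes(16)
    return verify(secret, fresh_challenge, observed_response)
```

The secret here stands in for whatever the user and device pre-established; deriving it from a password (e.g., with a salted KDF) is outside what this model shows.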