Frictionless Authentication Systems: Emerging Trends, Research Challenges and Opportunities
Tim Van hamme, Vera Rimmer, Davy Preuveneers, Wouter Joosen, Mustafa A. Mustafa, Aysajan Abidin, Enrique Argones Rúa
FFrictionless Authentication Systems: Emerging Trends, ResearchChallenges and Opportunities
Tim Van hamme, Vera Rimmer, Davy Preuveneers, Wouter Joosen,Mustafa A. Mustafa, Aysajan Abidin, and Enrique Argones R´ua ∗† Abstract
Authentication and authorization are critical security layers to protect a wide range of online systems, servicesand content. However, the increased prevalence of wearable and mobile devices, the expectations of a frictionlessexperience and the diverse user environments will challenge the way users are authenticated. Consumers demandsecure and privacy-aware access from any device, whenever and wherever they are, without any obstacles. Thispaper reviews emerging trends and challenges with frictionless authentication systems and identifies opportunitiesfor further research related to the enrollment of users, the usability of authentication schemes, as well as securityand privacy trade-offs of mobile and wearable continuous authentication systems.
Nowadays, the ubiquitous nature of mobile and wearable devices has allowed users to access a multitude of newapplications, services and content. More and more personal related information is stored on (or accessed via)personal devices such as smart phones, which enhances users’ experience and convenience, and creates new op-portunities for both, consumers and service providers. However, such access of multitude applications via personaldevices also brings new challenges for service providers that must now secure access from a wide variety of de-vices [1]. Moreover, there is a continuous growth of mobile malware and other mobile security threats. Thus, it isimportant these mobile devices to be equipped with reliable means of authentication and authorization.However, usually, these mobile and wearable devices have limited computational and interaction capabilities.Furthermore, because these devices are small, light, and easy to carry, there is also an associated risk in that theyare susceptible to loss and theft, and easier to break. The use of context information (such as the user’s currentlocation, his typical behavior, etc.) may also trigger privacy concerns. Moreover, due to the increased prevalenceof wearable and mobile applications, users nowadays expect a frictionless customer experience, making minimumeffort. Taking into account these characteristics, the way users are authenticated and granted access to a wide rangeof online services and content becomes more challenging.Ideally, users’ devices will jointly and continuously operate in the background to establish the identity of theindividual by continuously monitoring the context and detecting unusual deviations, as depicted in Figure 1. Theadvantage is that this will move the verification of the additional factors away from the user, making it transpar-ent, and thereby greatly improving the convenience for the user, but posing important privacy challenges whensensitive context information is used, the addressing of which is an important aspect. The objective of pursuing acollaborative multi-device approach is that it can be less vulnerable against malicious users or unauthorized accessafter theft or loss of a device. Systems that support such user experience are called frictionless authenticationsystems [2].In this paper we provide an overview of the emerging trends, research challenges and opportunities in such fric-tionless authentication systems that allow users to authenticate themselves using their devices to service providerswithout intentionally performing any specific authentication-related actions, such as entering a password.The rest of this paper is structured as follows. In Section 2, we review the current state of practice in mobile andmulti-factor authentication, as well as risk-adaptive solutions. Emerging trends on collaborative and behavioral arehighlighted in Section 3. Section 4 reviews challenges and opportunities for further research. We conclude thepaper in Section 5. ∗ This work was partially supported by the Research Council KU Leuven: C16/15/058. In addition, it was also funded by FWO throughSBO SPITE S002417N and imec through ICON DiskMan. DiskMan is a project realized in collaboration with imec. Project partners are Sony,IS4U and Televic Conference, with project support from VLAIO (Flanders Innovation and Entrepreneurship). † T. Van hamme, V. Rimmer, D. Preuveneers, and W. Joosen are with the imec-DistriNet research group, KU Leuven, Belgium. e-mail:( { tim.vanhamme, vera.rimmer, davy.preuveneers, wouter.joosen } @cs.kuleuven.be); M.A. Mustafa, A. Abidin and E. Argones R´ua are with theimec-COSIC research group, Departement of Electrical Engineering (ESAT), KU Leuven, Belgium. e-mail: ( { mustafa.mustafa, aysajan.abidin,enrique.argonesrua } @esat.kuleuven.be). a r X i v : . [ c s . CR ] F e b omogeneous and static AuthorizationAuthenticationHeterogeneous, dynamic and low-friction experience AuthorizationAuthentication Risksingle high-enddevicecollaborative mobile devices context, threat model, heuristics, policies, metrics, thresholds MULTI-FACTORSECURITY LEVELS adaptive, local and globalfactors, access history versatile assets, services, operations and security levelsrigid policies
Figure 1. Collaborative, frictionless and adaptive mulfi-factor authentication with many mobile devices.
Before highlighting emerging trends in frictionless authentication systems, we will briefly review current bestpractices and the state-of-the-art in multi-factor authentication.
Weak passwords are a major cause of data and security breaches [3]. With dictionary attacks and optimizedpassword cracking tools, users with simple or short (i.e., less than 8 characters) passwords are easy prey, especiallyif they use the same password for various services. Additionally, complex passwords are difficult to enter on mobileand wearable devices. This illustrates the generally acknowledged conception that passwords are problematic.Therefore, efforts are ongoing to replace password-based authentication with better alternatives [4–7]. With multi-factor authentication, users authenticate with a combination of authentication factors, i.e., knowledge, intrinsic(biometrics) and possession. Biometric factors like speaker recognition, fingerprints, iris or retina scans cannotbe forgotten, but may require expensive equipment to implement. Furthermore, such solutions require storingbiometric templates, which can also be compromised and which are often cumbersome to revoke.An interesting alternative to multi-factor mobile authentication is the Pico, a concept introduced by Stajano [8].The Pico is a dedicated hardware token to authenticate the user to a myriad of remote servers; it is designed to bevery secure while remaining quasi-effortless for users. The authentication process is based on the use of public-key cryptography and certificates, making common attacks on passwords (such as sniffing, phishing, guessing,and social engineering) impossible. Although being an interesting proposal, an actual implementation is currentlylacking.Leveraging on these recent initiatives, dynamic, multi-factor, collaborative and context-based authenticationcould further improve the current state-of-the-art on mobile authentication, finding an optimal balance betweencost, user-convenience and security and privacy. Early work in this direction was presented in [9] in which theauthors presented SmartAuth, a scalable context-aware authentication framework built on top of OpenAM, a state-of-practice Identity and Access Management (IAM) suite (see Figure 2). It uses adaptive and dynamic contextfingerprinting based on Hoeffding trees [10] to continuously ascertain the authenticity of a user’s identity.However, existing solutions that exploit context information often depend on a single device. Especially formobile devices, a simple device or browser fingerprint is hardly unique and can easily be intercepted and spoofedby an attacker [11]. uthenticate Username &PasswordBehavioralBiometricsContext User Behavior Analytics SuccessFailure
Identity and Access Management : Step-up Authentication
SMS Email e-ID
Figure 2. Risk-adaptive step-up authentication leveraging context and behaviometrics adopted within contemporary Identity and AccessManagement systems.
Authentication is a basic building block of practically all business models. As mobile devices and wearablescontinue to proliferate and become part of the user’s expanded computing environment - fundamentally changingthe way people access services and content - there is an associated security risk in that these devices are susceptibleto loss and theft because they are small, light, and easy to carry.The latest trend in access control models is Risk-Adaptive Access Control (RAdAC) where access decisionsdepend on dynamic risk assessments. There is a large body of knowledge on this topic in the scientific litera-ture [12–19], and risk-based authentication and access controls are being adopted in contemporary identity andaccess management solutions, such as SecureAuth IdP 8.0, RSA SecurID Risk-Based Authentication, CA Tech-nologies and ForgeRock’s OpenAM 14. Contextual information (device fingerprints, user location, time zone, IPaddress, time of day and other parameters) is used to evaluate the risk of users attempting to access a resource, butthe approach is often based on weighted score functions or meaningless user-defined risk thresholds.
Authentication means solely based on possession factors bear the risk that the unique possession factor could belost or stolen, hence compromising the security of the authentication system. Combining these schemes with otherauthentication factors, such as passwords or PINs, could improve the security, but at the cost of user-friendliness.Furthermore, one still needs to take into account the typical attacks on knowledge-based authentication factors,such as PIN guessing or phishing attacks. An interesting alternative are collaborative authentication schemes,where multiple devices jointly authenticate to a remote server or within a device-to-device setting. To limit the cost,the combination of wearables and the user’s smartphone would be preferred. Such collaborative authenticationschemes overcome the security problems of using a single possession factor during the authentication process asan adversary would have to steal multiple wearables to successfully impersonate a user, while still offering user-friendliness. Moreover, by using wearables the user is carrying anyhow, one avoids the need of employing externalhardware authentication tokens, which could be quite costly.The concept of collaborative authentication is to transform a challenge-response protocol with a single proverand verifier, to a challenge-response protocol with multiple collaborating provers and a single verifier. To mitigatethe threat of wearables being stolen or lost, and the fact that the set of wearables is dynamic (the user is not alwayscarrying the same set of wearables), threshold-based cryptography is used. The aim of threshold cryptography is toprotect a key by sharing it amongst a number of entities in such a way that only a subset of minimal size, namely athreshold t + 1 , can use the key. No information about the key can be learnt from t or less shares. Shamir [20] wasthe first to introduce this concept of secret sharing. Feldman [21] extended this concept by introducing verifiablesecret sharing. Pedersen [22] then used this idea to construct the first Distributed Key Generation (DKG) protocol.Shoup [23] showed how signature schemes such as RSA could be transformed into a threshold-based variant. ecurity Context
Usability Privacy
Figure 3. Security, privacy and usability trade-offs in frictionless authentication.
To increase the resilience in a threshold-based authentication scheme, the number of devices included in thethreshold scheme should be maximized. Therefore, Simoens et al. [24] presented a new DKG protocol and demon-strated how this allows wearables not capable of securely storing secret shares to be incorporated. Peeters et al. [25]used this idea to propose a threshold-based distance bounding protocol. A gap that remains to be filled is athreshold-based mobile authentication scheme, where the secret keying material is distributed among a set of per-sonal wearables. For recent developments in continuous authentication, we refer the reader to [26].
A recent trend in the area of continuous authentication is the use of behaviometrics. DARPA hosted the ActiveAuthentication program [27] in which various kinds of behavioral biometrics, i.e., metrics that measure humanbehavior to recognize or verify the identity of a person, are investigated. Several studies have investigated theapplication of using behaviometrics in order to provide an authentication method that is (a) continuous , duringan entire user session, and (b) non-intrusive , since the normal user interaction with the system is analyzed. Ithas been demonstrated that a user identity can be recognized and verified by means of several behaviometrics,such as keystroke dynamics, mouse movements (together with display resolution) [28], gait analysis [29], CPUand RAM usage [30], accelerometer [31] and battery fingerprints of mobile devices [32], stylometry [33], webbrowsing behavior [34], etc. An overview of techniques can be found in these works [35–37] and survey [38]. Akey challenge will be to investigate which combination of behaviometrics will deliver a sufficient low number offalse positives (mistakenly granted access = security concern) and false negatives (mistakenly denied access = userexperience concern) such that the risk is acceptable given the circumstances.
A frictionless authentication system is a complex system, involving multiple devices and sensors that interact witheach other. This complexity makes such systems also a very flexible kind of authentication system. Nonetheless,several challenges and research opportunities remain. Authentication systems are usually characterized by thefollowing interacting dimensions (see Figure 3):-
Security , which refers to how difficult it is for an impostor to be falsely authenticated.-
Usability , which describes how easy and convenient it is for genuine users to be authenticated.-
Privacy , which describes how any private information about the user being used are securely stored and/orprocessed by the system.Security and usability are usually a trade-off in most authentication systems. For instance, False Acceptanceand False Rejection Rates (FAR and FRR, respectively) are usually depicted in a ROC curve in biometric systems,and the lower the FAR is the higher the FRR is, where FAR is related to security, and FRR is related to usability.Hence, authentication systems are characterized by a specific security-usability trade-off. Regarding privacy, it canbe also related to the security and usability of an authentication system. For instance, biometric systems based onprotected templates, with a superior privacy protection when compared to their unprotected counterparts, usuallyprovide an inferior set of working points regarding usability and security. In addition, the disclosure of a biometrictemplate can lead to a security problem, unless appropriate revocation mechanisms are incorporated.ctive authentication systems involve multiple devices and sensors that interact with each other. This com-plexity also makes a frictionless authentication system a very flexible and powerful kind of system, which can bedynamically adapted to different usage scenarios, security-usability trade-offs, and overcome situations in whichother types of authentication mechanisms would normally fail. In what follows, we expose different challengesand opportunities related to these three dimensions, security , usability and privacy , and specific to frictionlessauthentication systems Regarding security, active authentication systems based on multiple behaviometrics and/or biometrics can provideincreased security, since they are intrinsically multi-factor, and each employed behavioural modality makes themmore difficult to spoof. However, the authentication decision will be based on the outcome of the classificationand/or clustering algorithms. Such algorithms are usually not 100% accurate [38], and in some cases the templatesmust be retrained by discarding old data to account for changes in the user’s behaviour. This creates an opportunityfor an attacker to impersonate a legitimate user by manipulating input data to compromise the learning process (i.e.,a poisoning attack).A specific security concern in continuous authentication systems is related to the enrollment. The enrollmentphase establishes the identity of the subject within the authentication systems. Typically, this is based on credentialsor certificates. However, with behavioral and context-dependent authentication, the enrollment phase becomes farmore challenging, especially when using a collaborative authentication relying on multiple mobile and wearabledevices. In the case of other biometrics, this can be done by ensuring the identity of the user during the enrollmentphase by other means. However, since the enrollment in behaviometrics is done in an uncontrolled environment,the enrollment can also pose a threat to security, since it may be easier to inject artificial data to the system.Furthermore, behavioral authentication systems relying on machine learning methods require a time-consumingtraining step on an individual basis before they become effective.
Regarding usability, the frictionless nature of continuous authentication makes these systems one of the mostconvenient and easy to use modalities, since the user does not even need to learn how to use the authentication sys-tem, and the authentication process is transparent, potentially providing a smooth user experience. Furthermore,the availability of different sensors and modalities opens the opportunity to provide a very flexible authenticationmechanism, where the system can implement different security/usability trade-offs for controlling the access to dif-ferent functionalities or services. However, this also poses a challenge regarding the design of template protectiontechniques, since this flexibility may increase significantly the complexity of the system.
Another key challenge with frictionless authentication systems is addressing the privacy concerns which arise whenuser behaviour analytics on sensitive data is used to continuously authenticate against online services.
Honestbut curious service providers can use the keystrokes − collected for behavioral authentication purposes − toreconstruct the original text typed by the users. In addition, accelerometer data could be used by the same kind ofadversary to reconstruct the whole history of a user’s location. Furthermore, continuous authentication can also usephysiological biometric measurements, whose implications regarding privacy are well known. Hence, employingthe adequate biometric template protection mechanisms and appropriately imposing data minimality principles inthe system design is even more important in continuous authentication. There is a continuous quest for stronger authentication systems that at the same time offer a frictionless experiencetowards users of mobile and wearable devices. Context and behavioral information are nowadays being adoptedin the enterprise marketplace as part of an adaptive authentication strategy that better serves the needs of themobile consumer in diverse situational circumstances. However, irrespective of the technological advances to havemultiple mobile and wearable devices collaborate to authenticate a user, the adoption of frictionless authenticationwill only be successful when the right balance between usability, security and privacy can be found that meets thedemands of a diverse set of users. eferences . sciencedirect ..