Paul Dowland

Active authentication for mobile devices utilising behaviour profiling

With nearly 6 billion subscribers around the world, mobile devices have become an indispensable component in modern society. The majority of these devices rely upon passwords and personal identification numbers as a form of user authentication, and the weakness of these point-of-entry techniques is widely documented. Active authentication is designed to overcome this problem by utilising biometric techniques to continuously assess user identity. This paper describes a feasibility study into a behaviour profiling technique that utilises historical application usage to verify mobile users in a continuous manner. By utilising a combination of a rule-based classifier, a dynamic profiling technique and a smoothing function, the best experimental result for a users overall application usage was an equal error rate of 9.8xa0%. Based upon this result, the paper proceeds to propose a novel behaviour profiling framework that enables a user’s identity to be verified through their application usage in a continuous and transparent manner. In order to balance the trade-off between security and usability, the framework is designed in a modular way that will not reject user access based upon a single application activity but a number of consecutive abnormal application usages. The proposed framework is then evaluated through simulation with results of 11.45 and 4.17xa0% for the false rejection rate and false acceptance rate, respectively. In comparison with point-of-entry-based approaches, behaviour profiling provides a significant improvement in both the security afforded to the device and user convenience.

The impact of security and its antecedents in behaviour intention of using e-government services

ABSTRACT One of the main challenges associated with e-government adoption is lack of security. Thus, the aim of this research is to investigate the role of security in e-government adoption by integrating security, trust and privacy with the Unified Theory of Acceptance and Use of Technology 2 (UTAUT2). In addition, this research will also investigate the factors that influence the end users’ perception of e-government security. Thus, the research starts with a qualitative study to investigate security antecedents, and this is followed by a quantitative study to validate the qualitative study and determine the role of security in e-government adoption. Data from 625 Saudi citizens were gathered and used in the model assessment. The findings show that user interface quality, security culture and cybersecurity law positively affect security perception. In addition, security perception was found to have a strong effect on trust. Trust is ranked as the third most critical factor affecting behaviour intention after performance expectance and habit. The results make a significant contribution to academic research and have practical implications regarding understanding the role of security in e-government adoption and the factors that affect end users’ perception in e-government security.

Activity Recognition using wearable computing

A secure, user-convenient approach to authenticate users on their mobile devices is required as current approaches (e.g., PIN or Password) suffer from security and usability issues. Transparent Authentication Systems (TAS) have been introduced to improve the level of security as well as offer continuous and unobtrusive authentication (i.e., user friendly) by using various behavioural biometric techniques. This paper presents the usefulness of using smartwatch motion sensors (i.e., accelerometer and gyroscope) to perform Activity Recognition for the use within a TAS. Whilst previous research in TAS has focused upon its application in computers and mobile devices, little attention is given to the use of wearable devices - which tend to be sensor-rich highly personal technologies. This paper presents a thorough analysis of the current state of the art in transparent and continuous authentication using acceleration and gyroscope sensors and a technology evaluation to determine the basis for such an approach. The best results are average Euclidean distance scores of 5.5 and 11.9 for users intra acceleration and gyroscope signals respectively and 24.27 and 101.18 for users inter acceleration and gyroscope activities accordingly. The findings demonstrate that the technology is sufficiently capable and the nature of the signals captured sufficiently discriminative to be useful in performing Activity Recognition.

Secure Graphical One Time Password GOTPass: An Empirical Study

ABSTRACT The traditional text-based password has been the default security medium for years; however, the difficulty of memorizing secure strong passwords often leads to insecure practices. A possible alternative solution is graphical authentication, which is motivated by the fact that the capability of humans’ memory for images is superior to text, which helps to improve password usability and security. Recently, some implementations of graphical authentication techniques have been deployed in practice. This paper introduces a new hybrid graphical authentication, “GOTPass,” that authenticates by means of a one-time numerical code that needs to be typed in based on a sequence of secret images and a prechosen input format. An important focus for this paper was the security aspects of the graphical password scheme. This paper reports an in-depth analysis of the security evaluation and shows a high resistance capability of GOTPass against common graphical password attacks. Three attacks were simulated (Guessing, Intersection, and Shoulder-surfing), and the results showed that nearly 98% of the 690 attempts failed to compromise the system.

Graphical One-Time Password GOTPass: A usability evaluation

ABSTRACT Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords is difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. In addition, they are vulnerable to various types of attacks, such as shoulder surfing, replay, and keylogger attacks (Gupta, Sahni, Sabbu, Varma, & Gangashetty, 2012) One-Time Passwords (OTPs) aim to overcome such problems (Gupta et al., 2012); however, most implemented OTP techniques require special hardware, which not only adds cost, but there are also issues regarding its availability (Brostoff, Inglesant, & Sasse, 2010). In contrast, the use of graphical passwords is an alternative authentication mechanism designed to aid memorability and ease of use, often forming part of a multifactor authentication process. This article is complementary to the earlier work that introduced and evaluated the security of the new hybrid user-authentication approach: Graphical One-Time Password (GOTPass) (Alsaiari et al., 2015). The scheme aims to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. The article presents the results of an empirical user study that investigates the usability features of the proposed approach, as well as pretest and posttest questionnaires. The experiment was conducted during three separate sessions, which took place over five weeks, to measure the efficiency, effectiveness, memorability, and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 s.

Adaptive behavioral profiling for identity verification in cloud computing: A model and preliminary analysis

In the past few years, cloud computing has become a new paradigm for hosting and delivering services over the Internet. Customers can directly access the resources (hardware and software) of cloud computing services over the Internet without the need to have specific knowledge about the resources. This flexibility has also made cloud services more vulnerable to potential attack. A key issue is that the cloud services rely upon a simple authentication login and remain accessible to users afterward for significant periods of time. This makes cloud computing services vulnerable to misuse. Well-known service providers including Dropbox (2012) and Apple (2014) have suffered from attacks, leading to sensitive information of their customers being exposed. As a result, there is a growing need for increasing the trust among end-users and cloud service providers and to be able to continuously monitor users to identify potential misuse. User behavior profiling is one technology that has been applied with various technologies/services to provide continuous re-authentication of a user transparently in order to monitor and improve the security of a system. This paper investigates the current state of the art in this approach and examines its applicability within cloud services. A preliminary experiment is undertaken using Dropbox log data to explore the feasibility of the approach within this type cloud service. The initial analysis of the proposed approach is very encouraging and provides the basis for proposing a novel multi-level behavioural profiling architecture.

Nonvisual Presentation, Navigation and Manipulation of Structured Documents on Mobile and Wearable Devices

There are a large number of highly structured documents, for example: newspaper articles, scientific, mathematical or technical literature. As a result of inductive research with 200 blind and visually impaired participants, a multi-modal user interface for non-visual presentation, navigation and manipulation of structured documents on mobile and wearable devices like smart phones, smart watches or smart tablets has been developed. It enables the user to get a fast overview over the document structure and to efficiently skim and scan over the document content by identifying the type, level, position, length, relationship and content text of each element as well as to focus, select, activate, move, remove and insert structure elements or text. These interactions are presented in a non-visual way using earcons, tactons and speech synthesis, serving the aural and tactile human sense. Navigation and manipulation is provided by using the multitouch, motion (linear acceleration and rotation) or speech recognition input modality. It is a complete solution for reading, creating and editing structured documents in a non-visual way. There is no special hardware required. For the development, testing and evaluation of the user interface, a flexible platform independent software architecture has been developed and implemented for iOS and Android. The evaluation of the user interface has been undertaken by a structured observation of 160 blind and visually impaired participants using an implemented software (App) over the Internet.

Security challenges of E-government adoption based on end users' perspective

In recent years, many countries have used e-government to provide high quality services to their citizens. Thus, a number of studies have investigated user acceptance of e-government through the use of adoption models, such as the Unified Theory of Acceptance and Use of Technology (UTAUT) model. However, these models do not focus sufficiently on security. In order to develop a more security-focused adoption model for investigating user acceptance of e-government, it is important to first understand the security challenges that may inhibit the adoption of e-government. This paper considers these security challenges based on the end users perspective, identifying the extent of the challenges. For example, 85.5% of the participants agree that there is a lack of user awareness. In addition, 62.4% of the participants believe that culture plays an important role in e-government security. Also, 49.8% of the participants are worried about privacy when using e-government services.

Investigating the Viability of Multifactor Graphical Passwords for User Authentication

ABSTRACT Authentication using images (i.e., graphical passwords) is claimed to be one of the alternatives for overcoming weaknesses in the traditional username and password authentication. This paper reports on the study to explore the feasibility of combining two graphical password methods for better security. A graphical password prototype scheme, the Enhanced Graphical Authentication System (EGAS), was developed (which combines the methods of clicking on the image (i.e., click-based) and selecting a series of images (i.e., choice-based). The EGAS was tested by 30 participants randomly chosen from the authors’ university and two evaluations were made; namely user performance of the combined method and the feasibility of authentication strategies toward the introduced method itself. From both evaluations, it is found that positive results have been obtained, which suggest that these methods could be combined together effectively without giving impediment to users.