DOI: 10.1145/2501604.2501607 (ACM conference proceedings, SOUPS; research article)

CASA: context-aware scalable authentication

Published: 24 July 2013

Abstract

We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user's current location). We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given the passive factors. We also present the results of three user studies evaluating the feasibility of our concept and users' receptiveness to it. Our results suggest that location data has good potential as a passive factor, and that users can reduce active authentications by up to 68% when using an implementation of CASA, compared to always using a fixed active authentication. Furthermore, our participants, including those who do not use any security mechanism on their phones, were very positive about CASA and amenable to using it on their phones.
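The abstract describes selecting an active scheme, given passive factors, so that a stated security requirement is met. The block below is an added illustration written for this page; it is not code from the paper or its authors, and the paper's actual framework is not reproduced here. It assumes a single passive factor (the current location), a Laplace-smoothed location model for the legitimate user, a uniform location model for an impostor, a fixed prior impostor rate, and toy per-scheme pass probabilities; the security requirement is expressed as an upper bound on the probability that an impostor is present and passes the chosen scheme.

```python
from collections import Counter

# Constructed location history for the legitimate user (one entry per observed
# unlock/login): a toy dataset for this illustration, not data from the paper.
SAMPLE_HISTORY = ["home"] * 60 + ["office"] * 35 + ["gym"] * 5

# Active schemes from least to most burdensome, paired with an assumed probability
# that a single impostor attempt passes the scheme. Toy values chosen so the
# example exercises every tier; they are not measurements from the paper.
ACTIVE_SCHEMES = [
    ("none", 1.0),
    ("pin", 0.05),
    ("password", 1e-6),
]


def location_likelihood_ratio(history, location, alpha=1.0):
    """Return P(location | legitimate user) / P(location | impostor).

    The legitimate-user term is a Laplace-smoothed visit frequency over the history;
    the impostor term is assumed uniform over the known locations plus one "elsewhere"
    bucket. Both modelling choices are assumptions made for this example.
    """
    counts = Counter(history)
    n_buckets = len(counts) + 1            # known locations + "elsewhere"
    total = len(history)
    p_legit = (counts.get(location, 0) + alpha) / (total + alpha * n_buckets)
    p_impostor = 1.0 / n_buckets
    return p_legit / p_impostor


def posterior_impostor(history, location, prior_impostor):
    """Bayes update of P(impostor) on observing the current location (the passive factor)."""
    if not 0.0 < prior_impostor < 1.0:
        raise ValueError("prior_impostor must lie strictly between 0 and 1")
    prior_odds = prior_impostor / (1.0 - prior_impostor)
    posterior_odds = prior_odds / location_likelihood_ratio(history, location)
    return posterior_odds / (1.0 + posterior_odds)


def select_scheme(history, location, prior_impostor, max_breach_probability):
    """Pick the least burdensome active scheme whose combined risk meets the requirement.

    The security requirement is an upper bound on
    P(impostor present) * P(impostor passes the chosen scheme).
    """
    p_impostor = posterior_impostor(history, location, prior_impostor)
    for name, p_pass in ACTIVE_SCHEMES:
        if p_impostor * p_pass <= max_breach_probability:
            return name
    return ACTIVE_SCHEMES[-1][0]   # strongest scheme is the fallback


if __name__ == "__main__":
    for place in ("home", "gym", "airport"):
        p = posterior_impostor(SAMPLE_HISTORY, place, prior_impostor=0.01)
        scheme = select_scheme(SAMPLE_HISTORY, place, 0.01, max_breach_probability=0.005)
        print(f"{place:8s} P(impostor)={p:.4f} -> {scheme}")
```

With these toy numbers a frequently visited location (home) needs no active challenge, a rarely visited one (gym) is escalated to a PIN, and a never-seen location (airport) requires the strongest scheme. The threshold argument is the knob that corresponds to the abstract's "specified security requirement": tightening it shifts every location toward stronger schemes, and the posterior never drops below what the prior and the location model justify, so a passive factor can only reduce, not remove, the need for active authentication.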


Cited By

  • (2024) SHRIMPS: A framework for evaluating multi-user, multi-modal implicit authentication systems. Computers & Security 137 (103594). DOI: 10.1016/j.cose.2023.103594. Online publication date: Feb-2024.
  • (2024) Abnormal behavior detection mechanism using deep learning for zero-trust security infrastructure. International Journal of Information Technology 16(8), pp. 5091-5097. DOI: 10.1007/s41870-024-02110-7. Online publication date: 28-Aug-2024.
  • (2023) RLAuth: A Risk-Based Authentication System Using Reinforcement Learning. IEEE Access 11, pp. 61129-61143. DOI: 10.1109/ACCESS.2023.3286376. Online publication date: 2023.
  • (2023) User-Centred Design of Machine Learning Based Internet of Medical Things (IoMT) Adaptive User Authentication Using Wearables and Smartphones. Artificial Intelligence Application in Networks and Systems, pp. 783-799. DOI: 10.1007/978-3-031-35314-7_65. Online publication date: 9-Jul-2023.
  • (2022) Risk-Based Authentication. Handbook of Research on Mathematical Modeling for Smart Healthcare Systems, pp. 154-179. DOI: 10.4018/978-1-6684-4580-8.ch009. Online publication date: 24-Jun-2022.
  • (2022) Dynamic Context Driven Re-configurable Business Process. Annals of Emerging Technologies in Computing 6(3), pp. 37-55. DOI: 10.33166/AETiC.2022.03.004. Online publication date: 1-Jul-2022.
  • (2022) Risk-aware Fine-grained Access Control in Cyber-physical Contexts. Digital Threats: Research and Practice 3(4), pp. 1-29. DOI: 10.1145/3480468. Online publication date: 5-Dec-2022.
  • (2022) In-Band Secret-Free Pairing for COTS Wireless Devices. IEEE Transactions on Mobile Computing 21(2), pp. 612-628. DOI: 10.1109/TMC.2020.3015010. Online publication date: 1-Feb-2022.
  • (2022) WatchAuth: User Authentication and Intent Recognition in Mobile Payments using a Smartwatch. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 377-391. DOI: 10.1109/EuroSP53844.2022.00031. Online publication date: Jun-2022.
  • (2022) Zero Trust Architecture (ZTA): A Comprehensive Survey. IEEE Access 10, pp. 57143-57179. DOI: 10.1109/ACCESS.2022.3174679. Online publication date: 2022.


    Published In

    SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security
    July 2013
    241 pages
    ISBN:9781450323192
    DOI:10.1145/2501604
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Sponsors

    • Carnegie Mellon University: Carnegie Mellon University

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. context-aware
    2. mobile
    3. user authentication

    Qualifiers

    • Research-article

    Conference

    SOUPS '13
    Sponsor:
    • Carnegie Mellon University
    SOUPS '13: Symposium On Usable Privacy and Security
    July 24 - 26, 2013
    Newcastle, United Kingdom

    Acceptance Rates

    Overall Acceptance Rate 15 of 49 submissions, 31%

    Article Metrics

    • Downloads (Last 12 months)40
    • Downloads (Last 6 weeks)2
    Reflects downloads up to 21 Nov 2024
