ZEBRA: Zero-Effort Bilateral Recurring Authentication

Mare, Shrirang; Markham, Andrés Molina; Cornelius, Cory; Peterson, Ronald; Kotz, David

doi:10.1109/sp.2014.51

Cited by 91 publications

(126 citation statements)

References 18 publications

Supporting

Mentioning

124

Contrasting

Order By: Relevance

“…We selected schemes that targeted IoT scenarios and utilized different context information or context features. We excluded schemes based on behavioral biometrics, e.g., gait [4], gesture [27] or keystroke dynamics [19], as these schemes designed for wearable IoT scenarios. In the end, we arrived at five schemes, which we reproduced from the ground up, relying on the help of the original authors to ensure the correctness of our implementations.…”

Section: Reproduced Zis Schemesmentioning

confidence: 99%

Perils of Zero-Interaction Security in the Internet of Things

Fomichev

Maaß

Almon

et al. 2019

Proc. ACM Interact. Mob. Wearable Ubiquitous Technol.

View full text Add to dashboard Cite

The Internet of Things (IoT) demands authentication systems which can provide both security and usability. Recent research utilizes the rich sensing capabilities of smart devices to build security schemes operating without human interaction, such as zero-interaction pairing (ZIP) and zero-interaction authentication (ZIA). Prior work proposed a number of ZIP and ZIA schemes and reported promising results. However, those schemes were often evaluated under conditions which do not reflect realistic IoT scenarios. In addition, drawing any comparison among the existing schemes is impossible due to the lack of a common public dataset and unavailability of scheme implementations.In this paper, we address these challenges by conducting the first large-scale comparative study of ZIP and ZIA schemes, carried out under realistic conditions. We collect and release the most comprehensive dataset in the domain to date, containing over 4250 hours of audio recordings and 1 billion sensor readings from three different scenarios, and evaluate five state-ofthe-art schemes based on these data. Our study reveals that the effectiveness of the existing proposals is highly dependent on the scenario they are used in. In particular, we show that these schemes are subject to error rates between 0.6% and 52.8%. 10:2 • M. Fomichev et al.often called context information [22]. This information is used to build context-based security schemes operating without user interaction such as zero-interaction pairing (ZIP) [20,24,39] and zero-interaction authentication (ZIA) [14,28,36]. We further refer to both as zero-interaction security (ZIS) schemes.The security of ZIS schemes is based on the assumption that context information has high entropy, changes frequently, and is unpredictable from outside the specified environment [31]. Context information, obtained from the ambient environment of an IoT device, is used to derive a shared secret key between colocated devices in ZIP or to serve as a proof of physical proximity between devices in ZIA. For example, similarity in ambient audio sensed by two colocated devices was successfully used in both ZIP [24] and ZIA [14], with the latter scheme becoming part of a commercial product [11]. Other research explored the applicability of different context information in ZIS schemes: temperature, humidity, pressure, and luminosity [20,28], magnetic fields, acceleration and rotation rates [23,26], as well as observed WiFi and Bluetooth beacons [36].ZIS schemes have three main advantages compared to traditional approaches. First, they offer high usability by minimizing user involvement in pairing and authentication procedures. Second, ZIS schemes can scale to a large number of devices, including those that do not share a common sensing modality [13]. Third, ZIS schemes can be built on top of devices' sensing capabilities, reducing modification overhead and facilitating interoperability.Despite the great potential of ZIS schemes to enable a more secure and usable IoT, prior work raised questions about their practica...

show abstract

Section: Reproduced Zis Schemesmentioning

confidence: 99%

Perils of Zero-Interaction Security in the Internet of Things

Fomichev

Maaß

Almon

et al. 2019

Proc. ACM Interact. Mob. Wearable Ubiquitous Technol.

View full text Add to dashboard Cite

show abstract

“…An inspirational work. The closest work to our approach is proposed in [49] called ZEBRA. In ZEBRA, users are classified according to the sequence of interactions (e.g., typing, scrolling), where the user wears a bracelet with motion sensors and radio.…”

Section: Related Workmentioning

confidence: 99%

“…WACA captures the sensor readings through a smartwatch without interrupting the user, i.e., unobtrusively. However, unlike time-out or classical keystroke dynamics, it requires an extra channel to collect data, but obviously a smartwatch Proximity [51], [52] na Face [53], [33] Fingerprint [42] Eye-movement [13] Keystroke [54] ZEBRA [49] WACA (this work) = offers the benefit; = almost offers the benefit; no circle = does not offer the benefit. is a not a customized hardware, i.e., it is an off-the-shelf device, so we say it partially supports the benefit of Nothing-to-Carry and since its error is very low, it also offers the benefit of Infrequent-Errors.…”

Section: Related Workmentioning

confidence: 99%

WACA: Wearable-Assisted Continuous Authentication

Acar¹,

Aksu²,

Uluagac³

et al. 2018

2018 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

One-time login process in conventional authentication systems does not guarantee that the identified user is the actual user throughout the session. However, it is necessary to re-verify the user identity periodically throughout a login session without reducing the user convenience. Continuous authentication can address this issue. However, existing methods are either not reliable or not usable. In this paper, we introduce a usable and reliable method called Wearable-Assisted Continuous Authentication (WACA). WACA relies on the sensor-based keystroke dynamics, where the authentication data is acquired through the builtin sensors of a wearable (e.g., smartwatch) while the user is typing. We implemented the WACA framework and evaluated its performance on real devices with real users. The empirical evaluation of WACA reveals that WACA is feasible and its error rate is as low as 1% with 30 seconds of processing time and 2 − 3% for 20 seconds. The computational overhead is minimal. Furthermore, we tested WACA against different attack scenarios. WACA is capable of identifying insider threats with very high accuracy (99.2%) and also robust against powerful adversaries such as imitation and statistical attackers.

show abstract

“…Wrist movement monitoring (e.g., using an accelerometer and a gyroscope contained in a bracelet as in [12]) has much the same flaws as keystroke dynamics. Moreover, recent results [9] demonstrated a worrisome weakness of this approach.…”

Section: Continuous Authenticationmentioning

confidence: 99%

Assentication: User De-authentication and Lunchtime Attack Mitigation with Seated Posture Biometric

Kaczmarek

Ozturk

Tsudik

2018

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Biometric techniques are often used as an extra security factor in authenticating human users. Numerous biometrics have been proposed and evaluated, each with its own set of benefits and pitfalls. Static biometrics (such as fingerprints) are geared for discrete operation, to identify users, which typically involves some user burden. Meanwhile, behavioral biometrics (such as keystroke dynamics) are well-suited for continuous, and sometimes more unobtrusive, operation. One important application domain for biometrics is de-authentication: a means of quickly detecting absence of a previously-authenticated user and immediately terminating that user's active secure sessions. De-authentication is crucial for mitigating so-called Lunchtime Attacks, whereby an insider adversary takes over (before any inactivity timeout kicks in) authenticated state of a careless user who walks away from her computer.Motivated primarily by the need for an unobtrusive and continuous biometric to support effective de-authentication, we introduce PoPa -a new hybrid biometric based on a human user's seated posture pattern. PoPa captures a unique combination of physiological and behavioral traits. We describe a low-cost fully functioning prototype that involves an office chair instrumented with 16 tiny pressure sensors. We also explore (via user experiments) how PoPa can be used in a typical workplace to provide continuous authentication (and de-authenication) of users. We experimentally assess viability of PoPa in terms of uniqueness by collecting and evaluating posture patterns of a cohort of users. Results show that PoPa exhibits very low false positive, and even lower false negative, rates. In particular, users can be identified with, on average, 91.0% accuracy. Finally, we compare pros and cons of PoPa with those of several prominent biometric-based de-authentication techniques.

show abstract

ZEBRA: Zero-Effort Bilateral Recurring Authentication

Cited by 91 publications

References 18 publications

Perils of Zero-Interaction Security in the Internet of Things

Perils of Zero-Interaction Security in the Internet of Things

WACA: Wearable-Assisted Continuous Authentication

Assentication: User De-authentication and Lunchtime Attack Mitigation with Seated Posture Biometric

Contact Info

Product

Resources

About