-
A Secure Mobile Authentication Alternative to Biometrics
Authors:
Mozhgan Azimpourkivi,
Umut Topkara,
Bogdan Carbunar
Abstract:
Biometrics are widely used for authentication in consumer devices and business settings as they provide sufficiently strong security, instant verification and convenience for users. However, biometrics are hard to keep secret, stolen biometrics pose lifelong security risks to users as they cannot be reset and re-issued, and transactions authenticated by biometrics across different systems are linkable and traceable back to the individual identity. In addition, their cost-benefit analysis does not include personal implications to users, who are least prepared for the imminent negative outcomes, and are not often given equally convenient alternative authentication options.
We introduce ai.lock, a secret image based authentication method for mobile devices which uses an imaging sensor to reliably extract authentication credentials similar to biometrics. Despite lacking the regularities of biometric image features, we show that ai.lock consistently extracts features across authentication attempts from general user captured images, to reconstruct credentials that can match and exceed the security of biometrics (EER = 0.71%). ai.lock only stores a hash of the object's image. We measure the security of ai.lock against brute force attacks on more than 3.5 billion authentication instances built from more than 250,000 images of real objects, and 100,000 synthetically generated images using a generative adversarial network trained on object images. We show that the ai.lock Shannon entropy is superior to a fingerprint based authentication built into popular mobile devices.
Submitted 21 August, 2018; v1 submitted 6 December, 2017;
originally announced December 2017.
-
Camera Based Two Factor Authentication Through Mobile and Wearable Devices
Authors:
Mozhgan Azimpourkivi,
Umut Topkara,
Bogdan Carbunar
Abstract:
We introduce Pixie, a novel, camera based two factor authentication solution for mobile and wearable devices. A quick and familiar user action of snapping a photo is sufficient for Pixie to simultaneously perform a graphical password authentication and a physical token based authentication, yet it does not require any expensive, uncommon hardware. Pixie establishes trust based on both the knowledge and possession of an arbitrary physical object readily accessible to the user, called a trinket. Users choose their trinkets similar to setting a password, and authenticate by presenting the same trinket to the camera. The fact that the object is the trinket is secret to the user. Pixie extracts robust, novel features from trinket images, and leverages a supervised learning classifier to effectively address inconsistencies between images of the same trinket captured in different circumstances.
Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts, generated with 40,000 trinket images that we captured and collected from public datasets. We identify master images, that match multiple trinkets, and study techniques to reduce their impact.
In a user study with 42 participants over 8 days in 3 sessions we found that Pixie outperforms text based passwords on memorability, speed, and user preference. Furthermore, Pixie was easily discoverable by new users and accurate under field use. Users were able to remember their trinkets 2 and 7 days after registering them, without any practice between the 3 test dates.
Submitted 20 October, 2017;
originally announced October 2017.
-
Video Liveness for Citizen Journalism: Attacks and Defenses
Authors:
Mahmudur Rahman,
Mozhgan Azimpourkivi,
Umut Topkara,
Bogdan Carbunar
Abstract:
The impact of citizen journalism raises important video integrity and credibility issues. In this article, we introduce Vamos, the first user transparent video "liveness" verification solution based on video motion, that accommodates the full range of camera movements, and supports videos of arbitrary length. Vamos uses the agreement between video motion and camera movement to corroborate the video authenticity. Vamos can be integrated into any mobile video capture application without requiring special user training. We develop novel attacks that target liveness verification solutions. The attacks leverage both fully automated algorithms and trained human experts. We introduce the concept of video motion categories to annotate the camera and user motion characteristics of arbitrary videos. We show that the performance of Vamos depends on the video motion category. Even though Vamos uses motion as a basis for verification, we observe a surprising and seemingly counter-intuitive resilience against attacks performed on relatively "stationary" video chunks, which turn out to contain hard-to-imitate involuntary movements. We show that overall the accuracy of Vamos on the task of verifying whole length videos exceeds 93% against the new attacks.
Submitted 6 April, 2017;
originally announced April 2017.
-
Secure Management of Low Power Fitness Trackers
Authors:
Mahmudur Rahman,
Bogdan Carbunar,
Umut Topkara
Abstract:
The increasing popular interest in personal telemetry, also called the Quantified Self or "lifelogging", has induced a popularity surge for wearable personal fitness trackers. Fitness trackers automatically collect sensor data about the user throughout the day, and integrate it into social network accounts. Solution providers have to strike a balance between many constraints, leading to a design process that often puts security in the back seat. Case in point, we reverse engineered and identified security vulnerabilities in Fitbit Ultra and Garmin Forerunner 610, two popular and representative fitness tracker products. We introduce FitBite and GarMax, tools to launch efficient attacks against Fitbit and Garmin.
We devise SensCrypt, a protocol for secure data storage and communication, for use by makers of affordable and lightweight personal trackers. SensCrypt thwarts not only the attacks we introduced, but also defends against powerful JTAG Read attacks. We have built Sens.io, an Arduino Uno based tracker platform, of similar capabilities but at a fraction of the cost of current solutions. On Sens.io, SensCrypt imposes a negligible write overhead and significantly reduces the end-to-end sync overhead of Fitbit and Garmin.
Submitted 24 March, 2017;
originally announced March 2017.
-
Enabling Multiple QR Codes in Close Proximity
Authors:
Mercan Topkara,
Thomas Erickson,
Umut Topkara,
Chandrasekhar Narayanaswami
Abstract:
Quick response codes - 2D patterns that can be scanned to access online resources - are being used in a variety of industrial and consumer applications. However, it is problematic to use multiple QR codes in close proximity: scans can fail or result in access to the wrong resource. While this problem is, strictly speaking, due to the design of the scanning software, the very large number of extant scanning applications makes changing the software a difficult logistical challenge. Instead, we describe the design of a new type of QR code that not only enables the use of multiple QR codes in close proximity, but also is compatible with existing scanning solutions. In an evaluation with 20 users, it was found that the new QR codes were as usable as traditional ones, and that they were superior for selecting one code from many. Users did have initial difficulty in discovering how to use the new QR code, so further work is required on that front. We conclude with a discussion of the pros and cons of pQR codes.
Submitted 28 October, 2015;
originally announced October 2015.