New approach to authentication - considering background and untrusted devices when taking the authentication decision

Abstract

IT usage today is typified by users that use multiple devices, including smartphones, desktop PCs, laptops, tablets, etc. Thus, the need to repeatedly authenticate is raised, and even with the most basic security in place this process can be a source of frustration and inconvenience for the user. This especially holds true for authentication on mobile devices where usage is frequent but short. Thus, the struggle to balance usability and security in authentication approaches has been present for some time now. Several user-friendly authentication approaches have been introduced till now, whose motivation was to reduce the number of intrusive authentications in mobile devices as much as possible. Even though, by focusing too much on the user-friendliness of the authentication approach, its security isn t completely addressed. In this thesis, we propose a new user-friendly authentication approach, whose focus is on security at the same time. It leverages the security potential of surrounding devices of the user, specifically the devices that the user trusts, as well as the non trusted devices which can be found in his/her surrounding. We explore the capabilities of the devices that are not trusted /owned by the user in increasing the security of our authentication approach. Those devices can either be environmental background devices or untrusted devices. Our research has shown that by increasing the level of security in a user-friendly authentication approach, it is still possible to achieve a high number of automatic (non-intrusive) authentications, except in the cases where it is not secure for the mobile device to allow automatic access. We achieved up to 97.89% of automatic authentications at the users home, which is considered to be a known environment which the users most likely trust. A high percentage of up to 72.99% of automatic authentications was achieved at the users offices, which is also considered as a known environment, which the users most likely trust. While a very low percentage of positive authentications was achieved when the users were in unknown (possibly untrusted) environments. The highest percentage of automatic authentications in this case was 6%. But, when in such an environment the users most likely wouldn t have liked to have their device open automatically, without any countermeasures in place. The increase of security in our authentication approach can be seen by this low percentage of automatic authentications in an unknown environment.