Show simple item record

dc.contributor.author: Msgna, Mehari Gebrehaweriya
dc.contributor.author: Katsikas, Sokratis
dc.contributor.author: Gkioulos, Vasileios
dc.date.accessioned: 2023-03-31T08:36:19Z
dc.date.available: 2023-03-31T08:36:19Z
dc.date.created: 2022-01-19T07:35:08Z
dc.date.issued: 2022
dc.identifier.isbn: 9783030937461
dc.identifier.uri: https://hdl.handle.net/11250/3061341
dc.description.abstract: Authenticating a user the correct way is paramount to IT systems, where the risk is growing more and more in number and complexity. This is especially important in mobile phones, where a number of applications require continuous device authentication following the Point-of-Entry user authentication. The existing common approach in systems that require strict security rules and regulations is to use a One-Time-Password (OTP). Usually the OTP is generated using a special hardware device or another application that is synchronised with the back-end system. Another approach is to use SMS based activation/approval codes such as used by Telegram, Facebook, Twitter and other social media platforms. However, this approach has three major drawbacks: (1) it requires active user participation/interaction which could be annoying if repeated continuously, (2) SMS messages can be accessed by service provider’s employees, and (3) it does not consider the authenticity of the device from which the services are being accessed. The latter is particularly serious as access sessions can be hijacked by malicious entities. In this paper, we investigate the possibility of using the user’s address book (contacts list) to continuously authenticate the device to ensure the services are only accessed from the mobile phone that belongs to the legitimate user. We call this authentication the Who-You-Know (WYK) scheme. For our research, we developed three components, the WYK-Mobile-Service, WYK-API-Server and a Mobile-Demo-Application. The WYK-API-Server exposes a set of authentication server APIs and the WYK-Mobile-Service consumes these APIs to authenticate the device every time the mobile applications are launched and make a request to the API server. Finally, the Mobile-Demo-Application will extract user’s data from the server if the device is successfully authenticated. (en_US)
dc.language.iso: eng (en_US)
dc.publisher: Springer (en_US)
dc.relation.ispartof: Emerging Technologies for Authorization and Authentication 4th International Workshop, ETAA 2021, Darmstadt, Germany, October 8, 2021, Revised Selected Papers
dc.title: WYK: Mobile Device Authentication Using the User’s Address Book (en_US)
dc.title.alternative: WYK: Mobile Device Authentication Using the User’s Address Book (en_US)
dc.type: Chapter (en_US)
dc.description.version: acceptedVersion (en_US)
dc.identifier.doi: 10.1007/978-3-030-93747-8_1
dc.identifier.cristin: 1984225
cristin.ispublished: true
cristin.fulltext: postprint
cristin.qualitycode: 1


Files in this item

This item appears in the following collection(s)
