Privacy-Preserving Continuous Authentication
Abstract
Digital security uses traditional authentication mechanisms to verify the identity of an entity or a user who seeks access to a system, service, or application. Such mechanisms verify user identity only at the beginning of a session and are exposed to certain security weaknesses, such as stolen credentials, spoofing attacks, session hijacking, etc. Continuous authentication, as a secondary and additional authentication factor, enforces stricter access control and may enhance security. It continuously collects and monitors personal and sensitive data to authenticate the user passively throughout the session. Continuous authentication monitors user contextual information such as location data, device data, cookies, network data, etc. Another approach is monitoring and recognizing users by their behavioral patterns, such as typing patterns (keystroke dynamics), screen pressure and touch patterns (touch gestures), mouse or mobile movements, walking patterns (gait dynamics), and more. Collecting and continuously monitoring users by means of sensitive data may strengthen security, but it compromises privacy. These data are voluminous and contain personal information, such as location information, user behavioral information, user activities, device-related data, etc.
This thesis attempts to address the privacy issues in continuous authentication. The thesis contains three parts. The first part investigates the existing methods for continuous authentication, both without privacy protection and with privacy-preserving techniques. It examines the privacy, security, and performance overhead of the existing methods. The second part focuses on the privacy of continuous authentication modalities and presents efficient privacy-preserving protocols that enable continuous authentication in a protected manner. The third part of the thesis investigates the limitations of individual modalities of continuous authentication in terms of practicality and usability. This is because authentication can only be performed when there is a modality-specific user activity or action. Combining multiple modalities therefore improves not only usability but also security. However, using multiple modalities would then worsen the level of privacy. This part of the thesis investigates how to protect privacy under single and multiple modalities. Generic privacy-preserving protocols are proposed that enable continuous authentication using single or multiple modalities with behavioral data (keystroke, swipe gesture, etc.), contextual data, device data, etc. The proposed protocols protect the user's behavioral, contextual, and other types of data. Protecting the type of modality used to achieve continuous authentication is also considered.
The protocols presented in this thesis use different cryptographic approaches, including additive homomorphic encryption, privacy-preserving comparison, and oblivious transfer. The protocols offer low overhead regarding communication and computation costs and enable protected computation under the semi-honest and malicious adversarial models.
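The abstract names additive homomorphic encryption as one building block but does not show how it lets a verifier score a behavioral sample without ever seeing the behavioral data. The following is an added illustration, not code from the thesis and not its protocol: a toy-size Paillier cryptosystem (small fixed primes, constructed for readability) used to compute the squared Euclidean distance between an enrolled keystroke template and a fresh sample entirely on ciphertexts. The role assignment is an assumption made for the example: the verifier holds the key pair; the user's device keeps the enrolled template only in encrypted form (the plaintext is wiped after enrollment) and holds the fresh sample in the clear; the device evaluates the distance homomorphically and sends one ciphertext, so the verifier learns only the score and the device never learns the template after enrollment. The keystroke hold times are constructed sample values.

```python
import math
import secrets

# Toy-size Paillier parameters (constructed for this example; a real deployment
# uses primes of 1024 bits or more). g = n + 1 is the standard choice.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
N2 = N * N
G = N + 1
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # Carmichael function of N
MU = pow(LAMBDA, -1, N)                                # with g = N + 1, L(g^lambda) = lambda


def encrypt(m: int) -> int:
    """Paillier encryption of an integer m (mod N) with fresh randomness."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (pow(G, m % N, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """Paillier decryption (verifier side only; needs LAMBDA and MU)."""
    l_value = (pow(c, LAMBDA, N2) - 1) // N
    return (l_value * MU) % N


def he_add(c1: int, c2: int) -> int:
    """E(a) * E(b) = E(a + b): addition of plaintexts under encryption."""
    return (c1 * c2) % N2


def he_scale(c: int, k: int) -> int:
    """E(a)^k = E(k * a): multiplication by a plaintext scalar (k may be negative)."""
    return pow(c, k % N, N2)


def enroll(template: list[int]) -> dict:
    """Device side, at enrollment: encrypt each feature and the sum of squares.
    Only these ciphertexts are kept; the plaintext template is discarded."""
    return {
        "enc_x": [encrypt(x) for x in template],
        "enc_x_sq_sum": encrypt(sum(x * x for x in template)),
    }


def encrypted_distance(enc_template: dict, sample: list[int]) -> int:
    """Device side, at authentication: compute E(sum (x_i - y_i)^2) from the
    encrypted template and the plaintext fresh sample y, using
    sum (x_i - y_i)^2 = sum x_i^2 - 2 * sum x_i*y_i + sum y_i^2."""
    if len(enc_template["enc_x"]) != len(sample):
        raise ValueError("template and sample must have the same number of features")
    acc = enc_template["enc_x_sq_sum"]
    for enc_x, y in zip(enc_template["enc_x"], sample):
        acc = he_add(acc, he_scale(enc_x, -2 * y))   # adds -2 * x_i * y_i
    return he_add(acc, encrypt(sum(y * y for y in sample)))


def verify(enc_distance: int, threshold: int) -> tuple[int, bool]:
    """Verifier side: decrypt the score and apply the acceptance threshold.
    The verifier sees neither the template nor the fresh sample."""
    d = decrypt(enc_distance)
    return d, d <= threshold


def demo() -> tuple[int, int]:
    # Constructed keystroke hold times (ms) for four keys.
    template = [80, 120, 95, 110]
    enc_template = enroll(template)
    genuine = [82, 118, 97, 108]      # close to the template: distance 16
    impostor = [140, 60, 150, 50]     # far from the template: distance 13825
    d_genuine, _ = verify(encrypted_distance(enc_template, genuine), 400)
    d_impostor, _ = verify(encrypted_distance(enc_template, impostor), 400)
    return d_genuine, d_impostor


if __name__ == "__main__":
    print(demo())
```

In this simplified honest-but-curious setting the verifier still learns the numeric score, and a malicious device could submit an arbitrary ciphertext; the privacy-preserving comparison and malicious-model protections the abstract mentions are what a full protocol adds on top of the homomorphic scoring shown here (for instance, blinding the score before decryption so that only the threshold decision is revealed).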