Listing by keyword "Authentication"
1 - 10 of 13
- Conference paper: Alexa, It's Me! An Online Survey on the User Experience of Smart Speaker Authentication (Mensch und Computer 2022 - Tagungsband, 2022). Renz, Andreas; Baldauf, Matthias; Maier, Edith; Alt, Florian. Verifying the identity of the speaker is a crucial requirement for security-critical voice-based services on smart speakers, such as transferring money or making online purchases. Whilst various studies have explored novel authentication mechanisms for voice-based services, there is little research on the user experience of the respective authentication methods. To address this gap, we conducted a comprehensive online survey (n=696). We compared five authentication methods (spoken PIN, biometrics, app with button/voice confirmation, card reader) regarding their perceived efficiency, security, ease of use, and error susceptibility. Additionally, we investigated users' willingness to use security-critical services in banking and government. We found an overall preference to confirm actions triggered by voice by pressing a button on a mobile authentication app, followed by PIN-based authentication. In contrast, biometric authentication by voice is considered unreliable, while applying a card reader is regarded as secure, yet less convenient.
- Conference paper: Android Pattern Unlock Authentication - effectiveness of local and global dynamic features (BIOSIG 2019 - Proceedings of the 18th International Conference of the Biometrics Special Interest Group, 2019). Ibrahim, Nasiru; Sellahewa, Harin. This study conducts a holistic analysis of the performance of biometric features incorporated into Pattern Unlock authentication. The objective is to enhance the strength of the authentication by adding an implicit layer. Earlier studies have incorporated either global or local dynamic features for verification; however, as found in this paper, different features have variable discriminating power, especially at different extraction levels. The discriminating potential of global features, local features and their combination is evaluated. Results showed that locally extracted features have higher discriminating power than global features, and combining both gives the best verification performance. Further, a novel feature was proposed and evaluated, which was found to have a varied impact (both positive and negative) on system performance. From our findings, it is essential to evaluate features (independently and collectively), extracted at different levels (global and local) and in different combinations, as some might impede the verification performance of the system.
- Text document: Authentication and Authorization in Microservice-Based Applications (INFORMATIK 2022, 2022). Sänger, Niklas; Abeck, Sebastian. The development of microservice-based applications adds challenges when using different cloud services. One such challenge is the integration of authentication and authorization among different systems. In this publication, we describe the development of a software-as-a-service solution with a focus on the integration of authentication and authorization. For the development of the business logic, the integration-platform-as-a-service MuleSoft is used. The identity-and-access-management-as-a-service solution Okta is used to provide the necessary means for authentication. To perform authorization decisions, JSON Web Tokens and API proxies are used.
- Conference paper: Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0 (Open Identity Summit 2022, 2022). Fotiou, Nikos; Faltaka, Evgenia; Kalos, Vasilis; Kefala, Anna; Pittaras, Iakovos; Siris, Vasilios A.; Polyzos, George C. We design, implement, and evaluate a solution for achieving continuous authorization of HTTP requests exploiting Verifiable Credentials (VCs) and OAuth 2.0. Specifically, we develop a VC issuer that acts as an OAuth 2.0 authorization server, a VC verifier that transparently protects HTTP-based resources, and a VC wallet implemented as a browser extension capable of injecting the necessary authentication data into HTTP requests without needing user intervention. Our approach is motivated by recent security paradigms, such as the Zero Trust architecture, that require authentication and authorization of every request, and it is tailored for HTTP-based services accessed using a web browser. Our solution leverages JSON Web Tokens and JSON Web Signatures for encoding VCs and protecting their integrity, achieving interoperability and security in this way. VCs in our system are bound to a user-controlled public key or a Decentralized Identifier, and mechanisms for proving possession are provided. Finally, VCs can be easily revoked.
- Conference paper: FAPI 2.0: A High-Security Profile for OAuth and OpenID Connect (Open Identity Summit 2021, 2021). Fett, Daniel. A growing number of APIs, from the financial, health and other sectors, give access to highly sensitive data and resources. With the Financial-grade API (FAPI) Security Profile, the OpenID Foundation has created an interoperable and secure standard to protect such APIs. The first version of FAPI has recently become an official standard and has already been adopted by large ecosystems, such as OpenBanking UK. Meanwhile, the OpenID Foundation's FAPI Working Group has started work on the second version of FAPI, putting a focus on robust interoperability, simplicity, a more structured approach to security, and improved non-repudiation. In this paper, we give an overview of the FAPI profiles, discuss the lessons from practice that influence the development of the latest version of FAPI, and show how formal security analysis helps to shape security decisions.
- Journal article: "Get a Free Item Pack with Every Activation!" - Do Incentives Increase the Adoption Rates of Two-Factor Authentication? (i-com: Vol. 18, No. 3, 2019). Busse, Karoline; Amft, Sabrina; Hecker, Daniel; von Zezschwitz, Emanuel. Account security is an ongoing issue in practice. Two-Factor Authentication (2FA) is a mechanism which could help mitigate this problem; however, adoption is not very high in most domains. Online gaming has adopted an interesting approach to drive adoption: games offer small rewards, such as visual modifications to the player's avatar's appearance, if players utilize 2FA. In this paper, we evaluate the effectiveness of these incentives and investigate how they can be applied to non-gaming contexts. We conducted two surveys, one recruiting gamers and one recruiting from a general population. In addition, we conducted three focus group interviews to evaluate various incentive designs for both the gaming context and the non-gaming context. We found that visual modifications, which are the most popular type of gaming-related incentive, are not as popular in non-gaming contexts. However, our design explorations indicate that well-chosen incentives have the potential to lead to more users adopting 2FA, even outside of the gaming context.
- Journal article: IoT Security Best Practices (HMD Praxis der Wirtschaftsinformatik: Vol. 58, No. 2, 2021). Barenkamp, Marco. The article gives an overview of best-practice standards for IoT (Internet of Things) access authentication. It is shown that client-side authentication offers the highest potential for secure process automation at high interaction frequency, compared to conventional authentication and blockchain-based approaches. A novel concept of client-side automated access management based on the TLS (Transport Layer Security) standard, which has proven itself in the agriculture segment for over a year, is presented. Compared to established authentication methods, it offers the advantage of higher security together with automated login of any end device on the IoT server. Due to this potential, the presented authentication standard is suitable as a general cross-industry access concept for IoT applications.
- Conference paper: Multi-resolution Local Descriptor for 3D Ear Recognition (BIOSIG 2019 - Proceedings of the 18th International Conference of the Biometrics Special Interest Group, 2019). Ganapathi, Iyyakutti Iyappan; Ali, Syed Sadaf; Prakash, Surya. Several approaches have shown promising results in human ear recognition. However, factors such as pose, illumination, and scaling have an enormous impact on recognition performance. 3D models are insensitive to these factors and are found to be better at enhancing recognition performance thanks to strong geometric information. Low-cost 3D data acquisition has also encouraged the research community in recent times to explore 3D object recognition further. We present a local multi-resolution descriptor in this paper to recognize human ears in 3D. For each key-point in the 3D ear, a local reference frame (LRF) is constructed. Using multiple radii, we find neighbors at each key-point, and the neighbors obtained from each radius are projected to create a depth image using the LRF. Further, a descriptor is computed by employing neural-network-based auto-encoders and the local statistics of the depth images. The descriptor is used to locate potential corresponding points in the probe and gallery images for a coarse arrangement, followed by a fine alignment to compute the registration error. The obtained registration error is used as the matching score. The proposed technique is assessed on the UND-J2 dataset to demonstrate its effectiveness.
- Conference paper: Private Authentication with Alpha-Beta Privacy (Open Identity Summit 2023, 2023). Fernet, Laouen; Mödersheim, Sebastian. Alpha-beta privacy is a new approach for security protocols that aims to provide a logical and intuitive way of specifying privacy-type goals. Recently, the tool noname was published, which can automatically analyze specifications for a bounded number of sessions but ships with only a few simple examples. This paper models two more complicated case studies, namely the ICAO 9303 BAC and the Private Authentication protocol by Abadi and Fournet, and applies the noname tool to analyze them, reproducing known vulnerabilities and verifying the corresponding fixes, as well as providing a better understanding of the privacy properties they provide.
- Dissertation: Risks and potentials of graphical and gesture-based authentication for touchscreen mobile devices: balancing usability and security through user-centered analysis and design (2016). Zezschwitz, Emanuel von. While a few years ago mobile phones were mainly used for making phone calls and texting short messages, the functionality of mobile devices has grown massively. We are surfing the web, sending emails and checking our bank accounts on the go. As a consequence, these internet-enabled devices store a lot of potentially sensitive data and require enhanced protection. We argue that authentication often represents the only countermeasure to protect mobile devices from unwanted access. Knowledge-based concepts (e.g., PIN) are the most used authentication schemes on mobile devices. They serve as the main protection barrier for many users and represent the fallback solution whenever alternative mechanisms fail (e.g., fingerprint recognition). This thesis focuses on the risks and potentials of gesture-based authentication concepts that particularly exploit the touch feature of mobile devices. The contribution of our work is threefold. Firstly, the problem space of mobile authentication is explored. Secondly, the design space is systematically evaluated utilizing interactive prototypes. Finally, we provide generalized insights into the impact of specific design factors and present recommendations for the design and evaluation of graphical gesture-based authentication mechanisms. The problem space exploration is based on four research projects that reveal important real-world issues of gesture-based authentication on mobile devices. The first part focuses on authentication behavior in the wild and shows that the mobile context makes great demands on the usability of authentication concepts. The second part explores usability features of established concepts and indicates that gesture-based approaches have several benefits in the mobile context. The third part focuses on observability and presents a prediction model for the vulnerability of a given grid-based gesture. Finally, the fourth part investigates the predictability of user-selected gesture-based secrets. The design space exploration is based on a design-oriented research approach and presents several practical solutions to existing real-world problems. The novel authentication mechanisms are implemented as working prototypes and evaluated in the lab and in the field. In the first part, we discuss smudge attacks and present alternative authentication concepts that are significantly more secure against such attacks. The second part focuses on observation attacks. We illustrate how relative touch gestures can support eyes-free authentication and how they can be utilized to make traditional PIN entry secure against observation attacks. The third part addresses the problem of predictable gesture choice and presents two concepts which nudge users to select a more diverse set of gestures. Finally, the results of the basic research and the design-oriented applied research are combined to discuss the interconnection of design space and problem space. We contribute by outlining crucial requirements for mobile authentication mechanisms and present empirically proven objectives for future designs. In addition, we illustrate a systematic goal-oriented development process and provide recommendations for the evaluation of authentication on mobile devices.