Listing by subject "Authentication"
1 - 10 of 14
- Journal article: A Systematic Review of Identity and Access Management Requirements in Enterprises and Potential Contributions of Self-Sovereign Identity (Business & Information Systems Engineering: Vol. 66, No. 4, 2024). Glöckler, Jana; Sedlmeir, Johannes; Frank, Muriel; Fridgen, Gilbert.
  Digital identity and access management (IAM) poses significant challenges for companies. Cyberattacks and resulting data breaches frequently have their root cause in enterprises’ IAM systems. During the COVID-19 pandemic, issues with the remote authentication of employees working from home highlighted the need for better IAM solutions. Using a design science research approach, the paper reviews the requirements for IAM systems from an enterprise perspective and identifies the potential benefits of self-sovereign identity (SSI) – an emerging, passwordless paradigm in identity management that provides end users with cryptographic attestations stored in digital wallet apps. To do so, this paper first conducts a systematic literature review followed by an interview study and categorizes IAM system requirements according to security and compliance, operability, technology, and user aspects. In a second step, it presents an SSI-based prototype for IAM, whose suitability for addressing IAM challenges was assessed by twelve domain experts. The results suggest that the SSI-based authentication of employees can address requirements in each of the four IAM requirement categories. SSI can specifically improve manageability and usability aspects and help implement acknowledged best practices such as the principle of least privilege. Nonetheless, the findings also reveal that SSI is not a silver bullet for all of the challenges that today’s complex IAM systems face.
- Conference paper: Alexa, It’s Me! An Online Survey on the User Experience of Smart Speaker Authentication (Mensch und Computer 2022 - Tagungsband, 2022). Renz, Andreas; Baldauf, Matthias; Maier, Edith; Alt, Florian.
  Verifying the identity of the speaker is a crucial requirement for security-critical voice-based services on smart speakers, such as transferring money or making online purchases. Whilst various studies have explored novel authentication mechanisms for voice-based services, there is little research on the user experience of respective authentication methods. To address this gap, we conducted a comprehensive online survey (n=696). We compared five authentication methods (spoken PIN, biometrics, app with button/voice confirmation, card reader) regarding their perceived efficiency, security, ease of use, and error susceptibility. Additionally, we investigated users’ willingness to use security-critical services in banking and government. We found an overall preference to confirm actions triggered by voice by pressing a button on a mobile authentication app, followed by PIN-based authentication. In contrast, biometric authentication by voice is considered unreliable, while applying a card reader is regarded as secure, yet less convenient.
- Conference paper: Android Pattern Unlock Authentication - effectiveness of local and global dynamic features (BIOSIG 2019 - Proceedings of the 18th International Conference of the Biometrics Special Interest Group, 2019). Ibrahim, Nasiru; Sellahewa, Harin.
  This study conducts a holistic analysis of the performance of biometric features incorporated into Pattern Unlock authentication. The objective is to enhance the strength of the authentication by adding an implicit layer. Earlier studies have incorporated either global or local dynamic features for verification; however, as found in this paper, different features have variable discriminating power, especially at different extraction levels. The discriminating potential of global, local and their combination is evaluated. Results showed that locally extracted features have higher discriminating power than global features, and combining both features gives the best verification performance. Further, a novel feature was proposed and evaluated, which was found to have a varied impact (both positive and negative) on the system performance. From our findings, it is essential to evaluate features (independently and collectively) extracted at different levels (global and local) and in different combinations, since some might impede the verification performance of the system.
- Text document: Authentication and Authorization in Microservice-Based Applications (INFORMATIK 2022, 2022). Sänger, Niklas; Abeck, Sebastian.
  The development of microservice-based applications adds challenges when using different cloud services. One such challenge is the integration of authentication and authorization among different systems. In this publication, we describe the development of a software as a service solution with the focus on the integration of authentication and authorization. For the development of the business logic, the integration platform as a service MuleSoft is used. The identity and access management as a service solution Okta is used to provide the necessary means for authentication. To perform authorization decisions, JSON Web Tokens and API proxies are used.
- Conference paper: Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0 (Open Identity Summit 2022, 2022). Fotiou, Nikos; Faltaka, Evgenia; Kalos, Vasilis; Kefala, Anna; Pittaras, Iakovos; Siris, Vasilios A.; Polyzos, George C.
  We design, implement, and evaluate a solution for achieving continuous authorization of HTTP requests exploiting Verifiable Credentials (VCs) and OAuth 2.0. Specifically, we develop a VC issuer that acts as an OAuth 2.0 authorization server, a VC verifier that transparently protects HTTP-based resources, and a VC wallet implemented as a browser extension capable of injecting the necessary authentication data in HTTP requests without needing user intervention. Our approach is motivated by recent security paradigms, such as the Zero Trust architecture, that require authentication and authorization of every request, and it is tailored for HTTP-based services accessed using a web browser. Our solution leverages JSON Web Tokens and JSON Web Signatures for encoding VCs and protecting their integrity, achieving interoperability and security this way. VCs in our system are bound to a user-controlled public key or a Decentralized Identifier, and mechanisms for proving possession are provided. Finally, VCs can be easily revoked.
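  The per-request flow the abstract sketches (issuer signs a JWT-encoded credential bound to the holder's key, wallet proves possession on every HTTP request, verifier checks both before the resource is touched), as an added example that is not the authors' implementation and not the code of the Okta/MuleSoft setup described in the microservice entry above, which it also illustrates since its authorization decision is made from JWT claims. The program uses only Go's standard library: the credential carries the holder's Ed25519 public key in a cnf claim (the RFC 7800 confirmation method), the proof is a short-lived JWS over method, URL and credential hash in the style of DPoP, and the verifier pins the JWS algorithm so an "alg: none" or key-type substitution is refused. The identifiers did:example:alice, https://issuer.example, the EmployeeCredential type, the role value and the 60-second freshness window are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return pub, priv }

// signJWT builds a compact JWS (alg EdDSA) over the given claims.
func signJWT(priv ed25519.PrivateKey, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifyJWT pins the algorithm (no "none", no key-type confusion), checks the signature with the key the caller expects and returns the claims.
func verifyJWT(pub ed25519.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected JWS header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("bad signature")
	}
	claims := map[string]any{}
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}

// issueVC: the issuer (in the OAuth 2.0 authorization-server role) signs the credential and binds it to the holder's key via cnf (RFC 7800).
func issueVC(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, now time.Time) string {
	return signJWT(issuerPriv, map[string]any{
		"iss": "https://issuer.example", "sub": "did:example:alice", "exp": now.Add(time.Hour).Unix(), // assumed sample values
		"cnf": map[string]any{"jwk": map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(holderPub)}},
		"vc":  map[string]any{"type": []string{"VerifiableCredential", "EmployeeCredential"}, "credentialSubject": map[string]string{"role": "analyst"}},
	})
}

// holderProof is what the wallet adds to every HTTP request: a fresh JWS over method, URL and credential hash, signed with the bound key (DPoP-style).
func holderProof(holderPriv ed25519.PrivateKey, method, url, vc string, now time.Time) string {
	h := sha256.Sum256([]byte(vc))
	return signJWT(holderPriv, map[string]any{"htm": method, "htu": url, "iat": now.Unix(), "ath": b64.EncodeToString(h[:])})
}

// authorize is the verifier in front of the resource: each request needs a valid, unexpired VC and a proof of possession of the bound key.
func authorize(issuerPub ed25519.PublicKey, vc, proof, method, url string, now time.Time) (string, error) {
	claims, err := verifyJWT(issuerPub, vc)
	if err != nil {
		return "", fmt.Errorf("vc: %w", err)
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return "", fmt.Errorf("vc expired or has no exp")
	}
	cnf, _ := claims["cnf"].(map[string]any)
	jwk, _ := cnf["jwk"].(map[string]any)
	x, _ := jwk["x"].(string)
	holderPub, err := b64.DecodeString(x)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return "", fmt.Errorf("vc carries no usable cnf key binding")
	}
	p, err := verifyJWT(ed25519.PublicKey(holderPub), proof)
	if err != nil {
		return "", fmt.Errorf("proof: %w", err)
	}
	h := sha256.Sum256([]byte(vc))
	iat, _ := p["iat"].(float64) // the 60 s freshness window is an assumption of this example
	if p["htm"] != method || p["htu"] != url || p["ath"] != b64.EncodeToString(h[:]) || now.Unix()-int64(iat) > 60 {
		return "", fmt.Errorf("proof does not match this request or is stale")
	}
	vcObj, _ := claims["vc"].(map[string]any)
	subj, _ := vcObj["credentialSubject"].(map[string]any)
	role, _ := subj["role"].(string)
	return role, nil
}

func main() {
	now := time.Now()
	issuerPub, issuerPriv := newKey()
	holderPub, holderPriv := newKey()
	_, thiefPriv := newKey()
	vc, url := issueVC(issuerPriv, holderPub, now), "https://api.example/reports"
	fmt.Println(authorize(issuerPub, vc, holderProof(holderPriv, "GET", url, vc, now), "GET", url, now))    // analyst <nil>
	fmt.Println(authorize(issuerPub, vc, holderProof(holderPriv, "GET", url, vc, now), "DELETE", url, now)) // captured proof replayed: rejected
	fmt.Println(authorize(issuerPub, vc, holderProof(thiefPriv, "GET", url, vc, now), "GET", url, now))     // stolen VC without the holder's key: rejected
}
```

  A deployment adds what the abstract's last sentence asks for, revocation, which this example leaves out: the verifier would consult the issuer's status list before the exp check, and keep a short cache of seen proof identifiers so a proof cannot be replayed within its freshness window.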
- Conference paper: FAPI 2.0: A High-Security Profile for OAuth and OpenID Connect (Open Identity Summit 2021, 2021). Fett, Daniel.
  A growing number of APIs, from the financial, health and other sectors, give access to highly sensitive data and resources. With the Financial-grade API (FAPI) Security Profile, the OpenID Foundation has created an interoperable and secure standard to protect such APIs. The first version of FAPI has recently become an official standard and has already been adopted by large ecosystems, such as OpenBanking UK. Meanwhile, the OpenID Foundation’s FAPI Working Group has started the work on the second version of FAPI, putting a focus on robust interoperability, simplicity, a more structured approach to security, and improved non-repudiation. In this paper, we give an overview of the FAPI profiles, discuss the learnings from practice that influence the development of the latest version of FAPI, and show how formal security analysis helps to shape security decisions.
- Journal article: “Get a Free Item Pack with Every Activation!” - Do Incentives Increase the Adoption Rates of Two-Factor Authentication? (i-com: Vol. 18, No. 3, 2019). Busse, Karoline; Amft, Sabrina; Hecker, Daniel; von Zezschwitz, Emanuel.
  Account security is an ongoing issue in practice. Two-Factor Authentication (2FA) is a mechanism which could help mitigate this problem; however, adoption is not very high in most domains. Online gaming has adopted an interesting approach to drive adoption: games offer small rewards, such as visual modifications to the player’s avatar’s appearance, if players utilize 2FA. In this paper, we evaluate the effectiveness of these incentives and investigate how they can be applied to non-gaming contexts. We conducted two surveys, one recruiting gamers and one recruiting from a general population. In addition, we conducted three focus group interviews to evaluate various incentive designs for both the gaming context and the non-gaming context. We found that visual modifications, which are the most popular type of gaming-related incentives, are not as popular in non-gaming contexts. However, our design explorations indicate that well-chosen incentives have the potential to lead to more users adopting 2FA, even outside of the gaming context.
- Journal article: IoT Security Best Practices (HMD Praxis der Wirtschaftsinformatik: Vol. 58, No. 2, 2021). Barenkamp, Marco.
  The article gives an overview of best practice standards for IoT (Internet of things) access authentication. It is shown that client-side authentication offers the highest potential for secure process automation at high interaction frequency compared to default authentication and blockchain-based approaches. A novel concept of client-side automated access management using the TLS (transport layer security) standard, which has proven itself in the agriculture segment for over a year, is presented. Compared to established authentication methods, it offers the advantage of higher security with simultaneous automated login of multiple end devices on the IoT server. Due to these potentials, the presented new authentication standard is suitable as a general cross-industry access concept for IoT applications.
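  As an added illustration of the client-side TLS authentication the abstract refers to, and not the article's own concept or code, the Go program below (standard library only) builds an in-memory device CA, issues a gateway certificate and a device certificate from it, runs an HTTPS endpoint that requires and verifies client certificates, and shows that a device without a certificate, or with one issued by a CA the gateway does not trust, cannot log in at all: the handshake fails before any application data is exchanged, and the handler receives the device identity from the verified certificate instead of from a password or API key. The CA names, device name sensor-0042, the loopback address and the 24-hour validity are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a key pair and certificate for cn. With ca == nil it returns a
// self-signed device CA, otherwise a leaf certificate signed by that CA.
func issue(cn string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest binds to loopback
	}
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, t.KeyUsage|x509.KeyUsageCertSign
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer runs an HTTPS endpoint that completes the handshake only for clients
// presenting a certificate chaining to deviceCA; the certificate is the login.
func startServer(deviceCA *x509.Certificate, serverCert tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(deviceCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert guarantees PeerCertificates[0] exists and chains to deviceCA.
		fmt.Fprintf(w, "device %s authenticated", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// probe connects as a device; a nil clientCert simulates a client without credentials.
func probe(srv *httptest.Server, serverCA *x509.Certificate, clientCert *tls.Certificate) (int, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/telemetry")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

// demo builds the PKI, starts the gateway and returns the outcome of three logins.
func demo() (status int, body string, noCertErr, rogueCAErr error) {
	ca, caKey, _ := issue("Fleet Device CA", 1, nil, nil)
	rogueCA, rogueKey, _ := issue("Rogue CA", 2, nil, nil)
	_, _, serverCert := issue("iot-gateway", 3, ca, caKey)
	_, _, device := issue("sensor-0042", 4, ca, caKey)
	_, _, rogue := issue("sensor-0042", 5, rogueCA, rogueKey) // same name, untrusted issuer
	srv := startServer(ca, serverCert)
	defer srv.Close()
	status, body, _ = probe(srv, ca, &device)
	_, _, noCertErr = probe(srv, ca, nil)
	_, _, rogueCAErr = probe(srv, ca, &rogue)
	return
}

func main() {
	status, body, noCertErr, rogueCAErr := demo()
	fmt.Println("enrolled device:", status, body)
	fmt.Println("no client certificate:", noCertErr)
	fmt.Println("certificate from untrusted CA:", rogueCAErr)
}
```

  The server never sees a shared secret: whoever holds the device's private key is the device, so the security of the scheme rests on keeping that key on the device (a secure element or TPM in practice) and on the CA issuing only to enrolled hardware; rotating or revoking a device is a CA operation, not a password reset on the server.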
- Conference paper: Multi-resolution Local Descriptor for 3D Ear Recognition (BIOSIG 2019 - Proceedings of the 18th International Conference of the Biometrics Special Interest Group, 2019). Ganapathi, Iyyakutti Iyappan; Ali, Syed Sadaf; Prakash, Surya.
  Several approaches have shown promising results in human ear recognition. However, factors such as the pose, illumination, and scaling have an enormous impact on recognition performance. 3D models are insensitive to these factors and are found to be better at enhancing recognition performance with strong geometric information. Low-cost 3D data acquisition has also boosted the research community in recent times to explore more about 3D object recognition. We present a local multi-resolution descriptor in this paper to recognize human ears in 3D. For each key-point in the 3D ear, a local reference frame (LRF) is constructed. Using multiple radii, we find neighbors at each key-point, and the neighbors obtained from each radius are projected to create a depth image using the LRF. Further, a descriptor is computed by employing neural network based auto-encoders and the local statistics of the depth images. The descriptor is used to locate the potential correspondence matching points in the probe and gallery images for a coarse arrangement, followed by a fine alignment to compute the registration error. The obtained registration error is used as the matching score. The proposed technique is assessed on the UND-J2 dataset to demonstrate its effectiveness.
- Conference paper: Private Authentication with Alpha-Beta Privacy (Open Identity Summit 2023, 2023). Fernet, Laouen; Mödersheim, Sebastian.
  Alpha-beta privacy is a new approach for security protocols that aims to provide a logical and intuitive way of specifying privacy-type goals. Recently the tool noname was published, which can automatically analyze specifications for a bounded number of sessions, but ships only with a few simple examples. This paper models two more complicated case studies, namely the ICAO 9303 BAC and the Privacy Authentication protocol by Abadi and Fournet, and applies the noname tool to analyze them, reproducing known vulnerabilities and verifying the corresponding fixes, as well as providing a better understanding of the privacy properties they provide.