A Passwordless MFA Utlizing Biometrics, Proximity and Contactless Communication

• URL: http://arxiv.org/abs/2406.09000v1
• Date: Thu, 13 Jun 2024 10:58:25 GMT
• Title: A Passwordless MFA Utlizing Biometrics, Proximity and Contactless Communication
• Authors: Sneha Shukla, Gaurav Varshney, Shreya Singh, Swati Goel,
• Abstract summary: This paper introduces an advanced authentication method for user verification that utilizes the user's real-time facial biometric identity. We have implemented a prototype authentication system on a BLE-NFC-enabled Android device, and initial threat modeling suggests that it is safe against known phishing attacks.
• Score: 0.3749861135832073
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Despite being more secure and strongly promoted, two-factor (2FA) or multi-factor (MFA) schemes either fail to protect against recent phishing threats such as real-time MITM, controls/relay MITM, malicious browser extension-based phishing attacks, and/or need the users to purchase and carry other hardware for additional account protection. Leveraging the unprecedented popularity of NFC and BLE-enabled smartphones, we explore a new horizon for designing an MFA scheme. This paper introduces an advanced authentication method for user verification that utilizes the user's real-time facial biometric identity, which serves as an inherent factor, together with BLE- NFC-enabled mobile devices, which operate as an ownership factor. We have implemented a prototype authentication system on a BLE-NFC-enabled Android device, and initial threat modeling suggests that it is safe against known phishing attacks. The scheme has been compared with other popular schemes using the Bonneau et al. assessment framework in terms of usability, deployability, and security.

Related papers

• A Mobile Payment Scheme Using Biometric Identification with Mutual Authentication [9.904746542801837]
  Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. We propose a novel mobile payment scheme based on biometric identification.
  arXiv  Detail & Related papers  (2024-09-24T07:37:55Z)
• L2AI: lightweight three-factor authentication and authorization in IOMT blockchain-based environment [0.6554326244334868]
  Medical Internet of Things (IoMT) enables individuals to remotely manage their essential activities with minimal interaction. This paper presents a lightweight multi-factor authentication and anonymous user authentication scheme to access real-time data in a blockchain-based environment.
  arXiv  Detail & Related papers  (2024-07-16T21:33:46Z)
• Rethinking the Vulnerabilities of Face Recognition Systems:From a Practical Perspective [53.24281798458074]
  Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning)
  arXiv  Detail & Related papers  (2024-05-21T13:34:23Z)
• Reducing Usefulness of Stolen Credentials in SSO Contexts [0.0]
  Multi-factor authentication (MFA) helps to thwart attacks that use valid credentials, but attackers still commonly breach systems by tricking users into accepting MFA step up requests. This paper proposes a token-based enrollment architecture that is less invasive to user devices than mobile device management.
  arXiv  Detail & Related papers  (2024-01-21T21:05:32Z)
• Leveraging Machine Learning for Wi-Fi-based Environmental Continuous Two-Factor Authentication [0.44998333629984877]
  We present a novel 2FA approach replacing the user's input with decisions made by Machine Learning (ML) Our system exploits unique environmental features associated with the user, such as beacon frame characteristics and Received Signal Strength Indicator ( RSSI) values from Wi-Fi Access Points (APs) For enhanced security, our system mandates that the user's two devices (i.e., a login device and a mobile device) be situated within a predetermined proximity before granting access.
  arXiv  Detail & Related papers  (2024-01-12T14:58:15Z)
• Tamper-Evident Pairing [55.2480439325792]
  Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard. TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent. This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
  arXiv  Detail & Related papers  (2023-11-24T18:54:00Z)
• When Authentication Is Not Enough: On the Security of Behavioral-Based Driver Authentication Systems [53.2306792009435]
  We develop two lightweight driver authentication systems based on Random Forest and Recurrent Neural Network architectures. We are the first to propose attacks against these systems by developing two novel evasion attacks, SMARTCAN and GANCAN. Through our contributions, we aid practitioners in safely adopting these systems, help reduce car thefts, and enhance driver security.
  arXiv  Detail & Related papers  (2023-06-09T14:33:26Z)
• Secure access system using signature verification over tablet PC [62.21072852729544]
  We describe a highly versatile and scalable prototype for Web-based secure access using signature verification. The proposed architecture can be easily extended to work with different kinds of sensors and large-scale databases.
  arXiv  Detail & Related papers  (2023-01-11T11:05:47Z)
• Face Presentation Attack Detection [59.05779913403134]
  Face recognition technology has been widely used in daily interactive applications such as checking-in and mobile payment. However, its vulnerability to presentation attacks (PAs) limits its reliable use in ultra-secure applicational scenarios.
  arXiv  Detail & Related papers  (2022-12-07T14:51:17Z)
• Resilient Risk based Adaptive Authentication and Authorization (RAD-AA) Framework [3.9858496473361402]
  We discuss the design considerations for a secure and resilient authentication and authorization framework capable of self-adapting based on the risk scores and trust profiles. We call this framework as Resilient Risk based Adaptive Authentication and Authorization (RAD-AA)
  arXiv  Detail & Related papers  (2022-08-04T11:44:29Z)
• Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy. We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
  arXiv  Detail & Related papers  (2020-06-10T16:05:05Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.