Press @$@$ to login: Strong wearable second factor authentication via short memorywise effortless typing gestures

Prakash Shrestha, Nitesh Saxena, Diksha Shukla, Vir V. Phoha

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The use of wearable devices (e.g., smartwatches) in two factor authentication (2FA) is fast emerging, as wearables promise better usability compared to smartphones. Still, the current deployments of wearable 2FA have significant usability and security issues. Specifically, one-time PIN-based wearable 2FA (PIN-2FA) requires noticeable user effort to open the app and copy random PINs from the wearable to the login terminal's (desktop/laptop) browser. An alternative approach, based on one-tap approvals via push notifications (Tap-2FA), relies upon user decision making to thwart attacks and is prone to skip-through. Both approaches are also vulnerable to traditional phishing attacks. To address this security-usability tension, we introduce a fundamentally different design of wearable 2FA, called SG-2FA, involving wrist-movement 'seamless gestures' captured near transparently by the second factor wearable device while the user types a very short special sequence on the browser during the login process. The typing of the special sequence creates a wrist gesture that when identified correctly uniquely associates the login attempt with the device's owner. The special sequence can be fixed (e.g., "@$@$"), does not need to be a secret, and does not need to be memorized (could be simply displayed on the browser). This design improves usability over PIN-2FA since only this short sequence has to be typed as part of the login process (no interaction with or diversion of attention to the wearable and copying of random PINs is needed). It also greatly improves security compared to Tap-2FA since the attacker cannot succeed in login unless the user's wrist is undergoing the exact same gesture at the exact same time. Moreover, the approach is phishing-resistant and privacy-preserving (unlike behavioral biometrics). Our results show that SG-2FA incurs only minimal errors in both benign and adversarial settings based on appropriate parameterizations.

Original language: English (US)
Title of host publication: Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 71-87
Number of pages: 17
ISBN (Electronic): 9781665414913
State: Published - Sep 2021
Event: 6th IEEE European Symposium on Security and Privacy, Euro S and P 2021 - Virtual, Online, Austria
Duration: Sep 6 2021 → Sep 10 2021

Publication series

Name: Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021

Conference

Conference: 6th IEEE European Symposium on Security and Privacy, Euro S and P 2021
Country/Territory: Austria
City: Virtual, Online
Period: 9/6/21 → 9/10/21

Keywords

  • Behavioral Authentication
  • Two Factor Authentication
  • Wearable Authentication

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
