Multi-factor Mobile Authentication

Transcription

1 Multi-factor Mobile Authentication Ram Ramachandran Program Director, Adv. Technologies IBM Research June 9, 2014

2 Password Authentication Who is using this mobile device? Valuable information and assets are at risk! Mobile device unlock is predominantly: Weak credentials: PIN / SWYPE No authentication Secure passwords are very hard to enter High dissatisfaction with strong password entry Security credentials are cached by mobile apps We are authenticating devices! Mobile devices are more likely to be lost / stolen / shared 2

3 Many Possible Authentication Methods Face recognition (with liveness testing) Voice recognition (with liveness testing) Fingerprint Gesture/signature Iris Gait/motion Tapped rhythm QR Code Image selection Q&A Paired device, physical tokens. 3

4 Example: Face and Voice Biometrics 4

5 Multi-factor Authentication Strong authentication through fusion of several biometric samples 5

6 Accessible Authentication A choice of authentication methods is flexible for use in a range of mobile situations, and provides accessibility Hands busy Gloves on Bad light Amputation Poor memory Low literacy Motor impairment Tremor Voice control Low vision Light sensitive Glass eye Wearing a niqab Public place Laryngitis Speech impairment 6

7 Approach Reduce security risk and improve accessibility through context aware multi-factor authentication and risk-based authorization. Based on context, "authenticate just enough" to accommodate user preference and (situational) impairments 7

8 Context-awareness Recognizes unfamiliar environment stepped-up authentication Senses device left behind session lockout 8

9 Multi-Factor Authentication Situation Authentication Tests Enrollment Driving Gloves on Voice Gesture Auth. service selects challenges Verifies against enrollment Hands busy Face Bad light QRCode / NFC Public place Fingerprint 9

10 Risk-based Access Usable Security: Authenticate if and when needed, to the extent needed. Model the user and device context and behaviors Time, location, environment, Usability Security Estimate possible change in possession of the device Lock out to prevent misuse by a 3 rd party Home Determine required authentication confidence Authentication commensurate with value at risk Risk communication Crowded Location Daily Commute Risk? Loss of physical control Public Location Office 10

11 Accommodating Impairments Securely Goal: Create differentiated user experiences, increase mobile channel usage, meet ADA compliance, maintain security, reduce litigation risk People factor: Aging, low vision What if it is too dark to take a picture? Or if Olive s thick glasses make face recognition difficult? Olive can speak her passphrase and sign her name instead. What if she is on the airport bus, or Olive has a tremor that makes it hard to sign? Olive can use face and voice instead. What if Olive has low vision AND a tremor AND she has forgotten her password? She can use her passphrase and take a photo without glasses. Alternatively, a knowledge-based Q&A dialog can be initiated. It may be textual or speech based. What if Olive's phone is snatched? Even if the snatcher finds a password on the device, the bank's policy requires a second form of ID. What if someone is watching over her shoulder? They won't be able to reproduce her signature from just one observation. It would have been easy to see her password as she entered it and they might have been able to use it later. 11

12 One Size Does Not Fit All - Laboratory Study of Biometric Methods Face and Voice can be faster than an 8-character password 10% could not enroll with face/voice. Different impact on working memory. 12 IBM Confidential

13 Scenario Olive the Banker Goal: Create differentiated user experiences, increase mobile channel usage, meet ADA compliance, maintain security, reduce litigation risk People factor: Aging, low vision Olive is a bank employee traveling overseas She lands in Naples, Italy She launches her mobile banking app Access Granted! Banking app syncs with phone s geo-locator. Unusual location triggers strong authentication Olive takes a photo of her face Her face is clearly recognized and her wireless headset and watch are present She accesses the banking system and requests a transfer $$$ The transfer is confirmed 13 It s a very large amount of money, additional authentication is requested She writes her signature on the screen Her signature is recognized IBM Confidential - For Discussion Purposes Only

14 Risk Assessments Information Safety in Different Locations Different access tasks, 6 locations Asked to assess the safety of performing the task in that situation. There was a significant effect: Task (Kruskal-Wallis test, Chi-Square=94.918, p<0.001) Location (Kruskal-Wallis test, Chi-Square= , p<0.001) 14 Summary of responses indicating safety in different situations. X-axis indicates percentage of participant responses for each location.

15 Perceived Information Security Risks 15