Security and privacy in continuous authentication: non-technical to technical aspects

Cybersecurity incidents are happening frequently and consistently. Poor authentication mechanisms are one of the reasons for security breaches. Traditional authentication mechanisms may suffer from certain security issues, such as stolen credentials, spoofing attacks, session hijacking, etc.

Organizations implement a Zero Trust Model (ZTM) to strengthen security. ZTM continuously verifies users, devices, activities, etc., and enforces strict access controls. It utilizes user identity data, contextual data, the applications installed on the device, cookies, network data, etc., to provide passive and seamless continuous authentication. A Zero Trust framework mitigates the security risks to some extent, but it may still suffer from the risk of insider threats, session hijacking, etc.

Generally, continuous authentication can be accomplished in different ways: by analyzing user contextual information such as location data, device data, cookies, network data, etc., or by analyzing user behavioral patterns such as typing patterns (keystroke dynamics), screen pressure and patterns (touch dynamics), mouse or mobile movements, walking patterns (gait dynamics), and more.

Limiting authentication to a single modality has limitations and does not make the authentication process continuous. Authentication fails when a session is hijacked by an insider, so that no contextual changes occur, or when the imposter does not perform the specific action that is utilized for the continuous authentication.

Accomplishing continuous authentication using a combination of behavioral and contextual modalities may solve the limitation and potentially strengthen security.

 

Privacy concerns

User privacy is crucial in the domain of continuous authentication. The potential problem with every modality of continuous authentication is that it utilizes the user's personal data. Moreover, excessive tracking and user profiling raise privacy concerns.

As stated above, adding more modalities to the system may strengthen security, but the more modalities we add, the more privacy we compromise. These modalities contain information about the user's daily life activities, physical and logical locations, and other personal and behavioral information.

Continuous authentication modalities may reveal the following information:

- Data: behavioral data contain sensitive user information (e.g., age, gender), and contextual data contain information about logical and physical addresses and other device-related information.

- User daily life activities, e.g., when and what type of activity is performed.

 

List of cryptographic primitives to achieve privacy.

Homomorphic encryption (HE): the algebraic structure of homomorphic encryption enables computation in the encrypted domain. Protecting data with encryption can partially solve some privacy concerns. For instance, it can protect the information that may potentially be inferred from the data.

But homomorphic encryption alone cannot solve all privacy concerns, especially when a third party performs the computation. Homomorphic encryption schemes are mostly probabilistic. The data utilized for continuous authentication are index-sensitive. One can never predict what kind of activity will be performed, so one has to perform an index lookup before performing the computation. Revealing the index of an activity to a third party reveals information about that activity; consequently, the third party may learn the user's activities even if the data are encrypted. The privacy of user activities can be achieved by performing computations on the client side. Still, the question remains: how can enrolment data be retrieved from a third party in a privacy-preserving manner?
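The two properties this section relies on, probabilistic ciphertexts and computation in the encrypted domain, are shown here with a toy Paillier scheme. This is an added example, not code from the original post or the cited papers; the primes, the feature vectors and all function names are constructed for illustration and are far too small for real use.

```python
import math
import secrets

# Toy Paillier parameters (constructed; far too small for real use).
P, Q = 1789, 1907
N = P * Q
N2 = N * N
G = N + 1                                             # public generator
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)     # private: lcm(p-1, q-1)


def _l(u):
    return (u - 1) // N


MU = pow(_l(pow(G, LAM, N2)), -1, N)                  # private


def encrypt(m):
    """Probabilistic: a fresh random r blinds every ciphertext."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (pow(G, m % N, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    m = (_l(pow(c, LAM, N2)) * MU) % N
    return m - N if m > N // 2 else m                 # signed result


def enc_sub(c_a, c_b):
    """Key-less operation: Enc(a) * Enc(b)^-1 mod n^2 = Enc(a - b)."""
    return (c_a * pow(c_b, -1, N2)) % N2


def encrypted_difference(enc_template, enc_sample):
    """Third party: per-feature difference on ciphertexts only."""
    return [enc_sub(s, t) for s, t in zip(enc_sample, enc_template)]


# Constructed feature vectors (e.g. key hold times in ms).
TEMPLATE = [120, 85, 200]
SAMPLE = [118, 90, 200]


def demo():
    enc_t = [encrypt(v) for v in TEMPLATE]            # stored at enrolment
    enc_s = [encrypt(v) for v in SAMPLE]              # sent in-session
    return [decrypt(c) for c in encrypted_difference(enc_t, enc_s)]
```

The third party never sees a feature value, yet it still has to be told which enrolled template to use, which is the index leak discussed above.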

 

The following primitives can be combined with homomorphic encryption for privacy-preserving data retrieval:

Private information retrieval (PIR): the sender transmits data back to the receiver at the beginning of a session without learning any information about the receiver's input. The data can be sent back to the client at the beginning of the session without revealing any index (activity) to the third party (authentication server), and the client can then perform the operation on the encrypted features by performing an index lookup.

Oblivious transfer protocol (OT): an OT protocol is a cryptographic primitive that allows the retrieval of elements in a privacy-preserving way, such that the sender has no information about the receiver's choice and the receiver can only see the element(s) that she has asked for, while the other elements remain oblivious to the receiver. OT provides stronger security because the client can see the indices of performed activities but cannot see the indices of the other activities. The combination of OT and HE allows data to remain encrypted throughout computations. For instance, OT can be utilized to transfer encrypted data, while HE allows useful operations to be performed on the encrypted data.

Cryptographic hash function: one can achieve privacy of user activities by using a cryptographic hash function, where indices are hashed and salted with a secret key.

Due to the deterministic nature of the hash function, the same value always produces the same hash; for instance, an index generates the same hashed value each time. This could make the solution traceable: the third party (cloud) may learn whether the user performed similar or different activities, even without knowledge of the exact activity. Other solutions, such as PIR and OT, provide pretty good privacy. In the case of PIR, the indices of all activities are revealed to the client, and the client can perform the computation, whereas in the case of OT, the indices of only the relevant activities are revealed to the client and the rest of the activities remain oblivious to the client. A disadvantage of OT protocols, however, is that they require high communication cost.
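The traceability of hashed indices can be made concrete by looking at what the third party actually logs. The following is an added example, not code from the original post; the activity names, key, placeholder ciphertexts and function names are constructed, and the bulk retrieval shown is only the simplest (trivial) form of PIR, used here for contrast.

```python
import hashlib
import hmac
from collections import Counter

# Constructed data: activity names and the session are illustrative only.
SECRET_KEY = b"client-only-secret"            # never sent to the server
SESSION = ["typing", "swipe", "typing", "typing", "gait", "swipe"]
ENROLLED = {"typing": "ct-1", "swipe": "ct-2", "gait": "ct-3"}  # ciphertexts


def index_token(activity, key=SECRET_KEY):
    """Keyed hash of an activity index, as sent to the third party."""
    return hmac.new(key, activity.encode(), hashlib.sha256).hexdigest()


def server_view_hashed(session):
    """Per-activity lookups: the server logs one token per request."""
    return [index_token(a) for a in session]


def linkable_pattern(tokens):
    """What the server derives without the key: which requests refer
    to the same (unknown) activity, and how often each one occurs."""
    labels = {}
    pattern = [labels.setdefault(t, len(labels)) for t in tokens]
    return pattern, sorted(Counter(pattern).values(), reverse=True)


def server_view_bulk(session, enrolled):
    """Retrieval at session start: the server returns every enrolled
    (encrypted) template once; index lookups happen on the client."""
    requests = ["GET all templates"]          # the only thing the server logs
    local = {a: enrolled[a] for a in session} # client-side lookup
    return requests, local
```

With the hashed lookups the server recovers the repetition pattern `[0, 1, 0, 0, 2, 1]` of the session without knowing any activity name, whereas the bulk retrieval leaves it with a single request that is independent of what the user does.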

 

In conclusion, privacy-preserving continuous authentication enhances user experience. Maintaining the right balance in the trade-off between performance and privacy is a challenge that requires consideration.


This blogpost was written by Ahmed Fraz Baig. Ahmed received a Bachelor's degree in Computer Science from International Islamic University Islamabad, Pakistan. Later he received a Master's degree in Computer Science from the same university. He has worked on different research projects related to information security and machine learning. He holds research experience in applied cryptography, network security, machine learning and HCI. Specifically, he has working experience in cryptographic protocol modeling, analysis, formal verification, cryptanalysis and the design of secure authentication mechanisms. Moreover, he has also worked on deep learning algorithms, natural language processing (NLP) and gesture-based authentication techniques for mobile devices.