rene_mobile’s Twitter Archive—№ 8,105

Very happy to see our newest article "Adversary Models for Mobile Device Authentication" online as open access: dl.acm.org/doi/10.1145/3477601. It was a long process, and I greatly enjoyed working with @StephSigg on this survey of authentication methods with now 303 refs. Short summary:

@StephSigg Authenticating users to their mobile devices is hard, and very use case and situation dependent. There is a long, active research history of over 20 years that proposed a multitude of such methods. 1/

@StephSigg We analyzed user-to-device (U2D), device-to-device (D2D), and device-to-user (D2U) approaches. While there are many highly interesting methods with great research on biometric and other data analysis, we found that often the threat models are not clear. 2/

@StephSigg Our main contribution in addition to the survey is to propose a qualitative adversarial model to roughly rank how resistant an authentication method is against different capabilities and effort available to the (assumed) adversary. Obviously, proposed methods differ widely. 3/

@StephSigg We urge the community to be clearer on which adversaries a method is designed to be resistant against in future research. The best case is to also test each method against adversaries that are assumed to break it - to delineate what it is and isn't supposed to protect against. 4/

@StephSigg For current smart phones, it is becoming standard procedure to test fingerprint and other biometric unlock methods specifically against adversaries with the assumed capability to create good fakes of these biometrics: fingerprint molds or face masks, e.g. 5/

@StephSigg This takes a lot of work and is not feasible for all academic research proposals. However, we need to do better than many of the proposals we found that only tested security against uninformed adversaries with no real motivation to break the system. 6/

@StephSigg Our initial working title for this project was "Three office mates and myself: How (not) to model adversaries for mobile device authentication" in reference to how many of the proposals were tested. However, the final paper goes a bit beyond that 😅 7/

@StephSigg We'd like to especially thank @vishwath and @aesdeluca for many discussions during the multi-year project to come up with an adversarial classification that we hope will be useful for future research. 8/8