1
Context-Aware Authentication Framework
Diwakar Goel, Eisha Kher, Shriya Joag, Veda Mujumdar, Martin Griss, Anind K. Dey
CyLab Mobility Research Center
Mobility Research Center Carnegie Mellon Silicon Valley
2
Outline
  • Background
  • A Scenario
  • The Architecture
  • Threats and Attacks Mitigated
  • Conclusion

October 26, 2009
4
Context-Awareness
  • Context
    • information about the situation of an entity, e.g., location, identity, time, activity
  • Context-Aware Systems
    • use context to provide relevant information and/or services to the user
    • enhance the behavior of any application by informing it of the context of use

5
Our solution framework
  • Authentication algorithm
    • User scans QR codes using camera-phones, requests access
    • Context contains authentication information
    • Access may be granted based on policies
  • Contextual cues used
    • Location (coordinates, using Wi-Fi positioning)
    • Roles (faculty, student, staff, admin)
    • Time of day

6
Context-Aware Authentication
  • Enhances usability
    • Password replaced by gesture
  • Enhances robustness
    • Adaptive instead of static passwords
  • Scalable
    • Ubiquitous use of mobile phones
  • Extensible
    • Multiple contextual cues, e.g., time, location, roles

8
A scenario
10
The Architecture
11
The Architecture
  • Dynamic
    • Linked to server
    • On tablets, kiosks, other screens
  • Static
    • Inexpensive
    • On paper

12
The Architecture
  • Logs
    • Authentication attempts
    • Time
    • Result
    • Context info
  • Maintains
    • QR code info
    • Location info
    • Expiry time

13
The Architecture
  • Stores
    • User-specific info
    • Session token
    • Calendar id

14
Example
  • Step 1: Scan QR code
  • Step 2: Extra authentication (optional extra layer of security)
  • Step 3: Context-based access

16
Threats and Attacks Mitigated
  • Replication of displayed code
    • Time varying, location varying QR codes
  • Cloning/theft of user device
    • Session tokens, line-of-sight property
  • Brute force/guessing attack
    • Dynamically generated codes
  • Faking/manipulating context information
    • Weighted context cues, peer verification
  • Sniffing attack
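
The code checks named on this slide (time-varying, location-bound, dynamically generated codes) followed by a role and time-of-day policy decision, as an added Python example that is not the authors' implementation. The HMAC-SHA256 construction, the key, the 30-second window, the site ids, the policy table and the timestamps are all assumptions, and the phone's Wi-Fi position is assumed to be already resolved to a site id; weighted cues and peer verification are not modelled.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
PERIOD = 30                           # assumption: seconds one displayed code stays valid
# Constructed policy: (role, site) -> allowed UTC hours [start, end)
POLICY = {("faculty", "lab-101"): (0, 24), ("student", "lab-101"): (9, 18)}
DAY = 1256515200                      # constructed clock: 2009-10-26 00:00 UTC
NOON, NIGHT = DAY + 12 * 3600, DAY + 22 * 3600

def _tag(site, window):
    msg = f"{site}|{window}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_code(site, now):
    """Payload a dynamic display would render as a QR code for this site and time window."""
    window = int(now) // PERIOD
    return f"{site}|{window}|{_tag(site, window)}"

def verify(code, role, phone_site, now):
    """Server-side check of a scanned code plus contextual cues -> (granted, reason)."""
    try:
        site, window, tag = code.split("|")
        window = int(window)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(tag.encode(), _tag(site, window).encode()):
        return False, "bad-tag"            # guessed or forged code
    if window != int(now) // PERIOD:
        return False, "expired"            # copied code replayed after its window
    if phone_site != site:
        return False, "location-mismatch"  # copied code used from another place
    hours = POLICY.get((role, site))
    hour = (int(now) // 3600) % 24
    if hours is None or not hours[0] <= hour < hours[1]:
        return False, "policy-denied"      # role not allowed here at this time
    return True, "granted"

if __name__ == "__main__":
    code = make_code("lab-101", NOON)
    for args in [("student", "lab-101", NOON), ("student", "lab-101", NOON + PERIOD),
                 ("student", "lab-202", NOON)]:
        print(args, verify(code, *args))
```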

17
Why QR codes?
  • Can be read fast
  • Easy to generate
  • Can be displayed anywhere on screens/printouts
  • Can be read by nearly all camera-equipped phones
  • Robust against sniffing attacks
  • Line-of-sight property

19
Conclusion
  • Role-based and location-based access control
    • Leveraged user's context
    • Used light-weight tagging
  • Advantages
    • Simple, inexpensive, scalable, extensible
    • Centralized control over authentication sites
    • Smarter and robust authentication
  • Future work
    • Adding other contextual cues, user profiling

20
Acknowledgments
  • Thanks to
    • Co-authors for their contribution
    • CyLab, ARO and Nokia for their grants
    • You for patient listening!
