Conference article

An Authentication Framework for Nomadic Users

Naveed Ahmed
Department of Informatics and Mathematical Modeling (IMM), Technical University of Denmark, Denmark

Christian Damsgaard Jensen
Department of Informatics and Mathematical Modeling (IMM), Technical University of Denmark, Denmark

Download article

Published in: NODES 09: NOrdic workshop and doctoral symposium on DEpendability and Security; Linköping; Sweden; April 27; 2009

Linköping Electronic Conference Proceedings 41:5, p. 33-42

Show more +

Published: 2009-07-14

ISBN:

ISSN: 1650-3686 (print), 1650-3740 (online)

Abstract

Security and usability are often horn locked and system administrators tend to configure systems so that they favor security over usability. In many cases; however; the increased security results in usability that is so poor that users feel the need to circumvent the security mechanisms. This is probably best explained by considering password based authentication; where a user is actively involved in the process. If the time required to log in to an account is considered too high; users tend to leave their terminals logged in throughout the day and share their account with other users. This is particularly true for nomadic users who move around in ubiquitous computing environments and avail from different IT services from many different locations. In many ubiquitous computing environments; where information processing is not considered the main priority; management often accepts this practise in order to increase productivity; e.g.; in a hectic hospital environment; medical staff has to login and logout of various machines several times in an hour; but the repeated interactions consume a considerable amount of time; causing organizational inefficiency; job frustration and a tendency towards defeating the obstacle by leaving terminals logged in or choosing short and easy to type passwords. Therefore; a password based authentication mechanism; which is quite simple and secure in personal computing; has become too cumbersome for nomadic users; which means that other means of authentication must be developed for nomadic users.

In this paper; we focus on usability of authentication for nomadic users in a ubiquitous computing environment. We identify requirements for authentication of nomadic users and propose an authentication framework for this class of users. A prototype of the proposed authentication framework has been developed; which supports persistent and multifactor authentication without the active intervention of a user.

We evaluate the usability of the developed mechanism by considering the time required to authenticate when logging in to a workstation and compare this to classic password based authentication. The evaluation shows that the proposed mechanism saves a significant amount of time for the nomadic users; which reduces the incentive to circumvent the authentication mechanism. Thus; the mechanism will both provide users with better job satisfaction and increased organizational efficiency; while at the same time increase the effective level of security of the system.

Keywords

Security; Usability; Ubiquitous Computing; Nomadic Users; Authentication

References

[1] Lin Hong; Anil K. Jain; and Sharath Pankanti; “ Can multibiometrics improve performance”; Technical Report MSUCSE9939; Department of Computer Science; Michigan State University; 1999.

[2] Imran Naseem and Ajmal Mian; “User Verification by Combining Speech and Face Biometrics in Video”; Advances in Visual Computing; ISBN 9783540896456; Pg. 482492; 2008.

[3] Sundararaman Jeyaraman and Umut Topkara ; “Have the cake and eat it too – Infusing usability into textpassword based authentication systems”; Proceedings of the 21st ACSAC; Pg. 473 –482; 2005.

[4] D. Davis; F. Monrose and M. K. Reiter; “On User Choice in Graphical Password Schemes;” In Proceedings of the 13th UNIX Security Symposium; August 2004.

[5] Nicholas J. Hopper and Manuel Blum; “A secure human computer authentication schemes”; CMUCS00139; School of Computer Science; Carneige Mellon University; May 2000.

[6] Cynthia Kuo; Sasha Romanosky and Lorrie Faith Cranor; “Human Selection of Mnemonic Phrasebased Passwords”; ACM International Conference Proceeding Series Vol. 149; Pg. 67–78; 2006.

[7] Mark D. Corner and Brian D. Noble; “Zerointeraction authentication”; Proceedings of the 8th annual international conference on Mobile computing and networking Atlanta; Georgia; Pg. 1–11; 2002.

[8] Einar Jonsson; “CoAuthentication A Probabilistic Approach to Authentication”; Master’s thesis; IMMThesis200783; Informatics and Mathematical Modeling; Technical University of Denmark; DTU; 2007.

[9] Bruce L. Riddle; Murray S. Miron; and Judith A. Semo; “Passwords in use in a university timesharing environment”; Computers and Security Vol 8 (7); Pg. 569 – 578; November 1989.

[10] Daniel V. Klein; “Foiling the cracker: A survey of; and improvements to; password security”; Proceedings of the second USENIX Workshop on Security; Pg. 514; July 1990.

[11] Jakob E. Bardram; Rasmus E. Kjær; and Michael Ø. Pedersen; “ContextAware User Authentication: Supporting ProximityBased Login in Pervasive”; UbiComp 2003: Ubiquitous Computing; Pg. 107123; 2003.

[12] Mark D. Corner; Brian D. Noble; “Protecting applications with transient authentication”; Proceedings of the 1st international conference on Mobile systems; San Francisco; California; Pg. 57 – 70; 2003.

[13] F. Bennett; T. Richardson; and A. Harter; “TeleportingMaking Applications Mobile”; Proceedings of the IEEE Workshop on Mobile Computer Systems and Applications; Pg. 82–84; 1994.

[14] B. Brumitt; B. Meyers; J. Krumm; A. Kern and S. Shafer; “EasyLiving: Technologies for Intelligent Environments”; Handheld and Ubiquitous Computing; Pg. 97119; 2000.

[15] A. Ward; A. Jones; and A. Hopper; “A new location technique for the active office”; IEEE Personal Communications; Vol. 4(5); Pg. 4247; October 1997.

[16] Daniel M. Russell and Rich Gossweiler; “On the Design of Personal & Communal Large Information Scale Appliances”; Ubicomp 2001: Ubiquitous Computing; Pg. 354361; January 01; 2001.

[17] Xyloc family of products; Ensure Technologies (Ypsilanti; Michigan) ; <http://www.ensuretech.com>; Last visited March 24th; 2009.

[18] Ladislav Bodnar; “Top Ten Linux Distributions”; <http://distrowatch.com/>; Last visited April 1st; 2009.

[19] Lawrence O’Gorman; “Comparing Passwords; Tokens; and Biometrics for User Authentication”; Proceedings of the IEEE; Vol 91(12); Pg 20192040; 2003.

[20] K. Nagel; C. D. Kidd; O’Connell; T. O’Connell; A. Dey and G. D. Abowd; “The Family Intercom: Developing a ContextAware Audio Communication System”; Proceedings of UBICOMP; Pg. 176183; 2001.

[21] R. Want; A. Hopper; V. Falco; and J. Gibbons; “The Active Badge Location System;” ACM Transaction on Information Systems; Vol 10(1); Pg. 91102; January1992.

[22] Science News University of California; San Francisco. "Agerelated Memory Loss Tied To Slip In Filtering Information Quickly." ScienceDaily dated 5 September 2008. <http://www.sciencedaily.com/releases/2008/09/080902143234.htm>; Last visited April 1st; 2009.

[23] Department of Defense; Trusted Computer System Evaluation Criteria dated 1985; <http://csrc.nist.gov/ publications/history/dod85.pdf>; Last visited March 30th; 2009.

[24] Lawrence A. Tomei ; “Encyclopedia of Information Technology Curriculum Integration”; Information Science Reference; illustrated edition ; ISBN13: 9781599048819; February 5; 2008.

[25] Mike Ebbers; Wayne O’Brien and Bill Ogden; “Introduction to the New Mainframe: z/OS Basics” dated July 2006; <http://publibz.boulder.ibm.com/zoslib/pdf/zosbasic.pdf>; last visited March 26th; 2009.

[27] Pam Snaith and Rob Steiskal; “Mainframes are still mainstream”; White paper by CA Inc; June 2007. <www.ca.com>; Last visited March 30th; 2009.

[28] Mark Weasor; “Nomadic Issues in Ubiquitous Computing”; Xerox PARC (Palo Alto Research Center); <http://www.ubiq.com/hypertext/weiser/NomadicInteractive> ; last visited March 26th; 2009.

[29] Marcia Riley; "Ubiquitous Computing: An Interesting New Paradigm"; <http://www.cc.gatech.edu/classes/cs6751_97_fall/projects/saycheese/ marcia/mfinal.html>;Last visited March 26th; 2009.

[30] J. Vollbrecht; P. Calhoun; S. Farrell; L. Gommans; G. Gross; B. de Bruijn; C. de Laat; M. Holdrege and D. Spence; “Network Working Group: RFC 2904”; August 2000.

[31] Charles P. Pfleeger and Shari Lawrence Pfleeger; “Security in Computing”; Prentice Hall Professional Technical Reference; 2002.

[32] Stephan J. Engberg; Morten B. Harning and Christian Damsgaard Jensen; “Zeroknowledge Device Authentication:Privacy & Security Enhanced RFID preserving Business Value and Consumer Convenience”; Proceedings of the 2nd Annual Conference on Privacy; Security and Trust (PST’04); 2004

[33] Martin Kirschmeyer; Mads S. Hansen and Christian D. Jensen; “Persistent Authentication in Smart Environments”; 2nd International Workshop on Combining Context with Trust; Security and Privacy. Trondheim; Norway; 2008.

[34] J. Bardram; T. Kjær and C. Nielsen; “Mobility in Healthcare Reporting on our initial Observations and Pilot Study”;Technical report of a clinical study; CfPC 2003PB52; Center for Pervasive Computing; 2003.

[35] Jens Bæk Jørgensen and Claus Bossen; “Executable Use Cases for Pervasive Healthcare”; IEEE Software Volume 21 ; Issue 2; Pg. 34 – 41; ISSN:07407459; March 2004.

[36] Jakob Bardram; “The trouble with login: on usability and computer security in ubiquitous computing”; Personal and Ubiquitous Computing Vol9(6); Pg. 357–367; ISSN:16174909; November 2005

[37] Rachna Dhamija and Adrian Perrig; “Deja Vu: A user study using images for authentication”; In the Proceedings of the 9th USENIX Security Symposium; Denver; Colorado; August 2000.

[38] I. Jermyn; A. Mayer; F. Monrose; M. Reiter and A. Rubin. “The Design and Analysis of Graphical Passwords”; Proceedings of the 8th UNIX Security Symposium; August 1999.

[39] Matt Bishop; “Computer Security: Art and Science” ; book published by AddisonWesley Professional; ISBN13: 9780201440997; 2002.

[40] Computer Industry Almanac; “25Year PC Anniversary Statistics”; Press release August2006; <http://www.cia. com/pr0806.htm>; Last visited April 1st; 2009.

[41] Password Research; “Authentication Statistic Index” maintained by Bruce K. Marshall; <http://passwordresearch.com/stats/statindex.html>; Last visited April 1st; 2009.

Citations in Crossref