Date of Completion

8-10-2016

Embargo Period

8-10-2017

Major Advisor

Dr. Mohammad Maifi Hasan Khan

Associate Advisor

Dr. Reda A. Ammar

Associate Advisor

Dr. Jinbo Bi

Associate Advisor

Dr. Song Han

Associate Advisor

Dr. Sanguthevar Rajasekaran

Field of Study

Computer Science and Engineering

Degree

Doctor of Philosophy

Open Access

Campus Access

Abstract

Online service providers often use pre-selected challenge questions (i.e., personal knowledge questions) as a fallback authentication mechanism to facilitate resetting or recovering passwords, or to provide an extra layer of security for authentication. However, this widely used approach has several limitations, such as easy predictability, inapplicability, and poor recall rate. To address the limitations of static-question-based fallback authentication mechanisms, in this thesis we investigate the challenge of authenticating users by leveraging smartphone-based behavior data, and investigate the usability of this approach.

Towards that, in the first part of the thesis, we leverage users' location information tracked by smartphones over an extended period of time and generate different types of dynamic security questions and present them to users for authentication. Specifically, the system builds a location profile for an individual user based on periodically logged Wi-Fi access point data, and leverages this location profile to generate authentication questions.
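The following is an added illustration of the location-profile idea described above; it is example code written for this page, not the dissertation's own system. It assumes a simplified log format (one ISO timestamp and the SSID of the strongest visible access point per line), three coarse time-of-day slots, a multiple-choice question format, and a guessability rule that excludes the user's single most frequently seen network from serving as a correct answer; all of these are assumptions, and the sample log is constructed.

```python
"""Toy location profile and dynamic security question generator (example, not the thesis code)."""
import hmac
import random
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "ISO timestamp,SSID". 2016-03-07 is a Monday.
SAMPLE_LOG = """\
2016-03-07T08:10:00,HomeNet
2016-03-07T09:05:00,UConn-Secure
2016-03-07T13:30:00,UConn-Secure
2016-03-07T19:00:00,HomeNet
2016-03-08T08:15:00,HomeNet
2016-03-08T12:40:00,Cafe-Guest
2016-03-08T13:20:00,Cafe-Guest
2016-03-08T20:10:00,HomeNet
2016-03-09T09:00:00,UConn-Secure
2016-03-09T14:00:00,UConn-Secure
2016-03-09T18:30:00,Gym-WiFi
2016-03-09T21:00:00,HomeNet
"""

# Assumed time-of-day buckets; anything outside them is "night".
SLOTS = (("morning", 6, 12), ("afternoon", 12, 18), ("evening", 18, 24))


def slot_name(hour):
    for name, lo, hi in SLOTS:
        if lo <= hour < hi:
            return name
    return "night"


def build_profile(log_text):
    """Map (weekday, slot) -> Counter of SSIDs observed in that slot."""
    profile = defaultdict(Counter)
    for line in log_text.strip().splitlines():
        ts, ssid = line.split(",", 1)
        dt = datetime.fromisoformat(ts)
        profile[(dt.strftime("%A"), slot_name(dt.hour))][ssid.strip()] += 1
    return profile


def generate_question(profile, rng, min_sightings=2, n_options=4):
    """Return one multiple-choice question dict, or None if the profile is too thin."""
    overall = Counter()
    for seen in profile.values():
        overall.update(seen)
    # Assumption: the most frequent network overall (usually "home") is too
    # predictable to be a correct answer, so it never becomes one.
    too_predictable = overall.most_common(1)[0][0] if overall else None
    candidates = []
    for (weekday, slot), seen in profile.items():
        ssid, count = seen.most_common(1)[0]
        if ssid == too_predictable or count < min_sightings:
            continue
        if count <= sum(seen.values()) - count:  # answer must dominate its slot
            continue
        candidates.append((weekday, slot, ssid))
    if not candidates:
        return None
    weekday, slot, answer = rng.choice(sorted(candidates))
    # Distractors are networks the user knows but was not seen near in that slot,
    # so every option is plausible to an outsider but only one is correct.
    distractors = [s for s in sorted(overall) if s not in profile[(weekday, slot)]]
    rng.shuffle(distractors)
    options = [answer] + distractors[: n_options - 1]
    rng.shuffle(options)
    prompt = f"Which Wi-Fi network were you usually near on {weekday} {slot}s?"
    return {"prompt": prompt, "options": options, "answer": answer}


def verify_answer(question, chosen):
    """Constant-time comparison of the chosen option against the stored answer."""
    return hmac.compare_digest(question["answer"].encode(), chosen.encode())


if __name__ == "__main__":
    profile = build_profile(SAMPLE_LOG)
    question = generate_question(profile, random.Random(1))
    print(question["prompt"])
    for option in question["options"]:
        print("  -", option)
```

With the constructed log, only the Tuesday-afternoon slot has a dominant, repeatedly seen network that is not the user's overall most common one, so the generator produces a question whose answer is `Cafe-Guest`; raising `min_sightings` above the available evidence makes it return `None` rather than ask a weakly grounded question.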

Subsequently, as smartphones can capture a wide range of information about users' day-to-day activities, in the second part of the thesis we extend our work and leverage multiple data types (e.g., phone calls, SMS messaging, application usage behavior) to generate dynamic security questions for fallback authentication. As answering different types and styles of challenge questions is likely to require different amounts of cognitive effort and to affect users' performance, in this part of the dissertation we explore the design space of dynamic security question and answer generation algorithms for fallback authentication, and their usability through a field study.

Finally, to address users' poor recall rate, which can significantly hurt the usability of such systems, we investigate the possibility of using hints that may help users recall recent day-to-day events more easily, and we explore various design alternatives for generating hints. Towards that, we generate challenge questions and hints based on different kinds of autobiographical data (e.g., call logs, SMS logs, and location logs), and evaluate the effect of different question and hint types on user performance by conducting a field study.

Through a series of field studies, we found that question types indeed have a significant effect on user performance. We also found that hints have a significant positive effect on legitimate users' response correctness, a negative effect on strong adversarial users' response correctness, and no significant effect on response correctness for naive adversarial users. Finally, the model-based accuracy of the presented system was found to significantly exceed the accuracy of static-challenge-question-based systems, and the system was also harder for adversarial users to compromise. Based on our findings, we conclude that the presented authentication framework can be used for fallback authentication and can significantly improve overall system security.
