DOI: 10.1145/3274694.3274699
Research article

Typing-Proof: Usable, Secure and Low-Cost Two-Factor Authentication Based on Keystroke Timings

Published: 03 December 2018

Abstract

Two-factor authentication (2FA) systems provide another layer of protection for users' accounts beyond the password. Traditional hardware-token-based and software-token-based 2FA are not burdenless to users, since they require users to read, remember, and type a one-time code during login, and they incur high deployment or operating costs. Recent 2FA mechanisms such as Sound-Proof reduce or eliminate users' interactions in proving the second factor; however, they are not designed to be used in certain settings (e.g., quiet environments or PCs without built-in microphones), and they are not secure in the presence of certain attacks (e.g., the sound-danger attack and the co-located attack).
To address these problems, we propose Typing-Proof, a usable, secure and low-cost two-factor authentication mechanism. Typing-Proof is similar to software-token-based 2FA in the sense that it uses a password as the first factor and a registered phone to prove the second factor. During the second-factor authentication procedure, it requires the user to type any random code on the login computer and authenticates the user by comparing the keystroke timing sequence of the random code, as recorded by the login computer, with the sounds of typing the random code, as recorded by the user's registered phone. Typing-Proof can be reliably used in any setting and requires zero user-phone interaction in most cases. It is practically secure and immune to the existing attacks on recent 2FA mechanisms. In addition, Typing-Proof enables significant cost savings for both service providers and users.
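As an added illustration (not code from the paper, whose exact onset detector and comparison metric are not given on this page), the following Python sketches the check the abstract describes: the login computer's keydown timestamps are reduced to inter-keystroke intervals and compared against click onsets detected in the phone's recording, and intervals are used so that the two devices' unsynchronized clocks do not matter. The 8 kHz audio, the click model, the energy-ratio onset detector, the 30 ms tolerance and the 0.8 acceptance threshold are all constructed assumptions.

```python
import math
import random

SAMPLE_RATE = 8000  # constructed: sample rate of the simulated phone recording
FRAME = 80          # 10 ms analysis frames at 8 kHz

def keystroke_intervals(timestamps):
    """Inter-keystroke intervals (s); comparing intervals cancels the clock offset between PC and phone."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def detect_onsets(audio, sample_rate=SAMPLE_RATE, frame=FRAME, ratio=4.0, refractory=0.08):
    """Onset times (s) of key clicks: frames whose short-time energy exceeds `ratio` times the
    median (noise-floor) energy, debounced so each click yields a single onset."""
    n = len(audio) // frame
    energy = [sum(x * x for x in audio[i * frame:(i + 1) * frame]) / frame for i in range(n)]
    floor = sorted(energy)[n // 2] + 1e-12
    onsets, last = [], -1.0
    for i, e in enumerate(energy):
        t = i * frame / sample_rate
        if e > ratio * floor and t - last > refractory:
            onsets.append(t)
            last = t
    return onsets

def timing_similarity(pc_times, phone_onsets, tol=0.03):
    """Fraction of inter-keystroke intervals that agree within `tol` seconds (0.0 if counts differ)."""
    a, b = keystroke_intervals(pc_times), keystroke_intervals(phone_onsets)
    if not a or len(a) != len(b):
        return 0.0
    return sum(abs(x - y) <= tol for x, y in zip(a, b)) / len(a)

def verify_second_factor(pc_times, phone_audio, min_similarity=0.8):
    """Accept only if the login computer's keystroke timings match the clicks the phone heard."""
    return timing_similarity(pc_times, detect_onsets(phone_audio)) >= min_similarity

def synth_typing_audio(click_times, duration=2.5, noise_std=0.01, seed=1):
    """Constructed stand-in for a phone recording: background noise plus decaying key clicks."""
    rng = random.Random(seed)
    audio = [rng.gauss(0.0, noise_std) for _ in range(int(duration * SAMPLE_RATE))]
    for t in click_times:
        start = round(t * SAMPLE_RATE)
        for k in range(160):  # 20 ms click with an exponentially decaying envelope
            if start + k < len(audio):
                audio[start + k] += rng.gauss(0.0, 0.3) * math.exp(-k / 40.0)
    return audio

# Constructed scenario: keydown times on the PC's clock; the phone's clock runs 0.30 s ahead.
PC_KEYDOWN = [0.50, 0.71, 1.02, 1.20, 1.55]
PHONE_AUDIO = synth_typing_audio([t + 0.30 for t in PC_KEYDOWN])
ATTACKER_KEYDOWN = [0.50, 0.62, 0.95, 1.40, 1.70]  # a different code typed on another machine
```

Calling verify_second_factor(PC_KEYDOWN, PHONE_AUDIO) accepts the login, while the same recording checked against ATTACKER_KEYDOWN is rejected because only one of the four intervals agrees.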


Published In

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
December 2018
766 pages
ISBN: 9781450365697
DOI: 10.1145/3274694

In-Cooperation

• ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery
New York, NY, United States

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• Singapore National Research Foundation (NRF)

Conference

ACSAC '18

Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%
