Multifactor Authentication

Authentication can be accomplished with one factor, two factors, or multiple factors. Which one is the weakest level of authentication and which is the most secure and why? When would a more secure system be required? Be able to explain these multifactor authentication methods: password protection, token presence, voice biometrics, facial recognition, ocular-based methodology, hand geometry, vein recognition, fingerprint scanner, thermal image recognition, and geographical location. What are some challenges of multiple factor authentication when using biometrics? There is a lot of interesting information covered in this article that you do not need to memorize, but that you should be aware of.

1. Introduction

The continuous growth in the number of smart devices and the connectivity load they generate has transformed mobile services, which are now expected to be available seamlessly anywhere in the world. In such a connected world, the first safeguard keeping the transmitted data secure is authentication.
According to a fundamental early work on password authentication, authentication is a process where a "user identifies himself by sending x to the system; the system authenticates his identity by computing F(x) and checking that it equals the stored value y", where F is a one-way function. This definition has not changed significantly over time, even though a simple password is no longer the only factor used to validate a user from the information technology perspective.

Authentication remains a fundamental safeguard against illegitimate access to a device or any other sensitive application, whether offline or online (see Figure 1). Historically, transactions were authenticated primarily by physical presence or a physical artefact, for example a wax seal. Closer to the present day, it became clear that validation based on sender identification alone is not always adequate at global scale.

Figure 1. Conceptual authentication examples.

Initially, only one factor was used to authenticate the subject. Single-Factor Authentication (SFA) was widely adopted because of its simplicity and user friendliness; the typical example is a password (or PIN) used to confirm ownership of a user ID. This is the weakest level of authentication: anyone the password is shared with, or who otherwise obtains it, compromises the account immediately. An unauthorized user can also attempt to recover it with a dictionary attack, a rainbow table (precomputed hashes, effective only against unsalted password stores), or social engineering. In practice, a minimum password complexity requirement is the usual mitigation for this type of authentication, and it does nothing against theft or reuse of the password.
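The stored-value check from the definition above (keep y = F(x), compare F(x') against it) and the dictionary and rainbow-table attacks just mentioned, as an added example that is not part of the original survey. It assumes SHA-256 as the bare F, PBKDF2-HMAC-SHA256 with a per-user salt as the hardened F, and a constructed word list and set of user passwords:

```python
# Added example, not code from the surveyed paper: the knowledge-factor check
# from the definition above ("store y = F(x), verify F(x') == y"), first with a
# bare hash and then with a salted, deliberately slow derivation. The user
# passwords and the attacker's word list are constructed for illustration.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# --- Weak form: y = SHA-256(x), no salt. -----------------------------------
def store_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def verify_unsalted(password: str, stored: str) -> bool:
    # Constant-time comparison even here: a plain "==" leaks via timing.
    return hmac.compare_digest(store_unsalted(password), stored)

def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """A rainbow table in miniature: F(x) precomputed once for a word list.
    Without a salt the same table applies to every user of every system."""
    return {store_unsalted(w): w for w in wordlist}

def crack_unsalted(stolen_hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return {h: table[h] for h in stolen_hashes if h in table}

# --- Hardened form: y = PBKDF2-HMAC-SHA256(x, salt, iterations). -------------
ITERATIONS = 100_000  # assumption: tune so one derivation costs ~100 ms

def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    wordlist = ["123456", "password", "qwerty", "letmein", "Tr0ub4dor&3"]
    users = {"alice": "letmein", "bob": "correct horse battery staple"}

    # Unsalted store: the table, built once, recovers alice's password at once.
    table = build_lookup_table(wordlist)
    stolen = [store_unsalted(p) for p in users.values()]
    cracked = crack_unsalted(stolen, table)

    # Salted store: the same table is useless, two users with the same
    # password get different y, and each guess costs ITERATIONS of HMAC.
    salt_a, dig_a = store_salted("letmein")
    salt_b, dig_b = store_salted("letmein")
    return {
        "cracked_unsalted": sorted(cracked.values()),
        "salted_differs": dig_a != dig_b,
        "salted_verify_ok": verify_salted("letmein", salt_a, dig_a),
        "salted_verify_bad": verify_salted("letmein!", salt_a, dig_a),
    }

if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong: "letmein" still falls to an online or offline guessing attack, only now at one slow derivation per guess per user rather than one table lookup, which is exactly why the text goes on to a second factor.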

It was then realized that a single factor cannot provide adequate protection against a range of security threats. As an intuitive step forward, Two-Factor Authentication (2FA) was proposed: it couples the representative data (the username/password combination) with a factor of personal ownership, such as a smart card or a phone.
Today, three groups of factors are available to connect an individual with established credentials:

  1. Knowledge factor – something the user knows, such as a password or, simply, a "secret";
  2. Ownership factor – something the user has, such as cards, smartphones, or other tokens;
  3. Biometric factor – something the user is, i.e., biometric data or behavior pattern.
Subsequently, Multi-Factor Authentication (MFA) was proposed to provide a higher level of security and continuous protection of computing devices and other critical services from unauthorized access by combining credentials from two or more of these categories. In much of the literature the additional factor is biometric, i.e., automated recognition of individuals based on their behavioral and biological characteristics. This step improves security because the user must present evidence of identity that relies on two or more different factors, so a stolen password alone is no longer sufficient. The evolution of authentication methods is shown in Figure 2.

Figure 2. Evolution of authentication methods from SFA to MFA.

Today, MFA is expected to be used in scenarios where security requirements are higher than usual. According to SC Media UK, 68 percent of Europeans are willing to use biometric authentication for payments. Consider the daily routine of an ATM cash withdrawal. Here, the user must present a physical token (the card), representing the ownership factor, and confirm it with a PIN code, representing the knowledge factor, to access a personal account and withdraw money.
This system could easily be extended with a second channel, for example a one-time password entered after both the card and the PIN have been presented, or, in a more advanced scenario, with facial recognition. Moreover, a recent survey found that 30 percent of enterprises planned to implement an MFA solution in 2017, 51 percent claimed they already used MFA, and 38 percent said they used it in "some areas" of operation. This evidence supports MFA as a highly promising direction in the evolution of authentication.

As an interesting future trend, consider authentication between a vehicle and its owner or a temporary user. According to the statistics, a vehicle is stolen every 45 s in the U.S. The current authentication method that allows starting and using a vehicle is still an immobilizer key. MFA could significantly improve access control for most electronic devices from both the security and the user experience perspectives.

Generally, MFA applications can be divided into three market-related groups: commercial applications (account login, e-commerce, ATMs, physical access control, etc.); governmental applications (identity documents, government ID, passports, driver's licenses, social security, border control, etc.); and forensic applications (criminal investigation, missing children, corpse identification, etc.). The number of scenarios involving authentication is indeed large. Today, MFA is becoming a critical component for:

  • Validating the identity of the user and the electronic device (or its system);
  • Validating the infrastructure connection;
  • Validating the interconnected IoT devices, such as a smartphone, tablet, wearable device, or any other digital token (key dongle).
Presently, one of the main MFA challenges is the absence of a binding between the user's identity and the identities of the smart sensors within the electronic device or system. For security, this relationship must be established so that only the legitimate operator, i.e., the one whose identity has been authenticated in advance, gains the access rights. At the same time, the MFA process should be as user-friendly as possible, for example:

  1. Customers first register and authenticate with the service provider to activate and manage the services they wish to access;
  2. When accessing the service, the user is required to pass a simple SFA with a fingerprint or token enrolled in advance with the service provider;
  3. Once initially accepted by the system, the customer authenticates by logging in with the same username and password as set up previously in the customer portal (or via social login). For additional security, the managing platform can enable secondary authentication factors. Once the user has passed all the checks, the framework authenticates to the service platform automatically;
  4. The secondary authentication occurs automatically based on biometric MFA, so the user is asked to enter an additional code or provide a token password only if the biometric check fails.
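The one-time password mentioned in the ATM discussion and the fallback code in step 4 above, as an added example that is not part of the original survey. It implements HOTP (RFC 4226) and TOTP (RFC 6238) as the ownership factor, a check that the factors presented span at least two of the three categories listed earlier, and a decision flow for steps 3 and 4; the shared secret, the clock values and the biometric outcome are constructed inputs, and the primary password check is assumed to happen elsewhere:

```python
# Added example, not code from the surveyed paper: an ownership-factor check
# built on one-time passwords (HOTP, RFC 4226; TOTP, RFC 6238) and a small
# decision flow following steps 3-4 above, where an OTP is requested only if
# the automatic biometric check fails. The shared secret, clock values and
# biometric outcome used below are constructed for illustration.
import hashlib
import hmac
import struct
import time
from typing import Iterable, List, Optional, Tuple

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter), zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)

def current_totp(secret: bytes) -> str:
    return totp(secret, int(time.time()))

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +-window neighbours to absorb clock drift.
    A deployment must also remember the last accepted counter (to block
    replay of a code inside the window) and rate-limit guesses."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# Factor categories from the list above; MFA requires two distinct ones.
FACTOR_CATEGORY = {"password": "knowledge", "totp": "ownership",
                   "fingerprint": "biometric"}

def distinct_categories(factors: Iterable[str]) -> int:
    return len({FACTOR_CATEGORY[f] for f in factors})

def authenticate(primary_ok: bool, biometric_ok: bool, otp_code: Optional[str],
                 secret: bytes, unix_time: int) -> Tuple[bool, List[str]]:
    """Step 3: primary login (verified elsewhere; only its outcome is passed in).
    Step 4: automatic biometric secondary factor, OTP prompt only as fallback.
    Returns (decision, factors that passed)."""
    if not primary_ok:
        return False, []
    passed = ["password"]
    if biometric_ok:
        passed.append("fingerprint")
    elif otp_code is not None and verify_totp(secret, otp_code, unix_time):
        passed.append("totp")
    else:
        return False, passed
    return distinct_categories(passed) >= 2, passed
```

Two passwords, or a password plus a security question, both sit in the knowledge category and would fail the `distinct_categories` check; that is the difference between "two credentials" and two factors.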
Biometrics contribute significantly to the MFA scheme and can dramatically improve identity proofing by pairing the knowledge factor with multimodal biometric factors, making it much more difficult for an attacker who has captured one credential to impersonate another person. However, the use of biological factors has its challenges, mainly related to ease of use, which largely determines the usability of the MFA system.

From the user experience perspective, the fingerprint scanner is already the most widely integrated biometric interface, mainly because of its adoption by smartphone vendors. On the other hand, it is not recommended as a standalone authentication method. Moreover, the use of most biometrics requires a set of separate sensing devices; reusing sensors already integrated in the device reduces the cost of the authentication system and facilitates adoption by end users. The fundamental trade-off between usability and security is one of the critical drivers when designing today's authentication systems.

Another challenge is that the use of biometrics relies on a binary decision mechanism, which has been well studied over past decades in classical statistical decision theory from the authentication perspective. Several solutions exist to tolerate a slight mismatch between the actual "measured" biometric and the previously captured stored samples. The two metrics commonly used to characterize this decision are the false accept rate (FAR), the fraction of impostor attempts that are accepted, and the false reject rate (FRR), the fraction of legitimate attempts that are rejected. Adjusting the decision threshold trades one against the other, so the authentication framework can be tuned to predefined costs, risks, and benefits. MFA operation depends heavily on FAR and FRR, since obtaining zero values for both metrics is practically infeasible. Evaluating more than one biometric feature to establish an individual's identity can improve the operation of the MFA system dramatically.
Since the currently available literature lacks a detailed MFA analysis suitable for non-specialists in the field, the main contributions of this work are as follows:
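FAR and FRR as functions of the decision threshold, threshold selection against a cost, and score-level fusion of two biometric modalities, as an added example that is not part of the original survey. The similarity scores are constructed toy values; the two modalities, the 0.58 threshold and the mean-score fusion rule are assumptions for illustration:

```python
# Added example, not code from the surveyed paper: FAR and FRR as functions of
# the decision threshold for a similarity-score biometric, threshold choice by
# cost, and score-level fusion of two modalities. Every score below is a
# constructed toy value, not a measurement from any sensor.
from typing import List, Sequence, Tuple

def rates(genuine: Sequence[float], impostor: Sequence[float],
          threshold: float) -> Tuple[float, float]:
    """Binary decision: accept when score >= threshold.
    FAR = share of impostor attempts accepted; FRR = share of genuine rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def best_threshold(genuine: Sequence[float], impostor: Sequence[float],
                   cost_far: float = 1.0, cost_frr: float = 1.0) -> float:
    """Threshold among observed scores minimising cost_far*FAR + cost_frr*FRR.
    Ties resolve toward the higher (more conservative) threshold."""
    candidates = sorted(set(genuine) | set(impostor))
    def cost(t: float) -> float:
        far, frr = rates(genuine, impostor, t)
        return cost_far * far + cost_frr * frr
    return min(candidates, key=lambda t: (cost(t), -t))

def fuse(a: Sequence[float], b: Sequence[float]) -> List[float]:
    """Score-level fusion: mean of two modalities' scores for the same trial."""
    return [(x + y) / 2 for x, y in zip(a, b)]

# Constructed similarity scores (0..1) for eight genuine and eight impostor
# trials on two hypothetical modalities, paired trial by trial.
GEN_A = [0.92, 0.88, 0.85, 0.79, 0.74, 0.66, 0.61, 0.55]
IMP_A = [0.58, 0.52, 0.47, 0.41, 0.35, 0.30, 0.22, 0.15]
GEN_B = [0.80, 0.76, 0.90, 0.70, 0.64, 0.83, 0.58, 0.72]
IMP_B = [0.40, 0.62, 0.33, 0.55, 0.47, 0.28, 0.60, 0.36]

def demo(threshold: float = 0.58) -> dict:
    """Same threshold on each modality alone and on the fused score, plus the
    cost-optimal threshold for modality A under three cost assignments."""
    return {
        "A": rates(GEN_A, IMP_A, threshold),
        "B": rates(GEN_B, IMP_B, threshold),
        "fused": rates(fuse(GEN_A, GEN_B), fuse(IMP_A, IMP_B), threshold),
        "A_best_equal_cost": best_threshold(GEN_A, IMP_A),
        "A_best_accept_costly": best_threshold(GEN_A, IMP_A, cost_far=5, cost_frr=1),
        "A_best_reject_costly": best_threshold(GEN_A, IMP_A, cost_far=1, cost_frr=5),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On this toy data a single threshold leaves each modality with either false accepts or false rejects, while the fused score separates the two populations completely; with real score distributions fusion lowers both rates but does not drive them to zero, which is the point the text makes about FAR and FRR never both reaching zero.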

  1. This work provides a detailed analysis of factors that are presently utilized for MFA with their corresponding operational requirements. Potential sensors to be utilized are surveyed based on the academic and industrial sources (Section 2);
  2. The survey is followed by the challenges related to MFA adoption from both the user experience and the technological perspectives (Section 3);
  3. Further, the framework based on the reversed Lagrange polynomial is proposed to allow for utilizing MFA in cases where some of the factors are missing (Section 4). A discussion on the potential evaluation methodology is also provided;
  4. Finally, the vision of the future of MFA is discussed (Section 5).