
Internetworking 4.1

ARTICLE

Inception of Relation-based User Authentication system coupled with User Behavior Analysis
Abhijit Rao, abhijit_rao1@rediffmail.com
Manipal Institute of Technology, Manipal, Karnataka, India

Abstract

The most vulnerable interface of any company is the user authentication interface, whose robustness is the only criterion. Until now user authentication has been restricted to recognition-based and recall-based systems in the knowledge-based systems domain. This proposed relation-based system involves the user as much as it involves the company that provides this service. User authentication can grow beyond the typical login-password interface and can be more personalized and customized. Here an attempt is being made to bring forth a new paradigm of user authentication interface. We are trying to associate the user authentication process with a more intricate user behavior analysis in which we try to comprehend user interest, tendencies and preferences. We shall also look at various issues that arise when we formulate the ideology. One significant approach is to advance the security aspect of the system while still maintaining an easy-to-use user interface design. This involves a combination of several technologies which, united together, generate a highly secure user authentication environment.

Introduction

User authentication is founded on the fact that every user can be distinctly recorded based on some identity. So first we need to analyze the different mechanisms of user authentication systems. User authentication is a central component of currently deployed security infrastructures. We distinguish three main techniques for user authentication: token-based systems, systems based on biometrics and knowledge-based systems.

Token-based authentication System

Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token. An example is ATM authentication, which requires a combination of a token (a bank card) and secret knowledge (a PIN). Generally a physical security component (the ATM card) must be followed by a PIN, and only the combination of both grants access.

Systems based on biometrics

Biometrics is the science of identifying a person through the electronic examination of his or her physical characteristics (e.g. fingerprints, voice, or retina patterns). These methods are extraordinarily useful as protections against fraud as well as an impediment to unauthorized electronic access to data networks. Biometric systems allow only those persons possessing a unique biological characteristic to present themselves as the authentic person in a non-face-to-face transaction over the telephone or a computer network.

Knowledge Based systems

In today's security systems, knowledge-based schemes are predominantly used for user authentication. Knowledge-based systems demand a higher level of memorability from the user. For instance, in a token-based system the user only needs to remember his PIN, whereas in knowledge-based systems he may be expected to precisely remember both his login and his password. Thus we call for work in this area so that the user can log in successfully with little effort.

Advantages of Knowledge based systems

Although biometrics can be useful for user identification, one problem with these systems is the difficult tradeoff between impostor pass rate and false alarm rate. In addition, many biometric systems require specialized devices, and some can be unpleasant to use. For these reasons, knowledge-based techniques are currently the most frequently used method for user authentication.

Recall-based authentication

In this section, we enumerate the problems of password-based authentication. Recall-based Password and PIN-based user authentication have numerous deficiencies. Unfortunately, many security systems are designed such that security relies entirely on a secret password. It was found by Cheswick and Bellovin that weak passwords are the most common cause for system break-ins.

The main weakness of knowledge-based authentication is that it relies on precise recall of the secret information. If the user makes a small error in entering the secret, the authentication fails. Unfortunately, precise recall is not a strong point of human cognition. People are much better at imprecise recall, particularly in recognition of previously experienced stimuli. The human limitation of precise recall is in direct conflict with the requirements of strong passwords. Many studies show that people pick easy-to-guess passwords. It was found that the majority of all passwords could be trivially broken through a simple exhaustive search to find short passwords and by using a dictionary to find longer ones. Because of these password cracker programs, users need to create unpredictable passwords, which are more difficult to memorize. As a result, users often write their passwords down and "hide" them close to their work space. Strict password policies, such as forcing users to change passwords periodically, only increase the number of users who write them down to aid memorability.

As companies try to increase the security of their IT infrastructure, the number of password-protected areas is growing. Simultaneously, the number of Internet sites which require a username and password combination is also increasing. To cope with this, users employ similar or identical passwords for different purposes, which reduces the security of every password to that of the weakest link.

The majority of solutions to the problems of weak passwords fall into three main categories:

  1. The first type of solution is proactive security measures that aim to identify weak passwords before they are broken, by constantly running password-cracking programs.
  2. The second type of solution is also technical in nature, and utilizes techniques to increase the computational overhead of cracking passwords.
  3. The third class of solutions involves user training and education to raise security awareness, and establishing security guidelines and rules for users to follow.

Note that all three classes of solutions do not remedy the main cause of password insecurity, which is the human limitation of memory for secure passwords. In fact, most previously proposed schemes for knowledge-based user authentication rely on perfect memorization.

Need for Recognition-based authentication

One approach to improve user authentication systems is to replace the precise recall of a password or PIN with the recognition of a previously seen image, a skill at which humans are remarkably proficient. In general, it is much easier to recognize something than to recall the same information from memory without help. Classic cognitive science experiments show that humans have a vast, almost limitless memory for pictures in particular. In fact, experiments show that we can remember and recognize hundreds to thousands of pictures in fractions of a second of perception. By replacing precise recall of the password with image recognition, we can minimize the user's cognitive load, help the user to make fewer mistakes and provide a more pleasant experience. The system should not rely on precise recall. Instead, it should be based on recognition, to make the authentication task more reliable and easier for the user. The system should prevent users from choosing weak passwords. The system should make it difficult to write passwords down and to share them with others. A vulnerability of this system is that an attacker might try to discover the image portfolio by making repeated login attempts and taking the intersection of images that are presented. Such attacks need to be taken into consideration during system design.

Deja Vu is one such system; it authenticates a user through her ability to recognize previously seen images. Although Deja Vu is more reliable and easier to use than traditional recall-based schemes, one problem with such systems is the difficult tradeoff between impostor pass rate and false alarm rate.

Our Direction

We have found that image authentication systems do give an edge over precise-recall-based systems. But they are open to several technical complications and overheads:

  1. Image generation should be instantaneous when it comes to real-time operations like user authentication over the Internet.
  2. The system is slightly more imposing, as the user needs to make a choice from the set of images he encounters during registration.
  3. It is difficult to create an association between the different randomly drawn images.
  4. No clue can be provided to remind the user about his image choice.
  5. Long-term memorability will need to be analyzed if the images are intricate.

The basic goal of the relation-based system is that the user associates his authentication process with objects/entities he/she is familiar with, thus reducing the load on his memory. It can be observed that when an individual has an affinity towards a particular area, it is easier for him to make a rapid decision. Imagine that you are fond of cars: when you are shown a set of vehicles it will be easier to make your pick.

The most important aspect of the human selection and choice-making strategy is the "irrelevant choice elimination" process. If a situation arises in which the user is baffled about his selection, then he/she eliminates those alternatives which don't seem stimulating enough. This is one striking feature which makes the concept stand out from others. In our authentication system we project the images such that only the user can separate the right from the wrong.

User Interface Design Issues

The user interface design has a key role to play as it will facilitate the user to make his/her choice. Firstly we will try and understand the various elements of the user interface.

The user interface needs to be simple and intuitive. The whole concept of relation-based user authentication revolves around the idea that 'Users are Deciders'. This means that users decide what they want to see as their authentication interface. So, objects make up the user interface. These objects can be dead hyperlinks (links that don't lead to any page), images, shapes, pictures or any other object that can be represented on the interface; see Figure 1.



Figure 1: Illustration of Object Base

Humans find it relatively easy to relate entities with something personal. For example, if we hear a name for the first time we generally try to relate it with some entity. If your friend's dog is named Snoopy then we may relate it to the cartoon character. Someone else may relate Snoopy with the term "spy". Every individual has a different mechanism of entity association. We can come to a reasonable conclusion that the first individual is more interested in "cartoons" whereas the other individual considers the literal meaning of the word.

The task which we may encounter here is to recognize the user's areas of inclination, tendencies and preferences. We can determine this in two ways:

  1. By explicitly asking the user about his penchant during the registration phase.
  2. By tracking the user's navigational behavior in the Internet environment.

The second option seems more ambitious, as there are many issues involved if we intend to track the user's navigational behavior. Privacy is the biggest hurdle amongst them. Also, this will only work if the user authentication system is on the web. Moreover, no user will be ready to sacrifice his privacy just to aid himself during authentication. The first option is more realistic. During the authentication phase the user may be suggested several areas of interest, or he may be asked to mention it on his own. If we ask the user to make a choice from our Object-base it will be easier for the company to maintain an Object repository. The user needs to be given a choice in various areas of interest. Once the user selects his area, the job of the company is to create a set of photographs from which the user can make a choice. So, what we are doing here is that we do not generate images that are convenient for us; rather we let the user personalize his own authentication choice. This will enable the user to maintain a high level of memorability and sustain it over a longer period of time.

Components of User Interface

The user interface components are simply drawn from the user's area of interest. Say the user's favorite sport is the F1 Grand Prix. Then the components of the user interface will be a set of images pertaining to the Grand Prix. Here we will consider a simple illustration where the user thinks that various food items can form his authentication key. So an interface will be generated which involves various food items. This can be seen in Figure 2. The job of the user is to click on the photograph which forms his authentication image. We can have 3-4 interface stages following one after the other. Each of these interfaces embeds one user authentication image. The task of the user is to select the image and then proceed to the next interface. A wrong choice in any of the interfaces will cause login failure. This strengthens the security of the process. A very straightforward interface should do the job.



Figure 2: Food Object illustration



Figure 3: Shapes Objects illustration

Hybrid Objects

We can create the user authentication interface by selecting different objects from different Object-bases, see Figure 4. This will facilitate the use of various combinations of the images.



Figure 4: Hybrid Objects illustration

There may be one drawback with the hybrid system interface. The user may be slightly confused by the different genres of objects. It may be noticed that making a choice is easy when we have images of the same type. But again, since the images are of the user's interest, this possibility of confusion may be eliminated. The placement of the objects will not be the same but will change every time the user logs in.
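The staged interface described above (one secret image per stage, decoys drawn from the user's own Object-bases, placement reshuffled on every login, hybrid objects from several Object-bases) and the intersection weakness noted earlier (an observer of repeated login screens intersecting the images shown) can be made concrete in a small model. The following is an added example, not code from the paper or from Deja Vu; the object-bases, image names, grid size and function names are constructed for illustration. It builds the stages, verifies a login, and includes a design check showing why the decoys shown to a user should be fixed at enrolment rather than drawn afresh each time.

```python
import hmac
import random
import secrets
from dataclasses import dataclass, field

# Constructed object-bases (areas of interest) standing in for the paper's
# Object repository; the entries are placeholder image names, not real files.
OBJECT_BASE = {
    "food": ["pizza", "sushi", "taco", "curry", "bagel", "noodle", "salad", "soup",
             "burger", "kebab", "pasta", "waffle", "pancake", "donut", "pretzel",
             "omelette", "risotto", "falafel", "dumpling", "paella"],
    "shapes": ["circle", "square", "triangle", "star", "hexagon", "oval", "diamond",
               "cross", "arrow", "heart", "crescent", "spiral", "pentagon", "octagon",
               "rhombus", "trapezoid", "ellipse", "ring", "cube", "cone"],
}
STAGES = 3   # the paper suggests 3-4 interface stages, one secret image each
GRID = 9     # images displayed per stage (assumed size)


@dataclass
class Enrolment:
    areas: list            # one or more object-bases (several = hybrid objects)
    portfolio: list        # the user's authentication image for each stage
    decoys: list = field(default_factory=list)  # per-stage fixed decoys, if used


def _rng(source=None):
    """Cryptographic randomness by default; a seeded random.Random only for the
    reproducible design check in observed_candidates and for tests."""
    if source is None:
        return secrets.SystemRandom()
    if isinstance(source, random.Random):
        return source
    return random.Random(source)


def _pool(areas, portfolio):
    return [img for a in areas for img in OBJECT_BASE[a] if img not in portfolio]


def enrol(areas, portfolio, fixed_decoys=True, rng=None):
    """Register the user's areas of interest and one image per stage.
    With fixed_decoys the non-secret images are drawn once here and reused, so
    every later login screen shows the same GRID images (in a new order) and an
    observer learns nothing more from the hundredth screen than from the first."""
    if len(portfolio) != STAGES or any(p not in _pool(areas, []) for p in portfolio):
        raise ValueError("portfolio must hold one image per stage from the chosen areas")
    rng = _rng(rng)
    decoys = []
    if fixed_decoys:
        decoys = [rng.sample(_pool(areas, portfolio), GRID - 1) for _ in range(STAGES)]
    return Enrolment(list(areas), list(portfolio), decoys)


def build_stage(enr, stage, rng=None):
    """Images to display for one stage: the stage's portfolio image plus GRID-1
    decoys from the user's own object-bases, shuffled so placement changes on
    every login as the paper requires."""
    rng = _rng(rng)
    if enr.decoys:
        decoys = enr.decoys[stage]
    else:
        decoys = rng.sample(_pool(enr.areas, enr.portfolio), GRID - 1)
    shown = [enr.portfolio[stage]] + list(decoys)
    rng.shuffle(shown)
    return shown


def verify_login(enr, selections):
    """Accept only if every stage's click matches the portfolio.  The whole
    sequence is compared at once with compare_digest (constant time for
    equal-length inputs), so a wrong pick at stage 1 is not rejected any
    faster than a wrong pick at stage 3."""
    if len(selections) != STAGES:
        return False
    expected = "\x00".join(enr.portfolio).encode()
    given = "\x00".join(selections).encode()
    return hmac.compare_digest(expected, given)


def observed_candidates(enr, stage, screens, rng=None):
    """Design check for the intersection weakness the paper warns about: what an
    observer of `screens` consecutive login screens for this stage could still
    regard as candidate secret images.  Random decoys let this set shrink to
    the single portfolio image; fixed decoys keep it at GRID images."""
    rng = _rng(rng)
    candidates = set(_pool(enr.areas, []))
    for _ in range(screens):
        candidates &= set(build_stage(enr, stage, rng))
    return candidates


if __name__ == "__main__":
    user = enrol(["food", "shapes"], ["pizza", "star", "taco"])   # hybrid objects
    for i in range(STAGES):
        print(f"stage {i}:", build_stage(user, i))
    print("login ok:", verify_login(user, ["pizza", "star", "taco"]))
    print("candidates after 50 screens:", observed_candidates(user, 0, 50))
```

Note that the decoy set, not just the secret images, is part of the user's record: with fixed decoys the candidate set an observer can build never drops below the nine images on the screen, whereas redrawing decoys on every login narrows it to the secret after a few dozen screens.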

Coupling Relation-based authentication with User Behavior Analysis

Web Usability Testing

Web usability testing presents special challenges for taking notes about user behavior. Capturing user behavior accurately and completely for immediate reporting is difficult to accomplish in "real time", with fast-clicking and complicated user interface elements to track. However, it is critical for the rapid usability feedback Web site Authentication developers demand. In most Web sites, as in many hypertext systems, users have enormous freedom of action.

Clicks can happen quickly, and we cannot always tell at that moment if the user's action is germane to the issues of concern. Thus, we must err on the side of recording too much, not too little. In essence, we must record every click so that we can retrace the user's steps. This opens a new chapter in User Behavior Analysis.

Automated Data Collection Methods

Automated methods for recording user behavior are popular with today's usability professionals. These methods include Screencam recording, data-logging software, and server log files. All these methods reduce how much note-taking the usability specialist must perform during the session.

Screencam recording

This method records fast-paced user activity accurately and completely. While it captures cursor-pointing behavior, it does not capture user commentary. Thus it is slightly less complete than videotaping. Reviewing recordings also delays reporting of results.

Data-logging software

The advantages of using data-logging software are that the note-taker can record textual notes more quickly than writing by hand, and can code observations into categories such as "Error" or "Observer Comment". These advantages mean that data is more complete and already somewhat sortable into categories for more immediate analysis. This method still does not solve the problem of labeling user choices at the user's pace.

Server log files

This automated method is unique to Web software, and its advantage is that it records a great deal of detail, so much so that one might think every keystroke is captured. However, log files in fact miss important information: client-side events such as pages displayed from cache (return visits), cursor-pointing behavior, and JavaScript activity. Equally disadvantageous are the large amounts of time required to synthesize the individual records into episodes.

Analysis of User Behavior

Some of the key analytical features of User Behavior in our system are as follows:

  • The time taken between two image choices
  • Dynamism of the Mouse movement in terms of pace and area coverage
  • Time spent on certain interface elements, such as placing the cursor on a particular object for a considerable amount of time
  • Click stream analysis
  • Usage of the browser keys and other elements related to the browser
  • Session Time and page requests

Each of these points gives a good picture of how the user has gone about using the interface. This will help the authentication provider to serve their customers better. A simple example: if a user is bemused about his choice he will show very little mouse movement, and the time between two clicks will be greater than normal. This will enable the company to get back to their customer and ask whether any assistance is needed. This analysis has to take place over a period of time.

Another sensitive area in any authentication system is the security measures. We will find that any aberration from the normal pattern of the user's behavior will call for a security check. This will always help the company to maintain a high level of security. Therefore we find that recording the user's digital behavior is important from all aspects of authentication.
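The two outcomes described in this section, offering assistance to a user who is bemused (slow choices with little mouse movement) and demanding a security check on any other aberration from the normal pattern, amount to a per-user baseline plus an anomaly score. The following is an added example, not the paper's own analysis code; the Session record, the feature set, the 3-sigma threshold, the 5% floor on the standard deviation and the login history for "alice" are all constructed for illustration.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One login attempt's behavioural record (constructed for this example)."""
    user: str
    click_gaps: tuple      # seconds between successive image choices
    mouse_path_px: float   # total cursor travel during the login, in pixels
    dwell_s: float         # longest time the cursor rested on one object
    page_requests: int     # page requests made during the session


FEATURES = ("mean_gap", "mouse_path_px", "dwell_s", "page_requests")
SLOW_FEATURES = {"mean_gap", "dwell_s"}   # features that only mean "slower than usual"


def features(s):
    """Reduce a session to the numeric features the paper lists."""
    return {
        "mean_gap": statistics.fmean(s.click_gaps),
        "mouse_path_px": float(s.mouse_path_px),
        "dwell_s": float(s.dwell_s),
        "page_requests": float(s.page_requests),
    }


def baseline(history, min_sessions=3):
    """Per-feature (mean, std) over a user's past successful logins.
    The paper says the analysis must take place over a period of time, so a
    baseline is refused until enough sessions exist.  The std is floored at 5%
    of the mean so a nearly constant feature cannot turn a small change into
    an enormous z-score."""
    if len(history) < min_sessions:
        raise ValueError(f"need at least {min_sessions} sessions to build a baseline")
    rows = [features(s) for s in history]
    base = {}
    for f in FEATURES:
        values = [r[f] for r in rows]
        mean = statistics.fmean(values)
        sd = max(statistics.pstdev(values), 0.05 * abs(mean), 1e-9)
        base[f] = (mean, sd)
    return base


def zscores(base, s):
    """How many standard deviations each feature of `s` lies from the baseline."""
    f = features(s)
    return {k: (f[k] - base[k][0]) / base[k][1] for k in FEATURES}


def assess(base, s, threshold=3.0):
    """Classify a login session against the user's baseline.
    Returns (decision, flagged) where decision is:
      'ok'      - every feature within `threshold` standard deviations;
      'assist'  - the user is only slower than usual (longer gaps or dwell)
                  with no extra mouse movement, the paper's sign of a bemused
                  user: get back to the customer and offer help;
      'step_up' - any other aberration from the normal pattern: demand the
                  security check the paper calls for."""
    z = zscores(base, s)
    flagged = {k: round(v, 2) for k, v in z.items() if abs(v) > threshold}
    if not flagged:
        return "ok", flagged
    only_slower = set(flagged) <= SLOW_FEATURES and all(v > 0 for v in flagged.values())
    if only_slower and z["mouse_path_px"] <= 0:
        return "assist", flagged
    return "step_up", flagged


# Constructed history for one user: six successful logins with consistent behaviour.
ALICE_HISTORY = [
    Session("alice", (2.1, 2.4, 2.0), 900, 1.0, 4),
    Session("alice", (2.5, 2.2, 2.6), 1100, 1.2, 4),
    Session("alice", (1.9, 2.3, 2.2), 950, 0.9, 5),
    Session("alice", (2.4, 2.0, 2.5), 1050, 1.1, 4),
    Session("alice", (2.2, 2.6, 2.3), 1000, 1.3, 5),
    Session("alice", (2.0, 2.1, 2.3), 880, 1.0, 4),
]

if __name__ == "__main__":
    base = baseline(ALICE_HISTORY)
    for s in (Session("alice", (2.2, 2.3, 2.1), 960, 1.1, 4),    # usual behaviour
              Session("alice", (6.0, 7.5, 5.5), 900, 4.0, 4),    # hesitant, little movement
              Session("alice", (0.3, 0.2, 0.4), 3000, 0.1, 12)): # nothing like the baseline
        print(assess(base, s))
```

A session that is merely slow is routed to customer assistance rather than blocked, which keeps the behaviour check from punishing a user who is thinking about his choice; everything else that leaves the baseline, including being much faster than usual, is treated as the aberration the paper says should trigger a security check.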

Benefits of relation-based User authentication system

  • Personalization and customization of objects
  • Suits one's interests and inclinations
  • Better User adaptability
  • The company can remind the user if he forgets his area of interest and his authentication images
  • Increased level of security
  • Innovative user authentication interface approach

Security Issues

Let's see how we cater to the various security issues concerning this new authentication system proposal.

Deployability

Web authentication protocols differ from traditional authentication protocols in part because of the limited interface offered by the Web. The goal is to develop an authentication system by using the protocols and technologies commonly available in today's Web browsers and servers. The relation-based authentication system is simple in nature and is browser independent.

User acceptability

Web sites must also consider user acceptability. Because sites want to attract many users, the client authentication must be as non-confrontational as possible. Users will be discouraged by schemes requiring work such as installing a plug-in or clicking away dialog boxes. What remains is to decide how the user behavior recording technology is implemented. We need to figure out clearly what technology we will be using. A plug-in would contradict our stance on user acceptability, so behavior recording faces a dilemma. But applets and servlets could provide a similar recording environment.

Performance

Stronger security protocols generally cost more in performance. But here we are not looking for any expert security protocol. Cryptographic solutions will usually degrade server performance; no special solution is required in this case.

Conclusion

This paper is an introduction to the area of relation-based authentication and demands a lot of refinement and development. We are focusing on a different approach to user authentication. Relation-based user authentication doesn't ask for any special attention as far as technology goes. But what we need to work out is the success factor of the user recording mechanism. Web usability is catching on among usability professionals, hence this approach seems viable.

References

  • B. Cheswick and S. Bellovin, Firewalls and Internet security: Repelling the wily hacker, 1994.
  • H. Intraub, Presentation rate and the representation of briefly glimpsed pictures in memory. Journal of Experimental Psychology: Human Learning and Memory, 6(1):1-12, 1980.
  • A. Paivio and K. Csapo, Concrete image and verbal memory codes. Journal of Experimental Psychology, 80(2):279-285, 1969.
  • R. Dhamija, A. Perrig, Deja Vu: A User Study Using Images for Authentication.

Terminology used:

Object: Area of interest to the user. For example, if the user is interested in Baseball he can be given an option to select his favorite baseball player.

Object repository: An image bank containing various objects and images associated with those objects.

Object-base: Listing of all the areas of interest. For example, Celebrities, Food, Shapes, Places etc. An illustration of the Shapes Object is given in Figure 3.


© Internet Technical Group
Last update: December 31, 2001
URL: http://www.internettg.org/newsletter/dec01/article_rao.html