Security and Performance of Knowledge-Based User Authentication for Smart Devices


DOI: 10.4018/978-1-6684-5991-1.ch002

Abstract

A secure authentication system ensures that the claimant is the genuine user attempting to access the system and that it is not susceptible to misidentification, forgetfulness, or reproduction. While the technology behind the authentication process continues to advance, most authentication systems still have room for improvement, particularly in terms of accuracy, tolerance to various security attacks, noise, and scalability as the number of smart devices grows. In this chapter, the authors look at the security, effectiveness, and drawbacks of knowledge-based, ownership-based, location-based, and social-based authentication systems, as well as some unresolved issues and potential future research directions.
Chapter Preview

Introduction

Authentication is the process of verifying an identity claim using the users’ knowledge (e.g., secret questions, passwords, PINs), their possessions or ownership (e.g., ID cards, mobile phones, tokens), their location, other social accounts, or their biometrics (e.g., fingerprints, iris scans, signatures), all of which can be referred to as different authentication factors (Flu, 2015). The purpose of authentication is to establish confidence that the user trying to access the technology is who they claim to be, and to allow only that user access to their account and sensitive information. Strong authentication systems help to prevent fraudsters and other hackers from gaining access to sensitive information they should not have access to. The need for a secure authentication process remains a sizable concern in cyberspace, where the integrity and authenticity of a claimant must be established before they access anything from technologies and applications to network systems. With the growth of smart technologies in many different sectors, such as hospitals, the financial sector, the military, and aviation, there is an even greater need to determine the authenticity of a genuine user.

A secure authentication process ensures that the claimant is the legitimate user trying to access the system and that the authentication process is not susceptible to misplacement, forgetfulness, or reproduction. Whilst technological progress in the authentication process continues, most authentication systems still have room for improvement, particularly in their accuracy, tolerance to various security attacks, noisy environments, and scalability as the number of individuals increases (Poh, Bengio, & Korczak, 2002). The classification of user authentication factors can be seen in Figure 1, which classifies authentication factors into five main categories: Knowledge-based, Biometric (inherence)-based, Ownership-based, Location-based, and Social-based authentication factors.

Figure 1. A Taxonomy of Authentication Factors: a breakdown of each authentication method and a list of examples for each type

Knowledge-based authentication (KBA) is a flexible tool in digital identity proofing protocols and solutions. As the name suggests, knowledge-based authentication factors seek to prove the identity of the claimant accessing the technology or service using private and secret pieces of information. KBA can be offered in many formats, making it a valuable and flexible authentication mechanism in many cybersecurity architectures. Knowledge-based factors are based on information only the user should know, such as a username and password or a personal identification number (PIN).

Ownership-based authentication factors are based on something the user has, such as cards, smartphones, or other tokens. For instance, one of the most prevalent examples of an ownership-based factor is the payment card utilized by banks, where each card possesses a combination of numbers and security information that is unique from every other card. Another example of an ownership-based factor is a token that is issued to the user and used to sign in.

Location-based authentication factors use the claimant’s identity to detect its presence at a distinct location (Trojahn & Marcus, 2012). Authentication depends on the user being located within a certain vicinity in order to be correctly authenticated. This usually involves the user using a location-based client (LBC) to verify with a server containing their location-based ID in order to authenticate themselves. Location-based authentication is usually used in combination with another form of authentication. However, it can also be used on its own, to get access to a machine or to detect that a person is at a specified area, such as an entrance.
