Press ${@}{$}{@}{$}$ to Login: Strong Wearable Second Factor Authentication via Short Memorywise Effortless Typing Gestures Conference Paper uri icon

abstract

  • The use of wearable devices (e.g., smartwatches) in two factor authentication (2FA) is fast emerging, as wearables promise better usability compared to smartphones. Still, the current deployments of wearable 2FA have significant usability and security issues. Specifically, one-time PIN-based wearable 2FA (PIN-2FA) requires noticeable user effort to open the app and copy random PINs from the wearable to the login terminal's (desktop/laptop) browser. An alternative approach, based on one-tap approvals via push notifications (Tap-2FA), relies upon user decision making to thwart attacks and is prone to skip-through. Both approaches are also vulnerable to traditional phishing attacks. To address this security-usability tension, we introduce a fundamentally different design of wearable 2FA, called SG-2FA, involving wrist-movement seamless gestures captured near transparently by the second factor wearable device while the user types a very short special sequence on the browser during the login process. The typing of the special sequence creates a wrist gesture that when identified correctly uniquely associates the login attempt with the device's owner. The special sequence can be fixed (e.g., ${@}{$}{@}{$}$), does not need to be a secret, and does not need to be memorized (could be simply displayed on the browser). This design improves usability over PIN-2FA since only this short sequence has to be typed as part of the login process (no interaction with or diversion of attention to the wearable and copying of random PINs is needed). It also greatly improves security compared to Tap-2FA since the attacker can not succeed in login unless the user's wrist is undergoing the exact same gesture at the exact same time. Moreover, the approach is phishing-resistant and privacy-preserving (unlike behavioral biometrics). Our results show that SG-2FA incurs only minimal errors in both benign and adversarial settings based on appropriate parameterizations.

name of conference

  • 2021 IEEE European Symposium on Security and Privacy (EuroS&P)

published proceedings

  • 2021 IEEE European Symposium on Security and Privacy (EuroS&P)

altmetric score

  • 1

author list (cited authors)

  • Shrestha, P., Saxena, N., Shukla, D., & Phoha, V. V.

citation count

  • 0

complete list of authors

  • Shrestha, Prakash||Saxena, Nitesh||Shukla, Diksha||Phoha, Vir V

publication date

  • January 2021