A multi-factor re-authentication framework with user privacy

TL;DR: The initial design of a privacy-preserving multi-factor re-authentication framework that can successfully validate legitimate users while detecting impostors is introduced.

Abstract: Continuous re-authentication of users is a must to protect connections with long duration against any malicious activity. Users can be re-authenticated in numerous ways. One popular way is an approach that requires the presentation of two or more authentication factors (i.e., knowledge, possession, identity) called Multi-factor authentication (MFA). Given the market dominance of ubiquitous computing systems (e.g., cloud), MFA systems have become vital in re-authenticating users. Knowledge factor (i.e., passwords) is the most ubiquitous authentication factor; however, forcing a user to re-enter the primary factor, a password, at frequent intervals could significantly lower the usability of the system. Unfortunately, an MFA system with a possession factor (e.g., Security tokens) usually depends on the distribution of some specific device, which is cumbersome and not user-friendly. Similarly, MFA systems with an identity factor (e.g., physiological biometrics, keystroke pattern) suffer from a relatively low deployability and are highly intrusive and expose users sensitive information to untrusted servers. These servers can keep physically identifying elements of users, long after the user ends the relationship with the server. To address these concerns, in this poster, we introduce our initial design of a privacy-preserving multi-factor re-authentication framework. The first factor is a password while the second factor is a hybrid profile of user behavior with a large combination of host- and network-based features. Our initial results are very promising as our framework can successfully validate legitimate users while detecting impostors.