Explore the integration of community relationships in multi-factor authentication systems to enhance security and trustworthiness. Discuss current drawbacks in authentication methods and propose innovative solutions. Research questions aim to evaluate the success and effectiveness of the proposed community-based authentication approach.
On Community-based Authentication Factor
Master Thesis Proposal
By Khalid Alkhattabi
Committee Members:
• Dr. C. Edward Chow (Advisor)
• Dr. Chuan Yue (Member)
• Dr. Jia Rao (Member)
OUTLINE OF THE TALK
• INTRODUCTION
• MULTI-FACTOR AUTHENTICATION
• RELATED WORK
• RESEARCH QUESTIONS
• EVALUATE THE SUCCESS OF PROPOSED RESEARCH
• REFERENCES
Community Authentication/Khalid Alkhattabi
INTRODUCTION
• The demand for security and authentication has been rising
• Current authentication systems suffer from many drawbacks:
  - Usernames and passwords can be forgotten, disclosed, lost, or stolen
  - Passwords can be guessed using:
    - GPU
    - Brute-force algorithm
    - Dictionary lookup
• On Oct 14, 2014, Dropbox was compromised by a hacker who posted usernames and passwords on pastebin.com
  - To remedy the vulnerabilities, Dropbox has enabled two-factor authentication
MULTI-FACTOR AUTHENTICATION
• Multi-factor authentication requires more steps than traditional authentication
• Basically it comes down to these factors:
  - Knowledge - something you know (password, PIN, someone you know)
  - Possession - something you have (home address, phone number, credit card, key)
  - Biometrics - something you are (face, fingerprint and iris)
  - Community relationship - who knows me (identified by people in a trust group)
• Challenges:
  - How to weigh and choose a combination of factors for effective authentication
  - The use of community relationships in authentication is new, and not many software implementations are available
RELATED WORK 1
• Group authentication:
  - It can be applied to authenticate group members in group communication
  - It is considered a new type of authentication
  - Most proposed group authentication schemes [ref1; ref2] are for group-oriented applications and are not meant for multi-factor authentication
• [Harn 2013] proposed a “Group authentication” design which is very close to my thesis idea:
  - The Group Manager (GM) is responsible for registering all group members to a group
  - After all the members are registered, the GM generates a token for each user
  - Each group member uses this token to be authenticated by the other group members
RELATED WORK 2
• [Haya2013] “CASA: Context-Aware Scalable Authentication” discusses how to choose an appropriate form of active authentication based on a combination of multiple passive factors
  - The most heavily weighted passive factor was the user's location
  - 84.3% of logins took place at home (59.2%) and work (25.1%)
  - My research question: Can we take the location of my friends or group members as a factor?
• OAuth is an open authentication protocol which allows applications to access remote resources on a web server [Yang2013; RFC6749 2014]:
  - OAuth is widely used on smartphones with client apps
  - Facebook, Google, Twitter, Instagram, Yahoo and Flickr support OAuth 2
  - 58% of American adults have smartphones
  - 40% of people use their smartphones to log in to their social networking sites
RELATED WORK 3
• [Chau 2011] proposed multi-layer multi-factor authentication for a webmail application based on intranet, Internet, and extranet users [4]:
  - Single-layer single-factor authentication (password)
  - Single-layer multi-factor authentication (userID/password and OTP) (internal)
  - Multi-layer multi-factor authentication scheme implementation (OpenID, and (userID/password and OTP)) (public network)
• Research question: How can we weigh the trustworthiness of multi-factor authentication?
RESEARCH QUESTIONS
• Can community-based authentication be effective as a key technology for multi-factor authentication?
• How can we weigh the trustworthiness of multi-factor authentication?
• Can we use the photo location feature, available as of iOS 8 beta 5, as a new factor for mobile authentication?
• How can we add a new factor for multi-factor authentication from social networking data?
• Can we take the location of my friends or group members as a factor?
COMMUNITY BASED AUTHENTICATION
• Fact: We live in groups:
  - My wife and I are a group, my friends are a group, my classmates are a group, etc.
  - E.g., in an inheritance court in Saudi Arabia, a person is identified by:
    - Their social security number
    - Two or more “witnesses” and their social security numbers as proof
    - A family card which shows all family members
• Ideas for new community-based authentication:
  - Create a website or app for registering users
  - Every user can declare trust in one person or a group
  - After the trust group members are created, the system will use them to authenticate a member
COMMUNITY BASED AUTHENTICATION
Scenario:
• Register on the website CAFProejctCs700.com to create a group of trusted people.
• Whenever a user wants to use this service, he logs in.
• All his trust group members receive an SMS on their mobile devices containing a link, and they open that link.
• If a group member knows the user, the member approves and notifies the server. The server then allows the user to log in. Otherwise, the server waits for a period of time until the condition is satisfied (depending on the situation, it could require one vote or all votes).
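The scenario above as a server-side sketch, added here as an example and not part of the original slides: each trust group member gets a random single-use link token, and the login is granted once the required number of approvals (one vote or all votes) arrives before a timeout. The names `start_login` and `CommunityChallenge`, the 300-second timeout and the SHA-256 hashing of stored tokens are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


def _digest(token):
    return hashlib.sha256(token.encode()).digest()


class CommunityChallenge:
    """A pending login waiting for approvals from the user's trust group."""

    def __init__(self, user, token_hashes, required_votes, expires_at):
        self.user = user
        self._token_hashes = token_hashes  # member -> SHA-256 of their link token
        self.required_votes = required_votes
        self.expires_at = expires_at
        self.approved = set()

    def approve(self, member, token, now=None):
        """Handle a member opening their SMS link; returns the resulting status."""
        now = time.time() if now is None else now
        if now >= self.expires_at:
            return self.status(now)
        expected = self._token_hashes.get(member)
        # Unknown members, wrong tokens and replayed links are all rejected.
        if expected is None or not hmac.compare_digest(expected, _digest(token)):
            return "rejected"
        del self._token_hashes[member]  # each link works once
        self.approved.add(member)
        return self.status(now)

    def status(self, now=None):
        now = time.time() if now is None else now
        if len(self.approved) >= self.required_votes:
            return "granted"
        return "expired" if now >= self.expires_at else "pending"


def start_login(user, trust_group, required_votes, ttl_seconds=300, now=None):
    """Create a challenge plus the per-member tokens to embed in the SMS links."""
    members = set(trust_group)
    if not 1 <= required_votes <= len(members):
        raise ValueError("required_votes must be between 1 and the group size")
    now = time.time() if now is None else now
    tokens = {m: secrets.token_urlsafe(32) for m in members}
    hashes = {m: _digest(t) for m, t in tokens.items()}
    return CommunityChallenge(user, hashes, required_votes, now + ttl_seconds), tokens
```

The server keeps only token hashes, so a leaked challenge table does not yield usable approval links; `required_votes` is the policy knob the scenario leaves to "the situation".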
TRUSTWORTHINESS OF MULTI-FACTOR AUTHENTICATION
Study how to weigh the factors in multi-factor authentication based on one or more of:
• Current location or history of locations
• Time (normal login time or not)
• Kind of request
EVALUATE THE SUCCESS OF PROPOSED RESEARCH
• Correctness
• Trustworthiness of the authentication
  - Location
  - Current time (normal time, midnight, or otherwise unusual time)
  - Kind of request (what kind of operation you try to do)
• Performance
  - Execution time
  - Storage requirements
RESEARCH PLAN
DELIVERABLES
• Thesis report documenting the research results
• A working prototype which demonstrates the basic concepts
REFERENCES
[Haya2013] E. Hayashi, S. Das, S. Amini, J. Hong, and I. Oakley, “CASA: context-aware scalable authentication,” in Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013, p. 3.
[2] F. Yang and S. Manoharan, “A security analysis of the OAuth protocol,” in Communications, Computers and Signal Processing (PACRIM), 2013 IEEE Pacific Rim Conference on, 2013, pp. 271–276.
[3] “RFC 6749 - The OAuth 2.0 Authorization Framework.” [Online]. Available: http://tools.ietf.org/html/rfc6749. [Accessed: 05-Dec-2014].
[4] S. Chaudhari, S. S. Tomar, and A. Rawat, “Design, implementation and analysis of multi layer, Multi Factor Authentication (MFA) setup for webmail access in multi trust networks,” in Emerging Trends in Networks and Computer Communications (ETNCC), 2011 International Conference on, 2011, pp. 27–32.
[5] “Facebook Boosts Security with Encryption, ‘Social Authentication’ | News & Opinion | PCMag.com.” [Online]. Available: http://www.pcmag.com/article2/0,2817,2376670,00.asp. [Accessed: 05-Dec-2014].