Assentication: User De-authentication and Lunchtime Attack Mitigation with Seated Posture Biometric
Biometric techniques are often used as an extra security factor in authenticating human users. Numerous biometrics have been proposed and evaluated, each with its own set of benefits and pitfalls. Static biometrics (such as fingerprints) are geared for discrete operation, to identify users, which typically involves some user burden. Meanwhile, behavioral biometrics (such as keystroke dynamics) are well-suited for continuous and more unobtrusive operation. One important application domain for biometrics is de-authentication: a means of quickly detecting absence of a previously-authenticated user and immediately terminating that user’s secure sessions. De-authentication is crucial for mitigating so-called Lunchtime Attacks, whereby an insider adversary takes over an authenticated state of a careless user who leaves her computer.
Motivated primarily by the need for an unobtrusive and continuous biometric to support effective de-authentication, we introduce Assentication – a new hybrid biometric based on a human user’s seated posture pattern. Assentication captures a unique combination of physiological and behavioral traits. We describe a low-cost fully functioning prototype that involves an office chair instrumented with 16 tiny pressure sensors. We also explore (via user experiments) how Assentication can be used in a typical workplace to provide continuous authentication (and de-authentication) of users. We experimentally assess viability of Assentication in terms of uniqueness by collecting and evaluating posture patterns of a cohort of 30 users. Results show that Assentication yields very low false accept and false reject rates. In particular, users can be identified with \(94.2\%\) and \(91.2\%\) accuracy using 16 and 10 sensors, respectively.