A privacy-preserving multifactor authentication system

Abstract

In recent years, there have been a significant number of works on the development of multifactor authentication (MFA) systems. Traditionally, behavioral biometrics (e.g., keystroke dynamics) have been known to have the best usability because they do not require one to know or possess anything—they simply communicate “how you type” to an authenticator. However, though highly usable, MFA approaches that are based on biometrics are highly intrusive, and users’ sensitive information is exposed to untrusted servers. To address this privacy concern, in this paper, we present a privacy-preserving MFA system for computer users, called PINTA. In PINTA, the first authentication factor is a password, while the second factor is a hybrid behavioral profile of the user. The hybrid profile of the user includes host-based and network flow-based features. Since the features include users’ sensitive information, they need to be protected from untrusted parties. To protect users’ sensitive profiles and to handle the varying nature of the user profiles, we adopt two cryptographic methods: fuzzy hashing and fully homomorphic encryption (FHE). Our results show that PINTA can successfully validate legitimate users and detect impostors. Although the results are promising, the trade-off for privacy preservation is a slight reduction in performance compared with traditional identity-based MFA techniques.

Publication
Wiley Security and Privacy
Abbas Acar
Senior Research Scientist

I completed my PhD in the Cyber-Physical Systems Security (CSL) lab under the supervision of Professor Selcuk Uluagac in 2020 at Florida International University (FIU), USA. Before that, I received my BSc in Electrical and Electronics Engineering from Middle East Technical University, Turkey, in 2015 with a minor in Mathematics. My research interests include alternative authentication methods (e.g., continuous authentication), IoT security and privacy, and privacy-preserving technologies (e.g., homomorphic encryption).