Non-invasive authentication for hands-free financial transactions in trusted connected locations
Abstract
Virtual assistants deployed on smartphones and smart speakers enable hands-free financial transactions by voice command. Even though these voice transactions are frictionless for end-users in trusted connected locations, they are susceptible to typical attacks on authentication protocols (e.g., replay). Using traditional knowledge-based or possession-based authentication with additional invasive interactions harms usability. State-of-the-art schemes for trusted devices with Physical Unclonable Functions (PUF) have complex enrollment processes. We propose a scheme based on a challenge-response protocol with a trusted autonomous IoT device for hands-free scenarios (i.e., with no additional user interaction), integrated with trusted connected location behavior for continuous authentication. The challenge-response protocol was validated with formal security tests using Burrows-Abadi-Needham logic and the Scyther tool. A proof of concept with WebSockets showed an average response time of 383 ms for mutual authentication using a 6-message protocol with a simple enrollment process. We performed hands-free activity recognition of a specific user based on two months of data from a smart home testbed, obtaining an accuracy of 97% and a recall of 81%. In keeping with the data minimization privacy principle, the total number of smart home event time series can be reduced from 7 to 5. Compared to existing invasive solutions, our non-invasive mechanism helps improve the usability of financial institutions' virtual assistants while maintaining security and privacy.
