Andrea Saracino
Paolo Mori (Eds.)

LNCS 12515

Emerging Technologies
for Authorization
and Authentication
Third International Workshop, ETAA 2020
Guildford, UK, September 18, 2020
Proceedings

Lecture Notes in Computer Science 12515

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA

Editorial Board Members


Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this subseries at http://www.springer.com/series/7410
Andrea Saracino Paolo Mori (Eds.)

Emerging Technologies
for Authorization
and Authentication
Third International Workshop, ETAA 2020
Guildford, UK, September 18, 2020
Proceedings

Editors
Andrea Saracino
Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
Paolo Mori
Institute of Informatics and Telematics, Consiglio Nazionale delle Ricerche, Pisa, Italy

ISSN 0302-9743 ISSN 1611-3349 (electronic)


Lecture Notes in Computer Science
ISBN 978-3-030-64454-3 ISBN 978-3-030-64455-0 (eBook)
https://doi.org/10.1007/978-3-030-64455-0
LNCS Sublibrary: SL4 – Security and Cryptology

© Springer Nature Switzerland AG 2020


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

This book contains the papers which were selected for presentation at the Third
International Workshop on Emerging Technologies for Authorization and Authenti-
cation (ETAA 2020), that was held in Guildford, UK, on September 18, 2020,
co-located with the 24th European Symposium on Research in Computer Security
(ESORICS 2020).
The workshop program included 10 full papers concerning the workshop topics, in
particular: new techniques for biometric and behavioral based authentication, authen-
tication and authorization in the IoT and in distributed systems in general, techniques
for strengthening password based authentication and for dissuading malicious users
from stolen password reuse, an approach for discovering authentication vulnerabilities
in interconnected accounts, and strategies to optimize the access control decision
process in the big data scenario.
We would like to express our thanks to the authors who submitted their papers to the
third edition of this workshop, thus contributing to making it once again a successful
event, even through the difficulties brought by a fully virtual event.
Last but not least, we would like to express our gratitude to the members of the
Technical Program Committee for their valuable work in evaluating the submitted
papers.

September 2020
Andrea Saracino
Paolo Mori
Organization

Workshop Chairs
Paolo Mori Consiglio Nazionale delle Ricerche, Italy
Andrea Saracino Consiglio Nazionale delle Ricerche, Italy

Technical Program Committee


Benjamin Aziz University of Portsmouth, UK
Alessandro Aldini Università degli Studi di Urbino Carlo Bo, Italy
Francesco Buccafurri Università degli Studi Mediterranea di Reggio Calabria, Italy
Gabriele Costa IMT Lucca, Italy
Francesco Di Cerbo SAP Lab, France
Carmen Fernandez Gago University of Malaga, Spain
Vasileios Gkioulos Norwegian University of Science and Technology, Norway
Jatinder Singh University of Cambridge, UK
Jens Jensen Science and Technology Facilities Council, UK
Erisa Karafili Imperial College London, UK
Georgos Karopulos JRC, Italy
Hristo Koshutanski ATOS, Spain
Gabriele Lenzini University of Luxembourg, Luxembourg
Mirko Manea HPE Italia, Italy
Charles Morisset Newcastle University, UK
Silvio Ranise Fondazione Bruno Kessler, Italy
Marco Tiloca RISE, Sweden
Francesco Santini Università degli Studi di Perugia, Italy
Daniele Sgandurra Royal Holloway, University of London, UK
Nicola Zannone Eindhoven University of Technology, The Netherlands
Contents

Deep Learning Based Sequential Mining for User Authentication in Web Applications (p. 1)
Matan Levi and Itay Hazan

An Interoperable Architecture for Usable Password-Less Authentication (p. 16)
Matthew Casey, Mark Manulis, Christopher J. P. Newton, Robin Savage, and Helen Treharne

auth.js: Advanced Authentication for the Web (p. 33)
Neophytos Christou and Elias Athanasopoulos

Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications (p. 50)
Amir Sharif, Roberto Carbone, Giada Sciarretta, and Silvio Ranise

Micro-Id-Gym: A Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory (p. 71)
Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, and Silvio Ranise

IFTTT Privacy Checker (p. 90)
Federica Paci, Davide Bianchin, Elisa Quintarelli, and Nicola Zannone

A Comparison Among Policy Editors for Attributed Based Access Control Model (p. 108)
Fabio Martinelli, Christina Michailidou, Oleksii Osliak, Alessandro Rosetti, Antonio La Marra, and Theo Dimitrakos

Automatic Firewalls’ Configuration Using Argumentation Reasoning (p. 124)
Erisa Karafili and Fulvio Valenza

On Results of Data Aggregation Operations (p. 141)
Francesco Di Cerbo, Marco Rosa, and Rocío Cabrera Lozoya

The Cost of Having Been Pwned: A Security Service Provider’s Perspective (p. 154)
Gergely Biczók, Máté Horváth, Szilveszter Szebeni, István Lám, and Levente Buttyán

Author Index (p. 169)


Deep Learning Based Sequential Mining
for User Authentication in Web Applications

Matan Levi(B) and Itay Hazan

IBM Cybersecurity Center of Excellence, Beer Sheva, Israel


{matanle,itayha}@il.ibm.com

Abstract. Behavioral biometrics is a seamless and transparent way to authenticate
or identify users through their interaction with electronic systems. It can serve as
an additional security mechanism to existing security methods by continuously
authenticating the users, for example when using pointing devices (e.g., mouse,
touchscreen). These methods usually aim at extracting meaningful features such as
curvature and acceleration from the raw mouse coordinates and ignore the specific
elements the user interacts with during the movement. A possible improvement is
to combine these methods with approaches that analyze the user’s path of elements
throughout the session. One such previously suggested process proposes a
model-per-user approach, built using the traditional sequence mining algorithm
Hidden Markov Model (HMM). In this paper we examine the use of deep learning
sequential mining mechanisms for authentication, such as Long Short-Term Memory
(LSTM), LSTM with Attention, and a Convolutional Neural Network (CNN). This
method has the major advantage of one global model per web application, which
drastically reduces the system’s required memory and storage resources. We
demonstrate the competitive advantage through encouraging results in the low false
positive rate (FPR) range on an anonymized dataset collected by IBM from accounts
of more than 2000 web application users.

Keywords: User verification · Continuous authentication · Behavioral biometrics · Deep learning

1 Introduction
User authentication in online systems is fertile ground for many new solutions. Each
system has its pros and cons, but most solutions are focused on the login phase, during
which users must enter a password, a token (e.g., a one-time password), or even a
biometric attribute such as their fingerprint or facial image. Although solutions that
focus only on the login phase are effective, they don’t protect users against session
hijacking after the login phase or if their credentials have been leaked. One emerging
type of approach that isn’t focused on the login phase uses continuous authentication to
complement existing login solutions. The idea behind this approach is that continuous
authentication constantly verifies the user’s identity throughout an active session.
One of the ways to implement continuous authentication is behavioral biometrics,
which verifies the identity of a user based on his or her particular behavioral traits while

© Springer Nature Switzerland AG 2020


A. Saracino and P. Mori (Eds.): ETAA 2020, LNCS 12515, pp. 1–15, 2020.
https://doi.org/10.1007/978-3-030-64455-0_1
2 M. Levi and I. Hazan

using a certain electronic system. In connection with computer desktop applications,


behavioral biometrics are usually based on mouse dynamics [1–3], which refer to the
particular ways a user moves the mouse. In connection with mobile applications, behav-
ioral biometrics are usually based on touch dynamics [17, 21, 22], the unique way
the user interacts with the mobile touchscreen (e.g., swiping, tapping, etc.). The main
focus of mouse and touch dynamics is on the X, Y coordinates of the movement, in addi-
tion to supplemental information such as mouse clicks and scrolls, touch pressure, and
finger size. In short, we refer to both mouse and touch dynamics as pointing device-based
solutions. These solutions are usually composed of data collected from an interaction
session that extracts features related to movement characteristics such as velocity, dis-
tance, curvature, time, etc. The extracted features are input into one of several existing
machine or deep learning algorithms or distance metrics that model the user’s behavior.
In most cases, these solutions examine how the interaction is done instead of evalu-
ating what the user is doing during the interaction with the system. Websites and mobile
applications are usually assembled from layers of elements such as buttons, text fields,
images, and so forth. When tracking the X, Y coordinates and combining them with
the location of various on-screen elements, one can easily infer the user paths during
the session. In addition to elements the user clicked or pressed, each path also includes
elements the user just hovered over or swiped through. We suggest that it is possible
to profile users based on their paths. This solution can add a complementary aspect to
existing continuous authentication mechanisms that examine movement features such
as velocity, distance, curvature, time, etc.
The idea of using element paths to profile users in web applications was first sug-
gested by us in [23]. However, that paper only examined the use of basic sequence-based
algorithms. The evaluated algorithm was a Hidden Markov Model (HMM) with Linear
Regression, which showed promising results both in desktop and mobile environments. The
approach of using HMM with Linear Regression was inspired by a method for detecting
cyber-attacks on connected vehicles [4].
In this paper, we extend the approach we previously suggested [23] for pointing
device-based solutions in web applications, by exploring more sophisticated, sequence-
based algorithms based on neural networks. We specifically examine Long Short-Term
Memory (LSTM), LSTM with Attention and a 1D Convolutional Neural Network (CNN)
that showed value in sequence-related problems. A major advantage of this work is the
use of one global model for all users, instead of separate models for each user. Model per
user approach requires the solution to train, save, and load flows for every user accessing
the system or website. This results in high memory and storage requirements. A global
model allows us to support many users without increasing the load on system resources,
such as memory and storage.
Using the abovementioned methods, we profile the user’s normal behavior; devia-
tions from that normal behavior can indicate a possible attack on the user’s account. The
deviations on the neural network algorithms were detected using a static threshold on
the output of a linear layer that was integrated at the end of each network.
We evaluated the neural network algorithms on an anonymized real-world dataset
that was collected from an uncontrolled environment of over 2000 users. Our results
Deep Learning Based Sequential Mining for User Authentication in Web Applications 3

showed that this approach exhibited an advantage when low false positive rate (FPR) is
required.
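The static-threshold decision and the low-FPR evaluation described above can be made concrete with a short threshold sweep. The following is an added illustration written for this edition, not code from Levi and Hazan: constructed session scores stand in for the output of the network's final linear layer (higher means more impostor-like), and the helper `thresholdForTargetFpr` returns the operating point with the best impostor detection rate whose false positive rate on benign sessions stays within a target budget. The score values, function names and the 0%/10% budgets are assumptions made for the example.

```javascript
// Added example (not the paper's code): choose the static threshold applied to
// the network's output score so that the false positive rate (FPR) on benign
// sessions stays at or below a target, and report the impostor detection rate
// (TPR) at that operating point. Scores are constructed stand-ins for the
// output of the final linear layer; higher means "more likely an impostor".

const benignScores = [0.05, 0.08, 0.12, 0.15, 0.20, 0.22, 0.31, 0.40, 0.55, 0.70];
const impostorScores = [0.35, 0.52, 0.60, 0.66, 0.72, 0.81, 0.88, 0.93, 0.97, 0.99];

// A session is flagged as a deviation when its score reaches the threshold.
function isDeviation(score, threshold) {
  return score >= threshold;
}

// FPR = flagged benign / all benign; TPR = flagged impostors / all impostors.
function ratesAt(threshold, benign, impostor) {
  const fp = benign.filter((s) => isDeviation(s, threshold)).length;
  const tp = impostor.filter((s) => isDeviation(s, threshold)).length;
  return { threshold, fpr: fp / benign.length, tpr: tp / impostor.length };
}

// Sweep every observed score as a candidate threshold (plus one just above the
// maximum, so that FPR = 0 is always reachable) and keep the candidate with the
// highest TPR among those that respect the FPR budget. Returns null when no
// candidate meets the budget (e.g. empty inputs).
function thresholdForTargetFpr(targetFpr, benign, impostor) {
  const maxScore = Math.max(...benign, ...impostor);
  const candidates = [...new Set([...benign, ...impostor, maxScore + 1e-9])]
    .sort((a, b) => a - b);
  let best = null;
  for (const th of candidates) {
    const r = ratesAt(th, benign, impostor);
    if (r.fpr <= targetFpr && (best === null || r.tpr > best.tpr)) best = r;
  }
  return best;
}

// Operating points a service provider typically compares: a strict 0% FPR
// budget versus a 10% budget.
const strictPoint = thresholdForTargetFpr(0.0, benignScores, impostorScores);
const relaxedPoint = thresholdForTargetFpr(0.1, benignScores, impostorScores);
```

With the constructed scores, the 0% budget forces the threshold to 0.72 and detects 6 of the 10 impostor sessions, while the 10% budget lowers it to 0.60 and detects 8; the difference between the two points is exactly what the paper's low-FPR comparison measures.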

2 Related Work
Behavioral biometrics as a continuous authentication mechanism has been researched
for several decades and includes several different approaches. One of the most common
techniques is keystroke dynamics, which focuses on verification based on the particular
way each user types on the keyboard [5–9]. There are generally two types of keystroke
dynamics, based on the characteristics of the text to which they are applied: fixed-text
keystroke dynamics, which require users to enter a repeatable text that can be very
short (such as a password); and free-text keystroke dynamics, which require users to
enter more text, but text that can be spontaneous (e.g., email) and changed. Fixed-text
keystroke dynamics are usually applied in the login page, and in general cannot serve
as a continuous authentication mechanism. Free-text keystroke dynamics can be used
for this, but only in systems that require the user to continuously type long text, which
is not too common in regular internet use (e.g., browsing news, video streaming, and
social media). In these types of applications however, most interactions are done through
mouse dynamics (on desktops) or touch dynamics (on mobile devices). Therefore, we
focus on solutions from the pointing device domain.
For example, Ahmed et al. [10, 11] used mouse movement for user verification.
After collecting the movement coordinates and events, they categorized each movement
according to four types: mouse-move, point-and-click, drag-and-drop, and silence. Next,
they extracted descriptive features such as travel distance, elapsed time, average speed,
and more. The feature vectors were aggregated into histograms and used for training
and testing neural networks. Pusara et al. [13] worked on the same task, collecting
mouse coordinates and click events. They segmented the data by the number of defined
movement points and extracted features such as distance, speed, angle, etc., using a C5.0
decision tree to classify the segmented data and produce a score. Feher et al. [12] also
used mouse movement for user verification but with additional descriptive features such
as curvature, moment, etc. They segmented the movements into actions and proposed a
verification method that is applied on each individual segment, using a Random Forest
classifier applied on the segments to produce a score for the user identity. Zheng et al. [15]
also presented a verification scheme based on the user’s mouse movement coordinates
and time. They extracted angle-based features and applied the widely used Support
Vector Machine (SVM) algorithm.
Shen et al. [14] designed an efficient user verification method using one-class clas-
sification and dimensionality reduction. They divided their features into two types: pro-
cedural (e.g., speed curve against time, acceleration curve against time) and holistic
(e.g., double click statistics, movement elapsed time). They applied several different
one-class classification algorithms with Principal Components Analysis (PCA) dimen-
sionality reduction, where the best among them was one-class SVM. In another paper,
Shen et al. [16] divided the data into what they referred to as frequent behavior segments.
These segments are stacked into a sequence of an ordered set of operations, and then
integrated into mouse pattern sequence generation, matching methods, and finally into
the selected one-class classification algorithm.

Antal et al. [27] used mouse movement to detect intrusion in systems. The mouse
movements were tracked and segmented according to three possible user actions: mouse-
move, point-and-click, and drag-and-drop. Features taken from various papers were then
extracted, such as distance, acceleration, jerk, straightness, critical points, and more.
Finally, they applied several supervised classification algorithms, among them Random
Forest, which performed best. The authors showed that detection improved as the number
of actions grew, and that the clearest action for detecting impostors is drag-and-drop.
Hinbarji et al. [28] used mouse movement to verify user identity, but unlike other
methods, they focused on the properties of the generated curves and their discriminative
information. The curves are created from consecutive coordinates, and several curves
are grouped into a session. For each curve, they extracted features such as efficiency,
self-intersection, regularity, and more. The probability distribution of the features was
inserted into a neural network built independently for each user. Tan et al. [29] used
time-series forecasting for user verification in mouse movement, applying curve-fitting
strategies to the data. Here again the authors took the coordinates of the movement and
applied a curve-fitting method to the raw data, such as cubic splines, AR, and ARMA.
They then extracted features and integrated them with the linear SVM algorithm, showing
results comparative to the traditional methods.
Another researched area of continuous authentication using behavioral biometrics is
through mobile devices. Patel et al. [21] produced a thorough overview of existing meth-
ods and suggested paths for further research in the field. The reviewed works [18–20] that
focused on touch dynamics for continuous mobile authentication were also based on the
user touch coordinates X, Y and additional metrics extracted from the touchscreen. The
authors developed methods that included innovative feature engineering and machine
learning algorithms.
Other researchers sought to add additional information to touch dynamics. Feng
et al. [22] used touch dynamics to verify user identity, adding the context of the running
application. Ben Kimon et al. [17] addressed the same task by monitoring touch gesture
sequences and the context of both the user (e.g., driving, walking) and the device (e.g.,
power consumption, running app). Each user model was trained on gesture traces within
a predefined time interval using the gradient boosting learning algorithm. Jain et al. [31]
combined touch dynamics with motion and orientation sensors to improve verification.
The authors used the X, Y coordinates and finger area, in addition to the accelerometer
and orientation. They extracted descriptive features and used min-max normalization,
and eventually used the modified Hausdorff distance to produce a score.
Other researchers tried to limit the level of information or work in different setups.
Yang et al. [30] proposed a continuous authentication method in mobile based on one-
class classification algorithms, evaluating one-class SVM and Isolation Forest. They
extracted movement-based features, such as velocity and slope, and pressure-based fea-
tures, such as pressure at start and pressure at end; the process involved removing outliers
before the feature extraction and running a min-max normalization afterward. Nguyen
et al. [32] used touchscreen dynamics to detect user identity across multiple devices.
They evaluated verification abilities through three different tasks: reading, writing, and
playing a game. They extracted features that relate to the coordinates, time, and finger
size, and used multi-class SVM to classify the users. They found that the best task for
detection across devices is reading, followed by playing, and lastly writing.

As opposed to many previous works, we don’t use the feature engineering scheme to
profile users based on their movement coordinates. We use sequence-mining techniques
to learn users’ element paths through websites. Our method can be used in parallel to
existing methods to complement them. To the best of our knowledge, the only work
that seeks to verify a user’s identity based on their elemental paths within the context
of a website is our previous work [23]. In that work, we demonstrated the encouraging
results received when using sequence mining over web elements with HMM and Linear
Regression. In this work, we present extensive research and further experiments using
different deep learning mechanisms (LSTM, LSTM with Attention and 1D CNN) to
build a global model (per web application) that can distinguish between benign users
and impostors.

3 Suggested Method

In our previous work [23], we introduced a new technique to profile users and identify
imposters in web applications. This technique analyzes the user’s behavior based on
sequences constructed from elements they interacted with during their session on the
website. Each element is defined by element name, element type, ancestor element, and
interaction type.
The user’s pointing device movements during a session form a path that consists
of the specific website’s elements with which the user interacts. This path indicates the
order in which elements were traversed by the user and the action that was taken on
each element. The basic assumption we rely on is that people tend to develop habits for
routine tasks. Therefore, we assume that each user develops “preferred” paths during
his or her sessions on the website. Sharp deviations from those paths could indicate a
possible attack.
A path consists of the elements the pointing device traversed during the session.
Hence, each session on the website constructs a single sequence or path.
In the following section we introduce a cost-efficient and fast global model approach
that uses sequences from different users and previously seen impostors, with the goal of
distinguishing between the two.

3.1 Data Collector

We collect pointing device data using a JavaScript snippet integrated into the different
pages of the website. Each pointing device event (press, move, scroll, swipe, etc.) the
user performs is collected and sent to the servers. For each event, we extract the following
information:

(Element name, Element type, Interaction type, Ancestor)

such that:

• Element name: name (ID) of the element
• Element type: HTML type, ‘FORM’, ‘BUTTON’, ‘DIV’, ‘INPUT’, ‘LABEL’, etc.
• Interaction type: whether the element was hovered over, pressed, or swiped
• Ancestor: in a case where the element does not have a name, our collectors traverse
the HTML Document Object Model (DOM) and attach the element name to its
ancestor’s name

Each such quartet is treated as an event in the time series of events that represent
the user’s movements over the website’s elements. The learning and predictions are
performed using different neural networks models: one-dimensional CNN, LSTM, and
LSTM with Attention model.
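As an added illustration of the collector's output format (our own example, not the snippet used by Levi and Hazan), the code below turns a pointing-device event on a DOM node into the quartet above. Because the verifier has no browser, the DOM is mocked with plain objects carrying `id`, `tagName` and `parentNode`; in a page the same functions would be handed `event.target`. The mapping from raw DOM event types to the three interaction types, the `"ancestor/TAG"` naming for unnamed elements and all function names are assumptions made for this example.

```javascript
// Added example (not the paper's collector): turn a pointing-device event into
// the (Element name, Element type, Interaction type, Ancestor) quartet of
// Sect. 3.1. The DOM is mocked with plain objects carrying id, tagName and
// parentNode so the code runs under Node without a browser; in a real page the
// same functions would receive event.target.

// Constructed page fragment: FORM#login > DIV (no id) > INPUT (no id),
// plus a named BUTTON#submit under the form.
function makeNode(tagName, id, parentNode) {
  return { tagName, id, parentNode };
}
const form = makeNode('FORM', 'login', null);
const row = makeNode('DIV', '', form);
const passwordField = makeNode('INPUT', '', row);
const submit = makeNode('BUTTON', 'submit', form);

// Map raw DOM event types onto the three interaction types the paper uses.
// The mapping itself is an assumption made for this example.
function mapInteraction(domEventType) {
  switch (domEventType) {
    case 'mousedown':
    case 'touchstart':
    case 'click':
      return 'press';
    case 'touchmove':
      return 'swipe';
    case 'mousemove':
    case 'mouseover':
      return 'hover';
    default:
      throw new Error(`unsupported event type: ${domEventType}`);
  }
}

// Walk up the DOM until an ancestor with a name (id) is found. Returns the
// empty string when no ancestor is named, so the caller can still emit a token.
function nearestNamedAncestor(node) {
  for (let cur = node.parentNode; cur; cur = cur.parentNode) {
    if (cur.id) return cur.id;
  }
  return '';
}

// Build the quartet. An unnamed element is identified by its tag attached to
// its nearest named ancestor ("login/INPUT"); the separator is our choice.
function describeEvent(node, domEventType) {
  const ancestor = nearestNamedAncestor(node);
  const elementName = node.id ? node.id : `${ancestor}/${node.tagName}`;
  return {
    elementName,
    elementType: node.tagName,
    interactionType: mapInteraction(domEventType),
    ancestor,
  };
}

// Serialise a quartet into the single token a sequence model consumes.
function eventToken(ev) {
  return `${ev.elementType}:${ev.elementName}:${ev.interactionType}`;
}

// Example run: the three events a listener on the mock page would report.
const sampleTokens = [
  describeEvent(form, 'mouseover'),
  describeEvent(passwordField, 'mousedown'),
  describeEvent(submit, 'click'),
].map(eventToken);
```

Note that the element name never carries the value typed into a field, only the field's identity; the quartet describes where the pointer went, which is all the sequence model needs.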

3.2 Sequence Construction

There are various ways in which we can construct sequences, as shown in Fig. 1. We
tested the following construction options:

[Fig. 1 (figure not reproduced): an example sequence of elements: Menu Button → Login Page Button → Background Image → Login Field → Password Field → Submit Button → Transaction 1 → Transaction 2]

Fig. 1. Example of a sequence of elements a user hovered, pressed or swiped.

• Construct sequences based on all elements the user interacted with (swiped/
clicked/hovered) during the session
• Construct sequences based on elements that were pressed/clicked
• Construct sequences based on elements that were stopped on (stopping is defined
using a predefined period of time in which the user did not move the device)

Each type of sequence construction has its own advantages and disadvantages. The
full sequence construction type contains more information and gives us a more precise
point of view on the path the user took. However, since the sequence has more data, it also
contains more noise, and therefore requires more data for training. On the other hand,
the other two types of sequence construction contain less data about the path but are
easier to generalize and model. At the end of the process, we built movement sequences
based on the website structure for all of the user’s historical sessions.
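As an added example (not the paper's collector code), the JavaScript below performs the quartet extraction of Sect. 3.1 and the three sequence constructions of Sect. 3.2 on a constructed page tree and event trace. The page tree, the event trace, the 500 ms stop threshold and the `ancestor/TAG` naming used for unnamed elements are assumptions, not values taken from the paper.

```javascript
// Added example, not the paper's collector: maps pointer events to the
// (element name, element type, interaction type, ancestor) quartets of
// Sect. 3.1 and builds the three sequence variants of Sect. 3.2.
// The page tree and event trace are constructed stand-ins; a browser
// collector would read event.target and walk element.parentNode instead.
const STOP_MS = 500; // assumed dwell threshold that defines a "stop"

const node = (tag, id, parent) => ({ tag, id, parent });
const page = node('DIV', 'page', null);
const form = node('FORM', 'login-form', page);
const userField = node('INPUT', 'username', form);
const pwField = node('INPUT', 'password', form);
const submitBtn = node('BUTTON', 'submit', form);
const btnLabel = node('SPAN', '', submitBtn); // unnamed child of the button

// Nearest named ancestor of an element, or null at the root.
function namedAncestor(el) {
  let n = el.parent;
  while (n && !n.id) n = n.parent;
  return n ? n.id : null;
}

// One pointer event -> one quartet. An element without an ID is named
// after its ancestor (assumed form: "<ancestor>/<TAG>").
function toQuartet(evt) {
  const ancestor = namedAncestor(evt.target);
  const name = evt.target.id || `${ancestor}/${evt.target.tag}`;
  return { name, type: evt.target.tag, interaction: evt.kind, ancestor, t: evt.t };
}

// Variant 1: every element the user interacted with, in order.
function fullSequence(quartets) {
  return quartets.map(q => q.name);
}

// Variant 2: only elements that were pressed/clicked.
function pressedSequence(quartets) {
  return quartets.filter(q => q.interaction === 'press').map(q => q.name);
}

// Variant 3: elements the pointer stopped on. A stop is attributed to the
// element of the last event before an idle gap of at least STOP_MS;
// consecutive stops on the same element are merged.
function stoppedSequence(quartets, sessionEnd) {
  const names = [];
  quartets.forEach((q, i) => {
    const nextT = i + 1 < quartets.length ? quartets[i + 1].t : sessionEnd;
    if (nextT - q.t >= STOP_MS && names[names.length - 1] !== q.name) names.push(q.name);
  });
  return names;
}

// Constructed trace (t in ms); kind is 'hover', 'press' or 'swipe'.
const EVENTS = [
  { t: 0, kind: 'hover', target: userField },
  { t: 120, kind: 'press', target: userField },
  { t: 900, kind: 'hover', target: pwField },
  { t: 1000, kind: 'press', target: pwField },
  { t: 1700, kind: 'hover', target: btnLabel },
  { t: 1750, kind: 'press', target: btnLabel },
  { t: 1800, kind: 'hover', target: page },
];
const SESSION_END = 3000;

function buildSequences(events = EVENTS, sessionEnd = SESSION_END) {
  const quartets = events.map(toQuartet);
  return {
    quartets,
    full: fullSequence(quartets),
    pressed: pressedSequence(quartets),
    stopped: stoppedSequence(quartets, sessionEnd),
  };
}
```

The stopped-on variant attributes a stop to the element of the last event before an idle gap; that rule, like the threshold, stands in for the paper's "predefined period of time". In a browser the same functions would run on `event.target`, with the tree walk over `parentNode`, and the unnamed `SPAN` case is exactly why the ancestor field exists: without it the button label would produce an empty name.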

3.3 Training Phase

Pointing device movements can be viewed as a sequence of events, where each event
consists of the HTML element in which the pointing device was at time t. Since our
data has sequential characteristics, we need a learning algorithm that can use these
characteristics. Therefore, we chose to apply our method on several algorithms such as
the Long Short-Term Memory neural network (LSTM), LSTM with Attention model,
and the 1D Convolutional Neural Network (CNN).
LSTM is a popular tool for processing time-series data and has been widely used
for tasks such as speech recognition [24, 25]. LSTM was developed to address the
vanishing gradient problem in a vanilla Recurrent Neural Network (RNN). LSTM can
also be combined with an Attention mechanism. The Attention mechanism can give the
model the ability to focus on certain parts of the input sequence when predicting part
of the output. Another approach involves using 1D CNN [26], which can be applied to
one-dimensional sequences of data for time-series analysis.
All of the abovementioned models were trained using the output sequences, which
are the sequences of elements traversed using the pointing device. Since the deep learning
mechanisms require large amounts of data, we learned a global model for each
web application (instead of a separate model for each user); the model is designed to
distinguish between benign users and impostors.
To train the neural networks, we split the data into train (60%), validation (20%), and
test (20%) sets. Each set consisted of different users with different sessions. Training
was done using the Adam [34] optimizer with β1 = 0.9, β2 = 0.99 and ε = 1e−9. We
tested various epoch values, with a warm-up policy and an early stopping mechanism
that was used to avoid over-fitting. To overcome the imbalance in the data, we created new
fraudulent sessions by splitting the fraudulent sessions in different locations (without
affecting the fraudulent activity) and added class weights to the loss function.
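The split, augmentation and class weighting described above, as an added example rather than the authors' training code. Sessions and user ids are constructed; the paper does not say where it cut the fraudulent sessions, so cutting at every position that leaves at least MIN_LEN events on both sides is an assumption.

```javascript
// Added example, not the authors' training code: the data preparation of
// Sect. 3.3. Users (not sessions) are assigned to train/validation/test so
// no user's sessions leak across splits; impostor sessions are augmented by
// cutting them into sub-sessions; class weights are derived for the loss.
// Sessions and user ids are constructed. The cut rule (every position that
// leaves at least MIN_LEN events on both sides) is an assumption.
const MIN_LEN = 3;

// Small deterministic PRNG (mulberry32) so the split is reproducible.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// 60/20/20 split over distinct users; every session follows its user.
function userDisjointSplit(sessions, ratios = [0.6, 0.2, 0.2], seed = 7) {
  const rand = prng(seed);
  const users = [...new Set(sessions.map(s => s.user))];
  for (let i = users.length - 1; i > 0; i--) { // Fisher-Yates shuffle
    const j = Math.floor(rand() * (i + 1));
    [users[i], users[j]] = [users[j], users[i]];
  }
  const nTrain = Math.round(users.length * ratios[0]);
  const nVal = Math.round(users.length * ratios[1]);
  const splitOf = new Map(users.map((u, i) =>
    [u, i < nTrain ? 'train' : i < nTrain + nVal ? 'val' : 'test']));
  const out = { train: [], val: [], test: [] };
  for (const s of sessions) out[splitOf.get(s.user)].push(s);
  return out;
}

// Leakage check: users that appear in more than one split (should be none).
function leakedUsers(split) {
  const seen = new Map();
  for (const [name, list] of Object.entries(split)) {
    for (const s of list) {
      if (!seen.has(s.user)) seen.set(s.user, new Set());
      seen.get(s.user).add(name);
    }
  }
  return [...seen].filter(([, names]) => names.size > 1).map(([u]) => u);
}

// Augment one impostor sequence: the original plus both sides of every cut
// that leaves at least minLen events on each side.
function cutSession(seq, minLen = MIN_LEN) {
  const pieces = [seq];
  for (let c = minLen; c <= seq.length - minLen; c++) pieces.push(seq.slice(0, c), seq.slice(c));
  return pieces;
}

// Inverse-frequency class weights: w_c = N / (K * n_c), K = number of classes.
function classWeights(labels) {
  const counts = new Map();
  for (const l of labels) counts.set(l, (counts.get(l) || 0) + 1);
  const w = {};
  for (const [l, n] of counts) w[l] = labels.length / (counts.size * n);
  return w;
}

// Augment only the impostor class of the training split, then weight it.
function prepareTraining(train) {
  const examples = [];
  for (const s of train) {
    const pieces = s.label === 'impostor' ? cutSession(s.seq) : [s.seq];
    for (const seq of pieces) examples.push({ user: s.user, label: s.label, seq });
  }
  return { examples, weights: classWeights(examples.map(e => e.label)) };
}

// Constructed data: 10 users with 3 sessions each; u9 is the impostor.
const SESSIONS = [];
for (let u = 0; u < 10; u++) {
  for (let k = 0; k < 3; k++) {
    SESSIONS.push({
      user: `u${u}`,
      label: u === 9 ? 'impostor' : 'benign',
      seq: ['login-form', 'username', 'password', 'submit', `page-${k}`, 'transaction'],
    });
  }
}
```

The `leakedUsers` check is the one worth keeping in a real pipeline: if a user's sessions land in both train and test, the model can memorise that user's habitual paths and report a test score that says nothing about detecting impostors. Augmentation is applied to the training split only, so validation and test counts stay honest.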

3.4 Test Phase

As a new test session arrives, we extract the session’s element-based sequences using
the sequence construction technique we chose and test it against the model we trained.
We integrated a linear layer followed by softmax as our network output. The final
network score is actually the benign/impostor score. We can easily define a threshold on
the score or alternatively choose the label based on the higher score.

4 Experiments
In our experiments we trained LSTM, LSTM with Attention and 1D CNN. All algorithms
attempt to detect impostors’ activity using the sequential data.

4.1 Dataset
We received mouse data from IBM that consists of data from more than 2000 real
anonymous users. The data contained benign data and impostor data. The original dataset
we presented in our previous work [23] also contained touch device data; however, due
to an insufficient amount of touch device data for a global model, we tested our method
only on the mouse data. Nevertheless, the method is suitable for both and we leave the
application of touch for future work. The dataset contains both benign and impostor
data.

Benign data – the dataset contained sessions from users’ web accounts during their
daily account actions on the website. The users were monitored over a period of several
months in an uncontrolled environment and for each of the 2000 real anonymous users
we collected up to 40 sessions.
Impostor data – the dataset contained 75 real impostor sessions that gained control
over innocent user accounts.
All sessions were monitored in an uncontrolled environment while users performed
their daily account actions. The data was collected using a JavaScript code integrated
into the different pages of the website and each session contained the elements related
data (element type, element name, interaction type and ancestor) with respect to the
user’s pointing device movements during the session.

4.2 Model Generation

To generate a global model for a web application that can distinguish between impostor
and benign data, we need enough data from both benign users and impostors. After
receiving a sufficient number of sessions, for each such session, we extracted a sequence
based on the elements (and their attributes) that were traversed during the session. After
constructing a set of sequences for benign users and impostors, we trained a global model
based on LSTM, LSTM with Attention, and 1D CNN. The models were built in Python
using the PyTorch deep learning package [33].
LSTM Architecture. Our LSTM architecture consists of a word embedding layer,
where each word is a state in the sequence, followed by a dropout layer, LSTM layer,
and a linear layer with an output size of 2 (benign/impostor), followed by softmax.
Hyper-parameter tuning was performed using randomized search. The chosen set of
parameters is described below:
Best results for the LSTM network were obtained using the following: learning rate
0.002, batch size: 32, weight decay: 0, hidden size: 64, embedding length: 100, dropout:
0.2, bidirectional: False, number of layers: 1.

LSTM with Attention Architecture. Our LSTM with Attention architecture uses the
LSTM architecture mentioned above and integrates the attention mechanism on top
of the LSTM architecture. Hyper-parameter tuning was performed using randomized
search. The chosen set of parameters is described below.
Best results for the LSTM with Attention network were obtained using the following:
learning rate 0.002, batch size: 32, weight decay: 0, hidden size: 64, embedding length:
100, dropout: 0.2, bidirectional: False, number of layers: 1 (Fig. 2).

One-dimensional Convolutional Neural Network Architecture. Our 1D CNN architecture
consists of a layer of word embedding where each word is a state in the sequence,
followed by three consecutive convolutional blocks (convolutional layer, ReLU, and max
pooling), a dropout layer, and a linear layer with an output size of 2 (benign/impostor),
followed by softmax. Hyper-parameter tuning was performed using randomized search.
The chosen set of parameters is described below.
Best results for the 1D CNN network were obtained using the following: learning rate
0.002, batch size: 32, weight decay: 0.0001, dropout: 0.5, stride: 1, padding: 0 (Fig. 3).

Fig. 2. LSTM/LSTM with Attention architecture.

4.3 Results

We tested different techniques to detect impostor activity for mouse devices by training
different global models designed to distinguish between impostor activity and benign
activity. The results are summarized in confusion matrices presented in Tables 1, 2, and
3, and their associated ROC graphs presented in Figs. 4, 5, and 6.

LSTM Results. Using the mouse data, our LSTM model achieves approximately 0.86
AUC with 97% true negative rate (TNR) and 57% true positive rate (TPR). We can
observe that the LSTM model is more benign-oriented and can be effective when high
TNR is needed, at the expense of the TPR. To improve our LSTM results, we also
tried to use deep LSTM (stacking several LSTM layers). Stacking two to three LSTM
layers improved results on benign users by 1–2%. Another approach we tried was using
bidirectional LSTM; however, we did not see any significant improvement in the results.

LSTM with Attention Results. Using the mouse data, our LSTM with Attention model
achieves 0.88 AUC with 98% true negative rate (TNR) and 63% true positive rate (TPR).
We can observe that this model is also more benign oriented and can be effective when
high TNR is needed, at the expense of the TPR. Stacking several layers of LSTM with
Attention did not improve the results.

CNN Results. Using the mouse data, the one-dimensional CNN model achieves approximately
0.84 AUC with 98% true negative rate (TNR) and 56% true positive rate (TPR). We
can observe that this model is also more benign-oriented and can be effective when high
TNR is needed at the expense of the TPR.

Fig. 3. One-dimensional Convolutional Neural Network Architecture.

Table 1. LSTM predicted results vs. actual labels on real web application users’ data and
impostors’ data.

                              Real labels
Predicted label               Benign     Impostors
  Impostors                   3%         57%
  Benign                      97%        43%

The top performing algorithm in our experiments was the LSTM with Attention.
Since keeping the FPR as low as possible is essential when focusing on commercial uses
for continuous authentication, we compare our global model results with our previous
user-based work [23], which used HMM with Linear Regression, while focusing on low
FPR.
When focusing on low FPR of up to 2%, the LSTM with Attention gains an advantage
of up to 6% more TPR over the HMM with Linear Regression.
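To make the decision rule of Sect. 3.4 and the TNR/TPR/low-FPR figures above concrete, here is an added example (not the paper's evaluation code) run over constructed scores for 10 benign and 5 impostor test sessions. The scores, the 0.5 cut-off and the 20% FPR budget are constructed; the paper's own budget was 2%.

```javascript
// Added example, not the paper's evaluation code: the softmax decision rule
// of Sect. 3.4 and the TNR/TPR/AUC/low-FPR figures of Sect. 4.3, computed on
// constructed impostor scores for 10 benign and 5 impostor test sessions.
// "Impostor" is the positive class: TPR = impostors caught, FPR = benign
// sessions flagged. The scores, the 0.5 cut-off and the 20% FPR budget are
// constructed; the paper's own budget was 2%.
function softmax(logits) {
  const m = Math.max(...logits);                 // shift for numerical stability
  const exps = logits.map(x => Math.exp(x - m));
  const z = exps.reduce((a, b) => a + b, 0);
  return exps.map(e => e / z);
}

// Network output is [benign, impostor]; either threshold the impostor
// score or take the label with the higher score.
function decide(logits, threshold = null) {
  const [pBenign, pImpostor] = softmax(logits);
  if (threshold !== null) return pImpostor >= threshold ? 'impostor' : 'benign';
  return pImpostor > pBenign ? 'impostor' : 'benign';
}

const rate = (scores, thr) => scores.filter(s => s >= thr).length / scores.length;

// Confusion matrix at one threshold, in the layout of Tables 1-3.
function confusionMatrix(benign, impostor, thr) {
  const fp = benign.filter(s => s >= thr).length;
  const tp = impostor.filter(s => s >= thr).length;
  return {
    tn: benign.length - fp, fp, fn: impostor.length - tp, tp,
    tnr: (benign.length - fp) / benign.length, tpr: tp / impostor.length,
  };
}

// ROC: one operating point per distinct score, threshold swept downwards,
// starting from (0, 0) at an infinite threshold.
function rocPoints(benign, impostor) {
  const thresholds = [...new Set([...benign, ...impostor])].sort((a, b) => b - a);
  const pts = [{ thr: Infinity, fpr: 0, tpr: 0 }];
  for (const thr of thresholds) pts.push({ thr, fpr: rate(benign, thr), tpr: rate(impostor, thr) });
  return pts;
}

// Area under the ROC curve by the trapezoid rule.
function auc(pts) {
  let area = 0;
  for (let i = 1; i < pts.length; i++) {
    area += (pts[i].fpr - pts[i - 1].fpr) * (pts[i].tpr + pts[i - 1].tpr) / 2;
  }
  return area;
}

// Best TPR reachable without exceeding a false-positive budget, and the
// threshold that reaches it (the low-FPR comparison in the text).
function tprAtMaxFpr(pts, maxFpr) {
  let best = pts[0];
  for (const p of pts) if (p.fpr <= maxFpr + 1e-12 && p.tpr > best.tpr) best = p;
  return { tpr: best.tpr, threshold: best.thr };
}

// Constructed impostor probabilities taken from the softmax output.
const BENIGN_SCORES = [0.05, 0.10, 0.20, 0.30, 0.40, 0.45, 0.55, 0.60, 0.75, 0.90];
const IMPOSTOR_SCORES = [0.35, 0.50, 0.65, 0.80, 0.95];

function evaluate(benign = BENIGN_SCORES, impostor = IMPOSTOR_SCORES) {
  const pts = rocPoints(benign, impostor);
  return {
    atHalf: confusionMatrix(benign, impostor, 0.5),
    auc: auc(pts),
    lowFpr: tprAtMaxFpr(pts, 0.2),
  };
}
```

On the constructed scores the argmax rule (threshold 0.5) catches 4 of 5 impostors but flags 4 of 10 benign sessions, while holding FPR to 20% forces the threshold up to 0.65 and drops TPR to 0.6; that trade is the reason the text compares models at a fixed low FPR rather than by overall AUC.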

Table 2. LSTM with Attention predicted results vs. actual labels on real web application users’
data and impostors’ data.

                              Real labels
Predicted label               Benign     Impostors
  Impostors                   2%         63%
  Benign                      98%        37%

Table 3. 1D CNN predicted results vs. actual labels on real web application users’ data and
impostors’ data.

                              Real labels
Predicted label               Benign     Impostors
  Impostors                   2%         56%
  Benign                      98%        44%

Fig. 4. LSTM ROC of impostor data vs. benign user data.

Fig. 5. LSTM with Attention ROC of impostor data vs. benign user data.

Fig. 6. 1D CNN ROC of impostors’ data vs. benign users’ data.

5 Conclusion
We presented a deep learning approach to verify user authenticity using the traversed
paths of web elements, as we proposed in our previous work [23]. Instead of learning
common features based on the users’ pointing device movement (e.g., speed, angle), our
method uses sequences of hovered or pressed web elements. Our previous work [23]
introduced a model-per-user approach using HMM and Linear Regression. In our current
work, we present various deep learning mechanisms that use a single global model.
We tested our current solutions using mouse data from IBM, containing data from
daily internet tasks for more than 2000 real anonymous users, and showed that our
different mechanisms were capable of successfully distinguishing between impostors and
benign users.
Among the deep learning methods that we tested, LSTM with Attention performed
best with an AUC of 0.884.
Although the overall AUC score of the HMM from our previous work was slightly
higher (AUC of 0.908), the LSTM with Attention showed better results when focusing
on the low FPR areas of the ROC curve, with an improvement of up to 6% more
TPR over the HMM, which is the desired case for most commercial usages of real-time
authentication systems with high traffic that cannot tolerate a high number of false alarms.
In addition, the LSTM with Attention has the major advantage of using one global
model per web application instead of a model per user, which is highly preferable in
terms of memory consumption, storage, and implementation in high volume, real-time
systems.
One limitation of this work is that due to insufficient touch data, we were only able
to test our new methods on mouse data. Possible future work might focus on a touch
dynamics dataset collected from mobile users who browse the web using their mobile
devices.

References
1. Yampolskiy, R.V., Govindaraju, V.: Behavioural biometrics: a survey and classification. Int.
J. Biometrics 1(1), 81–113 (2008)
2. Revett, K., Jahankhani, H., de Magalhães, S.T., Santos, H.M.D.: A survey of user authentication
based on mouse dynamics. In: Jahankhani, H., Revett, K., Palmer-Brown, D. (eds.)
ICGeS 2008. CCIS, vol. 12, pp. 210–219. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69403-8_25
3. Jorgensen, Z., Yu, T.: On mouse dynamics as a behavioral biometric for authentication. In:
Proceedings of the 6th ACM Symposium on Information, Computer and Communications
Security, pp. 476–482, March 2011
4. Levi, M., Allouche, Y., Kontorovich, A.: Advanced analytics for connected car cybersecurity.
In: 2018 IEEE 87th Vehicular Technology Conference (VTC Spring), pp. 1–7. IEEE, June
2018
5. Bergadano, F., Gunetti, D., Picardi, C.: User authentication through keystroke dynamics.
ACM Trans. Inf. Syst. Security (TISSEC) 5(4), 367–397 (2002)
6. Lau, E., Liu, X., Xiao, C., Yu, X.: Enhanced user authentication through keystroke biometrics.
Comput. Network Secur. 6 (2004)
7. Gunetti, D., Picardi, C.: Keystroke analysis of free text. ACM Trans. Inf. Syst. Secur.
(TISSEC) 8(3), 312–347 (2005)
8. Ahmed, A.A., Traore, I.: Biometric recognition based on free-text keystroke dynamics. IEEE
Trans. Cybernetics 44(4), 458–472 (2013)
9. Monaco, J.V., Bakelman, N., Cha, S. H., Tappert, C.C.: Recent advances in the development
of a long-text-input keystroke biometric authentication system for arbitrary text input. In:
2013 European Intelligence and Security Informatics Conference, pp. 60–66. IEEE, August
2013
10. Ahmed, A.A.E., Traore, I.: A new biometric technology based on mouse dynamics. IEEE
Trans. Depend. Secure Comput. 4(3), 165–179 (2007)
11. Awad, A., Ahmed, E., Traore, I.: Anomaly intrusion detection based on biometrics. In:
Proceedings of the IEEE (2005)
12. Feher, C., Elovici, Y., Moskovitch, R., Rokach, L., Schclar, A.: User identity verification via
mouse dynamics. Inf. Sci. 201, 19–36 (2012)
13. Pusara, M., Brodley, C.E.: User re-authentication via mouse movements. In: Proceedings of
the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 1–8,
October 2004
14. Shen, C., Cai, Z., Guan, X., Du, Y., Maxion, R.A.: User authentication through mouse
dynamics. IEEE Trans. Inf. Foren. Secur. 8(1), 16–30 (2012)
15. Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements.
In: Proceedings of the 18th ACM Conference on Computer and Communications Security,
pp. 139–150, October 2011
16. Shen, C., Cai, Z., Guan, X.: Continuous authentication for mouse dynamics: a pattern-growth
approach. In: IEEE/IFIP International Conference on Dependable Systems and Networks
(DSN 2012), pp. 1–12. IEEE (2012)
17. Kimon, L.B., Mirsky, Y., Rokach, L., Shapira, B.: Utilizing sequences of touch gestures for
user verification on mobile devices. In: Phung, D., Tseng, V.S., Webb, G.I., Ho, B., Ganji, M.,
Rashidi, L. (eds.) PAKDD 2018. LNCS (LNAI), vol. 10939, pp. 816–828. Springer, Cham
(2018). https://doi.org/10.1007/978-3-319-93040-4_64
18. Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D.: Touchalytics: On the applicability of
touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans. Inf.
Foren. Secur. 8(1), 136–148 (2012)
19. Feng, T., Liu, Z., Kwon, K.A., Shi, W., Carbunar, B., Jiang, Y., Nguyen, N.: Continuous mobile
authentication using touchscreen gestures. In: 2012 IEEE Conference on Technologies for
Homeland Security (HST), pp. 451–456. IEEE, November 2012
20. Zhang, H., Patel, V.M., Fathy, M., Chellappa, R.: Touch gesture-based active user authentication
using dictionaries. In: 2015 IEEE Winter Conference on Applications of Computer
Vision, pp. 207–214. IEEE, January 2015
21. Patel, V.M., Chellappa, R., Chandra, D., Barbello, B.: Continuous user authentication on
mobile devices: recent progress and remaining challenges. IEEE Signal Process. Mag. 33(4),
49–61 (2016)
22. Feng, T., Yang, J., Yan, Z., Tapia, E.M., Shi, W.: Tips: context-aware implicit user identification
using touch screen in uncontrolled environments. In: Proceedings of the 15th Workshop on
Mobile Computing Systems and Applications, pp. 1–6, February 2014
23. Levi, M., Hazan, I.: User profiling using sequential mining over web elements. In: 2019 IEEE
10th International Conference on Biometrics Theory, Applications and Systems (BTAS),
Tampa, FL, USA, pp. 1–6 (2019). https://doi.org/10.1109/btas46853.2019.9186005
24. Graves, A., Mohamed, A.R., Hinton, G.: Speech recognition with deep recurrent neural networks.
In: 2013 IEEE International Conference on Acoustics, Speech and Signal Processing,
pp. 6645–6649. IEEE, May 2013
25. Sak, H., Senior, A.W., Beaufays, F.: Long short-term memory recurrent neural network
architectures for large scale acoustic modeling (2014)
26. Chen, T., Xu, R., He, Y., Wang, X.: Improving sentiment analysis via sentence type
classification using BiLSTM-CRF and CNN. Expert Syst. Appl. 72, 221–230 (2017)
27. Antal, M., Egyed-Zsigmond, E.: Intrusion detection using mouse dynamics. IET Biometrics
8(5), 285–294 (2019)
28. Hinbarji, Z., Albatal, R., Gurrin, C.: Dynamic user authentication based on mouse movements
curves. In: He, X., Luo, S., Tao, D., Xu, C., Yang, J., Hasan, M.A. (eds.) MMM 2015. LNCS,
vol. 8936, pp. 111–122. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-14442-9_10
29. Tan, Y.X.M., Binder, A., Roy, A.: Insights from curve fitting models in mouse dynamics
authentication systems. In: 2017 IEEE Conference on Application, Information and Network
Security (AINS), pp. 42–47. IEEE, November 2017
30. Yang, Y., Guo, B., Wang, Z., Li, M., Yu, Z., Zhou, X.: BehaveSense: Continuous authentication
for security-sensitive mobile apps using behavioral biometrics. Ad Hoc Netw. 84, 9–18 (2019)
31. Jain, A., Kanhangad, V.: Exploring orientation and accelerometer sensor data for personal
authentication in smartphones using touchscreen gestures. Pattern Recogn. Lett. 68, 351–360
(2015)
32. Nguyen, T., Voris, J.: Touchscreen biometrics across multiple devices. In: SOUPS (2017)
33. Paszke, A., et al.: Automatic differentiation in pytorch (2017)
34. Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)
An Interoperable Architecture for Usable
Password-Less Authentication

Matthew Casey1, Mark Manulis2, Christopher J. P. Newton2, Robin Savage3,
and Helen Treharne2 (corresponding author)

1 Pervasive Intelligence Ltd., Fleet, UK
[email protected]
2 Surrey Centre for Cyber Security, University of Surrey, Surrey, UK
{m.manulis,c.newton,h.treharne}@surrey.ac.uk
3 SSP Ltd., Halifax, UK
[email protected]

Abstract. Passwords are the de facto standard for authentication
despite their significant weaknesses. While businesses are currently
focused on implementing multi-factor authentication to provide greater
security, user adoption is still low. An alternative, WebAuthn, uses cryptographic
key pairs to provide password-less authentication. WebAuthn
has been standardised and is resilient to phishing attacks. However, its
adoption is also very low; the barriers to adoption include usability
and resilience of keys. We propose a novel architecture for password-less
authentication designed to improve usability and deployability. Our
architecture is based on the WebAuthn standards and supports registration
and login to web-services. We support a WebAuthn authenticator
that generates and uses the key pairs on the client device by providing
resilience for these key pairs by using a backup key store in the cloud. We
also propose a WebAuthn authenticator using a key store in the cloud
so that password-less authentication can be used interoperably between
devices. We also assess the properties of these architectures against identified
threats and how they can form the basis for improving usability
and lowering the technical barriers to adoption of password-less authentication.

Keywords: Authentication · Password-less · Crypto-hardware · Key management · Security · WebAuthn

1 Introduction
Passwords are the de facto standard for authentication from e-commerce to
online banking, yet they are a weak form of authentication [29]. To strengthen
them, current advice [15,27] focuses on making passwords more complex (but not
too complex), avoiding password re-use (cf. [17]) and expiry, reducing the number
of passwords we use and using password managers, for example LastPass [22].
These measures are designed to balance security with usability, where usability
© Springer Nature Switzerland AG 2020
A. Saracino and P. Mori (Eds.): ETAA 2020, LNCS 12515, pp. 16–32, 2020.
https://doi.org/10.1007/978-3-030-64455-0_2
An Interoperable Architecture for Usable Password-Less Authentication 17

is crucial in ensuring that we achieve acceptable levels of security. For the general
population, however, only a minority of people appear to know how to protect
themselves online [2], and hackers take advantage of this with 65% of malicious
groups using phishing as their prime attack vector [32]. In simple terms therefore,
passwords are easy to use but offer far lower levels of security than we need,
especially for accounts that require stronger security, such as a user’s prime email
account or for online banking. The weaknesses of passwords make it desirable
to replace them with stronger, password-less techniques which cannot so readily
be subject to phishing attacks. In this paper we explore why password-less technologies
are not being widely adopted and propose an architecture which can be
used to unify existing password-less technologies and standards to make them
interoperable in order to overcome their limitations and to help drive adoption.
Contributions: in this paper we review the barriers to adoption of password-less
authentication technologies and propose how these barriers might be overcome.
Our approach is to take advantage of the usability of password-less technologies,
but to overcome issues of deployment to make them available for the general
population through a unified architecture that provides an interoperable approach
to password-less authentication adhering to the published standards [5].
We outline how the architecture can be designed, such that with strong security,
trust and usability, we can help drive adoption.
In Sect. 3 we describe password-less authentication solutions and the user and
business barriers to adoption. In Sect. 4 we propose how the technical barriers can
be overcome through architectures that can be used to unify current and future
standards-based password-less solutions. These architectures are described in
Sects. 4.1 and 4.2 and we consider the trust assumptions and threats related
to these architectures in Sect. 4.3. In Sect. 5 we consider how the architectures
might be used by users and how this will affect how the systems are designed.
Finally in Sect. 6 we conclude with the required next steps.

2 Background
To strengthen password authentication, multi-factor authentication (MFA) or
(its more common subset) two-factor authentication (2FA) has been used, alongside
password blacklists and throttling with lockouts [15,27]. Yet while these
methods can improve security and, in particular, studies have found 2FA to
offer acceptable levels of usability (cf. [31]), even here these extra measures can
still be attacked because they rely on something that we know (or write down).
For example, some systems still use the far weaker two-step verification which
requires the user to provide two pieces of information that they know, such as
a password and memorable data, both of which can be compromised in the
same way through phishing (cf. [28]). To correctly implement MFA, systems
should require that a user provide information from two or more independent
factors: 1) something they know, 2) something they have or 3) something they
are [15]. However, even here, 2FA in particular can be compromised, for example
weaknesses arise when users combine both independent factors into a single
18 M. Casey et al.

device (logging in from a phone which also receives the text message), or when the
second factor is intercepted (text messages can be re-directed by compromising
the telecommunications provider [21]).
While MFA provides stronger security compared to passwords alone, a bigger
problem however is the lack of uptake of this and similar technologies. For
example, in 2018 Google reported that less than 10% of users were using 2FA
for their Google accounts [25].
For businesses, one of the drivers causing adoption of stronger authentication
is the increasing cost of data breaches, with a global average cost per breach of
$3.92m [18], a rise in cost by 12% over 6 years, and with one survey reporting
that 94% of businesses cite that data breaches in the previous 12 months have
influenced their security policies [33]. With malicious attacks causing 51% of
data breaches in 2019 [18], businesses need stronger protection. In general, 58%
of organisations believe that 2FA is the most likely access control tool which will
be used to protect their systems [33], while 49% believe it is single sign-on and
47% biometric authentication. This shows that stronger access controls are being
adopted, with one survey in 2019 [34] reporting 60% of organisations using 2FA or
password-less technologies, and a further 29% looking at adoption or expansion
of these technologies. However, 26% also cite complex implementation challenges,
26% customer friction and 10% expense as barriers to adoption.

3 Adoption of Password-Less Authentication

It is clear that both users and businesses struggle with the adoption of stronger
authentication. If additional steps are implemented, such as basic forms of 2FA,
user adoption is low because of perceived usability issues or a lack of understanding.
For businesses, while the roll-out of stronger authentication is seen as
beneficial, there is concern about implementation complexity. Here then, there
is a clear need for stronger authentication, but the barriers to adoption are
currently high for users, even if the majority of businesses are moving towards
adoption. Microsoft have been promoting password-less authentication both for
business (Windows Hello for Business [23]) and other users (Microsoft Authenticator
App [24]) and these can work well in a Microsoft environment. Instead of
promoting 2FA based on text messages and one-time passwords, or proprietary
solutions, in this paper we discuss how a greater emphasis should be placed
on password-less solutions using public key cryptography, which offer far better
levels of security (thwarting phishing attacks [26]), usability and reduced
management costs [37].
Password-less authentication [5,12] allows WebAuthn users to login to web
applications using a cryptographic key pair. Once registered with their public
key, to log in, the web application issues a challenge which must be signed
using the user’s private key that is then verified by the web application using
the corresponding public key. This challenge-response protocol [5] is resistant to
phishing because no credentials are ever exchanged, and instead relies upon the
private key being kept secret (and here it is typically unknown and inaccessible
to the user). Even if the encrypted challenge-response communication were
intercepted, it cannot be used in a replay attack because a different challenge
would be issued. Also, if a hacker were able to, say, clone the device which is
holding the private key, an incremental usage counter can be used to reduce the
likelihood that the clone could be used successfully to login. As a potentially
usable and secure technology which offers far greater protection than passwords,
why has adoption been slow and why has it not supplanted techniques which
use passwords? Password-less authentication should be better for both users and
businesses. There is clearly an uptake by industry [10], but there are still barriers
to overcome, including preconceptions, knowledge of techniques, expense
and deployment (cf. [6]).
Password-less authentication was recently standardised in the W3C WebAuthn
recommendation [5] and it is this proposal that we focus on here. WebAuthn
is supported in all major web browsers and this gives businesses confidence to
develop solutions which will work with any of them. Figure 1 represents the data
flows which support registration and login to a web application using WebAuthn.
In the W3C documentation login is referred to as the authentication ceremony.
In this paper since we use the word authentication in several contexts, we use the
term login instead of the WebAuthn authentication term. In the figure we show
an authenticator app separate from the authenticator itself; in some cases this
may be a single entity. The WebAuthn protocol requires a user to authenticate
with the authenticator; this might be using biometrics, a PIN, or a passphrase.
The web application, known as a relying party, can decide what security level
it will accept for this authentication. We now outline the protocols used for
registration and login.
When a user wishes to register an account with a relying party they connect
to it (1). The relying party sends the user a challenge (2) which is passed to
the authenticator (3). The user needs to authenticate themselves (4) and the
authenticator generates a new signing key pair against an identifier for the relying
party (5). The identifier, public key and signed challenge are then sent back to the
relying party for verification (6) and storage against the newly created account
(7).
At a later time when the user wishes to login (1), the relying party sends a
challenge to the user (2) and it is passed to the authenticator (3). The user needs
to authenticate themselves (4) and then the authenticator signs the challenge
using the same private key (5) and sends it back (6). Login is successful if the
challenge signature is validated against the public key for the user (7).
WebAuthn defines the protocols and data structures necessary to support
registration and login to web applications. In particular it defines the interface
for a WebAuthn authenticator which is used to generate the necessary key pairs
(on registration) and sign the challenges when a user wishes to login to a relying
party. This standard grew out of the work of the FIDO Alliance on the Fast
Identity Online protocol and Client to Authenticator Protocol (current versions
are FIDO2 [12] and CTAP2 [7]) and many systems base their current implementations
on these standards.

Step   Registration                                 Login
(1)    user registers                               user requests access
(2)    server sends challenge data                  server sends challenge data
(3)    challenge passed to authenticator            challenge passed to authenticator
(4)    user verification                            user verification
(5)    authenticator generates key pair             authenticator signs the challenge
(6)    public key and attestation sent to server    response sent to server
(7)    server validates response                    server validates response

Fig. 1. Data flows in WebAuthn

When built into a device, an authenticator (a platform authenticator) is typically
just used to protect private keys and other secrets used on that device only.
This protection is achieved by, for example, using biometric access to apps, like
that provided by Apple’s Face ID. Other authenticators are designed to allow
the associated keys to be used on any compatible computer via, for example,
USB or NFC, and these are known as roaming authenticators. These devices are
used to hold (or re-generate) key pairs for signing and offer portability between
devices, but have limited capacity.
Both platform and roaming authenticators have the same problem: if a device
with a platform authenticator or a roaming authenticator is lost or damaged,
the data they hold is lost and hence so is a user’s access to their registered
relying parties. At the moment users of roaming authenticators would need to
purchase them in pairs and create backup access by registering both of them
with a relying party. This would mitigate the problem of loss or damage, but
does not get over their limited capacity. Platform authenticators do not have
the same capacity problem, but even when private keys are backed up to the
cloud they are typically encrypted so that they can only be decrypted on the
corresponding phone [3]. So, while either type of authenticator offers strong
security and improved usability over passwords, their different capabilities are
confusing, and this hinders adoption.

An Interoperable Architecture for Usable Password-Less Authentication 21

This highlights that usability is only one aspect which affects adoption of
password-less authentication. Bonneau et al. [6] developed a wider, subjective
framework for the comparison of password and password-less authentication
methods and their properties. Crucially, this included deployability and security,
as well as usability. They concluded broadly that usability and security
can be improved through measures such as single sign-on (reducing the number
of passwords a user must manage), and that most of the technologies surveyed
were an improvement in security relative to passwords. However, they also
highlighted that every alternative was harder to deploy in some way: less
accessible, more expensive, less compatible with browsers or servers, less
mature, or proprietary. This is backed up by a study on secure communications
tools, which found that usability is not the prime barrier to adoption and that
interoperability, low quality, lack of trust and misunderstanding are also
factors [1]. Password-less solutions offer far greater security only if they
are actually used, so how they are implemented and deployed is just as crucial.

3.1 Adoption Challenges

From this we can summarise the barriers to adoption of password-less authentication
faced by users and businesses as follows (building on [6]):

User Adoption Barriers:

Knowledge: With perhaps only 15% of people having sufficient knowledge of how
to protect themselves online [2], and the majority of people using passwords,
shifting to stronger authentication will take persuasion. People do, however,
learn to adopt new authentication technologies when a service provider mandates
them.
Capabilities: There are over 70 FIDO2-certified authenticators [13] available
on the market. They each offer different capabilities, such as the ability to
roam between devices, and the number of keys that they can hold. They also
differ in levels of protection, from no hardware-based protection (Level 1),
through uncertified (Level 2) to certified (Level 3) use of trusted
tamper-resistant hardware [4,20,35]. A transparent comparison of capabilities would
help, but a unified set of capabilities which meet minimum usability and
security requirements would further promote adoption.
Expense: Hardware authenticators have an associated cost (for example, the
latest generation of YubiKeys start at $45 per authenticator and Google Titan
from $25), while crypto-hardware currently tends to be built only into more
expensive devices (Google Pixel 3 from $399 and iPhone from $449). Adoption
can therefore be expensive.