Hacksaw

Abstract

The currently deployed web authentication model, involving only entry-point authentication of users, does not do anything to protect against account takeover attacks. Once the attacker has compromised the entry-point authentication method, such as by learning a user's password or even two-factor authentication credentials via widely exploited mechanisms such as phishing and password database breaches, or has hijacked a login session, he can fully access and abuse the user's account and associated services. To respond to this critical vulnerability, we introduce the notion of non-stop post-entry authentication, to be integrated with any entry-point authentication method, using which the web service can proactively authenticate the user throughout the login session invisibly in the background without explicit user involvement and without the need for storing user-specific templates (like in biometric systems) thereby preserving user privacy. We design a transparent and privacy-preserving non-stop authentication system, called Hacksaw, using a wrist-worn personal wearable device that authenticates the user continually by correlating the input events on the website (e.g., keyboard and mouse activities) with the user's corresponding hand movements captured via the device's motion sensors. Specifically, at its core, Hacksaw's correlation algorithm computes the cosine similarity of the hand gesture with the stored generic (i.e., non user-specific) templates of input gestures. We build an instance of Hacksaw's implementation on an Android smartwatch as the wearable and desktops/laptops as the client terminals, and comprehensively evaluate it under benign and adversarial settings. Our results suggest that Hacksaw can keep the legitimate users logged into their accounts for long durations, while promptly detecting or automatically deauthenticating remote and proximity attackers attempting to take over the users' account following the compromise of the initial login credentials or hijacking of the login session. Given that wrist-worn wearable devices are already increasingly used in many domains of daily lives (including security applications), we believe that Hacksaw can be incorporated to the current web authentication model, especially to sensitive web services such as banking or e-commerce, to significantly improve its security against online fraud, without additional effort from the users and without degrading user privacy.