K. Marshall, Thomas Cantido, Jonathan Case, L. Nguyen, H. El-Razouk
Title: An Event-Driven Authentication Approach for Mediation of User Actions
DOI: 10.1109/iemcon53756.2021.9623209 (https://doi.org/10.1109/iemcon53756.2021.9623209)
Venue: 2021 IEEE 12th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)
Published: 2021-10-27
Open access: no
Citations: 0
Abstract
Traditional authentication schemes challenge the user with something only they know, often a username and password, and become more robust with two-factor authentication. However, a new security problem arises when the system or service cannot ensure accountability for all events that occur within a user application. The vulnerability exists in authentication mechanisms that fail to provide security for events that occur after the login stage. This accountability gap leaves users susceptible to physical and cyber attacks, such as physical compromise of the unattended session or Man-in-the-Middle (MITM) and replay attacks. In these cases the user is held accountable for the resulting actions while the server is unaware that the legitimate user is no longer near the active session. Therefore, an additional authentication mechanism is needed to provide security up to the application layer when critical events are attempted. In this paper we study a practical, user-friendly approach to mediate critical events by authentication that verifies the legitimate user is still near the live session. Critical events are authenticated by pairing the PC with the user's mobile smart device over a connection medium to determine whether both devices are within an acceptable range. Afterwards, the PC sends a cryptographic challenge that can only be answered by the user's device using public-key infrastructure and digital signatures. The smartphone replies to the PC with a challenge of its own, so that both devices achieve mutual authentication.
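The exchange the abstract outlines (proximity gate, PC challenge, signed phone response carrying a counter-challenge, signed PC confirmation) as an added, self-contained example; this is not the authors' code, and the paper's actual message formats, key types and proximity test are not given in the abstract. Assumptions made here: Ed25519 signatures, pairing modelled as an out-of-band public-key exchange, the range check reduced to an inRange flag, and length-prefixed transcripts with direction tags ("resp", "conf") that bind each signature to the session, the event, both nonces and the direction of the message.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Message formats are assumptions for this example; the abstract gives only the outline.
type Challenge struct {
	SessionID []byte // the live PC session being protected
	Event     string // the critical action the user is attempting
	Nonce     []byte // fresh random value chosen by the challenger
}

type Response struct {
	CounterNonce []byte // responder's own fresh nonce, for mutual authentication
	Signature    []byte // over transcript("resp", session, event, challenge nonce, CounterNonce)
}

// transcript length-prefixes every field and adds a direction tag, so a
// signature cannot be reused in the other direction or for another event.
func transcript(tag string, session []byte, event string, nonces ...[]byte) []byte {
	var b bytes.Buffer
	for _, f := range append([][]byte{[]byte(tag), session, []byte(event)}, nonces...) {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

type Device struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	peerPub ed25519.PublicKey // installed at pairing (assumed to happen out of band)
	pending *Challenge        // the single outstanding challenge, nil when none
	counter []byte            // phone side: counter nonce awaiting confirmation
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable
	}
	return b
}

func NewDevice() *Device {
	priv := ed25519.NewKeyFromSeed(random(ed25519.SeedSize))
	return &Device{priv: priv, Pub: priv.Public().(ed25519.PublicKey)}
}

// Pair exchanges public keys; the range check is modelled by MediateEvent's inRange flag.
func Pair(a, b *Device) { a.peerPub, b.peerPub = b.Pub, a.Pub }

// NewChallenge (PC side) binds a fresh nonce to the session and the event.
func (d *Device) NewChallenge(session []byte, event string) Challenge {
	d.pending = &Challenge{SessionID: session, Event: event, Nonce: random(32)}
	return *d.pending
}

// Respond (phone side) signs the PC's challenge and issues a counter-challenge.
func (d *Device) Respond(c Challenge) Response {
	d.pending, d.counter = &c, random(32)
	sig := ed25519.Sign(d.priv, transcript("resp", c.SessionID, c.Event, c.Nonce, d.counter))
	return Response{CounterNonce: d.counter, Signature: sig}
}

// Confirm (PC side) verifies the response against the one outstanding challenge,
// consumes that challenge so a captured response cannot be replayed, then answers
// the phone's counter-challenge.
func (d *Device) Confirm(r Response) ([]byte, error) {
	c := d.pending
	if c == nil {
		return nil, errors.New("no outstanding challenge (stale or replayed response)")
	}
	d.pending = nil
	if !ed25519.Verify(d.peerPub, transcript("resp", c.SessionID, c.Event, c.Nonce, r.CounterNonce), r.Signature) {
		return nil, errors.New("bad response signature: unpaired device, old nonce or altered event")
	}
	return ed25519.Sign(d.priv, transcript("conf", c.SessionID, c.Event, c.Nonce, r.CounterNonce)), nil
}

// VerifyConfirmation (phone side) completes mutual authentication.
func (d *Device) VerifyConfirmation(sig []byte) error {
	c := d.pending
	if c == nil || !ed25519.Verify(d.peerPub, transcript("conf", c.SessionID, c.Event, c.Nonce, d.counter), sig) {
		return errors.New("PC failed mutual authentication")
	}
	d.pending, d.counter = nil, nil
	return nil
}

// MediateEvent runs the whole exchange in-process for one critical event.
func MediateEvent(pc, phone *Device, session []byte, event string, inRange bool) error {
	if !inRange { // the range check over the connection medium gates the whole exchange
		return errors.New("phone not within acceptable range; event denied")
	}
	conf, err := pc.Confirm(phone.Respond(pc.NewChallenge(session, event)))
	if err != nil {
		return err
	}
	return phone.VerifyConfirmation(conf)
}
```

Two design points matter for the attacks the abstract names. Confirm clears the outstanding challenge before checking the signature, so a response captured on the medium is rejected whether it is presented again for the same challenge or against a later one (the later one carries a different nonce inside the signed transcript). Including the event text in the transcript means a man-in-the-middle that shows the phone a different action than the one the PC is about to perform produces a signature the PC cannot verify; a server that receives the signed transcript alongside the request can make the same check.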