User perspective and security of a new mobile authentication method

Along with the dynamic development and utilization of the self-care services, such as banking, e-commerce, healthcare, or e-government, there has been an increasing demand to properly authenticate users in a secure manner. It is vital to authenticate users as currently almost 46% of the global population has access to the Internet [1] and cybercriminals impersonate legitimate users, conduct frauds and steal data on a daily basis.

Despite many attempts to improve security in the communication networks, it is still humans that are the weakest link in the security chain. Fortunately, the awareness of online privacy and security protection among the network users is slowly awakening. One of the most common fears of Internet users is an identity theft attack. However, in most cases users are not fully aware of its risks and causes since they simply lack experience in the field of network security, which prevents them from protecting themselves effectively. Typically, users do not know basic means that can be used in order to protect one’s identity. On the other hand, most well-known and common authentication methods are quite troublesome especially for the end users who represent low level of technical skills.

In general, current authentication processes rely on:The password-based authentication relying on something the user knows is probably the oldest and still most commonly used user authentication method. On one hand it is utilized very often, but on the other hand rarely used properly. For example, nowadays, it is common knowledge that static passwords should be long, complex and should not be reused between various services and providers that the user utilizes. But from the users’ perspective such an approach is typically overcomplicated and annoying to apply in practice. This, in turn, leads to the point where people typically use simple and easily guessable passwords that can be broken with a (very basic) dictionary attack.

The main negative aspect of the methods that rely on something the user has is that the authentication process requires the user to carry appropriate equipment with them. Moreover, for example in the smart vehicle scenario it may happen that, for instance, when the user is near his car with an immobilizer the car opens without the owner being aware of it.

Finally, the weakness of popular biometric systems (something that user is) consists in poor coping with changes. In case of stealing a fingerprint, a face shape or a scan of retina, the user cannot replace it with another one that was not previously stolen. Another thing is that people tend to leave this kind of data everywhere.

From another perspective, multi-factor authentication that combines all above mentioned methods is desirable in order to obtain desired Level of Assurance (LoA) defined by ISO/IEC 29115. The aim of multi-factor authentication is to enhance the strength of the authentication process. It usually increases the security level, especially if the authentication method forms a hybrid of what the user has, knows and is. Still, it should be noticed that a high LoA is not required in all cases. There is no point in using all authentication possibilities everywhere, especially if raising a number of authentication factors affects the user’s perception. Unfortunately, it seems to be a rule that the more effective the confirmation of one’s identity is (thus successful attacks are less probable), the less comfortable it is for the user.

On the other hand, designed authentication methods should not be susceptible to user errors. Therefore, the interaction between the user and the log in process should be prepared in a way so that it has both secure and user-friendly (ergonomic) authentication process.

Considering above, the aim of this paper is to evaluate the proposed mobile authentication method from the user perspective as well as from the point of view of security. Therefore, we focus both on user’s comfort and security. The novel solution described in this paper is based on what the user has. Mobile phones with the Secure Element (SE), such as a smart card based on UICC (Universal Integrated Circuit Card), usually called just a ‘SIM (Subscriber Identity Module) card’, are almost omnipresent. SIM card seems to be a perfect carrier to provide authentications and digital signatures in a user’s everyday life. Nowadays, carrying a mobile phone is not problematic for its user. To increase security the authentication process is based on a SIM card, and not only on security relying on the applications and the operating system. The proposed solution enables users to access websites, services and applications without the need to remember passwords, responses or a support of any equipment. The described method is based on a low LoA, which is still easy to be increased by adding more authentication factors, while utilizing the same idea. Considering the above, the main contribution of this paper is to demonstrate an innovative authentication solution that focuses on the usage that is at the same time comfortable and secure. This new authentication method was designed, developed and evaluated in comparison with other most common methods.

The rest of the paper is structured as follows. First, the related work in the field authentication of mobile users (chapter 2) is reviewed. Chapter 3 describes in detail the new authentication model and the corresponding remote architecture. In the next section (Sect. 4) an experimental methodology to capture user perspective is outlined. Obtained results of the aforementioned studies are shown in Sect. 5. Section 6 is devoted to security analysis of the proposed solution including potential risks and attacks identification and how to protect against them. Finally, Sect. 7 concludes the work.

A growing body of evidence clearly demonstrates that there is a problem to identify mobile users on the Internet. There are many works that deal with this topic, such as [2], which proposes an ID-based communication framework, where IP addresses play a significant role, not only in locating hosts and in routing the traffic, but also in the identification of hosts and services. In this paper, we adopt a MSISDN-based (Mobile Station International Subscriber Directory Number) user’s identity. This allows finding the mobile device (SIM card) quickly while maintaining the integrity and the uniqueness. But in the future any other identifier can be chosen for this purpose.

Many studies have proposed an innovative authentication schemes based on different assumptions. One of the several possibilities are MAI (Message Authentication Image) [3] or other intelligent image-based authentication framework that falls under the “What you know” type of authentication [4]. Moreover, the article [5] proposes an authentication system using OTP (One Time Password) or QR codes (Quick Response Code). Papers [6] and [7] rely on a certificate-based authentication. The exchange of certificates is done on the basis of asymmetric encryption while the digital certificates are issued by a certification authority (CA). However, these works add the additional aspect which requires user attention. Thereby the convenience of the authentication process is lowered.

In order to secure mobile devices against different threats, biometrics has been applied. It seems to be a very effective way of authentication. In the last years, research has provided ample support for the assertion that biometrics is the future of authentication. There are plenty of works based on fingerprint [8], gait, face, voice, gesture, iris, typing pattern, signature [9] or even electrocardiograms acquired by mobile sensors [10]. All these solutions use an authentication method based on the data about “what user is”. There are also works in the field of Wireless Sensor Network, where sensors are either attached to or embedded in the human body and communicate wirelessly with each other and with other components such as network towers, processors, servers, etc. [11]. It must be admitted that biometrics uses a very convenient way of authentication. However, in this paper, we focus on a single factor authentication, but any biometrics method could be developed in order to add another factor utilizing the described idea. Although, for now, due to many frauds and data leaks, biometrics was left for future work. The weakness of biometrics is that in case of data leakage we cannot change it, and this type of personal data can be left everywhere. Furthermore, biometric mobile applications are vulnerable to some types of attacks that can decrease their security [12]. Evidence presented in [12], which is based on the research into facial and fingerprint mobile authentication applications, shows that such mobile applications are vulnerable to several attacks, which poses a serious threat to the overall system security and user privacy.

In this paper, we focus on authentication method that relies on something the user has, meaning the SIM card. A lot of works have focused on such authentication [13‐21]. They propose a SIM based protocol as an authentication tool over existing GSM technology through GPRS [14], for SIP [15, 16]. Other papers describe an anonymous remote user authentication with a key agreement scheme based on smart card using chaotic maps [17] or other cryptographic operations [18‐21]. There are several methods that provide user anonymity and traceability with solutions based on mobile cloud networks [22, 23]. Unfortunately, all the papers mentioned above consider the secure exchange of information between the mobile device and the servers, and do not analyze human users’ perspective. That is why, this paper focuses on introducing the authentication method which is both comfortable and safe. Security is an important matter; however, user convenience should be taken into consideration as well.

According to paper [24], which focuses on how to create an end-to-end secure channel between the digital services, the biggest open issue is how to design the user interaction in terms of data input and output in a way that users can reliably and unobtrusively be aware of which application part they are communicating with. Paper [25] pays greater attention to this issue. In this work, however, the solution is mainly described in terms of Man-in-the-middle (MitM) attack and is not based on standards.

There has also been research into the perception of users. Such studies are mostly done with the use of a survey questionnaire [26]. Evaluation of different authentication methods has been performed in the paper [27]. Three devices in the generation of one-time passcodes (OTPs) were compared. But only hardware tokens which are an additional device for the user to carry were included. Very precise research in this area is conducted in locking the smartphone screens [28]. Also, a questionnaire was used which was distributed among the users via online and offline means. Unfortunately, only widely used methods were evaluated, which allowed investigating a greater number of respondents. However, in this paper we present a method which is not yet available for the users widely.

To summarize, in contrast to the existing works mentioned above in this paper we propose a novel authentication method and we evaluate it in terms of user comfort and security. Moreover, we conduct its comparative analysis with two well-known existing solutions i.e. static passwords and SMS OTP (One Time Password).

The purpose of the solution proposed in this paper is to provide a secure and user-friendly authentication method designed for mobile web applications of any service provider. In fact, the solution used here enables both: authorization and authentication of the end users. The main idea is to push a selection form to the user’s mobile device to establish whether the user would like to be authenticated or not. In order to achieve this, an applet on the SIM card has been used. In this work, a standard applet was utilized, installed on the SIM card of one of the Polish mobile operators. The user, having provided only a login name to any website authentication form, is prompted to confirm the authentication process on their mobile device with a SIM card. After successful confirmation he is automatically redirected to the website he wanted to log in.

The log in process is based on an OpenID Connect standard [29] which is a simple identity layer on top of the OAuth 2.0 protocol [30]. OpenID Connect standard has been chosen as the base protocol and framework because of its openness and robustness. It can work on almost any device that has a web browser with access to the Internet. It works regardless of the operating system of the device. The OpenID Connect Specification is set by the OpenID Foundation, and is constantly evolving.

The proposed solution consists of four types of components, each performing different well-defined functions (Fig. 1):Protocols between the components are characterized as follows: HTTPS—in communication between Browser-Service Provider, Service Provider-Authorization Server, Browser-Authorization Server; WML and HTTPS—in communication between OTA and Authorization Server; Encrypted messages—between OTA and SIM card; STK push—between a SIM card and Mobile device screen which will be described thoroughly in Sect. 6.3.

The process of logging into the web application from the user perspective has been presented in Fig. 1.

The detailed flow of the logging into the external application integrated with the Authorization System using described method is as follows (Figs. 1, 2):In this paper the Authorization Server is deployed on a WebLogic server belonging to one of the Polish mobile operators, which is designed to be user-friendly, reliable and secure. We assume that the operating environment is secure. In this sense there is no malware. However, it is worth noting that there are no extra assumptions for the user authentication using this method, such as:In order to improve LoA, additional actions based on push STK may be implemented. The best solution that fits into this architecture is to implement a PIN (Personal Identification Number) entering instead of a single confirmation on the device. The PIN should be held only on the SE, not in any database. This way it is very secure, because the OTA system only requests the SIM card to verify the PIN, and then returns the information about the successful operation. No passwords are sent over the network. This way, if necessary, two or more factors authentication process can be created thereby increasing LoA. The objective of this paper, however, is to show the concept of creation of the authentication process based on the SIM card.

For the proposed authentication method two types of user-oriented experimental evaluations were performed. The first is focused on establishing users’ subjective perception of the proposed solution. In order to investigate overall users’ awareness and attitude of usability, convenience and security towards different authentication processes the following experiment was designed. A questionnaire was prepared which allowed to determine the difference in users’ perception for three different authentication approaches based on: static passwords, OTP (One-Time Password) SMS, and SIM card. The implementation of all three was based on OAuth 2.0 standard. All the evaluated methods are summarized briefly in Table 1.

The experimental methodology was as follows: a user was asked to use all three methods mentioned in Table 1 and successfully log in. The user has to log in to three web applications using Chrome browser on the laptop. Each web application required authentication in one of the three listed ways. For OTP SMS and SIM methods the users received a Samsung Galaxy A3 model number SM-A310F with a SIM card inside. The SIM card was able to receive the SMS and it had a proper applet installed on it. In case of failure in any method, the experiment for adequate authentication approach was repeated. After completing successfully these tasks, the user was asked to fill in a questionnaire.

The questionnaire was composed of 23 questions and its form is presented in the appendix. Each question was formulated in order to capture users’ perception of the above-mentioned authentication methods from different angles. Furthermore, the same set of questions was asked for each method, which means that the user had to go through the same 23 questions three times. The respondents have been asked to answer each question by choosing one of the five proposed answers (so called 5-Likert scale [31]), which is usually used to determine participants’ attitudes or feelings about something. This time it was used to measure the level of respondents’ satisfaction or consent rate. Each participant had to choose one from the following answers:All 23 questions were divided into four groups representing different aspects of the evaluated authentication methods: convenience, usefulness, security and difficulties. The appendix shows how the questionnaire looks like—there all the questions related to the similar topic have been rearranged in order to increase the reliability. These questions with the respective groups they represent, and the number in the correct order form the questionnaire are presented in Table 2.

The participants of the survey were balanced by age and gender. Forty respondents—thirty men and ten women—took part in the experiment with filling the questionnaire. The participants’ age was between 20 and 50. Technical knowledge was highly diversified: from experts in the field of security to ordinary computer users. The participants represented various professional groups consisted of both students and IT employees as well as people completely unrelated to the IT industry, such as lawyers, pharmacists, builders, financiers or mechanics. Responders were explained the consecutive steps of the log in process without details related to the technical aspects of the methods.

Another aspect that was investigated is related to the time needed to conduct the whole log in process. The aim was to measure the time that a user needs to authenticate successfully. There was no point in measuring the log in time of the static password-based authentication. This is because this time would vary considerably depending on the complexity and length of the password (no security policy when setting the static password has been forced). This means that sometimes the duration of the whole process was really short, and if the participant chose a complex, more secure password then this time was obviously longer. That is why the time needed for each participant to log in has been measured only for OTP SMS and SIM methods.

For the purpose of these experiments the respondent has to put their login name (MSISDN) in the HTML form and confirm it by clicking the “Next” button, which is the moment the time measurement is initiated for both methods. Then, depending on the method, the participant sees another HTML form to put the OTP SMS or an HTML form with instructions to confirm the log in on the device. Copying the SMS OTP had to be approved by clicking on the HTML form. While confirming with SIM, the second HTML vanishes automatically. Typing in the correct OTP or confirming authentication with SIM resulted in redirecting the user to the Service Provider site, where the user tried to log in. The login time was calculated up to this point.

For experiments with SIM card-based authentication, 80 participants were asked to log in while the corresponding time was measured. It is also worth noting that for the OTP SMS-based authentication, the calculated log in duration has been performed on actual customers of one of the major mobile operators in Poland.

This chapter presents the results of research. We presented the results of the questionnaire survey and then the times of logins respectively.

This section presents the proposed method from the perspective of security. The previous sections have shown that the participants of the experiment, in general, like the SIM-based method. In this section, users’ perception is described in terms of security (Sect. 6.1), and then a full security analysis of the new method has been made, in relation to network (Sect. 6.2) and mobile environment (Sect. 6.3). At the end of this section the well-known threats are presented along with a comparison of the authentication methods.

Authentication while using mobile device is an essential part of everyday life. In this paper the possibilities of using mobile devices such as mobile phones as a secure and very user-friendly way of confirming its user’s identity were analyzed. Confirming the identity using a smartphone when trying to log in seems to be a very promising way for the future. That is why in this paper we proposed an innovative authentication scheme which relies on the Secure Element which is a SIM card. Performed experiments proved that the proposed authentication method can be very comfortable and user-friendly. In addition, it has been verified that this solution is extremely fast. Finally, potential security issues were analyzed with conclusion that it is a secure authentication approach.

Future work includes completing the process with next authentication factors, which will rely on something the user knows, something the user has, and something the user is. In the future SIM cards will probably be replaced by eSIM, which would allow remote management of the applet.