Timing Attacks on Cognitive Authentication Schemes
Classical password/PIN-based authentication methods have proven to be vulnerable to a broad range of observation attacks (like key-logging, video-recording or shoulder surfing attacks). So as to mitigate these attacks, a variety of solutions have been proposed, most of them being cognitive authentication schemes (challenge-response protocols that require users to perform some reasonably cognitive operations). In this paper, we show successful passive facet-channel timing attacks on two cognitive authentication schemes, a well-known Hopper-Blum (HB) protocol and a U.S. patent Mod10 methodology, previously believed to be secure against observation attacks. As we tend to show, the main security weakness of these strategies comes from detectable variations within the user's cognitive load that results from cognitive operations during the authentication procedure. We dispensed theoretical analysis of both Mod10 and HB methods, also an experimental user study of Mod10 methodology with 58 participants to validate the results of our timing attacks. We additionally propose security enhancements of these schemes aimed to mitigate the timing side-channel attacks. The proposed enhancements show the existence of a sturdy tradeoff between security and usability, indicating that the security of cognitive authentication schemes comes at a non-negligible usability price (e.g., increased overall login time). For that reason, the designers of new cognitive authentication schemes ought to not ignore doable threats induced by facet-channel timing attacks.
Did you like this research project?
To get this research project Guidelines, Training and Code... Click Here