Emerging Technologies for Authorization and Authentication: 4th International Workshop, ETAA 2021, Darmstadt, Germany, October 8, 2021, Revised Selected Papers (Security and Cryptology)
Edited by Andrea Saracino and Paolo Mori
- Publisher: Springer
- Year: 2022
- Language: English
- Pages: 177
- Category: Library
Synopsis
This book constitutes the proceedings of the 4th International Workshop on Emerging Technologies for Authorization and Authentication, ETAA 2021, held in Darmstadt, Germany, on October 8, 2021. The workshop was co-located with ESORICS 2021.
The 11 full papers presented in this volume were carefully reviewed and selected from 14 submissions. They present new techniques for biometric- and behaviour-based authentication, and for authentication and authorization in the IoT and in distributed systems in general, including the smart home environment.
Table of Contents
Preface
Organization
Contents
WYK: Mobile Device Authentication Using the User's Address Book
1 Introduction
2 Authentication on Mobile Devices
2.1 Ways to Authenticate a User
2.2 Authentication Mechanisms
3 Related Work
4 WYK Authentication Scheme
4.1 Phase 1: Initialization
4.2 Phase 2: Update
4.3 Phase 3: Authentication
5 Implementation and Analysis
5.1 Proof of Concept Implementation
5.2 CasperFDR: Formal Verification
5.3 Analysis
6 Conclusion
References
Future-Proof Web Authentication: Bring Your Own FIDO2 Extensions
1 Introduction
2 Background
2.1 FIDO2
2.2 FIDO2 Extensions
2.3 Extension Pass-Through
3 Survey: Existing FIDO2 Extensions
3.1 Standard Extensions
3.2 Recovery Extension (Yubico)
3.3 CaBLE Extension (Google)
3.4 GoogleLegacyAppIdSupport Extension (Google)
4 Survey: Compatibility of FIDO2 Extensions
4.1 Web Browsers
4.2 Client Libraries
4.3 Authenticators
4.4 Summary
5 Design and Implementation of Custom Extensions
5.1 Relying Party
5.2 Web Browser
5.3 Client Library
5.4 Authenticator
6 Discussion
6.1 Extension Pass-Through
6.2 Supporting FIDO2 Extensions via Browser Extensions
6.3 Outlook
7 Related Work
8 Conclusion
References
Heartbeat-Based Authentication on Smartwatches in Various Usage Contexts
1 Introduction
2 Notations
3 Background
4 Related Works
5 Heartbeat Signals Estimation on Smartwatches
6 Experiments
7 Conclusion
References
Quantum Multi-factor Authentication
1 Introduction
1.1 Brief Summary of Mechanism
2 A Brief Review of Quantum Authentication
3 Quantum Computing Properties and Preliminaries
3.1 Hidden Matching Problem
4 Quantum MFA Mechanism
4.1 SASL Mechanism
4.2 Informal Security Analysis
4.3 Token Lifetime
5 Comparison to State of the Art
5.1 Attack Susceptibility Summary
6 Discussion
7 Conclusion
References
An Interface Between Legacy and Modern Mobile Devices for Digital Identity
1 Introduction
2 Background
2.1 Wireless Application Protocol
2.2 QR Codes for Digital Identity
3 Problem Statement
3.1 Use Cases
3.2 Threat Model
4 Design and Implementation
4.1 Protocol
5 Related Work
6 Conclusions
References
Facial Recognition for Remote Electronic Voting – Missing Piece of the Puzzle or Yet Another Liability?
1 Introduction
2 State of the Art
2.1 Facial Recognition
2.2 Elections and Biometrics
2.3 Some Facial Biometry Deployment Examples
3 Architectural Questions
3.1 At Which Stage to Use Facial Recognition?
3.2 Compatibility with Different I-Voting Protocols
3.3 Is a Semi-controlled Voting Environment Achievable?
4 General Issues with Facial Recognition
4.1 How to Resolve Disputes?
4.2 Privacy
5 Discussion
6 Conclusions
References
Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
1 Introduction
2 Background on DevOps, DevSecOps and Pentesting
2.1 Security Practices in DevSecOps
2.2 Overview of Micro-Id-Gym
3 Scenario and Requirements
4 Continuous Delivery Solution for Pentesting of IdM Protocols
4.1 Design
4.2 Implementation
5 Use Case: SAML SSO Implementation
5.1 Results
6 Conclusion and Future Work
References
Mimicry Attacks Against Behavioural-Based User Authentication for Human-Robot Interaction
1 Introduction
2 Related Work
3 Threat Model and Attacks
3.1 Zero-Effort Attacks
3.2 Imitation Attacks
4 Experimental Design Considerations
4.1 Experiment Choices
4.2 Experimental Design
4.3 Data Collection
4.4 Feature Extraction and Feature Subset Selection
4.5 Considered Classifiers and Parameter Value Selection
5 Attack Design
5.1 Recruitment and Motivation of Participants
5.2 Procedures for Attack
6 Results and Discussion
6.1 Baseline Evaluation
6.2 Offline Training Attacks Evaluation
6.3 Shoulder Surfing Attacks Evaluation
6.4 Attacker Acceptance Rate
7 Conclusion
References
Private Data Harvesting on Alexa Using Third-Party Skills
1 Introduction
2 Introduction to Alexa's Skills and Past Attacks
2.1 Alexa Skills
2.2 Previous Exploits on Alexa and Related Work
3 Overview of the Adversarial Framework
3.1 Data Compromising Through the Adversarial Framework
4 Developed Malicious Skills
4.1 Local Facts: Address Harvesting
4.2 Daily Treasure: Password Harvesting
4.3 County Facts: Payment Detail Harvesting
4.4 Lucky Fortune: Payment Detail/Personal Information Harvesting
5 Usability and Feasibility Study
5.1 Usability Study
5.2 Feasibility Study
6 Conclusion and Discussion
References
Handling Meta Attribute Information in Usage Control Policies (Short Paper)
1 Introduction
2 Related Work and Background
2.1 Access and Usage Control
2.2 Evaluating Trust Level
3 Trust-Aware Continuous Authorization Architecture
3.1 Architecture Component Description
3.2 Policy Meta Information
3.3 Workflow
4 Conclusions and Future Work
References
"Ask App Not to Track": The Effect of Opt-In Tracking Authorization on Mobile Privacy
1 Introduction
2 ATT Pop-Ups in the Wild
2.1 Methodology
2.2 Results
3 User Study Methodology
3.1 App Design and Conditions
3.2 Participant Recruitment
3.3 Participant Demographics
4 Results
5 Related Work
5.1 Tracking
5.2 Permissions and User Preferences
5.3 Nudging
6 Conclusion
A Follow-Up Survey Questions
References
Author Index
SIMILAR VOLUMES
- This book constitutes the proceedings of the 17th International Workshop on Security and Trust Management, STM 2021, co-located with the 26th European Symposium on Research in Computer Security, ESORICS 2021. The conference was planned to take place in Darmstadt, Germany. It was held online on
- This book constitutes the refereed proceedings of six International Workshops that were held in conjunction with the 26th European Symposium on Research in Computer Security, ESORICS 2021, which took place during October 4-6, 2021. The conference was initially planned to take place in Darmstad
- This book constitutes the refereed proceedings and revised selected papers from the 16th International Workshop on Data Privacy Management, DPM 2021, and the 5th International Workshop on Cryptocurrencies and Blockchain Technology, CBT 2021, which were held online on October 8, 2021, in conjun
- This book constitutes the proceedings of the Second International Workshop on Emerging Technologies for Authorization and Authentication, ETAA 2019, held in Luxembourg, in September 2019. The 10 full papers presented in this volume were carefully reviewed and selected from numerous submiss
- This volume constitutes the refereed proceedings of the 5th International Workshop on Emerging Technologies for Authorization and Authentication, ETAA 2022, held in Copenhagen, Denmark, on September 30, 2022, co-located with ESORICS 2022. The revised 8 full papers present