Issue No. 03 - May-June (2015 vol. 12)
Andrea Ceccarelli, Department of Mathematics and Informatics, University of Firenze, Viale Morgagni 65, 50134 Firenze, Italy
Leonardo Montecchi, Department of Mathematics and Informatics, University of Firenze, Viale Morgagni 65, 50134 Firenze, Italy
Francesco Brancati, Resiltech S.R.L., Piazza Iotti 25, 56025 Pontedera, Italy
Paolo Lollini, Department of Mathematics and Informatics, University of Firenze, Viale Morgagni 65, 50134 Firenze, Italy
Angelo Marguglio, Engineering Ingegneria Informatica S.p.A., Viale Regione Siciliana 7275, 90146 Palermo, Italy
Andrea Bondavalli, Department of Mathematics and Informatics, University of Firenze, Viale Morgagni 65, 50134 Firenze, Italy
Session management in distributed Internet services is traditionally based on username and password, explicit logouts and mechanisms of user session expiration using classic timeouts. Emerging biometric solutions allow substituting username and password with biometric data during session establishment, but in such an approach still a single verification is deemed sufficient, and the identity of a user is considered immutable during the entire session. Additionally, the length of the session timeout may impact on the usability of the service and consequent client satisfaction. This paper explores promising alternatives offered by applying biometrics in the management of sessions. A secure protocol is defined for perpetual authentication through continuous user verification. The protocol determines adaptive timeouts based on the quality, frequency and type of biometric data transparently acquired from the user. The functional behavior of the protocol is illustrated through Matlab simulations, while model-based quantitative analysis is carried out to assess the ability of the protocol to contrast security attacks exercised by different kinds of attackers. Finally, the current prototype for PCs and Android smartphones is discussed.
Authentication, Servers, Protocols, Bioinformatics, Web services, Smart phones
A. Ceccarelli, L. Montecchi, F. Brancati, P. Lollini, A. Marguglio and A. Bondavalli, "Continuous and Transparent User Identity Verification for Secure Internet Services," in IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 3, pp. 270-283, 2015.