Integrating a Usable Security Protocol into User Authentication Services Design Process

To Usable Security, User Experience (UX) Design, and User Authentication enthusiasts, a novel perspective on Security by Design in user authentication!

Taylor & Francis Group, an Auerbach Publication - 344 pages.

Publication Summary

INTEGRATING A USABLE SECURITY PROTOCOL INTO USER AUTHENTICATION SERVICES DESIGN PROCESS

  • Authored by: Christina Braz, Ahmed Seffah, and Syed Naqvi.
  • One of the biggest challenges facing heterogeneous organizations is providing access control services to logical resources (e.g., databases, servers, applications, etc.) as well as physical resources (e.g., data centers, security facilities, etc.) that are both secure and usable. To achieve this, three indispensable components must be implemented: Identification, Authentication, and Authorization. In Identification, we need to establish 'Who does this user claim to be?'. In Authentication, we need to verify 'Is the user in fact who s/he claims to be?', and finally in Authorization we need to be sure 'Is this user authorized to access the resource or service that s/he is requesting?'. Inquiry into user authentication in particular is vital. Without authentication, a computer system often has no foundation for establishing whether access should be granted or not.
    Security and usability are the top concerns of (business and consumer) users and administrators of information technology services, and both are essential in the user authentication process. Moreover, security and usability are broadly held to be two opposing goals in system design, and the well-known human factor is easily exploited and continually overlooked in computer security. Companies spend millions of dollars on firewalls, encryption, and secure access devices, but most of the time they neglect to address issues related to the weakest link in the security chain: the human being.
    The central question of this book is how to ensure the usability of user authentication without compromising security. The authors' theory is that there is an intrinsic conflict between creating systems that are secure and systems that are usable. However, usability and security can be synergistically combined by providing design tools and artifacts with "embedded" usable security principles early in the requirements and design phase. In certain situations it is possible to concurrently increase usable security by revisiting design decisions that were made in the past, and in other situations to align security and usability by changing the regulatory environment in which the computers or systems operate. However, to date, there is no theoretical framework providing an inspection method that considers security and usability synergistically for user authentication methods. To these ends, this book's main goal is not to address usability and security after the product (the authentication method) has been created and/or manufactured, but to make security a natural outcome of the requirements and design phase of the user authentication method development life cycle. Therefore, a usable security protocol is needed for user authentication.

Publications

Artificial Intelligence (Machine Learning, Automation, etc.), Usable Security, Information Security, User Authentication, Mobile Computing, Mobile Commerce, Radio Frequency Identification (RFID), and Microprocessor Chips.

2025



Books In Progress

A PRACTICAL GUIDE TO ARTIFICIAL INTELLIGENCE FOR CYBERSECURITY IN FINANCIAL SERVICES (Temporary Title)
Authored by: Christina Van Braz.

PUBLICATION SUMMARY

Cybersecurity plays a critical role in safeguarding information and systems from significant cyber threats. Keeping up with evolving cybersecurity strategies and the rapidly shifting threat landscape is particularly challenging - especially within enterprise and government networks, where the protection of valuable intellectual property and sensitive business data in digital form is paramount to preventing theft and misuse. Organizations must now fend off ever-pervasive cyberattacks, such as cybercriminals or even disgruntled employees giving away sensitive information, disclosing intellectual property to competitors, or becoming involved in online fraud. This means that the cyber threat landscape is growing exponentially. For instance, insider threats are learning to elude signature-based systems, and bad actors are using Artificial Intelligence (AI) (e.g., Machine Learning (ML), Deep Learning (DL), etc.) to circumvent detection by learning the most prevalent detection rules.

Also, the size and complexity of this rising challenge is overwhelming cybersecurity teams, while the competent cybersecurity talent required to successfully fight back is increasingly expensive and hard to find. According to the Deloitte 2019 Future of Cyber Survey on the biggest impacts of cyber incidents or breaches on organizations, beyond concerns about organizations' reputations, in the past two years alone the repercussions of data breaches and large-scale cyber incidents have included massive revenue loss due to operational disruption, changes in leadership, reputational loss, drops in share price, and most recently, the imposition of regulatory fines. Furthermore, when protecting critical systems, users, and data, one of the major challenges Cyber Security Operations Centers (CSOCs) are facing now is long dwell times. According to FireEye M-Trends 2019, the global median dwell times vary between 71 and 204 days. Also, most organizations are facing insight overload, which translates into repetitive work and a higher likelihood that a significant Indicator of Compromise (IoC) has been missed. The truth is that it is humanly impossible for the security team to keep up with the ever-expanding threat landscape.

Attackers, for their part, are both exploiting AI systems and using AI to assist in their attacks. Among these techniques, adversarial machine learning attempts to fool models through malicious input, with the aim of attacking or causing a malfunction in standard machine learning models. One example is "Deep Exploit", an automated penetration testing tool that uses ML and that attackers can employ to pen test organizations and uncover security holes in their defenses in only 20 to 30 seconds.

From the banks' perspective, AI interest is mostly focused on fraud and cybersecurity because these functions typically already have existing IT teams, infrastructure, and budgets. In several cases, automation efforts are also directed at these functions, so process automation in fraud and cybersecurity applications is where much of the AI focus in the top 100 banks currently lies. In fact, threat identification systems already employ machine learning techniques to identify completely new threats, and defenders can employ AI to better harden their environments against attacks. For example, AI-based systems could launch a series of simulated attacks on a bank network over time, with the intention that an attack iteration will come across a vulnerability that can be closed before it is discovered by attackers.

Additionally, banks seem to be investing in upgrading and renovating outdated fraud and cybersecurity threat detection systems with AI-based ones. This is because anomaly detection, an AI approach used to recognize outliers in a dataset (i.e., to identify unusual patterns that do not conform to expected behavior), makes fraud detection quicker and more cost-effective for banks. Another aspect is that banks are obligated by supervisory bodies to report instances of fraud or money laundering (e.g., fraudulent bank accounts), and identifying and detecting cases of fraudulent accounts and transactions is slow and difficult with rules-based systems, since they can produce numerous false positives.

Analysts at ABI Research estimate that machine learning in cybersecurity will increase spending in big data, Artificial Intelligence (AI) and analytics to $96 billion by 2021. As mentioned, AI technologies can enhance threat intelligence, prediction, and protection. They can also allow faster attack detection and response, while reducing the need for human cybersecurity specialists, who are nowadays in short supply. However, AI can also learn from security analysts and improve its performance over time, contributing to time savings and better decisions. These cyber capabilities are imperatively required as cyber attacks continue to rise in volume and sophistication.

In summary, using AI/ML in cybersecurity is more of a requirement than a matter of choice. In fact, machine learning is becoming one of the main components of next-generation security, enabling higher degrees of cybersecurity.

Papers In Progress

PASSID: AN ARTIFICIAL INTELLIGENCE-BASED USER AUTHENTICATION METHOD
Braz, C.
Information Security & Control (IS&C) Scotiabank, Toronto, ON Canada.

A COGNITIVE MODEL OF USER AUTHENTICATION (CMUA)
Braz, C.
Information Security & Control (IS&C) Scotiabank, Toronto, ON Canada.

2024-2004



Published Books

Integrating a Usable Security Protocol into User Authentication Services Design Process - 1st Edition
Authors: Christina Braz, Ahmed Seffah, and Bilal Naqvi


Published Papers

ADDING MEASURES IN TASK MODELS FOR USABILITY INSPECTION OF CLOUD ACCESS CONTROL SERVICES
Naqvi, S. [1], Seffah, A. [1] & Braz, C. [2]
7th IFIP WG 13.2 International Working Conference - HCSE 2018
Sophia Antipolis, France, September 3-5, 2018.
[1] Department of Research and Innovations, Lappeenranta University of Technology, Finland.
[2] Information Security & Control (IS&C) Scotiabank, Toronto, ON Canada.

GAZEPASS: A USABLE, SINGLE, AND YET STRONG BIOMETRIC AUTHENTICATION METHOD.
Braz, C. [1][2] & Seffah, A. [2]
2018 International Conference on Intelligent Human Systems Integration: Integrating People and Intelligent Systems (iHSI 2018)
Dubai, United Arab Emirates, January 7-9th, 2018
[1] Information Security & Control (IS&C) Scotiabank, Toronto, ON Canada.
[2] Department of Research and Innovations, Lappeenranta University of Technology, Finland.

GLANCEID: A USABLE AND STRONG OPTICAL USER AUTHENTICATION METHOD
Braz, C. [1] & Seffah, A. [2]
7th International Conference on Applied Human Factors and Ergonomics (AHFE) 2016
Walt Disney World Swan and Dolphin Hotel, Florida, USA July 27-31, 2016
[1] Product User Experience Principal, UX Consulting, Boston, MA.
[2] Department of Research and Innovations, Lappeenranta University of Technology, Finland.

DESIGNING USABLE, YET SECURE USER AUTHENTICATION SERVICES - A USER AUTHENTICATION PROTOCOL
Braz, C. [1], Seffah, A. [2] & Poirier, P. [3]
5th International Conference on Applied Human Factors and Ergonomics 2014
Krakow, Poland 19-23 July 2014
[1] Information Management Group (IMG), Symantec Corporation, Mountain View, CA, U.S.
[2] Department of Computer Science, Université de technologie de Troyes (UTT), Troyes, France.
[3] Department of Computer Science, University of Quebec, Montreal, Canada.

GLANCEPASS: A BIOMETRIC AUTHENTICATION METHOD
Braz, C. [1], Seffah, A. [2] & Poirier, P. [3]
IADIS Multi Conference on Computer Science and Information Systems 2011
Rome, Italy (20-26 July, 2011)
[1] Department of Computer Science, University of Quebec Montreal, Canada
[2] Department of Computer Science, Université de technologie de Troyes (UTT), Troyes, France.
[3] Department of Philosophy, University of Quebec, Montreal, Canada.

CHIPLINK: A SECURE RFID-BASED WIRELESS AUTHENTICATION SYSTEM
Braz, C.
IADIS Multi Conference on Computer Science and Information Systems 2011
Rome, Italy (20-26 July, 2011)
Department of Computer Science, University of Quebec Montreal, Canada.

DESIGNING USABLE, YET SECURE USER AUTHENTICATION SERVICE: THE COGNITIVE DIMENSION
Braz, C. [1], Seffah, A. [2] & Poirier, P. [3]
e-Review of Tourism Research (eRTR) 2010
Web-based international research network for tourism professionals.
[1] Department of Computer Science, University of Quebec Montreal, Canada
[2] Department of Computer Science, Université de technologie de Troyes (UTT), Troyes, France.
[3] Department of Philosophy, University of Quebec, Montreal, Canada.

USER AUTHENTICATION: ADDING USABLE SECURITY SYMMETRY INTO DESIGN AND REQUIREMENTS
Braz, C. [1], Seffah, A. [2] & Poirier, P. [3]
1st International Workshop on Software Security Process (SSP09)
Vancouver, Canada (29-31 August, 2009)
[1] Department of Computer Science, University of Quebec Montreal, Canada
[2] Department of Computer Science, Université de technologie de Troyes (UTT), Troyes, France.
[3] Department of Philosophy, University of Quebec, Montreal, Canada.

DESIGNING A TRADE-OFF BETWEEN SECURITY AND USABILITY: A METRICS-BASED APPROACH
Braz, C. [1], Seffah, A. [2] & M'Raihi, D. [3]
INTERACT 2007 Socially-Responsible Interaction - The 11th IFIP TC13 International Conference on Human Computer Interaction
Rio de Janeiro, Brazil (10-14 September, 2007)
[1] Department of Computer Science, University of Quebec Montreal, Canada
[2] Department of Computer Science, Université de technologie de Troyes (UTT), Troyes, France.
[3] VeriSign Inc. Mountain View, CA, U.S.

SECURITY USABILITY: THE CASE OF USER AUTHENTICATION METHODS
Braz, C. [1] & Robert, J.M. [2]
18th French-Speaking Conference on Human Computer Interaction (HCI 2006).
Montreal, Quebec, Canada (18-21 April, 2006).
[1] Department of Computer Science, University of Quebec, Montreal, Canada.
[2] Department of Mathematics and Industrial Engineering, École Polytechnique de Montréal, Canada.

ASEMC: AUTHENTICATION FOR A SECURE MOBILE COMMERCE
Braz, C. & Aïmeur, E.
RFID JOURNAL, RFID White Papers, Security White Papers (June 2005).
Department of Computer Science & Operational Research, University of Montreal, Quebec, Canada.

AUTHENLINK: A MOBILE USER-AUTHENTICATION SYSTEM
Braz, C.
Ergonomie et Systèmes Avancés (ERGO-IA) 2004.
Biarritz, France (November 17-29, 2004).
Department of Computer Science and Operational Research, University of Quebec, Montreal, Canada.

AUTHENLINK: A USER AUTHENTICATION FOR A SECURE MOBILE COMMERCE
Braz, C.
1st French-Speaking Conference on Mobility and Ubiquity Computing - UBIMOB 2004.
Nice, Sophia-Antipolis, France (June 1-3, 2004).
Department of Computer Science and Operational Research, University of Quebec Montreal, Canada.

A USER AUTHENTICATION SYSTEM FOR MOBILE TRANSACTIONS: AUTHENLINK
Braz, C. [1] & Aïmeur, E. [2]
3rd International Workshop on Wireless Information Systems (WIS-2004).
Porto, Portugal (13-14 April, 2004).
[1] Department of Computer Science & Operational Research, University of Quebec, Montreal, Canada.
[2] Department of Computer Science & Operational Research, University of Montreal, Quebec, Canada.