Securing User Authentication in Emerging Threat Landscapes

在新兴威胁环境中保护用户身份验证

• 批准号: RGPIN-2021-03141
• 负责人: Alaca, Furkan
• 金额: $ 1.75万
• 依托单位: Queen's University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=742398
• 关键词: Securing; User; Authentication; Emerging; Threat

User authentication-the process of verifying the claimed identity of a user prior to granting access to a system-is a critical first line of defense against unauthorized use of computing systems. While passwords have remained the dominant form of user authentication, the increased sophistication and proliferation of cyberthreats is leading institutions in Canada and internationally to adopt stronger authentication schemes, such as two-factor authentication. However, current approaches to strengthen authentication provide maximum benefit only in limited contexts, such as in organizations with large IT departments that can provide the necessary support and training to enable universal use by all users. Multi-factor authentication and password management are known to be among the most important mechanisms that can prevent most losses caused by security breaches. The long-term objective of this research program is to transform the future of user authentication to allow users to authenticate using methods that are convenient, usable, and accessible, while meeting clearly-defined security goals of all stakeholders including users and online service providers. This will improve people's lives by making it easier for them to protect themselves online, and will reduce the burden imposed on industry and government by an increasingly hostile threat landscape. Toward that end, this research program will (1) Examine, via large-scale data collection, untested assumptions in security literature for their applicability in the real-world deployment and usage of authentication systems; (2) Build novel security mechanisms that address a wider and more sophisticated range of threats than current systems, without requiring additional user effort; (3) Design new authentication schemes that leverage modern technologies, such as trusted execution environments and Internet of Things devices, to achieve benefits that were not previously possible; (4) Develop frameworks that security practitioners can use to compose authentication systems from known components tailored to fulfill security objectives required for specific contexts; and (5) Formulate methods to communicate threat models to users to aid them in decision-making for configuring and using authentication systems. One fifth of Canadian businesses suffered operational consequences due to cybersecurity attacks in 2017; the economic impact of such attacks in Canada is over $3 billion annually. Weak authentication is recognized as a leading cause of breaches. This research program will be instrumental in developing security mechanisms and frameworks that counter a more powerful range of threats and systematically address specific security requirements in different contexts. It will also respond to the shortage of cybersecurity professionals in Canada, which will see a demand for up to 53,000 professionals as early as 2023, by training graduate and undergraduate students to be highly-qualified security experts.

用户身份验证（在授予对系统的访问权限之前验证用户声称的身份的过程）是防止未经授权使用计算系统的关键第一道防线。虽然密码仍然是用户身份验证的主要形式，但随着网络威胁的日益复杂和扩散，加拿大和国际机构正在采用更强大的身份验证方案，例如双因素身份验证。然而，目前加强身份验证的方法仅在有限的上下文中提供最大的好处，例如在具有大型IT部门的组织中，这些部门可以提供必要的支持和培训，以使所有用户能够普遍使用。众所周知，多因素身份验证和密码管理是可以防止安全漏洞造成的大多数损失的最重要机制之一。这项研究计划的长期目标是改变用户身份验证的未来，允许用户使用方便、可用和可访问的方法进行身份验证，同时满足包括用户和在线服务提供商在内的所有利益相关者明确定义的安全目标。这将使人们更容易在网上保护自己，从而改善人们的生活，并将减轻日益严峻的威胁环境给行业和政府带来的负担。为此，本研究计划将(1)通过大规模数据收集，检查安全文献中未经检验的假设，以确定其在真实世界部署和使用身份验证系统中的适用性；(2)建立新的安全机制，以应对比现有系统更广泛、更复杂的威胁，而不需要用户额外的努力；(3)设计新的认证方案，利用现代技术，如可信执行环境和物联网设备，实现以前不可能实现的利益；(4)开发安全从业人员可以使用的框架，以从定制的已知组件组成身份验证系统，以实现特定环境所需的安全目标；(5)制定向用户传达威胁模型的方法，以帮助用户在配置和使用认证系统时做出决策。2017年，五分之一的加拿大企业因网络安全攻击而遭受运营后果；在加拿大，此类袭击每年造成的经济损失超过30亿美元。弱身份验证被认为是违规的主要原因。该研究计划将有助于开发安全机制和框架，以应对更强大的威胁范围，并系统地解决不同背景下的特定安全需求。它还将通过培训研究生和本科生成为高素质的安全专家，来应对加拿大网络安全专业人员的短缺，最早在2023年，加拿大将需要多达53,000名专业人员。