Multi-factor Authentication Updating System Evaluation Dynamically for Service Continuity

Hiroya Susuki, Rie Shigetomi Yamaguchi, Shizuo Sakamoto


In response to changes in security environments, an authentication framework has an important role for service continuity, which can evaluate both of security and usability and handle authentication methods. If the service provider cannot respond to problems such as new attacks immediately, the service must be stopped. In this paper, we propose a multi-factor authentication framework using a probabilistic evaluation method considering service continuity. Our framework includes a formal theoretical model, based on Bayesian approach, to be dynamically updated to use appropriate combinations of authentication factors in response to changes in the security environment. The model is important because it forms the basis on which the real-world systems is able to be evaluated security immediately and responded to weak factor.


  1. Al-Assam, H., Sellahewa, H., and Jassim, S. (2010). On security of multi-factor biometric authentication. In Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, pages 1-6. IEEE.
  2. Aloul, F., Zahidi, S., and El-Hajj, W. (2009). Multi factor authentication using mobile phones. International Journal of Mathematics and Computer Science, 4(2):65-80.
  3. Bonneau, J., Herley, C., Van Oorschot, P. C., and Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 553-567. IEEE.
  4. Burr, W. E., Dodson, D. F., and Polk, W. T. (2004). Electronic authentication guideline. Citeseer.
  5. Chen, L. and Crampton, J. (2012). Risk-aware role-based access control. In Security and Trust Management, pages 140-156. Springer.
  6. Cheng, P. C., Rohatgi, P., Keser, C., Karger, P. A., Wagner, G. M., and Reninger, A. S. (2007). Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In Security and Privacy, 2007. SP'07. IEEE Symposium on, pages 222-230. IEEE.
  7. Damer, N., Opel, A., and Nouak, A. (2014). Cmc curve properties and biometric source weighting in multibiometric score-level fusion. In Information Fusion (FUSION), 2014 17th International Conference on, pages 1-6. IEEE.
  8. Google (2015). Google 2-step verification [retrieved 18 sep. 2015].
  9. Herley, C. (2009). So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 workshop on New security paradigms workshop, pages 133-144. ACM.
  10. Hocking, C. G., Furnell, S. M., Clarke, N. L., and Reynolds, P. L. (2010). A distributed and cooperative user authentication framework. In Information Assurance and Security (IAS), 2010 Sixth International Conference on, pages 304-310. IEEE.
  11. Karabacak, B. and Sogukpinar, I. (2005). Isram: information security risk analysis method. Computers & Security, 24(2):147-159.
  12. Kim, J.-J. and Hong, S.-P. (2011). A method of risk assessment for multi-factor authentication. JIPS, 7(1):187- 198.
  13. Kondakci, S. (2010). Network security risk assessment using bayesian belief networks. In Social Computing (SocialCom), 2010 IEEE Second International Conference on, pages 952-960. IEEE.
  14. Nguyen, N. T., Zheng, G., Han, Z., and Zheng, R. (2011). Device fingerprinting to enhance wireless security using nonparametric bayesian method. In INFOCOM, 2011 Proceedings IEEE, pages 1404-1412. IEEE.
  15. Pavlovic, D. and Meadows, C. (2010). Bayesian authentication: Quantifying security of the hancke-kuhn protocol. Electronic Notes in Theoretical Computer Science, 265:97-122.
  16. Riva, O., Qin, C., Strauss, K., and Lymberopoulos, D. (2012). Progressive authentication: Deciding when to authenticate on mobile phones. In USENIX Security Symposium, pages 301-316.
  17. Sabzevar, A. P. and Stavrou, A. (2008). Universal multifactor authentication using graphical passwords. In Signal Image Technology and Internet Based Systems, 2008. SITIS'08. IEEE International Conference on, pages 625-632. IEEE.
  18. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., Christin, N., and Cranor, L. F. (2010). Encountering stronger password requirements: User attitudes and behaviors. In Proceedings of the Sixth Symposium on Usable Privacy and Security, SOUPS 7810, pages 2:1-2:20, New York, NY, USA. ACM.
  19. Yang, G., Wong, D. S., Wang, H., and Deng, X. (2008). Two-factor mutual authentication based on smart cards and passwords. Journal of Computer and System Sciences, 74(7):1160-1172.
  20. Zhao, J. J. and Zhao, S. Y. (2010). Opportunities and threats: A security assessment of state egovernment websites. Government Information Quarterly, 27(1):49-56.

Paper Citation

in Harvard Style

Susuki H., Shigetomi Yamaguchi R. and Sakamoto S. (2016). Multi-factor Authentication Updating System Evaluation Dynamically for Service Continuity . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 273-281. DOI: 10.5220/0005681802730281

in Bibtex Style

author={Hiroya Susuki and Rie Shigetomi Yamaguchi and Shizuo Sakamoto},
title={Multi-factor Authentication Updating System Evaluation Dynamically for Service Continuity},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},

in EndNote Style

JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Multi-factor Authentication Updating System Evaluation Dynamically for Service Continuity
SN - 978-989-758-167-0
AU - Susuki H.
AU - Shigetomi Yamaguchi R.
AU - Sakamoto S.
PY - 2016
SP - 273
EP - 281
DO - 10.5220/0005681802730281