Passwordless Authentication Using a Combination of Cryptography, Steganography, and Biometrics

Round 1

Reviewer 1 Report

1. The references used are lack of quality, please add references from reputable journals

2. In the introduction, you claim that " In this paper, we present the development and evaluation of a new passwordless authentication system, known as Sesame Auth. Our system employs a combination of cryptographic, steganographic, and biometric techniques to establish a secure and user-friendly authentication framework. Specifically, we hope to address whether it is possible to have a passwordless authentication system that does not offer security at the expense of great user experience, and vice versa.", Please explain, the advantages of the system offered when compared to other existing systems.

3.  In Related Work, add a table that explain the differences between the proposed system and some existing systems.

4. In the abstract, you claim that "Results from the prototype indicate that authentication is possible within a timeframe similar to passwords (within 2 seconds), without imposing additional hardware costs on users to enhance security or compromising usability". We have not seen any security analysis in this paper. Add analysis in terms of security.

5. In 4.2 authentication, "The duration averaged 282ms. Summing the average server times, the total time to complete an authentication session was 825 ms. Further, success rates of 100 percent were recorded for each authentication session." Please give a detailed analysis of this statement.

6. Please give a detailed explanation for table 1-3. 

7. we have not found a reason for choosing LSB steganography when compared to other steganography methods

Author Response

1. 1. The references used are lack of quality, please add references from reputable journals.

   Added in the paper. Related work section. Note, we have withdrawn the publication of the review paper, as we added part of this into this paper, so that there will be no match in terms of repeated text in eh related work section. The paper is still in the pre-print repository and will be taken off soon.

   2. In the introduction, you claim that " In this paper, we present the development and evaluation of a new passwordless authentication system, known as Sesame Auth. Our system employs a combination of cryptographic, steganographic, and biometric techniques to establish a secure and user-friendly authentication framework. Specifically, we hope to address whether it is possible to have a passwordless authentication system that does not offer security at the expense of great user experience, and vice versa.", Please explain, the advantages of the system offered when compared to other existing systems.

               Our proposed solution aims to eliminate the need for storing plain text passwords using password managers, writing them down, or relying on weak passwords. By doing so, we create a more robust and user-friendly authentication ecosystem that is both dynamic and reliable.

    

   3. In Related Work, add a table that explain the differences between the proposed system and some existing systems.

               In our approach, we favour textual discussions over tabular formats. We understand there are different opinion on comparisons, it works better for us. An we have provided comparison to one selected benchmarking source as presented in tables 1-3

   4. In the abstract, you claim that "Results from the prototype indicate that authentication is possible within a timeframe similar to passwords (within 2 seconds), without imposing additional hardware costs on users to enhance security or compromising usability". We have not seen any security analysis in this paper. Add analysis in terms of security.

               This is provided in table 3

   5. In 4.2 authentication, "The duration averaged 282ms. Summing the average server times, the total time to complete an authentication session was 825 ms. Further, success rates of 100 percent were recorded for each authentication session." Please give a detailed analysis of this statement.

    

   Our solution, with an 825ms time frame, significantly minimizes attack vectors. During testing, all attempts were successful within this time frame. Consequently, we demonstrate a viable and secure solution that enhances the security posture of authentication.

   6. Please give a detailed explanation for table 1-3. 

   More details added, but this has also been explained in the evaluation section second paragraph, the new added text in the paragraph before 5.2.1

   7. we have not found a reason for choosing LSB steganography when compared to other steganography methods

               Other options can be considered; we are not trying to prove that they are not viable, but rather we have not tested them as they are out of scope for this paper. We have also discussed the limitation of LSB in 5.2.1

Reviewer 2 Report

The manuscript is very confusing. Its main drawbacks are the following:

1.- Why is it used steganography? What is the reason to hide the encrypted results of user's typing ID? The encrypted result is encrypted, that is, confidential. Why is then hidden? Why is hidden in an image?

2.-   It is said that "To regain access to the account, the user will need to provide the stego-image that was pre-embedded with their typing ID and the public key for that account". Hence, the user should have to know the image to regain access. This reviewer thinks that remember a password is easier than remember an image.

3.- It is used keystroke dynamics to identify the user. However, nothing is said about the performance of this biometric identification, that is, its false matching ratio and false non-matching ratio. Identifying the user by this behavior is worse (less discriminative) than using other biometric traits such as iris, faces, etc. Why is keystroke dynamics used instead of other biometrics that are more precise? Only average times are shown in results, but accuracy of the identification should have been shown.

4.- The reader cannot know the contributions of this work concerning the state of art because no state of art is reviewed. The reader is referred to another public document from the authors but, then, this manuscript is not self contained. At least the main topics of state of art should have been included.

5.- Passwordless authentication using FIDO Alliance is very much spread. However, nothing is said about FIDO until Section 5, where it is said that "other existing passwordless alternatives (e.g. FIDO2) lack several of the benefits outlines in the framework". Why? Nothing is explained. As a matter of fact, this is unclear and contradictory because it is said several times that "biometric authentication is requested on the user’s device by prompting for either a fingerprint or face ID, depending on that which was previously set up by the user". But FIDO2 uses fingerprint or face ID. Hence, do you need FIDO2 for SA user registration?

6.- In Section 5.1, it is said "Malware on user device - Secret keys are stored in the trusted execution environment (TEE) of the device and are as secure as the strength of the device TEE implementation". However, nothing is said about storing secret keys in hardware security modules (HSMs), which is more secure. Then, in Section 5.2 it is said "the state of cryptography in mobile environments remains relatively rudimentary". This reviewer does not understand that comment: many mobiles offer security in hardware, which is stronger than security in software.

Author Response

Why is it used steganography? What is the reason to hide the encrypted results of user's typing ID? The encrypted result is encrypted, that is, confidential. Why is then hidden? Why is hidden in an image?

            To improve security and provide multiple layers of defence.

2.-   It is said that "To regain access to the account, the user will need to provide the stego-image that was pre-embedded with their typing ID and the public key for that account". Hence, the user should have to know the image to regain access. This reviewer thinks that remember a password is easier than remember an image.

            If you use a simple password, then this might be the case. It Is also subjective and different things works for different people.

3.- It is used keystroke dynamics to identify the user. However, nothing is said about the performance of this biometric identification, that is, its false matching ratio and false non-matching ratio. Identifying the user by this behavior is worse (less discriminative) than using other biometric traits such as iris, faces, etc. Why is keystroke dynamics used instead of other biometrics that are more precise? Only average times are shown in results, but accuracy of the identification should have been shown.

            It is more difficult to attack keystroke analysis than others, as you mentioned iris, fingerprint, etc., are out of focus. Our focus is on keystroke rather than the usual or well-known biometrics used. From our experiments, the accuracy is good, but we have not factored in if the user is using different devices, i.e., a phone in comparison to a laptop. This forms part of our future work to investigate

4.- The reader cannot know the contributions of this work concerning the state of art because no state of art is reviewed. The reader is referred to another public document from the authors but, then, this manuscript is not self contained. At least the main topics of state of art should have been included.

            We have tried to summarise the state of the art within this paper, but full details have been submitted as a review. This allows us to completely focus on the results rather than another survey paper. Text added in the related work section to address this point.

5.- Passwordless authentication using FIDO Alliance is very much spread. However, nothing is said about FIDO until Section 5, where it is said that "other existing passwordless alternatives (e.g. FIDO2) lack several of the benefits outlines in the framework". Why? Nothing is explained. As a matter of fact, this is unclear and contradictory because it is said several times that "biometric authentication is requested on the user’s device by prompting for either a fingerprint or face ID, depending on that which was previously set up by the user". But FIDO2 uses fingerprint or face ID. Hence, do you need FIDO2 for SA user registration?

FIDO is useful, but our contribution lies in eliminating possible attacks on FIDO and using steganography and public key infrastructure. To register, yes, we use fingerprint, but not to authenticate.

6.- In Section 5.1, it is said "Malware on user device - Secret keys are stored in the trusted execution environment (TEE) of the device and are as secure as the strength of the device TEE implementation". However, nothing is said about storing secret keys in hardware security modules (HSMs), which is more secure. Then, in Section 5.2 it is said "the state of cryptography in mobile environments remains relatively rudimentary". This reviewer does not understand that comment: many mobiles offer security in hardware, which is stronger than security in software.

            Our focus is to eliminate the use of extra hardware and focus more on a software solution.

Reviewer 3 Report

This article presents a novel approach to authentication, integrating cryptography, steganography, and biometrics to establish a passwordless system. Central to its security is the user's input behavior, a unique feature ensuring a robust defense against unauthorized access. The methodology strikes a commendable balance between security and practicality. However, several inquiries arise:

1. While the article employs user input mode for security, the utilization of steganography to embed images may seem redundant. Could the authors elaborate on the necessity of this additional layer?

2. Regarding the embedded images, what stylistic parameters are considered, if any? Additionally, is there a predefined size limit for these images?

3. A critical concern pertains to account recovery in the event of image loss. Section 3.2.2 discusses users typically storing images on their current device. How does the system facilitate account recovery on a new device if the original device is lost?

4. Clarification is sought regarding the nature of the registration ID mentioned in Section 3.2.3. Is this ID user-defined or automatically generated by the system? Moreover, is there an option to avoid storing the registration ID altogether for enhanced privacy?

This article presents a novel approach to authentication, integrating cryptography, steganography, and biometrics to establish a passwordless system. Central to its security is the user's input behavior, a unique feature ensuring a robust defense against unauthorized access. The methodology strikes a commendable balance between security and practicality. However, several inquiries arise:

1. While the article employs user input mode for security, the utilization of steganography to embed images may seem redundant. Could the authors elaborate on the necessity of this additional layer?

2. Regarding the embedded images, what stylistic parameters are considered, if any? Additionally, is there a predefined size limit for these images?

3. A critical concern pertains to account recovery in the event of image loss. Section 3.2.2 discusses users typically storing images on their current device. How does the system facilitate account recovery on a new device if the original device is lost?

4. Clarification is sought regarding the nature of the registration ID mentioned in Section 3.2.3. Is this ID user-defined or automatically generated by the system? Moreover, is there an option to avoid storing the registration ID altogether for enhanced privacy?

Author Response

Major

1. While the article employs user input mode for security, the utilization of steganography to embed images may seem redundant. Could the authors elaborate on the necessity of this additional layer?

Adding extra layer of security

2. Regarding the embedded images, what stylistic parameters are considered, if any? Additionally, is there a predefined size limit for these images?

No size or limit is imposed; a user can select an image that provides some context of the service that they are registering for. This will aid in a simple, contextualized, and story-based authentication.

3. A critical concern pertains to account recovery in the event of image loss. Section 3.2.2 discusses users typically storing images on their current device. How does the system facilitate account recovery on a new device if the original device is lost?

 We anticipate that backups of images and devices are in place. Then, a device can be reimaged from the backup system and re-authenticated.

4. Clarification is sought regarding the nature of the registration ID mentioned in Section 3.2.3. Is this ID user-defined or automatically generated by the system? Moreover, is there an option to avoid storing the registration ID altogether for enhanced privacy?

Automatically generated, we have not explored the option of avoiding storage of ID, this can form part of our future work.

Round 2

Reviewer 2 Report

The value of the work is more on the development than on the scientific side.
The use of biometric authentication in the devices where SA is installed should be clarified: It is said in 3.2.3. that “biometric authentication is requested on the user’s device by prompting for either a fingerprint or face ID, depending on that which was previously set up by the user. The SA app is designed to work only on devices with biometric authentication capability.” You mention Face ID, for example. However, devices with biometric authentication use FIDO and you say that solution is expensive. Does it reduce deployability? Please, ellaborate more on this issue.

- Section Introduction should include a short and clear list with the major contributions of the work (preferred listed with bullets). The list should summary the significant contributions that are then explained in Sections 4 and 5.
- The accuracy (i.e. False Acceptance and False Rejection Rates) of the typing behavior biometrics employed should be included in the results in Section 4.
- In Subsection 5.2.2. avoid comments like “the state of cryptography in mobile environments remains relatively rudimentary”, which are misleading.

Author Response

We have addressed the issue of the paper not being self-contained by incorporating additional related work and removing the other paper from publications. - see section 2. 

Use of Fido and deployability "We have chosen to integrate two elements of FIDO, namely fingerprint and face ID, and have enhanced security by incorporating steganography alongside FIDO. While this approach reduces deployability compared to using just FIDO, it enhances system security. Rather than relying solely on external hardware for security, we are leveraging software-based methods to strengthen security measures."

Contributions- added as suggested.

Results for False Acceptance and False Rejection Rates - Unfortunately, we cannot address this aspect in our paper, which is considered a weakness and an area for future exploration. Furthermore, the unavailability of the first author prevents us from accessing the necessary dataset to provide these details.

In Subsection 5.2.2. avoid comments like “the state of cryptography in mobile environments remains relatively rudimentary”, which are misleading. - Replaced with -Mobile cryptography poses challenges for both research and implementation due to device constraints