Multi-device Authentication using Wearables and IoT

Jan Hajny, Petr Dzurenda and Lukas Malina

Brno University of Technology, Technicka 12, Brno, Czech Republic

Keywords:

Authentication, Cryptography, Constrained Devices, Wearables, Internet of Things.

Abstract:

The paper presents a novel cryptographic authentication scheme that makes use of the presence of electronic

devices around users. The scheme makes authentication more secure by involving devices that are usually

worn by users (such as smart-watches, ﬁtness bracelets and smart-cards) or are in their proximity (such as

sensors, home appliances, etc.). In our scheme, the user private key is distributed over all personal devices

thus cannot be compromised by breaking into only a single device. Furthermore, involving wearables and

IoT devices makes it possible to use multiple authentication factors, such as user’s position, his behavior and

the state of the surrounding environment. We provide the full cryptographic speciﬁcation of the protocol, its

formal security analysis and the implementation results in this paper.

1 INTRODUCTION

In modern society, people are surrounded by a huge

amount of so-called smart devices, such as smart-

phones, tablets, smart-cards, smart-watches, etc. Fur-

thermore, the amount of various sensors, smart-

meters and smart-home appliances increases signiﬁ-

cantly. The current trend is to interconnect all these

devices into a single network, called the Internet

of Things (IoT). Although the aforementioned de-

vices have only small computational and memory re-

sources, they are programmable and can communi-

cate with one another.

Despite there are so many electronic devices

around us, we usually use only a single device to

access electronic services, either a PC, a tablet or a

smart-phone. However, if such a device gets compro-

mised by attackers, the security is gone and attack-

ers can access user’s assets. For example, if user’s

smart-phone gets stolen and the password for elec-

tronic banking is revealed (or stored in memory), the

attacker might get access to the user’s account.

We resolve this weakness by involving multiple

personal devices in the authentication process. These

devices can provide additional authentication data.

For example, if a user owns a smart-watch, it would

be natural to check its presence during the authenti-

cation. Or, it would be useful to check the presence

of a wireless home router in some applications where

we want to allow the access only from users from

a home location. For very sensitive applications, it

would make sense to check for multiple factors, such

as the password knowledge, the presence of a smart-

card and the presence of a Bluetooth Low Energy

(BLE) beacon device that certiﬁes position.

In this paper, we provide the description of a cryp-

tographic protocol that allows such an involvement of

many constrained devices in the authentication pro-

cess. We propose a provably secure protocol that

distributes the user’s private key among multiple de-

vices. To get authenticated, the user must prove the

knowledge of all parts of his private key that corre-

sponds to his personal public key. Our protocol is

provably secure and easily implementable on all pro-

grammable constrained devices, such as smart-cards,

smart-watches, sensors and wearables in general.

1.1 Related Work and Contribution

The design of cryptographic protocols for user au-

thentication is the topic of countless scientiﬁc papers,

starting with the proposals of traditional authentica-

tion protocols (Neuman and Ts’ O, 1994; Lashkari

et al., 2009), provably secure authentication proto-

cols based on zero-knowledge proofs (Schnorr, 1991;

Guillou and Quisquater, 1988), to privacy-enhanced

authentication protocols (Camenisch and et Al., 2012;

Paquin, 2011) and light-weight protocols (Chien and

Huang, 2007). Since personal and wearable smart

devices have started to appear only very recently,

Hajny, J., Dzurenda, P. and Malina, L.

Multi-Device Authentication using Wearables and IoT.

DOI: 10.5220/0006000004830488

In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications (ICETE 2016) - Volume 4: SECRYPT, pages 483-488

ISBN: 978-989-758-196-0

483

not many papers focusing on using the combina-

tion of many devices, i.e. the multi-device authen-

tication, exist. Xu (Xu, 2015) focuses on biomet-

ric authentication using wearables, namely on face

recognition using smart-glass and gait recognition us-

ing smart-watch. Cha et al. (Cha et al., 2015)

present a simple model for two device authentica-

tion for micro-payment systems using a mobile and

wearable devices. Nevertheless, their approach lacks

more details and concrete cryptographic functions.

To some extent, the concepts of continuous authen-

tication (Shepherd, 1995) and progressive authentica-

tion (Riva et al., 2012) are close to our approach as

they are also based on combining multiple sources

of authentication data. However, the schemes are

using mainly biometric authentication factors. The

most related work from 2015 (Gonzalez-Manzano

et al., 2015) presents an access control mechanism

for cloud-based storage service access by using a

set of devices. However, their scheme is based on

symmetric cryptography, thus does not provide non-

repudiation. Furthermore, there is no formal security

analysis provided in the paper.

Based on the current state analysis, to our best

knowledge, we present the ﬁrst cryptographic scheme

that 1) allows strong multi-device authentication, 2)

is provably secure, 3) provides non-repudiation and

allows private keys to never leave the user device, 4)

is easily implementable on personal and wearable de-

vices and 5) allows simple registration and deregis-

tration of personal devices. Using this authentication

scheme, the practical access control mechanisms can

get much more secure without any negative inﬂuence

on usability and user friendliness.

1.2 Paper Outline

We provide the preliminaries in Sec. 2, the security

model and description of protocols in Sec. 3, the se-

curity proof in Sec. 4 and the implementation results

in Sec. 5.

2 PRELIMINARIES

2.1 Notation

We describe Proof of Knowledge protocols (PK) us-

ing the efﬁcient notation introduced by Camenisch

and Stadler (Camenisch and Stadler, 1997a). The pro-

tocol for proving the knowledge of a discrete loga-

rithm of an element c with respect to a generator g is

denoted as PK{α : c = g

}. The symbol “:” means

“such that”, “|” means “divides”, “|x|” is the bitlength

of x and “x ∈

{0, 1}

” is a randomly chosen bitstring

of maximum length l.

2.2 Used Primitives

Our scheme is based on Schnorr’s identiﬁcation

scheme (Schnorr, 1991). That, in turn, makes use of

the protocols for the interactive proof of knowledge of

a discrete logarithm (Camenisch and Stadler, 1997b).

Using the cryptographic proofs of knowledge, it is

possible to prove the knowledge of a private value

of a discrete logarithm w with respect to public val-

ues c, g, p such that c ≡ g

(mod p) holds in modular

multiplicative group Z

∗

where p is a large prime and

g is a group generator. The protocol can be denoted

as PK{w : c = g

}. We use the modiﬁcation of this

protocol called the proof of representation, denoted

as PK{w

, w

, . . . , w

: c = g

. . . g

}. Further-

more, we use a signature scheme that can be obtained

by hashing the protocol challenge e with the message

using the Fiat-Shamir heuristics (Fiat and Shamir,

1987). The signature on message m is then denoted

as SPK{w

, w

, . . . , w

: c = g

. . . g

}(m).

3 MULTI-DEVICE

AUTHENTICATION

In multi-device authentication, there are three types

of entities (or roles) in the system:

• Veriﬁers: usually service providers that need to

verify the identity of their users.

• Users: customers that are represented by their

master devices (PCs, laptops, smart-phones,

tablets, . . . ). Users need to prove their identity.

• Devices: constrained personal devices (smart-

cards, smart-watches, sensors, RFID tags, . . . ),

that are involved in the authentication process to

strengthen security.

These entities engage in the following protocols:

• (spar, (sk

, . . . , sk

), pk

) ←Setup(k, d) protocol:

the protocol is run by a Veriﬁer and a User to gen-

erate and share initial parameters. It inputs the

security parameter k, the maximum of user de-

vices d and outputs the system parameters spar

and User’s initial keypair (sk

, . . . , sk

), pk

• (Accept/Reject) ←Authenticate(spar, (sk

, . . . ,

), pk

) protocol: the protocol is run jointly

by a User, his devices and a Veriﬁer to prove

the knowledge of User’s private keys. It inputs

the system parameters spar, the User’s public key

, all corresponding private keys (sk

, . . . , sk

)

SECRYPT 2016 - International Conference on Security and Cryptography

484

and outputs Accept if the proof is valid and Reject

otherwise.

• (pk

) ←Register(spar, (sk

, . . . , sk

), pk

, sk

i+1

)

protocol: the protocol is run jointly by a User, his

devices and a Veriﬁer to register a new device in

the system. It inputs the system parameters spar,

new (i + 1)’th device’s private key sk

i+1

, the

User’s keypair (sk

, . . . , sk

), pk

and outputs an

updated User’s public key pk

that corresponds

to sk

i+1

and all previous private keys of the user.

• (pk

) ←Deregister(spar, (sk

, . . . , sk

), pk

i+1

) protocol: the protocol is run jointly by

a User and the Veriﬁer to deregister the public

key of his device, in case the device needs to

be revoked (due to loss, damage, theft, etc.).

It inputs the system parameters spar, existing

(i + 1)’th device’s private key sk

i+1

, the User’s

keypair (sk

, . . . , sk

), pk

and outputs an updated

User’s public key pk

that corresponds to all

previous private keys of the user except sk

i+1

In classical authentication, the Authenticate

protocol only proves User’s knowledge of a password

and keys stored in his master device to a Veriﬁer. In

multi-device authentication, each device has its pri-

vate cryptographic key that corresponds to a general

public key stored by a Veriﬁer. The Authenticate

protocol proves the knowledge of all private keys to

a Veriﬁer without revealing them. Thus, authenti-

cation is successful only if the whole group of pre-

selected devices participate in the protocol. However,

this group can be changed jointly by Users and Veri-

ﬁers, using the Register and Deregister protocols.

3.1 Security Model

We use and prove properties for authentication pro-

tocol completeness, soundness and zero-knowledge

(Quisquater et al., 1989). The completeness property

states that honest Users are almost always accepted

by Veriﬁers, the soundness property states that dis-

honest Users are almost always rejected by Veriﬁers

and the zero-knowledge property states that the pro-

tocol leaks no information about Users’ private keys,

using the simulation paradigm (i.e., all the public pro-

tocol values can be efﬁciently generated without the

knowledge of private keys).

Deﬁnition 1. Authentication completeness. An hon-

est Veriﬁer rejects an honest User (i.e., the one using

private keys that correspond to the public key) with

probability negligible in the length of the security pa-

rameter k.

Deﬁnition 2. Authentication soundness. An honest

Veriﬁer accepts a dishonest User (i.e., the one using

private keys that do not correspond to the public key)

with probability negligible in the length of the security

parameter k.

Deﬁnition 3. Authentication zero-knowledge. There

exist a simulator S that is able to efﬁciently generate a

protocol transcript indistinguishable from a real pro-

tocol transcript without the knowledge of private keys.

3.2 Scheme Instantiation

In this section, we provide the concrete instantiation

of the protocols used in our scheme. All operations

are computed in Z

∗

3.2.1 Setup Protocol

On the input of the security parameter k and device

number parameter d, a Veriﬁer randomly selects a

group G = hgi of prime order q : |q| = k where DL

assumption holds, chooses d + 1 random elements

(α

, α

, . . . , α

) ∈

, computes g

= g

for all 0 ≤

l ≤ d and outputs (G, (g

, . . . , g

)) as public system

parameters spar to all Users and devices over a secure

channel

. A User selects his private key at random,

i.e., computes sk

∈

and computes his public key

as pk

= g

. If some additional device is already

present, it also generates its private key, i.e. computes

∈

, and computes its public key as pk

= g

The same applies if more devices are present. We

note that the device private key never leaves the de-

vice, only the public key is revealed. Finally, the User

(represented by his master user device) computes the

user public key as pk

∏

i=0

for all l available

devices and distributes this public key to the Veriﬁer

over a secure channel.

3.2.2 Authenticate Protocol

In the Authenticate protocol, the User must prove

that he knows all private keys sk

, . . . , sk

that were

used to construct the public key pk

. This can be re-

alized by the proof of discrete logarithm representa-

tion, a protocol denoted as PK{(sk

, . . . , sk

) : pk

. . . g

}. Since the User’s master device does not

know the private keys, except sk

, the proving proto-

col must be distributed among all devices, as depicted

in Fig. 1 in CS notation and in Fig. 2 in full notation.

3.2.3 Register Protocol

The Register protocol is used when a new device

needs to be added to the set of user devices. In that

These values can be pre-shared in software.

Multi-Device Authentication using Wearables and IoT

485

Master Device Veriﬁer

PK{(sk

, . . . , sk

) : pk

= g

. . . g

}

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

PK{(sk

) : pk

= g

}

Device 1

PK{(sk

) : pk

= g

}

←−−−−−−−−−−−−−−−−−−−−−−−→

Device i

PK{(sk

) : pk

= g

}

←−−−−−−−−−−−−−−−−−−−−−−→

PK{(sk

, . . . , sk

) : pk

= g

. . . g

}

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Verify PK

Accept/Reject

←−−−−−−−−−−−−−−−−−−−−−−−−−−

Figure 1: Authenticate protocol in CS notation.

Device 1 Master Device Veriﬁer

∈

¯c

= g

mod p

¯c

−−−−−−−−−−−−−−−−−−−−−→

∈

¯c = ¯c

mod p

¯c

−−−−−−−−−−−−−−−−−−−−→

e ∈

←−−−−−−−−−−−−−−−−−−−−

= r

− esk

←−−−−−−−−−−−−−−−−−−−−

= r

− esk

−−−−−−−−−−−−−−−−−−−−−→

, z

−−−−−−−−−−−−−−−−−−−−→

¯c

= pk

Accept/Reject

←−−−−−−−−−−−−−−−−−

Figure 2: Authenticate protocol for 1 master device and

1 additional device in full notation.

case, the new device generates its private key, i.e.,

computes sk

i+1

∈

, and computes its public key as

i+1

= g

i+1

. The new public key must be delivered

to the master device using a secure channel. Then,

the master device may authenticate itself to the Ver-

iﬁer (using the Authenticate protocol) and provide

the new public key pk

i+1

. The Veriﬁer then updates

the main User’s public key pk

= pk

∗ pk

i+1

. After

this update, the new (i + 1)’th device must be always

used in the Authentication protocol. The Register

protocol is depicted in Fig. 3.

3.2.4 Deregister Protocol

In case some of devices gets lost, stolen or stops

working, a User can use the Deregister protocol

to remove it from the set of registered devices. The

User ﬁrst sends the public key of the invalid device,

e.g. pk

i+1

, to the Veriﬁer. The Veriﬁer temporarily

Device i+1 Master Device Veriﬁer

i+1

∈

i+1

= g

i+1

−−−−−−−−−−−−→

SPK{(sk

, . . . , sk

) : pk

= g

. . . g

}(pk

i+1

)

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Verify SPK

Accept/Reject

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

= pk

∗ pk

i+1

= pk

∗ pk

i+1

Figure 3: Register protocol.

Master Device Veriﬁer

i+1

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Check that pk

i+1

is a valid key.

temp

= pk

∗ pk

−1

i+1

SPK{(sk

, . . . , sk

) : pk

temp

= g

. . . g

}(pk

i+1

)

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

SPK{(sk

) : pk

= g

}(pk

i+1

)

Device 1

SPK{(sk

) : pk

= g

}(pk

i+1

)

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Device i

SPK{(sk

) : pk

= g

}(pk

i+1

)

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

SPK{(sk

, . . . , sk

) : pk

temp

= g

. . . g

}(pk

i+1

)

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Verify SPK

= pk

temp

Accept/Reject

←−−−−−−−−−−−−−−−−−−−−−−−−−−

= pk

temp

Figure 4: Deregister protocol.

removes the device and computes the temporal public

key pk

temp

= pk

∗ pk

−1

i+1

. Then, the Veriﬁer asks the

User to authenticate with respect to the pk

temp

. If the

User is able to successfully ﬁnish the authentication

protocol, the Veriﬁer sets the temporal public key as

permanent, i.e. sets pk

= pk

temp

. The protocol is

depicted in Fig. 4.

4 SECURITY PROOF

We prove the completeness, soundness and zero-

knowledge in this section.

Theorem 1. Authentication protocol is complete as

deﬁned in Def. 1.

Proof. We prove the authentication protocol’s com-

pleteness using the veriﬁcation equation used in the

authentication protocol depicted in Fig. 2.

SECRYPT 2016 - International Conference on Security and Cryptography

486

Table 1: Performance results for 1280 bit keys (|p| = 1280, |q| = 160).

Type Product ModExp RNG ModMul Sub Total [ms]

Smart-watch Sony SmartWatch 3 SWR50 2.3 1.4 < 0.1 < 0.01 3.7

Smart-phone Nexus 5 LG 1.9 7.4 < 0.1 < 0.01 9.3

Micro-computer Raspberry Pi 1 model B 59.3 0.8 < 0.6 < 0.1 60.1

Smart-card MULTOS ML4-P17 227 49 188 48 512

Smart-card MULTOS ML3-80KR1 403 45 195 44 687

Smart-card MULTOS MC4-P16 333 68 255 56 712

Smart-card SmartCafe 4.x 356 47 1159 79 1641

Smart-card SmartCafe 3.2 59 31 1737 94 1921

Smart-card J3A081 75 31 2510 179 2795

Secure element CertGate microSD 78 34 2694 168 2974

Table 2: Performance results for 2048 bit keys (|p| = 2048, |q| = 256).

Type Product ModExp RNG ModMul Sub Total [ms]

Smart-watch Sony SmartWatch 3 SWR50 7.5 2 < 0.1 < 0.01 9.5

Smart-phone Nexus 5 LG 5.2 9.2 < 0.1 < 0.01 14.4

Micro-computer Raspberry Pi 1 model B 216.2 1.2 < 0.7 < 0.1 217.4

Smart-card MULTOS ML4-P17 346 62 190 48 646

Smart-card MULTOS ML3-80KR1 530 56 194 44 824

Smart-card MULTOS MC4-P16 484 84 256 56 880

Smart-card SmartCafe 4.x 617 47 1536 79 2279

Smart-card SmartCafe 3.2 188 31 2532 94 2845

Smart-card J3A081 258 47 3962 179 4446

Secure element CertGate microSD 263 48 4153 168 4632

¯c = pk

= (g

)

−esk

= g

= ¯c

Theorem 2. Authentication protocol is sound as de-

ﬁned in Def. 2.

Proof. Suppose that a user does not know the pri-

vate keys and is ready to correctly respond to at least

two Veriﬁer’s challenges (denoted as e, e

) by send-

ing (z

, z

) and (z

, z

). Then, the following equations

must hold for the User to be accepted.

¯c = pk

By dividing we get:

1 = pk

e−e

−z

And ﬁnally we get:

= g

−z

−e

−z

−e

And we reached the contradiction because the user

knows the private keys sk

−z

−e

and sk

−z

−e

Theorem 3. Authentication protocol is zero-

knowledge as deﬁned in Def. 3.

Proof. We prove the zero-knowledge property by

constructing the zero-knowledge simulator S. The

simulator works in the following steps.

1. Randomly selects the responses ˆz

, ˆz

∈

2. Randomly selects the challenge ˆe ∈

3. Computes the commitment

¯c = pk

ˆe

ˆz

The simulator’s output is computationally indis-

tinguishable from the real protocol transcript, i.e.

(

¯c, ˆe, ( ˆz

, ˆz

))

∼

( ¯c, e, (z

, z

)), because all pairs are

selected randomly and uniformly from the same sets.

5 IMPLEMENTATION ASPECTS

In this section, we prove that our scheme is efﬁ-

cient and easy to implement even on constrained

devices. We implemented all required operations

of the authentication protocol

on a set of devices

that have very limited resources. We used devices

that can be expected around modern users, namely

a smart-watch, smart-cards, a smart-phone, a secure

element with tamper-resistant hardware and a micro-

computer. The results for individual operations and

ModExp - modular exponentiation, RNG - random number

generation, ModMul - modular multiplication and Sub -

subtraction.

Multi-Device Authentication using Wearables and IoT

487

the total time of the authentication protocol are shown

in Tab. 1 for 1280-bit keysize and in Tab. 2 for 2048-

bit keysize.

Based on the implementation results, we state

that the authentication protocol can be easily imple-

mented on smart-phones and smart-watches with run-

ning times around 10 ms, on micro-computers with

running times under 100 ms for the standard vari-

ant and around 200 ms for the more secure vari-

ant. The protocol can be also implemented on pro-

grammable smart-cards using the Multos smart-card

platform with running times under 1 s for all variants.

The worst results were obtained using a microSD se-

cure element, a device that is used for storing sensi-

tive cryptographic information on mobile phones. Us-

ing this device, the authentication protocol would take

around 3 seconds.

6 CONCLUSION

In this paper, we proposed a novel multi-device au-

thentication scheme. By using the inputs from per-

sonal and wearable devices, the authentication pro-

cess gets more secure and reliable as it is possible to

verify not only user’s knowledge of a password, but

the presence of his wearables, tags and smart-devices

at his location. The scheme does not require any ad-

ditional actions from a user, allows easy registration

of new personal devices and deregistration of invalid

devices. The full security analysis is provided and im-

plementation aspects are described in this paper. As

the next step, we focus on adding privacy-enhancing

features to this scheme.

ACKNOWLEDGMENT

Research was sponsored by the Czech Science Foun-

dation project nr. 14-25298P Research into crypto-

graphic primitives for secure authentication and digi-

tal identity protection”, the Technology Agency of the

Czech Republic project TA04010476 ”Secure Sys-

tems for Electronic Services User Veriﬁcation” and

the National Sustainability Program LO1401. For the

research, infrastructure of the SIX Center was used.

REFERENCES

Camenisch, J. and et Al. (2012). Speciﬁcation of the iden-

tity mixer cryptographic library. Technical report,

IBM Research - Zurich.

Camenisch, J. and Stadler, M. (1997a). Efﬁcient group sig-

nature schemes for large groups. In Advances in Cryp-

tology - CRYPTO ’97, volume 1294 of LNCS, pages

410–424. Springer Berlin / Heidelberg.

Camenisch, J. and Stadler, M. (1997b). Proof systems for

general statements about discrete logarithms. Techni-

cal report, IBM.

Cha, B.-R., Lee, S.-H., Park, S.-B., and Ji, G.-K. L. Y.-K.

(2015). Design of micro-payment to strengthen secu-

rity by 2 factor authentication with mobile & wearable

devices.

Chien, H.-Y. and Huang, C.-W. (2007). Security of ultra-

lightweight rﬁd authentication protocols and its im-

provements. SIGOPS Oper. Syst. Rev., 41(4):83–86.

Fiat, A. and Shamir, A. (1987). How to prove your-

self: Practical solutions to identiﬁcation and signature

problems. In Advances in Cryptology - CRYPTO 86,

volume 263 of LNCS, pages 186–194. Springer Berlin

/ Heidelberg.

Gonzalez-Manzano, L., de Fuentes, J., and Orﬁla, A.

(2015). Access control for the cloud based on multi-

device authentication. In Trustcom/BigDataSE/ISPA,

2015 IEEE, volume 1, pages 856–863. IEEE.

Guillou, L. C. and Quisquater, J.-J. (1988). EURO-

CRYPT ’88: Workshop on the Theory and Applica-

tion of Cryptographic Techniques, chapter A Practical

Zero-Knowledge Protocol Fitted to Security Micro-

processor Minimizing Both Transmission and Mem-

ory, pages 123–128. Springer Berlin Heidelberg,

Berlin, Heidelberg.

Lashkari, A. H., Danesh, M. M. S., and Samadi, B. (2009).

A survey on wireless security protocols (wep, wpa and

wpa2/802.11 i). In Computer Science and Information

Technology, 2009. ICCSIT 2009. 2nd IEEE Interna-

tional Conference on, pages 48–52. IEEE.

Neuman, B. C. and Ts’ O, T. (1994). Kerberos: An authen-

tication service for computer networks. Communica-

tions Magazine, IEEE, 32(9):33–38.

Paquin, C. (2011). U-prove cryptographic speciﬁcation

v1.1. Technical report, Microsoft Corporation.

Quisquater, J.-J., Guillou, L., Annick, M., and Berson, T.

(1989). How to explain zero-knowledge protocols to

your children. In Proceedings on Advances in cryp-

tology, CRYPTO ’89, pages 628–631, New York, NY,

USA. Springer-Verlag New York, Inc.

Riva, O., Qin, C., Strauss, K., and Lymberopoulos, D.

(2012). Progressive authentication: Deciding when to

authenticate on mobile phones. In Presented as part

of the 21st USENIX Security Symposium (USENIX Se-

curity 12), pages 301–316, Bellevue, WA. USENIX.

Schnorr, C. P. (1991). Efﬁcient signature generation by

smart cards. Journal of Cryptology, 4:161–174.

Shepherd, S. J. (1995). Continuous authentication by analy-

sis of keyboard typing characteristics. In Security and

Detection, pages 111–114.

Xu, W. (2015). Mobile applications based on smart wear-

able devices. In Proceedings of the 13th ACM Confer-

ence on Embedded Networked Sensor Systems, pages

505–506. ACM.

SECRYPT 2016 - International Conference on Security and Cryptography

488