IEEE Access (Jan 2024)
Web-Biometrics for User Authenticity Verification in Zero Trust Access Control
Abstract
In remote work, once a user completes account authentication, they can continue to access confidential data without any further verification of their identity. Thus, if a user's device or authentication credentials are leaked to or stolen by an adversary, or shared with a third party, the confidentiality of the data is violated. Previous studies have proposed classical biometrics-based verification of user authenticity. Such methods could identify whether a user was an adversary, but could not verify whether the account operator was the legitimate user. Moreover, since the architecture of zero trust access control (ZTAC) was not designed for the use of biometrics, it could not effectively control the various access patterns of adversaries in remote work. In this study, we propose a biometrics-based user authenticity verification method designed for use in ZTAC. By designing and monitoring web biometrics that can verify that the account operator is the legitimate user, we aim to realize a system that applies appropriate access control to accounts after authentication, according to the verification results of behavioral/cognitive patterns observed in the browser. Achieving dynamic access control independent of the authentication result enables secure management of confidential data in remote work. In the evaluation experiment, we classified the access patterns of adversaries in remote work and confirmed that the system can appropriately control each of them. Additionally, measuring the response time to access requests showed delays of no more than approximately 130 milliseconds, confirming that migration to the proposed method has a very low impact on system load.
Keywords