ABSTRACT
Password patterns, as used on current Android phones, and other shape-based authentication schemes are highly usable and memorable. In terms of security, they are rather weak since the shapes are easy to steal and reproduce. In this work, we introduce an implicit authentication approach that enhances password patterns with an additional security layer, transparent to the user. In short, users are not only authenticated by the shape they input but also by the way they perform the input. We conducted two consecutive studies, a lab and a long-term study, using Android applications to collect and log data from user input on a touch screen of standard commercial smartphones. Analyses using dynamic time warping (DTW) provided first proof that it is actually possible to distinguish different users and use this information to increase security of the input while keeping the convenience for the user high.
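The core idea of the abstract, scoring how a pattern is drawn rather than only which shape it is, as an added sketch that is not the paper's code. The page only states that DTW was used; the (x, y, pressure) features, the mean-distance score, the threshold rule and every trace below are constructed assumptions.

```python
import math
from itertools import combinations

def dtw_distance(a, b):
    """DTW cost between two traces of (x, y, pressure) samples."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = math.dist(a[i - 1], b[j - 1])
            # Allow a sample to be stretched or compressed in time.
            cost[i][j] = step + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]

def make_trace(n_down, n_right, p_start, p_end):
    """Constructed 'L' unlock shape: stroke down, then right.
    Sample counts model drawing speed; pressure ramps linearly."""
    pts = [(0.0, i / n_down) for i in range(n_down)]
    pts += [(i / n_right, 1.0) for i in range(n_right + 1)]
    last = len(pts) - 1
    return [(x, y, p_start + (p_end - p_start) * t / last)
            for t, (x, y) in enumerate(pts)]

MARGIN = 2.0  # assumed tolerance; a real system would tune this on collected data

def verify(references, attempt):
    """Accept when the mean DTW distance to the enrolled traces stays within
    MARGIN times the largest distance seen among the enrolled traces."""
    threshold = MARGIN * max(dtw_distance(r, s) for r, s in combinations(references, 2))
    score = sum(dtw_distance(r, attempt) for r in references) / len(references)
    return score <= threshold, score, threshold

# Constructed enrollment set: the owner draws the same shape three times.
REFERENCES = [make_trace(8, 12, 0.30, 0.70),
              make_trace(9, 11, 0.32, 0.68),
              make_trace(8, 13, 0.28, 0.72)]
OWNER = make_trace(9, 12, 0.31, 0.69)     # same person, slightly different pacing
IMPOSTOR = make_trace(12, 8, 0.80, 0.50)  # correct shape, different pacing and pressure

if __name__ == "__main__":
    for name, trace in (("owner", OWNER), ("impostor", IMPOSTOR)):
        ok, score, thr = verify(REFERENCES, trace)
        print(f"{name}: score={score:.3f} threshold={thr:.3f} accepted={ok}")
```

Both attempts trace the correct shape, so a shape-only check would accept both; the decision here rests entirely on the pressure and pacing profile.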