Background
Related work
Methods
Data collection
Data | Details of collected data |
---|---|
Call | Type (outgoing, incoming), duration, name of the person, time |
SMS | Type (sent, received), receiver/sender name, length of SMS message, time |
App usage | App name, package name, duration, time |
Music | Track name, artist, album, duration, time |
Physical activity | Type (walking, running, in vehicle, on bicycle), confidence level, duration, time |
Battery charging | Type of power connection (AC, USB), duration, time |
Location | Latitude, longitude, duration, time, accuracy (i.e., the expected error bound) |
Question type | Question | Retrieval type |
---|---|---|
Call | Who called you on <time>? Who did you call on <time>? | Recall |
SMS | Who SMS messaged you on <time>? Who did you SMS message on <time>? | Recall |
Location | Where were you on <time>? | Recall |
Application | What are the applications you used in the last 24 h? | Recognize |
Music | What are the music you listened to in the last 24 h? | Recognize |
Activity | What activities did you perform in the last 24 h and when? | Recognize and recall |
Battery | When did you charge your phone in the last 24 h and how was it charged? | Recognize and recall |
Autobiographical question generation
Questions generated based on communications activity
Questions generated based on application usage data
Questions generated based on music data
Questions generated based on physical activity log
Questions generated based on battery charging events
Questions generated based on location information
Algorithm for generating challenge questions
Window\day | Nov 14 | Nov 15 | \(\ldots\) | Dec 27 |
---|---|---|---|---|
\(00:00-00:59\) | – | – | \(\ldots\) | \(\{Received call from-Jeff, 55 s\}\) |
\(01:00-01:59\) | – | – | \(\ldots\) | – |
\(\vdots\) | \(\vdots\) | \(\vdots\) | \(\vdots ~ \vdots ~ \vdots\) | \(\vdots\) |
\(14:00-14:59\) | \(\{Called-Alice, 55\, s\} , \{Called-Bob, 32\, s\}\) | \(\{Called-Bob, 89 \,s\}\) | \(\ldots\) | \(\{Called-Bob, 17\, s\}\) |
\(15:00-15:59\) | \(\{Called-John, 300\, s\}\) | \(\{Received call from-Jeff, 42\, s\}\) | \(\ldots\) | – |
\(16:00-16:59\) | \(\{Called-John, 14 \,s\}\) | \(\{Called-Bob, 20 \,s\}\) | \(\ldots\) | \(\{Called-Bob, 89 \,s\}\) |
\(17:00-17:59\) | \(\{Called-Bob, 27\, s\}\) | – | \(\ldots\) | – |
\(\vdots\) | \(\vdots\) | \(\vdots\) | \(\vdots ~ \vdots ~ \vdots\) | \(\vdots\) |
\(23:00-23:59\) | – | \(\{Received call-Bob, 14 \,s\}\) | \(\ldots\) | \(\{Called-Mike, 14 \,s\}\) |
User score calculation
Question type | Question format | Score calculation | Distractors |
---|---|---|---|
Call | Open-ended | Jaro-Winkler [38]; see "Score calculation for communication questions" section | ✗ |
SMS | Open-ended | Jaro-Winkler [38]; see "Score calculation for communication questions" section | ✗ |
Location | Open-ended | Haversine [34]; see "Score calculation for location questions" section | ✗ |
Application | Multiple-choice | Eq. 1; see "Score calculation for app usage and music questions" section | ✓ |
Music | Multiple-choice | Eq. 1; see "Score calculation for app usage and music questions" section | ✓ |
Activity | Multiple-choice and time selection | Eq. 2 | ✗ |
Battery | Multiple-choice and time selection | Eq. 2 | ✗ |
Score calculation for communication questions
Score calculation for location questions
Score calculation for app usage and music questions
- \(n^q\): the number of options that are correct for a question q.
- \(n_{ac}^q\): number of selected options for which the answer is correct for question q.
- \(n_{aw}^q\): number of selected options for which the answer is wrong for question q.
- sp: severity of penalty is a parameter that controls the points deducted/subtracted for an incorrect answer.
Score calculation for activity and battery charging questions
- \(n_{ac}^q\): number of selected options for which the answer is correct for a question q.
- \(w_{o}\): weight for the event type component of the answer
- \(w_{t}\): weight for the time component of the answer
- \(t_{diff}\): time differences between the selected answer and the correct time(s)
- \(t_{min}\): minimum allowed time difference
- \(t_{max}\): maximum allowed time difference
- \(t_{i,correct}\): time of the correct answer for a question
- \(t_{i,selected}\): selected time for a question
Model-based authentication
Threshold based scheme
Bayesian based classifier for authentication
Study design
Evaluation
Question type | Responses collected: Legitimate | Responses collected: Strong | Responses collected: Naive |
---|---|---|---|
Call | 288 | 267 | 235 |
SMS | 523 | 488 | 406 |
Location | 480 | 452 | 388 |
Activity | 347 | 289 | 271 |
Battery | 416 | 346 | 313 |
App | 437 | 349 | 308 |
Music | 374 | 362 | 333 |
Total | 2865 | 2553 | 2254 |
Descriptive statistics for collected data
Accuracy scores
Question type | Accuracy score: Legitimate | Accuracy score: Strong | Accuracy score: Naive |
---|---|---|---|
Call | 0.76 | 0.13 | 0.008 |
SMS | 0.46 | 0.08 | 0.002 |
Location | 0.69 | 0.29 | 0.038 |
App | 0.55 | −0.03 | −0.549 |
Music | 0.46 | −0.71 | −1.782 |
Activity | 0.42 | 0.06 | −0.240 |
Battery | 0.53 | −0.005 | −0.157 |
Users’ level of confidence
Order | Legitimate | Strong | Naive |
---|---|---|---|
1 | App (888) | Location (857) | Battery (778) |
2 | Activity (880) | Activity (833) | Location (747) |
3 | Location (848) | App (830) | App (734) |
4 | Battery (805) | Music (802) | Activity (717) |
5 | Call (801) | Battery (793) | Music (702) |
6 | Music (776) | SMS (725) | SMS (672) |
7 | SMS (651) | Call (690) | Call (646) |
Time taken to answer questions
Question type | Legitimate: Mean | Legitimate: Median | Legitimate: SD | Strong: Mean | Strong: Median | Strong: SD | Naive: Mean | Naive: Median | Naive: SD |
---|---|---|---|---|---|---|---|---|---|
Activity | 18.11 | 13 | 17.15 | 13.96 | 9 | 15.47 | 8.45 | 6 | 9.95 |
Battery | 14.15 | 9 | 21.44 | 10.42 | 7 | 11.47 | 7.00 | 4 | 7.41 |
App | 18.70 | 14 | 14.43 | 18.68 | 14 | 17.16 | 14.75 | 12 | 11.00 |
Music | 20.55 | 13 | 28.88 | 25.79 | 17 | 31.77 | 13.73 | 9 | 21.96 |
Call | 15.51 | 11 | 13.20 | 7.53 | 5 | 9.52 | 6.96 | 5 | 7.26 |
SMS | 17.99 | 12 | 17.88 | 7.88 | 5 | 9.91 | 7.34 | 5 | 7.57 |
Location | 28.56 | 23 | 19.05 | 18.79 | 15 | 12.98 | 14.94 | 11 | 11.05 |
Accuracy of model-based authentication
Classification accuracy of threshold based scheme
Accuracy of Bayesian based classifier for authentication
Question type | n | Against naive: TPR (%) | Against naive: FPR (%) | Against naive: F1 score (%) | Against naive: Accuracy (%) | Against strong+naive: TPR (%) | Against strong+naive: FPR (%) | Against strong+naive: F1 score (%) | Against strong+naive: Accuracy (%) | Against strong: TPR (%) | Against strong: FPR (%) | Against strong: F1 score (%) | Against strong: Accuracy (%) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Call | n = 1 | 87.0 | 3.1 | 89.7 | 91.8 | 79.3 | 6.6 | 82.1 | 88.4 | 75.2 | 10.2 | 80.4 | 82.1 |
Call | n = 3 | 95.9 | 4.7 | 95.9 | 96.0 | 90.7 | 2.1 | 92.8 | 95.7 | 89.1 | 2.7 | 92.7 | 93.1 |
Call | n = 6 | 100.0 | 4.2 | 98.2 | 97.8 | 98.1 | 0.6 | 98.3 | 98.9 | 95.9 | 0.8 | 97.4 | 97.5 |
SMS | n = 1 | 76.8 | 5.0 | 82.3 | 86.2 | 69.7 | 10.7 | 73.7 | 81.6 | 65.1 | 14.3 | 72.1 | 74.5 |
SMS | n = 3 | 93.4 | 4.4 | 94.7 | 94.1 | 88.1 | 8.2 | 87.4 | 90.2 | 86.2 | 12.6 | 87.4 | 86.8 |
SMS | n = 6 | 97.8 | 4.0 | 97.3 | 96.8 | 94.2 | 5.5 | 92.3 | 94.3 | 92.8 | 7.8 | 93.1 | 92.6 |
Location | n = 1 | 84.3 | 7.1 | 86.0 | 89.1 | 75.1 | 14.4 | 73.4 | 82.3 | 70.8 | 17.0 | 74.0 | 77.0 |
Location | n = 3 | 96.3 | 3.2 | 96.8 | 96.3 | 93.2 | 10.5 | 88.3 | 90.7 | 88.7 | 16.7 | 87.3 | 85.8 |
Location | n = 6 | 99.2 | 0.0 | 99.6 | 99.5 | 97.1 | 7.7 | 92.1 | 93.8 | 95.2 | 14.5 | 91.8 | 90.4 |
App | n = 1 | 89.6 | 3.7 | 93.0 | 92.2 | 88.3 | 12.9 | 85.9 | 87.3 | 86.5 | 21.3 | 85.7 | 82.7 |
App | n = 3 | 95.0 | 0.0 | 97.3 | 97.1 | 93.8 | 2.8 | 94.7 | 95.7 | 92.7 | 5.0 | 94.3 | 93.4 |
App | n = 6 | 94.7 | 0.0 | 97.2 | 97.1 | 94.0 | 0.2 | 96.5 | 97.6 | 92.8 | 0.6 | 95.8 | 95.9 |
Music | n = 1 | 83.1 | 6.5 | 87.0 | 87.7 | 79.9 | 16.7 | 76.1 | 81.6 | 78.2 | 28.7 | 76.2 | 74.2 |
Music | n = 3 | 94.2 | 0.2 | 96.7 | 96.8 | 91.9 | 9.3 | 88.7 | 91.1 | 88.6 | 15.6 | 87.7 | 85.9 |
Music | n = 6 | 96.5 | 0.0 | 98.2 | 98.2 | 95.9 | 5.7 | 93.3 | 94.8 | 95.2 | 9.3 | 93.4 | 92.6 |
Activity | n = 1 | 93.3 | 6.2 | 93.4 | 93.2 | 87.2 | 17.2 | 81.5 | 83.9 | 83.1 | 27.1 | 81.5 | 78.1 |
Activity | n = 3 | 95.9 | 0.0 | 97.8 | 98.0 | 93.5 | 7.4 | 90.8 | 92.6 | 91.4 | 17.1 | 90.1 | 86.8 |
Activity | n = 6 | 96.5 | 0.0 | 98.2 | 98.0 | 95.5 | 4.0 | 94.4 | 95.6 | 93.7 | 7.6 | 94.2 | 93.2 |
Battery | n = 1 | 89.3 | 7.2 | 91.8 | 90.3 | 86.4 | 8.0 | 87.9 | 89.5 | 84.9 | 8.8 | 88.5 | 87.7 |
Battery | n = 3 | 94.0 | 1.8 | 96.1 | 95.9 | 90.7 | 2.0 | 93.5 | 95.3 | 90.5 | 3.0 | 94.0 | 93.6 |
Battery | n = 6 | 95.3 | 0.0 | 97.5 | 97.3 | 92.9 | 0.0 | 96.0 | 97.4 | 93.1 | 0.0 | 96.2 | 96.4 |
User’s opinions regarding autobiographical authentication
- “Yes, I think this is a very good system because I always have trouble resetting my password because I try to use different questions on different website so that if I get hacked, it’s only that one website that gets hacked, and therefore I have trouble remembering the answers that I put for the questions. This proved to be very easy to guess my own questions but very difficult to answer questions about my pair and about a stranger, therefore I would feel very comfortable and protected using this system to protect my accounts.”
- “Yes, I think that this system could potentially be much more secure than existing systems, as it would require either a very constant update on my behavior to successfully guess or a very thorough understanding of my daily habits, both of which I feel would be more difficult to easily identify than a single piece of information.”
- “I would use this system to replace the old one. It is probably more secure than what is used now and does not require memorization. It seems easy to use and ...”
- “A personal anecdote: my ex-boyfriend knew all of my passwords while we were in a relationship and of course a lot of personal information (i.e., mother’s maiden name, pet’s name, etc), but when we broke up, he still had all of this information and could easily hack my accounts, so I had to go to ALL of my accounts and change the passwords. On the other hand, in the case of this system, he might be able to guess at my cell phone activities while we are together (not all, but most information). BUT, once the relationship is over, my cell phone usage would be significantly harder to guess for him as my activities and habits change much faster than personal questions such as pet name.”
- “Sometimes it is hard for me to recall sms and call logs because I text so many different people.”
- “Who you text/call, what apps you use and what music you listen to, it all changes a lot quite frequently in my life. So while probably way more secure, I would be worried that I would lock myself out of my accounts a lot.”
Statement | Call: Mode | Call: Med | SMS: Mode | SMS: Med | Location: Mode | Location: Med | App: Mode | App: Med | Music: Mode | Music: Med | Battery: Mode | Battery: Med | Activity: Mode | Activity: Med |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
It was easy for me to recall | 4 | 4 | 4 | 3.5 | 5 | 4 | 4 | 4 | 5 | 4 | 5 | 4 | 3 | 3 |
It was easy for my close friends to guess | 1 | 2 | 1 | 2 | 3 | 3 | 3 | 3 | 1 | 3 | 2 | 2 | 2 | 2 |
It was easy for me to guess my close friends’ questions | 1 | 3 | 2 | 2.5 | 3 | 3 | 3 | 3 | 2 | 2 | 2 | 2.5 | 2 | 2 |
It was easy for a stranger to guess | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1.5 | 1 | 1 | 2 | 2 | 1 | 1 |
It was easy for me to guess stranger’s questions | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 2 | 1 | 1 | 2 | 2 | 1 | 1 |