Elsevier

Computers & Security

Volume 28, Issues 1–2, February–March 2009, Pages 85-93

Keystroke dynamics-based authentication for mobile devices

https://doi.org/10.1016/j.cose.2008.10.002

Abstract

Mobile devices are now used in financial applications such as banking and stock trading. However, unlike desktops and notebook computers, a 4-digit personal identification number (PIN) is often adopted as the only security mechanism for mobile devices. Because of their limited length, PINs are vulnerable to shoulder surfing and systematic trial-and-error attacks. This paper reports the effectiveness of user authentication using keystroke dynamics-based authentication (KDA) on mobile devices. We found that a KDA system can be effective for mobile devices in terms of authentication accuracy. Use of artificial rhythms leads to even better authentication performance.

Introduction

The use of mobile devices is becoming more and more diversified (Chen et al., 2008). Cell phones and personal digital assistants (PDAs) are nowadays used for banking and stock trading. However, there are three reasons why the security of mobile devices leaves a lot to be desired. First, a PIN comprises only four digits, so the number of candidate passwords is limited to just 10,000 (from 0000 to 9999). This makes it much easier for a potential impostor to acquire the password by shoulder surfing or systematic trial-and-error attacks. Second, mobile devices are easily lost or stolen because of their small size. For example, more than one million mobile phones are stolen in Europe in a typical year (Kowalski and Goldstein, 2006). Third, we tend to lend mobile phones to other people readily, so they are exposed to a higher risk of surreptitious use.

Recently, biometrics has been proposed to improve the security of mobile devices. The term “biometrics” is defined by the International Biometric Group as “the automated use of physiological or behavioral characteristics to determine or verify identity.” Physiological biometrics relies upon a physical attribute such as a fingerprint, a face or an iris, whereas behavioral approaches utilize some characteristic behavior, such as the way we speak or sign our name (Clarke and Furnell, 2005). Clarke and Furnell (2007a) concluded that two-factor authentication, combining a PIN code with biometrics, improves the overall reliability of authentication.

Keystroke dynamics-based authentication (KDA) is one of the biometrics-based authentication methods, motivated by the observation that a user's keystroke patterns are consistent and distinct from those of other users. When implemented for mobile devices, KDA has the following advantages over other biometrics-based methods. First, most biometrics-based methods require an extra device, e.g. a fingerprint scanner or an iris scanner (Clarke and Furnell, 2005), which restricts mobility as well as increasing cost. KDA, on the other hand, requires no additional device. Second, users tend to be reluctant to provide their fingerprints or irises, whereas a user always has to type his or her password to log in, so keystroke patterns can be collected without causing the user any extra inconvenience. Third, a scanned fingerprint or iris requires far more memory, computing power and communication bandwidth than a keystroke timing vector. The efficiency of KDA is particularly important in a mobile environment, which tends to have less memory, lower computing power and a slower wireless Internet connection than a PC on the wired Internet.

Behavioral attributes deviate from their norms more than physical ones do, and high variability leads to high authentication error. Variability is therefore one measure of data quality. Another measure of data quality is how unique the typing patterns are: the more unique they are, the less likely it is that an impostor replicates them closely. Recently, artificial rhythms and tempo cues were proposed to improve the quality of typing patterns, their uniqueness and consistency in particular (Cho and Hwang, 2006). Improving data quality by decreasing variability and increasing uniqueness helps to alleviate the weakness of a short PIN.

In this paper, we propose KDA with artificial rhythms and tempo cues for mobile user authentication. To compare “Natural Rhythm without Cue” with “Artificial Rhythms with Cues,” we completed the following tasks. First, we implemented a KDA system on a mobile phone connected to a remote server through a wireless network. A novelty-detection classifier was built, since in practice only the valid user's own patterns are available for training. Second, subjects were asked to perform enrollment, login, and even intrusion into other subjects' accounts. Whenever a subject types his or her password, the typing pattern is collected, sent to the server and stored. Third, a comparative analysis was conducted to verify the superiority of artificial rhythms with cues over natural rhythms without cues. We also tested hypotheses comparing the performance of the different typing strategies.

The organization of this paper is as follows. The following section introduces keystroke dynamics-based authentication for mobile devices and describes our methods to improve the quality of typing patterns. Section 3 presents the data collected and experimental results. Finally, conclusions and a list of future work are discussed in Section 4.

Keystroke dynamics-based authentication (KDA)

Password-based authentication is the most commonly used method of identity verification. However, it becomes vulnerable once the password is stolen. Keystroke dynamics-based authentication was proposed to provide additional security (Gaines et al., 1980; Umphress and Williams, 1985). Keystroke dynamics-based authentication (KDA) verifies a user's identity using not only the password but also the user's keystroke dynamics. For example, a keystroke pattern is transformed into a timing vector when a user
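To make the timing-vector, novelty-detector and data-quality ideas from the paragraphs above concrete, here is an added example (not code from the paper or its authors): press/release timestamps for a 4-digit PIN are turned into a dwell/flight timing vector, a one-class detector is fitted on the owner's five enrollment patterns only, and FRR/FAR are computed over constructed login attempts. The event layout, the z-score detector, its threshold and the 5 ms floor on the standard deviation are all assumptions of this example; the owner's "artificial rhythm" is a deliberate long pause before the third digit, while the impostors type the same PIN at an even pace.

```python
from statistics import mean, pstdev

def timing_vector(events):
    """events: [(key, press_ms, release_ms), ...] in typing order -> 7 timings for a 4-key PIN."""
    vec = []
    for i, (_, press, release) in enumerate(events):
        vec.append(release - press)                        # dwell (hold) time of this key
        if i + 1 < len(events):
            vec.append(events[i + 1][1] - release)         # flight time to the next key
    return vec

def make_events(pin, dwells, flights, t0=0):
    """Build a constructed press/release event list from chosen dwell/flight durations (ms)."""
    events, t = [], t0
    for i, key in enumerate(pin):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

class NoveltyDetector:
    """One-class model fitted on the owner's enrollment vectors only (no impostor data needed)."""
    def __init__(self, enroll_vectors, threshold=2.0, min_sd=5.0):
        cols = list(zip(*enroll_vectors))
        self.mu = [mean(c) for c in cols]
        self.sd = [max(pstdev(c), min_sd) for c in cols]  # floor ~ timer resolution (assumed)
        self.threshold = threshold
    def score(self, vec):
        return mean(abs(v - m) / s for v, m, s in zip(vec, self.mu, self.sd))  # mean |z|
    def accept(self, vec):
        return self.score(vec) <= self.threshold

def error_rates(detector, owner_attempts, impostor_attempts):
    """FRR = fraction of owner logins rejected, FAR = fraction of impostor logins accepted."""
    frr = sum(not detector.accept(v) for v in owner_attempts) / len(owner_attempts)
    far = sum(detector.accept(v) for v in impostor_attempts) / len(impostor_attempts)
    return frr, far

PIN = "1234"  # constructed sample data below; durations are (dwells, flights) in ms
# Owner enrolls five patterns with an artificial rhythm: a long pause before the 3rd digit.
ENROLL = [timing_vector(make_events(PIN, d, f)) for d, f in [
    ([90, 92, 88, 95], [150, 400, 160]), ([95, 90, 92, 90], [160, 420, 150]),
    ([88, 94, 90, 92], [140, 390, 155]), ([92, 89, 93, 91], [155, 410, 165]),
    ([90, 91, 90, 94], [150, 400, 150])]]
OWNER_LOGINS = [timing_vector(make_events(PIN, d, f)) for d, f in [
    ([91, 93, 89, 93], [148, 405, 158]), ([100, 85, 95, 88], [170, 380, 140])]]
# Impostors know the PIN but type it at an even, natural pace.
IMPOSTOR_LOGINS = [timing_vector(make_events(PIN, d, f)) for d, f in [
    ([110, 105, 108, 112], [220, 230, 215]), ([95, 92, 90, 93], [180, 250, 170])]]
DETECTOR = NoveltyDetector(ENROLL)
```

Calling `error_rates(DETECTOR, OWNER_LOGINS, IMPOSTOR_LOGINS)` on this constructed data gives both rates as 0.0, because the long pause in the owner's rhythm dominates the score for anyone typing evenly; lowering the pause's consistency (or the threshold) is the quickest way to see the FRR/FAR trade-off move.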

Data collection

A total of 25 users aged from 22 to 33 (the average is 25.3) participated in our experiment in July 2006. In the experiment, a 4-digit numeric PIN was used. Two strategies were employed: “Natural Rhythm without Cue” and “Artificial Rhythms with Cues.” The same password for each user was used in both strategies. Each user enrolled five typing patterns for each strategy. After enrollment, each user made 30 login attempts using each strategy. Users were also given passwords of other users and told

Discussion and conclusions

Over the past decades, the mobile environment has matured at a stunning pace. Accordingly, the use of mobile devices, such as cell phones and personal digital assistants (PDAs), has diversified. However, PINs are still adopted as the only security mechanism for those mobile devices. Because of their limited length and alphabet, PINs are susceptible to shoulder surfing and systematic trial-and-error attacks. This paper investigated the effectiveness of user authentication using keystroke dynamics-based

Acknowledgement

This work was supported by grant no. R01-2005-000-103900-0 from Basic Research Program of the Korea Science and Engineering Foundation, the Brain Korea 21 program in 2006 and partially supported by Engineering Research Institute of SNU.

Seong-seob Hwang is currently a PhD candidate in the Department of Industrial Engineering, Seoul National University, Korea. Before entering graduate school, he worked as a system engineer at SAMSUNG SDS. His research interests include data mining, pattern recognition, and their applications.

References

  • G.D. Chen et al. Ubiquitous learning website: scaffold learners by mobile devices with information-aware techniques. Computers & Education (2008).
  • S. Cho et al. Artificial rhythms and cues for keystroke dynamics-based authentication. Lecture Notes in Computer Science (LNCS) (2006).
  • N. Clarke et al. Authentication of users on mobile telephones – a survey of attitudes and practices. Computers & Security (2005).
  • N. Clarke et al. Advanced user authentication for mobile devices. Computers & Security (2007).
  • N. Clarke et al. Authenticating mobile phone users using keystroke analysis. International Journal of Information Security (2007).
  • T. Fawcett. An introduction to ROC analysis. Pattern Recognition Letters (2006).
  • R. Gaines et al. Authentication by keystroke timing: some preliminary results (1980).
  • M. Golarelli et al. On the error reject trade-off in biometric verification systems. IEEE Transactions on Pattern Analysis and Machine Intelligence (1997).

Sungzoon Cho is a professor in the Department of Industrial Engineering, College of Engineering, Seoul National University, Korea. His research interests are neural network, pattern recognition, data mining, and their applications in various areas such as response modeling and keystroke-based authentication. He published over 100 papers in various journals and proceedings. He also holds a US patent and a Korean patent concerned with keystroke-based user authentication.

Sunghoon Park received BS of Computer Science in 2005, and is currently a PhD candidate in the Department of Industrial Engineering, College of Engineering, Seoul National University, Korea. His research interests include financial engineering and marketing applications.