A graphical-based password keystroke dynamic authentication system for touch screen handheld mobile devices

https://doi.org/10.1016/j.jss.2011.12.044

Abstract

Since touch screen handheld mobile devices have become widely used, people are able to access various data and information anywhere and anytime. Most user authentication methods for these mobile devices use PIN-based (Personal Identification Number) authentication, since they do not employ a standard QWERTY keyboard for conveniently entering text-based passwords. However, PINs provide a small password space size, which is vulnerable to attacks. Many studies have employed the KDA (Keystroke Dynamic-based Authentication) system, which is based on keystroke time features to enhance the security of PIN-based authentication. Unfortunately, unlike the text-based password KDA systems in QWERTY keyboards, different keypad sizes or layouts of mobile devices affect the PIN-based KDA system utility. This paper proposes a new graphical-based password KDA system for touch screen handheld mobile devices. The graphical password enlarges the password space size and promotes the KDA utility in touch screen handheld mobile devices. In addition, this paper explores a pressure feature, which is easy to use in touch screen handheld mobile devices, and applies it in the proposed system. The experiment results show: (1) EER is 12.2% in the graphical-based password KDA proposed system. Compared with related schemes in mobile devices, this effectively promotes KDA system utility; (2) EER is reduced to 6.9% when the pressure feature is used in the proposed system. The accuracy of authenticating keystroke time and pressure features is not affected by inconsistent keypads since the graphical passwords are entered via an identical size (50 mm × 60 mm) human–computer interface for satisfying the lowest touch screen size and a GUI of this size is displayed on all mobile devices.

Highlights

  • A graphical-based password KDA system is proposed for touch screen devices.
  • The pressure feature is explored in touch screen handheld mobile devices.
  • The pressure feature increases the system utility from EER = 12.2% to EER = 6.9%.
  • The performance is excellent and is suitable for low-power mobile devices.

Introduction

Whenever people use services such as e-banking and e-mail, servers should have the ability to authenticate the users' identities. Otherwise, anyone can easily impersonate a legitimate user to log in to the server. Password-based authentication schemes are simple and practical solutions to user identification because they allow people to choose their own passwords without any device to generate or store them. For personal computers, passwords consist of letters, numbers, and special punctuation marks on a standard QWERTY keyboard. This is called text-based (alphanumeric-based) password authentication. Handheld mobile devices do not have a standard QWERTY keyboard for conveniently entering text-based passwords. Mobile devices often use numeric passwords, which is called PIN-based (Personal Identification Number) authentication. Though the password space size of text-based passwords is larger than that of PINs (i.e., the password space sizes of an 8-character text-based password and an 8-digit PIN are 64^8 ≈ 2.8 × 10^14 and 10^8, respectively), users prefer text-based passwords that are natural language phrases they can recognize easily, and such passwords are therefore susceptible to dictionary attacks. On the other hand, PIN-based authentication is widely used in mobile devices, but it provides a small password space size and therefore compromises security.

The KDA (Keystroke Dynamic-based Authentication) system was first proposed by Gaines et al. (1980). It is a biometric measurement method to provide additional security for text-based passwords. Many studies (Araújo et al., 2005, Bergadano et al., 2002, Bleha et al., 1990, Boechat et al., 2007, Chang and Yang, in press, Haider et al., 2000, Harun et al., 2010, Hwang et al., 2009b, Killourhy and Maxion, 2009, Ru and Eloff, 1997, Shih and Lin, 2008, Xi et al., 2011) have been proposed to improve the text-based password KDA system utility. KDA systems confirm the correctness of passwords and also identify users based on individual password keystroke time features. The keystroke time features include the duration of a keystroke (keystroke hold time) and the interval of the keystrokes (keystroke latency time). Even if the password is revealed by dictionary attacks or shoulder surfing attacks, the probability of breaking authentication is reduced. The KDA system has the following advantages. It is low-cost with no extra device to obtain the user's features, and does not require complex computations to capture the user's features. Since the process of capturing features is done when the user enters his or her password, it does not create any additional burden on users. Compared with other biometric authentication methods such as fingerprints, eye scan, iris, and signature, the KDA system is simple and useful for providing additional security in identity verification.

As is well known, mobile devices are widely used for accessing various data and information. Campisi et al. (2009) proposed a text-password KDA system that uses a cellular phone keypad. On the other hand, many studies (Clarke and Furnell, 2007a, Clarke and Furnell, 2007b, Hwang et al., 2009a) have applied KDA systems to enhance the security of PIN-based authentication in mobile devices. However, the sizes or layouts of the keypads of mobile devices produced by different manufacturers are inconsistent. A user may not get used to entering his or her PIN or text-based password through different mobile devices. This will result in the user's features being entered inconsistently, and KDA system verification will fail if users enter their PINs or text-based passwords through different mobile devices. Consequently, the KDA system utility for mobile devices (Campisi et al., 2009, Clarke and Furnell, 2007a, Clarke and Furnell, 2007b, Hwang et al., 2009a) is worse than that for QWERTY keyboards (Killourhy and Maxion, 2009, Shih and Lin, 2008).

This paper develops a novel graphical-based password KDA system to improve PIN-based authentication for mobile devices. The password space size of the proposed system is larger than those of PIN-based authentication schemes. Regardless of the size of the user's mobile touch screen, users enter their graphical passwords by clicking or touching an identical human–computer interface. Therefore, the accuracy of user authentication is not affected by inconsistent keypads. In addition, this paper explores the pressure feature, which is a new biometric keystroke feature found in touch screens. The proposed graphical-based password KDA system is implemented on an Android-compatible phone. A series of experiments shows that the utility of the proposed graphical-based password KDA system is better than that of the related text-based password and PIN-based KDA systems (Campisi et al., 2009, Clarke and Furnell, 2007a, Clarke and Furnell, 2007b). Moreover, when the pressure feature is applied in the proposed system, it further promotes system utility.
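To make the two KDA feature families concrete (the hold-time and latency features described above, and the pressure feature this paper adds), here is an added example, not the paper's Java/Android code: it extracts features from per-touch records, builds a mean/standard-deviation template from enrollment samples, scores test samples, and computes the EER used as the paper's metric. The (down_ms, up_ms, pressure) event shape, the deviation-based scorer and all sample data are constructed assumptions; the data is built so that an impostor who copies the owner's timing exactly but presses harder is separated only by the pressure feature.

```python
"""KDA features (hold time, latency, pressure) and EER on constructed data.
Added example, not the paper's code. Assumes each touch on a graphical
password element is recorded as (down_ms, up_ms, pressure)."""
from statistics import mean, pstdev


def extract_features(events, use_pressure):
    """Hold time per touch, latency between touches, optionally pressure."""
    holds = [up - down for down, up, _ in events]
    latencies = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    pressures = [p for _, _, p in events] if use_pressure else []
    return holds + latencies + pressures


def build_template(enrollment):
    """Per-feature (mean, std) from enrollment feature vectors; std 0 -> 1.0."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*enrollment)]


def score(template, feats):
    """Mean normalised deviation from the template (lower = more like the owner)."""
    return mean(abs(x - m) / s for (m, s), x in zip(template, feats))


def eer(genuine, impostor):
    """Equal error rate: sweep thresholds until FRR and FAR are closest."""
    best = None
    for t in sorted(set(genuine + impostor)):
        frr = sum(g > t for g in genuine) / len(genuine)      # owner rejected
        far = sum(i <= t for i in impostor) / len(impostor)   # attacker accepted
        if best is None or abs(frr - far) < best[0]:
            best = (abs(frr - far), (frr + far) / 2)
    return best[1]


def run(use_pressure):
    """EER on constructed samples: the attacker copies the owner's timing but
    presses at 0.90 instead of ~0.50, so only pressure separates them."""
    enroll = [[(0, 100, 0.50), (300, 400, 0.52), (620, 720, 0.48)],
              [(0, 110, 0.48), (320, 420, 0.50), (620, 740, 0.50)],
              [(0, 90, 0.52), (280, 390, 0.48), (590, 680, 0.52)],
              [(0, 100, 0.50), (300, 410, 0.50), (630, 720, 0.50)]]
    owner = [[(0, 105, 0.49), (305, 405, 0.51), (615, 715, 0.49)],
             [(0, 95, 0.51), (300, 400, 0.49), (610, 700, 0.51)]]
    attacker = [[(d, u, 0.90) for d, u, _ in s] for s in owner]  # same timing
    template = build_template([extract_features(s, use_pressure) for s in enroll])
    g = [score(template, extract_features(s, use_pressure)) for s in owner]
    i = [score(template, extract_features(s, use_pressure)) for s in attacker]
    return eer(g, i)
```

With timing only the two score sets coincide and the EER is 0.5; adding pressure drives it to 0 on this constructed data, which is the direction of the paper's 12.2% to 6.9% result, not its magnitude.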

The organization of this paper is as follows. Section 2 reviews and discusses studies on graphical-based password authentication and the PIN-based KDA system, respectively. Section 3 proposes the architecture of the methodology, which includes the enrollment phase, the classifier building phase, and the authentication phase. The pressure feature is also introduced in this section. Section 4 presents the experimental results of this paper and compares them with other related studies. At the same time, the performance of the proposed system is presented. It is suitable for low-power mobile devices. Finally, conclusions are given in Section 5.

Section snippets

Related works

To improve on the drawbacks of PIN-based KDA systems, this paper first combines a graphical password with the KDA system. This section introduces these two related lines of work in Section 2.1, Graphical-based password authentication, and Section 2.2, Keystroke Dynamic-based Authentication, respectively.

Methodology

This paper develops a graphical-based password KDA system for touch screen mobile devices. After observing users using touch screen handheld mobile devices, we found users enter their data through the touch screen in characteristic fashion. The force of each person clicking or touching the touch panel is not necessarily the same when they enter their data, thus, the system captures different pressures from the touch panels on mobile devices. Therefore, this paper assumes the pressure feature

Experimental results

This paper provides a graphical-based password KDA system developed in the Java language and implemented on Android-compatible devices. The handheld mobile devices used in the experiment were a Motorola Milestone (with an ARM Cortex A8 550 MHz CPU and 256 MB memory), an HTC Desire HD (with a Qualcomm 8255 Snapdragon 1 GHz CPU and 768 MB memory), and a Viewsonic Viewpad (with an Intel Atom N455 1.66 GHz CPU and 1 GB memory). The features in our system were obtained by the Android API MotionEvent function

Conclusion

In this paper, we proposed a graphical-based password KDA system for touch screen handheld mobile devices. A user enters his or her graphical password through an identical human–computer interface and therefore the user's keystroke features will not be affected if the user uses different devices. In the experiment, the novel pressure feature applied to touch screens could improve data quality and further promote KDA system utility. The time and pressure features are obtained when a user enters

Acknowledgments

I would like to thank the referees for many valuable comments and suggestions which have resulted in several improvements of the presentation of the paper. This research was partially supported by the National Science Council, Taiwan, ROC, under contract nos.: NSC100-2221-E-018-025, NSC100-2221-E-018-034 and NSC100-2622-E-018-004-CC3.

Ting-Yi Chang received his M.S. from the Graduate Institute of Computer Science and Information Engineering at Chaoyang University of Technology, and his Ph.D in the Department of Computer Science at National Chiao Tung University, Taiwan. Currently, he is an Associate Professor with the Graduate Institute of e-Learning, National Changhua University, Taiwan. His current research interests include artificial intelligence, e-Learning, information security, cryptography, and mobile communications.

References (36)

  • Boechat, G.C., et al. Authentication personal.
  • Brostoff, S., et al. Are passfaces more usable than passwords? A field trial investigation.
  • Campisi, P., et al. User authentication using keystroke dynamics for cellular phones. IET Signal Processing (2009).
  • Chang, T.Y., Yang, Y.J. A simple keystroke dynamics-based authentication system using means and standard deviation....
  • Chang, T.Y., et al. A personalized rhythm click-based authentication system. Information Management and Computer Security (2010).
  • Chernick, M.R. Bootstrap Methods: A Guide for Practitioners and Researchers. Wiley Series in Probability and Statistics (2007).
  • Clarke, N.L., et al. Authenticating mobile phone users using keystroke analysis. International Journal of Information Security (2007).
  • Dhamija, R., et al. Déjà vu: A user study using images for authentication.


Cheng-Jung Tsai was born in Tainan, Taiwan, Republic of China, in 1973. He received the B.S. degree in mathematics and science education from National Ping Tung University of Education in 1995, the M.S. degree in information education from National University of Tainan in 2000, and the Ph.D degree in computer science and information engineering from National Chiao Tung University in 2008. Currently, he is an Assistant Professor in the Graduate Institute of Statistics and Information Science, National Changhua University, Taiwan. His current research interests include data mining, information security, and e-learning.

Jyun-Hao Lin received his M.S. degree from the Graduate Institute of e-Learning at National Changhua University, Taiwan. His research interests include keystroke dynamic systems.
