Usability and Security Perceptions of Implicit Authentication: Convenient, Secure, Sometimes Annoying

Implicit authentication (IA) uses behavioural biometrics to provide continuous authentication on smartphones. IA has been advocated as more usable than traditional explicit authentication schemes, albeit with some security limitations. Consequently, researchers have proposed that IA provides a middle ground for people who do not use traditional authentication due to its usability limitations, or a second line of defence for users who already use authentication. However, there is a lack of empirical evidence that establishes the usability superiority of IA and its security perceptions. We report on the first extensive two-part study (n = 37) consisting of a controlled lab experiment and a field study to gain insights into usability and security perceptions of IA. Our findings indicate that 91% of participants found IA to be convenient (26% more than the explicit authentication schemes tested) and 81% perceived the provided level of protection to be satisfactory. While this is encouraging, false rejects with IA were a source of annoyance for 35% of the participants, and false accepts and detection delay were prime security concerns for 27% and 22% of the participants, respectively. We point out these and other barriers to the adoption of IA and suggest directions to overcome them.
