You Are How You Play: Authenticating Mobile Users via Game Playing

Nowadays, user authentication on mobile devices is principally based on a secret (e.g., password, PIN), while recently two-factor authentication methods have been proposed to make such secret-based methods more secure. Two-factor authentication methods typically combine knowledge factors with the user's characteristics or possessions, obtaining high authentication performance. In this paper, we propose a novel two-factor authentication method based on users' cognitive skills. Cognitive abilities are captured through the users' performance in small games, which replicate the classical attentional paradigms of cognitive psychology. In particular, we introduce three games that rely on selective attention, attentional switch and the Stroop effect. While users were solving a game on their smartphones, we collected cognitive performance (in terms of accuracy and reaction times), touch features (interactions with the touch screen), and sensor features (data from the accelerometer and gyroscope). Results show that our cognitive-based games can be used as a two-factor authentication mechanism on smartphones. Relying on touch and sensor features as behavioral biometrics, we are able to achieve an authentication accuracy of \(97\%\), with an Equal Error Rate of \(1.37\%\).
