DRAW-A-PIN: Authentication using finger-drawn PIN on touch devices

This paper presents Draw-A-PIN, a user authentication system on a device with a touch interface that supports the use of PINs. In the proposed system, the user is asked to draw her PIN on the touch screen instead of typing it on a keypad. Consequently, Draw-A-PIN could offer better security by utilizing drawing traits, or behavioral biometrics, as an additional authentication factor beyond just the secrecy of the PIN. In addition, Draw-A-PIN inherently provides acceptability and usability by leveraging user familiarity with PINs. To evaluate the security and usability of the approach, Draw-A-PIN was implemented on Android phones, and 3203 legitimate finger-drawn PINs and 4655 forgery samples were collected through an extensive and unsupervised field experiment over 10 consecutive days. Experimental results show that Draw-A-PIN achieves an equal error rate of 4.84% in a scenario where the attacker already knows the PIN by shoulder surfing. Finally, results from a user study based on the System Usability Scale questionnaire confirm that Draw-A-PIN is highly usable.
