Ask Me Again But Don't Annoy Me: Evaluating Re-authentication Strategies for Smartphones

Re-authenticating users may be necessary for smartphone authentication schemes that leverage user behaviour, device context, or task sensitivity. However, because re-authentication is unpredictable, users may get annoyed when they have to use the default, non-transparent authentication prompt to re-authenticate. We address this concern by proposing several re-authentication configurations with varying levels of screen transparency and an optional time delay before the authentication prompt is displayed. We conduct user studies with 30 participants to evaluate the usability and security perceptions of these configurations. We find that participants respond positively to our proposed changes and use the time delay, while they are anticipating an authentication prompt, to complete their current task. Although our findings indicate no differences in task performance across these configurations, we find that participants' preferences for the configurations are context-based. They generally prefer the re-authentication configuration with a non-transparent background for sensitive applications, such as banking and photo apps, while their preferences lean towards convenient, usable configurations for apps of medium or low sensitivity or while they are using their devices at home. We conclude with suggestions to improve the design of our proposed configurations as well as a discussion of guidelines for future implementations of re-authentication schemes.
