AnswerAuth: A bimodal behavioral biometric-based user authentication scheme for smartphones

Abstract: In this paper, we present a behavioral biometric-based smartphone user authentication mechanism, namely AnswerAuth, which relies on a very common user behavior. Behavior, here, refers to the way a user slides the lock button on the screen to unlock the phone and brings the phone towards her ear. The authentication mechanism works on features extracted from the data recorded by the built-in smartphone sensors, i.e., accelerometer, gyroscope, gravity, magnetometer and touchscreen, while the user performs the sliding and phone-lifting actions. We tested AnswerAuth on a dataset of 10,200 behavioral patterns collected from 85 users while they performed the unlocking actions in sitting, standing, and walking postures, using six state-of-the-art, conceptually different machine learning classifiers in two settings, i.e., with and without simultaneous feature selection and classification. Among all the chosen classifiers, the Random Forest (RF) classifier proved to be the most consistent and accurate on both full and reduced features, and provided a True Acceptance Rate (TAR) as high as 99.35%. We prototype a proof-of-concept Android app, based on our findings, and evaluate it in terms of security and usability. Security analysis of AnswerAuth confirms its robustness against possible mimicry attacks. Similarly, the usability study based on the Software Usability Scale (SUS) questionnaire verifies the user-friendliness of the proposed scheme (SUS score of 75.11). Experimental results prove AnswerAuth to be a secure and usable authentication mechanism.
