Authentication on Mobile Devices


Flexible & Non-Intrusive User Authentication on Mobile Devices

Dr. Nathan Clarke

Centre for Information Security & Network Research


The Research Project


This research is funded by the Eduserv Foundation.

Founded in 2003, Eduserv is a not-for-profit IT services group delivering innovative technology services. With contributions from Eduserv, the Eduserv Foundation funds initiatives supporting the effective application of IT in education.

Grant awarded in 2005 for a 2 year study into Flexible and Non-Intrusive User Authentication for Mobile Devices.



Research is being conducted by the Centre for Information Security & Network Research.

Established in 1985 (formerly the NRG), the Centre conducts research into IT security, Internet and WWW technologies and mobility.


Researchers active on the project:

Prof Steven Furnell
Dr Nathan Clarke
Miss Sevasti Karatzouni


Overview


The Need for Advanced Authentication

Biometrics

Flexible & Transparent Authentication

Looking a little deeper…

Conclusions & Future Work

The Need for Authentication

Worldwide Mobile Phone Subscribers

[Chart: subscribers (millions) per quarter, Q1 2003 to Q2 2006, on a 0 to 3000 million scale. Source: GSM Association 2006]
The Need for Authentication

What protects this data from attack?

Current Security Provision


Subscriber authentication relies upon the Personal Identification Number (PIN)

Independently enabled or disabled by the subscriber

A "one-off" security approach: the user is checked once, at a single point of entry, and not again while the handset is in use

The PIN is a secret-knowledge approach

PINs are often badly selected, written down, shared with colleagues, infrequently changed and kept the same on multiple systems

Typical weak choices: 1122, 2468, 1234, 1945, 0000, 9876, 1066, 190578

Current Security Provision


Existing PIN-based authentication has proven ineffective, unpopular and inconvenient

Survey of 297 mobile users:
66% of respondents use the PIN
30% considered the PIN inconvenient
85% want additional security

Arguably commensurate for protecting basic voice and text services, but less than ideal for more advanced mobile services

Results extracted from "Authentication of users on mobile telephones: A survey of attitudes and practices" (Clarke et al., Computers & Security, vol. 24, pp. 519-527)

Biometrics

Biometric Characteristics

Physiological: Fingerprints, Hand Geometry, Vein Checking, Iris Scanning, Retinal Scanning, Facial Recognition, Facial Thermogram

Behavioural: Voiceprint, Signature Recognition, Keystroke Analysis, Mouse Dynamics

Biometric Characteristics

[Figure: error rate (%) plotted against the tolerance/threshold setting, from slack to tight. As the threshold is tightened the False Acceptance Rate (FAR) falls while the False Rejection Rate (FRR), and with it end-user rejection, rises; the point where the two curves cross is the Equal Error Rate.]
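The trade-off the figure sketches, worked through in code as an added example (not material from the presentation): match scores for genuine and impostor attempts are constructed, the threshold is swept from slack to tight, and the EER is read off where FAR and FRR meet. The score values and the accept-if-score-at-or-above-threshold rule are assumptions made for illustration.

```python
"""FAR/FRR trade-off and Equal Error Rate worked through on constructed scores.

Added example, not code from the presentation. The two score lists below are
made up for illustration: each number is a matcher's similarity score (0-100)
for one verification attempt, higher meaning "more like the enrolled user".
The threshold plays the role of the tolerance setting on the slide: a sample
is accepted only if its score reaches the threshold.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed data: genuine-user attempts and impostor attempts.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR_SCORES = [71, 64, 58, 55, 52, 48, 45, 40, 35, 30]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # impostor attempts accepted / impostor attempts (0..1)
    frr: float  # genuine attempts rejected / genuine attempts (0..1)


def error_rates(threshold: float,
                genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> ErrorRates:
    """FAR and FRR for one threshold (accept when score >= threshold)."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold,
                      accepted_impostors / len(impostor),
                      rejected_genuine / len(genuine))


def sweep(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES) -> List[ErrorRates]:
    """Error rates at every threshold that changes a decision, slack to tight."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [error_rates(t, genuine, impostor) for t in thresholds]


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES) -> ErrorRates:
    """Operating point where FAR and FRR are closest: the EER on the slide."""
    return min(sweep(genuine, impostor), key=lambda r: abs(r.far - r.frr))


def threshold_for_far(max_far: float,
                      genuine=GENUINE_SCORES,
                      impostor=IMPOSTOR_SCORES) -> Optional[ErrorRates]:
    """Slackest threshold whose FAR does not exceed max_far, together with the
    FRR (end-user rejection) that this security target costs. None if unreachable."""
    for rates in sweep(genuine, impostor):  # ascending = slack to tight
        if rates.far <= max_far:
            return rates
    return None


if __name__ == "__main__":
    for rates in sweep():
        print(f"threshold {rates.threshold:>3}: FAR {rates.far:.0%}  FRR {rates.frr:.0%}")
    eer = equal_error_rate()
    print(f"EER {eer.far:.0%} at threshold {eer.threshold}")
    strict = threshold_for_far(0.0)
    print(f"zero FAR needs threshold {strict.threshold}, "
          f"rejecting {strict.frr:.0%} of genuine attempts")
```

With these scores the curves meet at threshold 66 (FAR = FRR = 10%); driving FAR to zero needs threshold 74 and rejects 30% of the genuine attempts, which is the "increasing end-user rejection" arrow on the slide in numbers. For a transparent system the practitioner's question is usually the reverse one: how slack can the threshold be while the FAR stays within what the service being protected can tolerate.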

Flexible & Transparent
Authentication

[Figure: biometrics on mobile devices. Techniques shown: Facial Recognition, Signature Recognition, Keystroke Dynamics, Service Utilisation, Voice Verification]

Novel Authentication: Objectives

Authentication for mobile handsets must meet the following objectives:

Increase security beyond secret-knowledge techniques
Provide transparent authentication
Authenticate the user continuously/periodically throughout the day in order to maintain confidence in the identity of the user
Handle the varying hardware configurations of mobile handsets


Biometric Characteristics

The slide rates each technique on three points: whether a typical handset has the sample acquisition capability as standard, accuracy, and whether it is non-intrusive. The first and third were tick marks on the slide and are not reproduced; the accuracy ratings are:

Biometric Technique        Accuracy
Ear shape Recognition      High
Facial Recognition         High
Fingerprint Recognition    Very High
Hand Geometry              Very High
Signature Recognition      Medium
Iris Scanning              Very High
Keystroke Analysis         Medium
Service Utilisation        Low
Voice Verification         High

Novel Architecture

To design an architecture capable of utilising existing handsets to provide biometric user authentication

A modular architecture capable of dynamically adapting to differing hardware configurations

Non-Intrusive & Continuous Authentication (NICA) System:
Periodic authentication process / alert level, split into 4 levels
Rolling system integrity level

Security Process: Alert Level

Authentication proceeds as a sequence of request/response exchanges between the authentication manager and the authentication engine. A failed response escalates to the next step and raises the alert level (AL1 to AL4); a successful response returns the process to the first step. Only the last three steps interrupt the user.

1. Authentication Request (Transparent, AL1): most recent data in input cache
2. Authentication Request (Transparent, AL1): remaining data in input cache
3. Authentication Request (Transparent, AL2): next input
4. Authentication Request (Intrusive, AL3): high-confidence authentication
5. Authentication Request (Intrusive, AL3): high-confidence authentication, repeated
6. Lock Handset (Intrusive, AL4)

Security Process: Integrity Level

The system integrity level runs from -5 (system lock down) through 0 (normal system integrity level) to +5 (open system). As the level rises the user gains increasing access to information and services; as it falls, access decreases. Each service demands a minimum system integrity (SI) level:

Service           Required SI
Text Message      +1
Telephone Call    +1.5
Video Call        +3
Micropayment      +4
Bank Account      +5
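The two halves of the security process, alert-level escalation and the rolling integrity level with per-service thresholds, combined in a small simulator. This is an added example, not code from the presentation or the NICA project: the six process steps and the service thresholds are the slides' own, while the amount by which a pass or fail moves the integrity level, and that a pass returns the process to step 1, are assumptions made for the example.

```python
"""NICA security process as a small state machine: alert-level escalation
plus a rolling system integrity level that gates services.

Added example, not code from the presentation or the CISNR project. The six
process steps and the per-service integrity thresholds are taken from the
slides; how far one success or failure moves the integrity level is NOT given
on the slides, so SUCCESS_DELTA / FAILURE_DELTA below are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

INTEGRITY_MIN, INTEGRITY_NORMAL, INTEGRITY_MAX = -5.0, 0.0, 5.0
SUCCESS_DELTA, FAILURE_DELTA = 1.0, 1.0  # assumed step sizes

# From the slide: minimum system integrity level a service demands.
SERVICE_THRESHOLDS = {
    "Text Message": 1.0,
    "Telephone Call": 1.5,
    "Video Call": 3.0,
    "Micropayment": 4.0,
    "Bank Account": 5.0,
}

# From the slide: (alert level, mode, data used), in escalation order.
# A failure moves one step down this list; a success returns to step 0.
STAGES: List[Tuple[str, str, str]] = [
    ("AL1", "transparent", "most recent data in input cache"),
    ("AL1", "transparent", "remaining data in input cache"),
    ("AL2", "transparent", "next input"),
    ("AL3", "intrusive", "high-confidence authentication"),
    ("AL3", "intrusive", "high-confidence authentication (retry)"),
]
LOCK = ("AL4", "intrusive", "lock handset")


@dataclass
class NicaDevice:
    integrity: float = INTEGRITY_NORMAL
    stage: int = 0            # index into STAGES
    locked: bool = False
    log: List[str] = field(default_factory=list)

    def next_request(self) -> Tuple[str, str, str]:
        """The authentication request the device will issue next."""
        return LOCK if self.locked else STAGES[self.stage]

    def authentication_response(self, success: bool) -> Tuple[str, str, str]:
        """Feed the authentication engine's verdict for the current request
        and return the request that follows it."""
        if self.locked:
            raise RuntimeError("handset locked (AL4); administrator reset required")
        level, mode, data = STAGES[self.stage]
        if success:
            self.integrity = min(INTEGRITY_MAX, self.integrity + SUCCESS_DELTA)
            self.stage = 0
        else:
            self.integrity = max(INTEGRITY_MIN, self.integrity - FAILURE_DELTA)
            self.stage += 1
            if self.stage == len(STAGES):
                self.locked = True
        self.log.append(f"{level} {mode} ({data}): {'pass' if success else 'fail'} "
                        f"-> integrity {self.integrity:+.1f}")
        return self.next_request()

    def can_access(self, service: str) -> bool:
        """A service is granted only when the rolling integrity level covers it."""
        return not self.locked and self.integrity >= SERVICE_THRESHOLDS[service]


def walkthrough() -> NicaDevice:
    """Two transparent passes, then a run of failures that walks AL1 to AL4."""
    d = NicaDevice()
    d.authentication_response(True)   # AL1: cached keystrokes match
    d.authentication_response(True)   # AL1 again -> integrity +2
    for _ in range(5):                # five consecutive failures lock the handset
        d.authentication_response(False)
    return d


if __name__ == "__main__":
    device = walkthrough()
    print("\n".join(device.log))
    print("locked:", device.locked, "next:", device.next_request())
```

Note what the thresholds buy: a freshly switched-on handset at integrity 0 cannot even send a text until a transparent sample has passed, and the bank account needs the level pinned at +5, so a single lucky false acceptance never reaches the high-value services; that is the mechanism behind the very small "FAR at a system integrity level of +5" figures later in the deck.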


IAMS Server-Side Architecture

[Diagram] Components:
Authentication Manager (Server)
Profile (Bio/Cog)
Input Cache
Authentication Engine
Biometric Profile Engine
System Administrator
Communications Engine (to IAMS Device)
Hardware Compatibility
Client Database
Client Device Configuration
System Parameter Setting
Input Characteristics

IAMS Client-Side Architecture

[Diagram] Components:
Authentication Manager (Device)
Intrusion Interface
Profile (Bio/Cog)
Input Cache
Authentication Engine
Biometric Profile Engine
Authentication Response
Security Status
Authentication Assets/History
Device Administrator
Output Device
Communications Engine (to IAMS Server)
Data Collection Engine

Traditional Performance

Biometric Technique    Sub-Category     FAR (%)   FRR (%)
Facial Recognition     -                0.2       7
Fingerprint            -                0.1       6
Keystroke Dynamics     PIN/Cognitive    3         40
Keystroke Dynamics     Text             15        28
Keystroke Dynamics     Telephone        18        29
Voice Verification     -                0.7       4

IAMS Performance

FRR is given at stage 4 of the process algorithm; FAR at a system integrity level of +5.

Mobile Device        Authentication Techniques                                      FRR at Stage 4 (%)   FAR at SI +5 (%)
Sony Ericsson T68    Keystroke Analysis; Voice Verification                         0.001 - 0.4          0.000001 - 0.00002
HP iPAQ H5550        Facial Recognition; Fingerprint Scanning; Voice Verification   0.00003 - 0.0001     0.00000007 - 0.0000008
Sony Clie PEG NZ90   Facial Recognition; Keystroke Analysis; Voice Verification    0.0002 - 0.4         0.0000008 - 0.00002

Looking a little deeper…

Effectiveness of Biometrics on a
Mobile Device


Unfortunately, applying biometrics in the fashion previously described is somewhat over-simplistic.

Biometrics have been proven to operate effectively within specific applications:
Physical access control
Logical access to desktop computers

These are typically well-defined environments, and intrusive in nature.

Keystroke Analysis


Several studies have been undertaken to establish the effectiveness of keystroke analysis on a mobile device.
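An added example (not code from the presentation or the studies behind it) of what a keystroke-analysis verifier on a numeric keypad does: enrolment builds a template of inter-key latencies from a few entries of the same PIN, and later entries are accepted or rejected by their distance from that template. The timestamps, the z-score matcher and the threshold of 2.0 are constructed for illustration; real classifiers are more elaborate, but the template/verify structure and the threshold that trades FAR against FRR are the same.

```python
"""Keystroke analysis on a numeric keypad: enrol a template from inter-key
latencies and verify later PIN entries against it.

Added example, not code from the presentation or the studies it mentions. The
raw key-press timestamps below are constructed. The matcher is a deliberately
simple mean absolute z-score; the threshold is the tolerance setting that
trades FAR against FRR.
"""
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

MIN_STD_MS = 1.0      # floor so a very consistent feature cannot divide by zero
THRESHOLD = 2.0       # mean |z| above which the entry is rejected (tunable)


def latencies(key_down_ms: Sequence[int]) -> List[int]:
    """Inter-key latencies (ms) from the key-down timestamps of one PIN entry.
    A 4-digit PIN yields 3 features; the digits themselves are never stored."""
    return [b - a for a, b in zip(key_down_ms, key_down_ms[1:])]


class KeystrokeTemplate:
    """Per-feature mean and standard deviation learned at enrolment."""

    def __init__(self, samples: Sequence[Sequence[int]]):
        if len({len(s) for s in samples}) != 1:
            raise ValueError("all enrolment samples must have the same length")
        columns = list(zip(*samples))
        self.means = [float(mean(c)) for c in columns]
        self.stds = [max(pstdev(c), MIN_STD_MS) for c in columns]

    def distance(self, probe: Sequence[int]) -> float:
        """Mean absolute z-score of the probe against the template."""
        if len(probe) != len(self.means):
            raise ValueError("probe has wrong number of features")
        return mean([abs(p - m) / s for p, m, s in zip(probe, self.means, self.stds)])

    def verify(self, probe: Sequence[int], threshold: float = THRESHOLD) -> Tuple[bool, float]:
        """(accepted?, distance) for one PIN entry."""
        d = self.distance(probe)
        return d <= threshold, d


# Constructed enrolment data: key-down timestamps (ms) of five entries of the
# same 4-digit PIN by the genuine user.
ENROLMENT_TIMINGS = [
    [0, 180, 400, 560],
    [0, 190, 400, 570],
    [0, 175, 405, 560],
    [0, 185, 400, 565],
    [0, 180, 405, 565],
]

TEMPLATE = KeystrokeTemplate([latencies(t) for t in ENROLMENT_TIMINGS])

# Constructed probes: the genuine user on a later attempt, and someone who
# knows the PIN but types it with a different rhythm.
GENUINE_PROBE = latencies([0, 183, 401, 564])
IMPOSTOR_PROBE = latencies([0, 260, 410, 650])


if __name__ == "__main__":
    print("template means (ms):", TEMPLATE.means)
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        accepted, d = TEMPLATE.verify(probe)
        print(f"{name}: distance {d:.2f} -> {'accept' if accepted else 'reject'}")
```

The point the slide's "PIN/Cognitive" row makes is visible here: the impostor knows the PIN and still fails, because the secret alone no longer authenticates. The matcher only sees timings, so nothing in the template reveals the digits, and the template can be refreshed from accepted entries as the user's rhythm drifts.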



Handwriting Verification

Signature recognition has been widely researched and is generally well accepted.

It has good levels of FAR and FRR.

However, algorithms are designed to classify a "signature", which is very intrusive.

Need to develop an approach that will permit the user to scribble anything and the system is still able to successfully authenticate the user.


Service Utilisation

An inherently transparent technique that is able to monitor your usage of the device: who you call, where you call from, for how long and how frequently.

A wide range of other factors could also be utilised as a means of discriminating users.

The approach is widely used in fraud detection scenarios: credit card fraud detection; mobile phone abuse.
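An added example (not from the presentation or the cited ISOneWorld paper) of service utilisation profiling on call records, using the four features the slide names. The call history, telephone numbers, cell identifiers and the 0.5 challenge score are constructed assumptions.

```python
"""Service utilisation profiling: learn how a subscriber normally uses the
handset and score each new call against that profile.

Added example, not code from the presentation or the cited paper. The call
history, numbers and cell identifiers are constructed. The four features are
the ones the slide names: who you call (number), where from (serving cell),
for how long (duration) and when/how often (hour of day).
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Sequence


@dataclass(frozen=True)
class Call:
    number: str    # dialled number
    hour: int      # local hour of day the call was placed, 0-23
    duration: int  # seconds
    cell: str      # identifier of the serving cell ("where you call from")


class UsageProfile:
    """Frequency tables plus a duration model built from past calls."""

    def __init__(self, history: Sequence[Call]):
        if not history:
            raise ValueError("need at least one historic call")
        self.numbers = Counter(c.number for c in history)
        self.cells = Counter(c.cell for c in history)
        self.hours = Counter(c.hour for c in history)
        durations = [c.duration for c in history]
        self.mean_duration = mean(durations)
        self.sd_duration = max(pstdev(durations), 1.0)

    def anomalies(self, call: Call) -> List[str]:
        """Which of the four features this call is out of character on."""
        flags = []
        if self.numbers[call.number] == 0:
            flags.append("number never dialled before")
        if self.cells[call.cell] == 0:
            flags.append("call placed from an unfamiliar cell")
        # Hour is unusual if no previous call fell within an hour either side.
        nearby = ((call.hour - 1) % 24, call.hour, (call.hour + 1) % 24)
        if not any(self.hours[h] for h in nearby):
            flags.append("unusual time of day")
        z = abs(call.duration - self.mean_duration) / self.sd_duration
        if z > 3.0:
            flags.append("atypical duration")
        return flags

    def score(self, call: Call) -> float:
        """0.0 = entirely in character, 1.0 = out of character on every feature."""
        return len(self.anomalies(call)) / 4.0


# Constructed history for one subscriber (numbers are illustrative only).
HISTORY = [
    Call("+441632960001", 9, 120, "cell-A"),
    Call("+441632960001", 12, 300, "cell-A"),
    Call("+441632960002", 13, 90, "cell-A"),
    Call("+441632960001", 18, 600, "cell-B"),
    Call("+447700900123", 19, 180, "cell-A"),
    Call("+441632960002", 9, 240, "cell-A"),
    Call("+441632960001", 17, 420, "cell-A"),
    Call("+447700900123", 20, 60, "cell-B"),
    Call("+441632960002", 12, 150, "cell-A"),
    Call("+441632960001", 8, 360, "cell-B"),
]

PROFILE = UsageProfile(HISTORY)

# Assumed policy: a score of 0.5 or more triggers an authentication request
# (the "next input" / intrusive steps of the process); below that the call
# simply adds to the profile.
CHALLENGE_SCORE = 0.5


def needs_authentication(call: Call, profile: UsageProfile = PROFILE) -> bool:
    return profile.score(call) >= CHALLENGE_SCORE


if __name__ == "__main__":
    for c in (Call("+441632960001", 10, 200, "cell-A"),
              Call("+441632960001", 3, 200, "cell-A"),
              Call("+449999999999", 3, 3600, "cell-Z")):
        verdict = "challenge" if needs_authentication(c) else "ok"
        print(c, PROFILE.anomalies(c), verdict)
```

This is the fraud-detection pattern the slide refers to, turned towards authentication: a profile of normal behaviour is cheap to keep on the handset, it costs the user nothing to collect, and its low accuracy (rated Low in the earlier table) is acceptable because a suspicious score does not reject the user, it only asks a stronger biometric to take the next look.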

Facial Recognition

[Figure: a biometric template being derived from several biometric samples]

Voice Verification

Successful voice verification technologies exist.

However, they are largely based upon:
Static based recognition
Pseudo-dynamic based recognition

Concept: utilise both voice recognition and voice verification to create an outwardly dynamic approach built upon static technology.

Architectural Issues

Mobile device technology: computational capabilities
Network traffic overheads
Network server requirements
Configuration and management
International roaming
Scalability
Personal mobility


Conclusions & Future Work

NICA introduces a level of intelligence to the authentication process.

Biometrics still hold the authentication power.

Further research should look into:
Designing more intelligent and robust biometric techniques
The practicalities of operating an authentication mechanism such as NICA in practice: network overhead, biometric threshold settings, personal mobility challenges etc.

More information: www.cisnr.org/NICA


References


Advanced User Authentication for Mobile Devices. Clarke NL, Furnell SM. Computers & Security, 2006.

Authenticating Mobile Phone Users Using Keystroke Analysis. Clarke NL, Furnell SM. International Journal of Information Security, vol. 6, no. 1, pp. 1-14, 2006.

Biometrics: The Promise Versus the Practice. Clarke NL, Furnell SM. Computer Fraud and Security, September 2005, pp. 12-16.

Keystroke Analysis for Thumb-Based Keyboards on Mobile Devices. Karatzouni S, Clarke NL. Proceedings of the IFIP SEC 2007 Conference, Johannesburg, South Africa, May 2007.

Transparent Handwriting Verification for Mobile Devices. Clarke NL, Mekala AR. Proceedings of the Sixth International Network Conference (INC2006), Plymouth, UK, 11-14 July 2006, pp. 277-288.

Transparent Facial Recognition for Mobile Devices. Clarke NL, Karatzouni S, Furnell SM. Proceedings of The Security Conference, Las Vegas, 2-4 June 2008.

User Authentication by Service Utilisation Profiling. Aupy A, Clarke NL. Proceedings of ISOneWorld 2005, Las Vegas, USA, 30 March - 1 April 2005.

Using Keystroke Analysis as a Mechanism for Subscriber Authentication on Mobile Handsets. Clarke NL, Furnell SM, Lines BL, Reynolds PL. Proceedings of the IFIP SEC 2003 Conference, Athens, Greece, May 2003, pp. 97-108.

Any Questions?

Centre of Information Security & Network Research,
University of Plymouth


www.cisnr.org