
    Keystroke and Touch-dynamics Based Authentication for Desktop and Mobile Devices

    The most commonly used authentication system on desktop computers is a simple username and password approach, which assumes that only genuine users know their own credentials. Once broken, the system will accept every authentication attempt made with the compromised credentials until the breach is detected. Mobile devices, such as smartphones and tablets, have seen an explosive increase in use for personal computing and internet browsing. While the primary mode of interaction with such devices is through their touch screen via gestures, their authentication procedures have been inherited from keyboard-based computers, e.g. a Personal Identification Number or a gesture-based password.

    This work provides contributions to advance two types of behavioral biometrics applicable to desktop and mobile computers: keystroke dynamics and touch dynamics. Keystroke dynamics relies upon the manner of typing rather than what is typed to authenticate users. Similarly, continual touch-based authentication that actively authenticates the user is a more natural alternative for mobile devices.

    Within the keystroke dynamics domain, habituation refers to the evolution of a user's typing pattern over time. This work details the significant impact of habituation on user behavior. It offers empirical evidence of the significant impact of habituation on authentication systems attempting to identify a genuine user, and of the effect of habituation on the similarities between users and impostors. It also proposes a novel, effective feature for the keystroke dynamics domain called event sequences. We show empirically that, unlike features from the traditional keystroke dynamics literature, event sequences are independent of typing speed. This provides a unique advantage in distinguishing between users when typing complex text.

    With respect to touch dynamics, an immense variety of mobile devices is available to consumers, differing in size, aspect ratio, operating system, and hardware and software specifications, to name a few. An effective touch-based authentication system must be able to work with one user model across a spectrum of devices and user postures. This work uses a locally collected dataset to provide empirical evidence of the significant effect of posture, device size and manufacturer on user authentication performance. Based on the results of this strand of research, we suggest strategies to improve the performance of continual touch-based authentication systems.

    Empirical techniques and algorithms to develop a resilient non-supervised touch-based authentication system

    Touch dynamics (or touch-based authentication) refers to a behavioral biometric for touchscreen devices wherein a user is authenticated based on his/her executed touch gestures. This work addresses two research topics. We first present a series of empirical techniques to detect habituation in the user's touch profile, its detrimental effect on authentication accuracy, and strategies to overcome these effects. Habituation here refers to changes in the user's profile and/or noise within it due to the user's familiarization with the device and software application. With respect to habituation, we show that habituation causes the user's touch profile to evolve significantly and irrevocably over time, even after the user is familiar with the device and software application. This phenomenon considerably degrades classifier accuracy. We demonstrate techniques that lower the error rate to 3.68% and set the benchmark in this field for a realistic test setup. Finally, we quantify the benefits of vote-based reclassification of predicted class labels and show that this technique is vital for achieving high accuracy in realistic touch-based authentication systems.

    In the second half, we implement the first ever non-supervised classification algorithm in touch-based continual authentication. This scheme incorporates clustering into the traditional supervised algorithm. We reduce the misclassification rate by fusing a supervised random forest algorithm with non-supervised clustering (either Bayesian learning or a simple rule of combination). Fusing with Bayesian clustering reduced the misclassification rate by 50%, while fusing with the simple rule of combination reduced the misclassification rate by as much as 59.5%, averaged over all the users.

    Master of Science
    Computer Science & Information Systems
    University of Michigan-Flint
    http://deepblue.lib.umich.edu/bitstream/2027.42/134750/1/Palaskar2016.pdf

    Keystroke dynamics based biometric authentication


    The role of effort in security and privacy behaviours online

    As more and more aspects of users' lives go online, they can interact with each other, access services and purchase goods with unprecedented convenience and speed. However, this also means that users' devices and data become more vulnerable to attacks. As security is often added to tools and services as an afterthought, it tends to be poorly integrated into the processes, and part of the effort of securing is often offloaded onto the user. Users are goal-driven and go online to get things done; protecting their security and privacy might therefore not be a priority. The six studies described in this dissertation examine the role of effort in users' security and privacy behaviours online. First, two security studies use authentication diaries to examine the user effort required for authentication to organisational and online banking systems respectively. Second, two further studies are laboratory evaluations of proposed mechanisms for authentication and verification. Third, two privacy studies examine the role of effort in users' information disclosure in web forms and evaluate a possible solution that could help users manage how much they disclose. All studies illustrate the different coping strategies users develop to manage their effort. They show that demanding too much effort can affect productivity, cause frustration and undermine the security these mechanisms were meant to offer. The work stresses the importance of conducting methodologically robust user evaluations of both proposed and deployed mechanisms in order to improve user satisfaction and their security and privacy.

    An Investigation of Power Saving and Privacy Protection on Smartphones

    With the advancements in mobile technology, smartphones have become ubiquitous in people's daily lives and have greatly facilitated users in many aspects. For a smartphone user, power saving and privacy protection are two important issues that matter and draw serious attention from research communities. In this dissertation, we present our studies on some specific issues of power saving and privacy protection on a smartphone.

    Although the IEEE 802.11 standards provide Power Save Mode (PSM) to help mobile devices conserve energy, PSM fails to bring the expected benefits in many real scenarios. We define an energy-conserving model to describe the general PSM traffic contention problem, and propose a solution called HPSM to address one specific case, in which multiple PSM clients associate to a single AP. In HPSM, we first use a basic sociological concept to define the richness of a PSM client based on the link resource it consumes. Then we separate these poor PSM clients from rich PSM clients in terms of link resource consumption, and favor the former to save power when they face PSM transmission contention. Our evaluations show that HPSM can help the poor PSM clients effectively save power while only slightly degrading the rich clients' performance in comparison to the existing PSM solutions.

    Traditional user authentication methods using a passcode or finger movement on smartphones are vulnerable to shoulder surfing attacks, smudge attacks, and keylogger attacks. These attacks are able to infer a passcode from information collected about the user's finger movement or tapping input. As an alternative user authentication approach, eye tracking can effectively reduce the risk of suffering those attacks because no hand input is required. We propose a new eye tracking method for user authentication on a smartphone. It utilizes the smartphone's front camera to capture a user's eye movement trajectories, which are used as the input for user authentication. No special hardware or calibration process is needed. We develop a prototype and evaluate its effectiveness on an Android smartphone. Our evaluation results show that the proposed eye tracking technique achieves very high accuracy in user authentication.

    While location-based service (LBS) apps facilitate users in many application scenarios, they raise concerns about the breach of privacy related to location access. We perform the first measurement of this background action on the Google app market. Our investigation demonstrates that many popular apps access location in the background at short intervals. This enables these apps to collect a user's location trace, from which important personal information, Points of Interest (PoIs), can be recognized. We further extract a user's movement pattern from the PoIs, and utilize it to measure the potential privacy breach. The measurement results also show that using the combination of movement pattern related metrics and the other PoI related metrics can help detect the privacy breach earlier than using either one of them alone. We then propose a preliminary solution to properly handle these location requests from the background.

    A Performance Assessment Framework for Mobile Biometrics

    This project aims to develop and explore a robust framework for assessing biometric systems on mobile platforms, where data are often collected in non-constrained, potentially challenging environments. The framework enables performance assessment for a particular platform, biometric modality, usage environment, user base and required security level. The ubiquity of mobile devices such as smartphones and tablets has increased access to Internet-based services across various scenarios and environments. Citizens use mobile platforms for an ever-expanding set of services and interactions, often transferring personal information and conducting financial transactions. Accurate identity authentication for physical access to the device and service is, therefore, critical to ensure the security of the individual, information, and transaction. Biometrics provides an established alternative to conventional authentication methods. Mobile devices offer considerable opportunities to utilise biometric data from an enhanced range of sensors alongside temporal information on the use of the device itself. For example, cameras and dedicated fingerprint devices can capture front-line physiological biometric samples (already used for device log-on applications and payment authorisation schemes such as Apple Pay) alongside voice capture using conventional microphones. Understanding the performance of these biometric modalities is critical to assessing suitability for deployment. Providing a robust performance and security assessment given a set of deployment variables is critical to ensure appropriate security and accuracy. Conventional biometrics testing is typically performed in controlled, constrained environments that fail to capture mobile systems' daily (and developing) use. This thesis aims to develop an understanding of biometric performance on mobile devices. The impact of different mobile platforms, and of the range of environmental conditions in use, on biometrics' accuracy, usability, security, and utility is poorly understood. This project will also examine the application and performance of mobile biometrics when in motion.

    Phishing: message appraisal and the exploration of fear and self-confidence

    Phishing attacks have threatened the security of both home users and organizations in recent years. Phishing uses social engineering to fraudulently obtain confidential or sensitive information. Individuals are targeted to take action by clicking on a link and providing information. This research explores fear arousal and self-confidence in subjects confronted by phishing attacks. The study collected data from multiple sources (including an attempted phishing attack). The survey results indicated that when individuals had a high level of fear arousal related to providing login credentials, they had a decreased intention to respond to a phishing attack. Self-confidence did not significantly moderate the relationship between fear arousal and intention to respond to a phishing attack, but it did have a significant direct positive influence on intention. The results from the experiment indicated that 18% of individuals overall clicked on the link. The combined data indicated that a higher level of fear arousal resulted in a decreased intention to respond to a phishing attack and decreased actual click behaviour. The research explores how fear of providing login credentials influences both intention to respond and actual response to a phishing attack. When fear arousal is high, individuals are less likely to respond.

    Supporting users in password authentication with persuasive design

    Activities like text editing, watching movies, or managing personal finances are all accomplished with web-based solutions nowadays. The providers need to ensure the security and privacy of user data. To that end, passwords are still the most common authentication method on the web. They are inexpensive and easy to implement. Users are largely accustomed to this kind of authentication, but passwords represent a considerable nuisance because they are tedious to create, remember, and maintain. In many cases, usability issues turn into security problems because users try to work around the challenges and create easily predictable credentials. Often, they reuse their passwords for many purposes, which aggravates the risk of identity theft. There have been numerous attempts to remove the root of the problem and replace passwords, e.g. through biometrics. However, no other authentication strategy can fully replace them, so passwords will probably stay a go-to authentication method for the foreseeable future. Researchers and practitioners have thus aimed to improve users' situation in various ways. There are two main lines of research on helping users create both usable and secure passwords. On the one hand, password policies have a notable impact on password practices because they enforce certain characteristics. However, enforcement reduces users' autonomy and often causes frustration if the requirements are poorly communicated or overly complex. On the other hand, user-centered designs have been proposed: assistance and persuasion are typically more user-friendly, but their influence is often limited. In this thesis, we explore potential reasons for the inefficacy of certain persuasion strategies. From the gained knowledge, we derive novel persuasive design elements to support users in password authentication. The exploration of contextual factors in password practices is based on four projects that reveal both psychological aspects and real-world constraints. Here, we investigate how mental models of password strength and password managers can provide important pointers towards the design of persuasive interventions. Moreover, the associations between personality traits and password practices are evaluated in three user studies. A meticulous audit of real-world password policies shows the constraints on selection and reuse practices. Based on the review of context factors, we then extend the design space of persuasive password support with three projects. We first depict the explicit and implicit user needs in password support. Second, we craft and evaluate a choice architecture that illustrates how a phenomenon from marketing psychology can provide new insights into the design of nudging strategies. Third, we tried to empower users to create memorable passwords with emojis. The results show the challenges and potential of emoji passwords on different platforms. Finally, the thesis presents a framework for the persuasive design of password support. It aims to structure the required activities during the entire process. This enables researchers and practitioners to craft novel systems that go beyond traditional paradigms, which is illustrated by a design exercise.

    Nowadays it is possible to edit texts, watch films, or manage one's personal finances with web-based solutions. The providers must ensure the security and confidentiality of user data. For this, passwords remain the most common authentication method on the Internet. They are inexpensive and easy to implement. Users are already familiar with this method, but passwords represent a considerable nuisance because they are tedious to create, memorize, and manage. Usability issues often turn into security problems because users sidestep the challenges and come up with easily guessable credentials. In addition, they reuse passwords for many purposes, which further increases the risk of identity theft. There are numerous attempts to eliminate the root of the problem and replace passwords, e.g. with biometrics. However, no other method has so far been able to replace them completely, so passwords will probably remain the main authentication method for the foreseeable future. Experts from research and industry have therefore set out to improve users' situation in various ways. There are two strands of research on how to help users create secure and usable passwords. On the one hand, password creation rules have a marked effect on password practices because they enforce certain characteristics. However, this enforcement reduces users' autonomy and causes frustration when the requirements are poorly communicated or overly complex. On the other hand, there are user-centered designs: assistance and persuasion are typically more user-friendly, although their influence is limited. In this thesis, we explore the potential reasons for the ineffectiveness of certain persuasion strategies. From the knowledge gained, we derive new persuasive design elements for supporting password authentication. The exploration of contextual factors in password use is based on four projects that reveal both psychological aspects and practical constraints. Here we investigate to what extent mental models of password strength and password managers provide important pointers for the design of persuasive interventions. Furthermore, the relationships between personality traits and password practices are examined in three user studies. A thorough review of real-world password rules shows the constraints on password selection and reuse. Based on this analysis of the contextual factors, we then extend the design space of persuasive password support with three projects. First, we describe the explicit and implicit needs regarding support. Next, we build and evaluate a choice architecture that illustrates how a phenomenon from marketing psychology can provide new insights into the design of nudging strategies. Finally, we try to empower users to create memorable passwords with the help of emojis. The results show the challenges and potential of emoji passwords on different platforms. Lastly, this thesis presents a framework for the persuasive design of password support. It is intended to structure the required activities throughout the entire process. This allows experts to develop novel systems that go beyond traditional approaches, which is illustrated by a design study.

    Broadening the Scope of Security Usability from the Individual to the Organizational: Participation and Interaction for Effective, Efficient, and Agile Authorization

    Restrictions and permissions in information systems -- authorization -- can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completion of work and cause frustration. Conversely, effectiveness can also be impacted when staff is forced to circumvent the measure to complete work -- typically by sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. This thesis analyzes the diverse contexts in which authorization occurs, and systematically examines the problems that surround the different perspectives on authorization in organizational settings. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts.

    Usability in biometric recognition systems

    International Mention in the doctoral degree

    Biometric recognition, which is an already mature technology, is nowadays growing in several contexts, including forensics, access control, home automation systems, the internet, etc. Now that technology is moving to mobile scenarios, biometric recognition is also being integrated into smartphones, tablets and other mobile devices as a convenient solution for guaranteeing security, complementing other methods such as PINs or passwords. Nevertheless, the use of biometric recognition is not as widespread as desired and it is still unknown to a wide percentage of the population. It has been demonstrated [1] that some of the possible reasons for the slow penetration of biometrics could be related to usability concerns. This could lead to various drawbacks, such as worse error rates due to system misuse, and it could end with users rejecting the technology and preferring other approaches. This Thesis is intended to cover this topic, including a study of the current state of the art, several experiments analysing the most relevant usability factors, and modifications to a usability evaluation methodology. The chosen methodology is the H-B interaction, carried out by Fernandez-Saavedra [2], based on ISO/IEC 19795 [3], the HBSI [4], ISO 9241-210 [5] and Common Criteria [6]. Furthermore, this work focuses on dealing with accessibility concerns in biometric recognition systems. This topic, usually included in the usability field, has been addressed here separately, though the study of accessibility has followed the same steps as the usability study: reviewing the state of the art, identifying and analysing the main influential factors, and making improvements to the state of the art. The recently published standard EN 301 549 – “Accessibility requirements suitable for public procurement of ICT products and services in Europe” [7] has also been analysed. These two topics have been approached through the well-known user-centric design approach. In this way, the influential factors have first been detected. Then, they have been isolated (when possible) and measured. The results obtained have then been interpreted to suggest new updates to the H-B interaction. This three-step approach has been applied cyclically, with the factors and methodology updated after each iteration. Due to technology and usability trends, all the systems/applications developed in the experiments during this work have been conceived to be mobile, directly or indirectly. The biometric modalities used during the experiments performed in this Thesis are those identified as suitable for biometric recognition on mobile devices: handwritten signature, face and fingerprint recognition. Also, the scenarios and applications used are in line with the main uses of biometrics in mobile environments, such as signing documents, locking/unlocking devices, or making payments. The outcomes of this Thesis are intended to guide future developers in designing and testing properly usable and accessible biometrics. Finally, the results of this Thesis are being proposed as a new International Standard within ISO/IEC/JTC1/SC37 – Biometric Recognition, as standardization is the proper way of guaranteeing usability and accessibility in future biometric systems. The contributions of this Thesis include:
    • Improvements to the H-B interaction methodology, including several usability evaluations.
    • Improvements to the accessibility of ICT (Information and Communications Technology) products by means of the integration of biometric recognition systems.
    • Adaptation and application of EN 301 549 to biometric recognition systems.

    Biometric recognition, an already mature technology, is growing today in several contexts, including forensics, access control, home automation systems, the internet, etc. Now that technology is moving to mobile scenarios, biometric recognition is also being integrated into smartphones, tablets and other mobile devices as a convenient solution for guaranteeing security, complementing other security methods such as PINs or passwords. However, the use of biometric recognition is still unknown to a wide percentage of the population. It has been shown [1] that some of the possible reasons for the slow penetration of biometrics could be related to usability problems. This could lead to various drawbacks, yielding lower-than-expected performance due to misuse of the systems, and could end with users rejecting the technology and preferring other approaches. This doctoral thesis addresses this topic, including a study of the current state of the art, several experiments analysing the most relevant usability factors, and modifications to a usability evaluation methodology, the "H-B interaction" [2], based on ISO/IEC 19795 [3], the HBSI [4], ISO 9241 [5] and Common Criteria [6]. Furthermore, this work also focuses on the accessibility problems of biometric recognition systems. This topic, usually included in the usability field, has been treated separately here, although the accessibility study has followed the same steps as the usability study: review of the state of the art, analysis of the main influential factors, and proposal of changes to the H-B interaction methodology. The accessibility requirements for Information and Communication Technologies (ICT) in Europe, under standard EN 301 549 [7], have also been analysed. These two topics have been studied through a user-centred approach (User Centric Design, UCD). In this way, the influential factors have been detected. Next, these factors have been isolated (where possible) and measured. The results obtained have been interpreted to suggest new changes to the H-B interaction methodology. This three-step approach has been applied cyclically to the factors and the methodology after each iteration. Owing to technology and usability trends, all the systems/applications developed in the experiments during this work were conceived to be mobile, directly or indirectly. The modalities used during the experiments carried out in this doctoral thesis are those identified as suitable for biometric recognition on mobile devices: handwritten signature, face and fingerprint recognition. In addition, the scenarios and applications used are in line with the main uses of biometrics in mobile environments, such as signing documents, locking/unlocking devices, or making payments. The results of this thesis aim to guide future developers in designing and evaluating usability and accessibility in biometric recognition systems. Finally, the results of this doctoral thesis will be proposed as a new standard within ISO/IEC/JTC1/SC37 – Biometric Recognition, since standardization is the appropriate way of guaranteeing usability and accessibility in future biometric systems. The contributions of this thesis include:
    • Improvement of the H-B interaction evaluation methodology, including several usability evaluations.
    • Improvement of the accessibility of information/electronic systems through the integration of biometric systems, and several evaluations.
    • Adaptation and application of the accessibility standard EN 301 549 to the field of biometric systems.

    Official Doctoral Programme in Electrical, Electronic and Automation Engineering
    Chair: Patrizio Campisi. Secretary: Enrique Cabellos Pardo. Member: Marcos Faundez Zanu