A Framework for Assessing Factors Influencing User Interaction for Touch-based Biometrics

Touch-based behavioural biometrics is an emerging technique for passive and transparent user authentication on mobile devices. It utilises dynamics mined from users’ touch actions to model behaviour. The interaction of the user with the mobile device using touch is an important aspect to investigate as the interaction errors can influence the stability of sample donation and overall performance of the implemented biometric authentication system. In this paper, we are outlining a data collection framework for touch-based behavioural biometric modalities (signature, swipe and keystroke dynamics) that will enable us to study the influence of environmental conditions and body movement on the touch-interaction. In order to achieve this, we have designed a multi-modal behavioural biometric data capturing application “Touchlogger” that logs touch actions exhibited by the user on the mobile device. The novelty of our framework lies in the collection of users’ touch data under various usage scenarios and environmental conditions. We aim to collect touch data in two different environments - indoors and outdoors, along with different usage scenarios - whilst the user is seated at a desk, walking on a treadmill, walking outdoors and seated on a bus. The range of collected data may include swiping, signatures using finger and stylus, alphabetic, numeric keystroke data and writing patterns using a stylus

Augmenting Authentication with Context-Specific Behavioral Biometrics

Behavioral biometrics, being non-intrusive and cost-efficient, have the potential to assist user identification and authentication. However, user behaviors can vary significantly for different hardware, software, and applications. Research of behavioral biometrics is needed in the context of a specific application. Moreover, it is hard to collect user data in real world settings to assess how well behavioral biometrics can discriminate users. This work aims to improving authentication by behavioral biometrics obtained for user groups. User data of a webmail application are collected in a large-scale user experiment conducted on Amazon Mechanical Turk. Used in a continuous authentication scheme based on user groups, off-line identity attribution and online authentication analytic schemes are proposed to study the applicability of application-specific behavioral biometrics. Our results suggest that the useful user group identity can be effectively inferred from users’ operational interaction with the email application

Using Hover to Compromise the Confidentiality of User Input on Android

We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by any Android application running with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input into other applications. Leveraging this attack, a malicious application running on the system is therefore able to profile user's behavior, capture sensitive input such as passwords and PINs as well as record all user's social interactions. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the system background and records all input to foreground applications. We evaluated Hoover with 40 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. We discuss ways of mitigating this attack and show that this cannot be done by simply restricting access to permissions or imposing additional cognitive load on the users since this would significantly constrain the intended use of the hover technology.Comment: 11 page

Heartbeats in the Wild: A Field Study Exploring ECG Biometrics in Everyday Life

This paper reports on an in-depth study of electrocardiogram (ECG) biometrics in everyday life. We collected ECG data from 20 people over a week, using a non-medical chest tracker. We evaluated user identification accuracy in several scenarios and observed equal error rates of 9.15% to 21.91%, heavily depending on 1) the number of days used for training, and 2) the number of heartbeats used per identification decision. We conclude that ECG biometrics can work in the wild but are less robust than expected based on the literature, highlighting that previous lab studies obtained highly optimistic results with regard to real life deployments. We explain this with noise due to changing body postures and states as well as interrupted measures. We conclude with implications for future research and the design of ECG biometrics systems for real world deployments, including critical reflections on privacy.Comment: 14 pages, 10 figures, CHI'2