58 research outputs found

    Continuous User Authentication Using Multi-Modal Biometrics

    It is commonly acknowledged that mobile devices now form an integral part of an individual’s everyday life. The modern mobile handheld devices are capable of providing a wide range of services and applications over multiple networks. With the increasing capability and accessibility, they introduce additional demands in terms of security. This thesis explores the need for authentication on mobile devices and proposes a novel mechanism to improve the current techniques. The research begins with an intensive review of mobile technologies and the current security challenges that mobile devices experience to illustrate the imperative of authentication on mobile devices. The research then highlights the existing authentication mechanism and a wide range of weaknesses. To this end, biometric approaches are identified as an appropriate solution and an opportunity for security to be maintained beyond point-of-entry. Indeed, by utilising behaviour biometric techniques, the authentication mechanism can be performed in a continuous and transparent fashion. This research investigated three behavioural biometric techniques based on SMS texting activities and messages, looking to apply these techniques as a multi-modal biometric authentication method for mobile devices. The results showed that linguistic profiling, keystroke dynamics and behaviour profiling can be used to discriminate users with overall Equal Error Rates (EER) 12.8%, 20.8% and 9.2% respectively. By using a combination of biometrics, the results showed clearly that the classification performance is better than using single biometric technique achieving EER 3.3%. Based on these findings, a novel architecture of multi-modal biometric authentication on mobile devices is proposed. The framework is able to provide a robust, continuous and transparent authentication in standalone and server-client modes regardless of mobile hardware configuration.
The framework is able to continuously maintain the security status of the devices. With a high level of security status, users are permitted to access sensitive services and data. On the other hand, with the low level of security, users are required to re-authenticate before accessing sensitive service or data

    Passphrase and keystroke dynamics authentication: security and usability

    It was found that employees spend a total 2.25 days within a 60 day period on password related activities. Another study found that over 85 days an average user will create 25 accounts with an average of 6.5 unique passwords. These numbers are expected to increase over time as more systems become available. In addition, the use of 6.5 unique passwords highlights that passwords are being reused which creates security concerns as multiple systems will be accessible by an unauthorised party if one of these passwords is leaked. Current user authentication solutions either increase security or usability. When security increases, usability decreases, or vice versa. To add to this, stringent security protocols encourage unsecure behaviours by the user such as writing the password down on a piece of paper to remember it. It was found that passphrases require less cognitive effort than passwords and because passphrases are stronger than passwords, they don’t need to be changed as frequently as passwords. This study aimed to assess a two-tier user authentication solution that increases security and usability. The proposed solution uses passphrases in conjunction with keystroke dynamics to address this research problem. The design science research approach was used to guide this study. The study’s theoretical foundation includes three theories. The Shannon entropy formula was used to calculate the strength of passwords, passphrases and keystroke dynamics. The chunking theory assisted in assessing password and passphrase memorisation issues and the keystroke-level model was used to assess password and passphrase typing issues. Two primary data collection methods were used to evaluate the findings and to ensure that gaps in the research were filled. A login assessment experiment collected data on user authentication and user-system interaction for passwords and passphrases.
Plus, an expert review was conducted to verify findings and assess the research artefact in the form of a model. The model can be used to assist with the implementation of a two-tier user authentication solution which involves passphrases and keystroke dynamics. There are a number of components that need to be considered to realise the benefits of this solution and ensure successful implementation

    Enhancing Usability and Security through Alternative Authentication Methods

    With the expanding popularity of various Internet services, online users have become more vulnerable to malicious attacks as more of their private information is accessible on the Internet. The primary defense protecting private information is user authentication, which currently relies on less than ideal methods such as text passwords and PIN numbers. Alternative methods such as graphical passwords and behavioral biometrics have been proposed, but with too many limitations to replace current methods. However, with enhancements to overcome these limitations and harden existing methods, alternative authentications may become viable for future use. This dissertation aims to enhance the viability of alternative authentication systems. In particular, our research focuses on graphical passwords, biometrics that depend, directly or indirectly, on anthropometric data, and user authentication enhancements using touch screen features on mobile devices. In the study of graphical passwords, we develop a new cued-recall graphical password system called GridMap by exploring (1) the use of grids with variable input entered through the keyboard, and (2) the use of maps as background images. As a result, GridMap is able to achieve high key space and resistance to shoulder surfing attacks. To validate the efficacy of GridMap in practice, we conduct a user study with 50 participants. Our experimental results show that GridMap works well in domains in which a user logs in on a regular basis, and provides a memorability benefit if the chosen map has a personal significance to the user. In the study of anthropometric based biometrics through the use of mouse dynamics, we present a method for choosing metrics based on empirical evidence of natural difference in the genders. In particular, we develop a novel gender classification model and evaluate the model’s accuracy based on the data collected from a group of 94 users.
Temporal, spatial, and accuracy metrics are recorded from kinematic and spatial analyses of 256 mouse movements performed by each user. The effectiveness of our model is validated through the use of binary logistic regressions. Finally, we propose enhanced authentication schemes through redesigned input, along with the use of anthropometric biometrics on mobile devices. We design a novel scheme called Triple Touch PIN (TTP) that improves traditional PIN number based authentication with highly enlarged keyspace. We evaluate TTP on a group of 25 participants. Our evaluation results show that TTP is robust against dictionary attacks and achieves usability at acceptable levels for users. We also assess anthropometric based biometrics by attempting to differentiate user fingers through the readings of the sensors in the touch screen. We validate the viability of this biometric approach on 33 users, and observe that it is feasible for distinguishing the fingers with the largest anthropometric differences, the thumb and pinkie fingers

    When keystroke meets password: Attacks and defenses


    A practical application of a text-independent speaker authentication system on mobile devices

    The growing market of mobile devices forces us to question how to protect users’ credentials and data stored on such devices. Authentication mechanisms remain the first layer of security in the use of mobile devices. However, several of such mechanisms that have been already proposed were designed from a machine point of view. As a matter of fact, they are not compatible with behaviors humans have while using their mobile devices in daily life. Consequently, users adopted unsafe habits that may compromise the proper functioning of authentication mechanisms according to the safety aspect. The first main objective of this research project is to highlight strengths and weaknesses of current authentication systems, from the simpler ones such as PIN (Personal Identification Number) to the more complex biometric systems such as fingerprint. Then, this thesis offers an exhaustive evaluation of existing schemes. For this evaluation, we rely on some existing criteria and we also propose some new ones. Suggested criteria are chiefly centered on the usability of these authentication systems. Secondly, this thesis presents a practical implementation of a text-independent speaker authentication system for mobile devices. We place special attention on the choice of algorithms with low computational costs since we want the system to operate without any network communication. Indeed, the enrollment, as well as the identification process, are achieved on the device itself. To this end, our choice was based on the extraction of Linear Prediction Cepstral Coefficients (LPCCs) (Furui 1981; O'Shaughnessy 1988) to obtain relevant voice features and the Naïve Bayes classifier (Zhang 2004) to predict to which speaker a given utterance corresponds. Furthermore, the authentication decision was enhanced in order to overcome misidentification. In that sense, we introduced the notion of access privileges (i.e.
public, protected, private) that the user has to attribute to each application installed on his/her mobile device. Then, the safest authority is granted through the result of the speaker identification decision as well as the analysis of the user’s location and the presence of a headset. In order to evaluate the proposed authentication system, eleven participants were involved in the experiment, which was conducted in two different environments (i.e. quiet and noisy). Moreover, we also employed public speech corpuses to compare this implementation to existing methods. Results obtained have shown that our system is a relevant, accurate and efficient solution to authenticate users on their mobile devices. Considering acceptability issues which were pointed out by some users, we suggest that the proposed authentication system should be either employed as part of a multilayer authentication, or as a fallback mechanism, to cover most of the user needs and usages. The growth of the mobile device market raises the question of how to protect the identity and personal data of users that are stored on these devices. In this sense, authentication mechanisms remain the first layer of security in the use of mobile devices. However, it appears that most of the authentication mechanisms that have been proposed were designed from a machine-oriented rather than a human-oriented point of view. Indeed, they generally do not fit the everyday way users handle their phones. As a result, users have adopted dangerous habits that can compromise the proper functioning of authentication systems. These habits can in turn call into question the security of their identity and the confidentiality of their digital content.
The first main objective of this research project is to bring out the strengths and weaknesses of the authentication methods that currently exist, from the simplest such as the PIN (Personal Identification Number) to more complex biometric solutions such as the fingerprint. Subsequently, this thesis offers an exhaustive evaluation of these solutions, based on existing criteria as well as new criteria that we suggest. The latter are mostly centered on the usability of the authentication mechanisms that were examined. Secondly, this thesis presents a practical implementation, for mobile devices, of a speaker authentication system that is independent of what the user says. To design such a system, we paid particular attention to choosing algorithms with a low execution time in order to avoid network communications. Indeed, this allows us to carry out the training process as well as the recognition directly on the mobile device. The technological choices settled on the extraction of spectral coefficients (Linear Prediction Cepstral Coefficients) (Furui 1981; O'Shaughnessy 1988) to obtain relevant voice features, and on naive Bayes classification (Zhang 2004) to predict which user a given utterance corresponds to. The final decision, for its part, was improved in order to guard against misidentifications. In this sense, we introduced the notion of specific access rights (i.e. public, protected or private) that the user must assign to each of the applications installed on his or her mobile device. Then, the most suitable access authorization is granted based on the result returned by the speaker identification, as well as on the analysis of the user’s location and the use of a headset.
To evaluate the system we propose here, eleven participants were recruited for the experimentation phase. The latter was conducted in two different types of environments (i.e. quiet and noisy). In addition, we also made use of public voice corpora in order to compare our implementation with those proposed in the past. Consequently, the results we obtained showed that our system constitutes a relevant, accurate and efficient solution for authenticating users on their mobile devices. Given the acceptability problems that were raised by some testers, we suggest that such a system could be used as part of a multi-factor authentication, but also as a fallback solution, in case the primary mechanism fails, in order to cover the majority of users’ needs and usages

    Finger Movements Based on Biometric Authentication for Touch Devices

    The primary goal of this thesis is to collect and compare the touch parameters of finger movements on touch devices and build a personal profile with good-recognition parameters to indicate the touch characteristics of individual users using the touch devices. In order to study the possibility of implementation of touch-style identification for touch devices, this work mainly focuses on finding and testing the possible touch parameters which could be used to compose a profile to verify the users. A full test with a developed Android application on a tablet was performed by 20 subjects to collect touch information, including location of finger points, finger pressure force and speed of finger movements. Statistical analysis was applied on each dataset of the users. The finding has shown that each user can be identified by the discriminative information of finger movements on the touch screen. The results show a huge difference in mean, standard deviation and skewness for the dataset of each user, giving a reason to hope for the implementation of finger movements based on biometric authentication for touch devices. Hopefully, the result of this project will be valuable for further research of implementation of biometric authentication on touch devices based on the finger movements

    Non-Intrusive Continuous User Authentication for Mobile Devices

    The modern mobile device has become an everyday tool for users and business. Technological advancements in the device itself and the networks that connect them have enabled a range of services and data access which have introduced a subsequent increased security risk. Given the latter, the security requirements need to be re-evaluated and authentication is a key countermeasure in this regard. However, it has traditionally been poorly served and would benefit from research to better understand how authentication can be provided to establish sufficient trust. This thesis investigates the security requirements of mobile devices through literature as well as acquiring the user’s perspectives. Given the findings it proposes biometric authentication as a means to establish a more trustworthy approach to user authentication and considers the applicability and topology considerations. Given the different risk and requirements, an authentication framework that offers transparent and continuous authentication is developed. A thorough end-user evaluation of the model demonstrates many positive aspects of transparent authentication. The technical evaluation however, does raise a number of operational challenges that are difficult to achieve in a practical deployment. The research continues to model and simulate the operation of the framework in a controlled environment seeking to identify and correlate the key attributes of the system. Based upon these results, a number of novel adaptations are proposed to overcome the operational challenges and improve upon the impostor detection rate. The new approach to the framework simplifies the approach significantly and improves upon the security of the system, whilst maintaining an acceptable level of usability

    Free-text keystroke dynamics authentication with a reduced need for training and language independency

    This research aims to overcome the drawback of the large amount of training data required for free-text keystroke dynamics authentication. A new key-pairing method, which is based on the keyboard’s key-layout, has been suggested to achieve that. The method extracts several timing features from specific key-pairs. The level of similarity between a user’s profile data and his or her test data is then used to decide whether the test data was provided by the genuine user. The key-pairing technique was developed to use the smallest amount of training data in the best way possible which reduces the requirement for typing long text in the training stage. In addition, non-conventional features were also defined and extracted from the input stream typed by the user in order to understand more of the users’ typing behaviours. This helps the system to assemble a better idea about the user’s identity from the smallest amount of training data. Non-conventional features compute the average of users performing certain actions when typing a whole piece of text. Results were obtained from the tests conducted on each of the key-pair timing features and the non-conventional features, separately. An FAR of 0.013, 0.0104 and an FRR of 0.384, 0.25 were produced by the timing features and non-conventional features, respectively. Moreover, the fusion of these two feature sets was utilized to enhance the error rates. The feature-level fusion thrived to reduce the error rates to an FAR of 0.00896 and an FRR of 0.215 whilst decision-level fusion succeeded in achieving zero FAR and FRR. In addition, keystroke dynamics research suffers from the fact that almost all text included in the studies is typed in English. Nevertheless, the key-pairing method has the advantage of being language-independent. This allows for it to be applied on text typed in other languages. In this research, the key-pairing method was applied to text in Arabic.
The results produced from the test conducted on Arabic text were similar to those produced from English text. This proves the applicability of the key-pairing method on a language other than English even if that language has a completely different alphabet and characteristics. Moreover, experimenting with texts in English and Arabic produced results showing a direct relation between the users’ familiarity with the language and the performance of the authentication system

    Electronic capture and analysis of fraudulent behavioral patterns : an application to identity fraud

    The objective of this research was to find a transparent and secure solution for mitigating identity fraud and to find the critical factors that determine the solution's acceptance. Identity fraud is identified as a key problem with total losses exceeding fifty two billion dollars (Javelin Strategy and Research 2005). A common denominator in most identity-fraud-prone transactions is the use of a keypad; hence this research focuses on keypad data entry and proposes a biometric solution. Three studies develop, evaluate and investigate the feasibility of this solution. The first study was done in three stages. Stage one investigated the technical feasibility of the biometric keypad, stage two evaluated the keypad under different field conditions and stage three investigated acceptable user parameters. A key shortcoming with current authentication methods is the use of external identifiers that are prone to theft, unlike biometric patterns. A biometric keypad that supplements the present external identifiers was proposed, prototyped and evaluated. The results demonstrated that a biometric keypad can be a feasible medium performance solution. Addition of pressure and higher typing speeds were found to enhance discrimination accuracy while typing patterns were found to vary with elapsed time which led to deterioration in accuracy. The second study interviewed executives with experience in the introduction of new technologies with the objective of identifying and ranking critical factors that are important in the adoption of new biometrics. Performance, ease-of-use and trust-privacy issues were the most cited factors. A biometric acceptance model was formulated and five hypotheses were proposed from these interviews and prior research. Executives rated the keypad's ease-of-use high in comparison to other biometric approaches but were concerned about its accuracy.
The third study was a user attitude survey whose objective was to validate the formulated biometric acceptance model and acquire data on acceptable usage parameters. The proposed biometric model was validated and the proposed hypotheses were supported. Acceptable error rates and training times indicated that the biometric keypad would be more complex to engineer. The dissertation concludes by summarizing the contributions and limitations of the three studies followed by several suggestions for future research

    Biometrics

    Biometrics uses methods for unique recognition of humans based upon one or more intrinsic physical or behavioral traits. In computer science, particularly, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance. The book consists of 13 chapters, each focusing on a certain aspect of the problem. The book chapters are divided into three sections: physical biometrics, behavioral biometrics and medical biometrics. The key objective of the book is to provide comprehensive reference and text on human authentication and people identity verification from both physiological, behavioural and other points of view. It aims to publish new insights into current innovations in computer systems and technology for biometrics development and its applications. The book was reviewed by the editor Dr. Jucheng Yang, and many of the guest editors, such as Dr. Girija Chetty, Dr. Norman Poh, Dr. Loris Nanni, Dr. Jianjiang Feng, Dr. Dongsun Park, Dr. Sook Yoon and so on, who also made a significant contribution to the book