Mobile devices store a diverse set of private user data and have gradually
become a hub to control users' other personal Internet-of-Things devices.
Access control on mobile devices is therefore highly important. The widely
accepted solution is to protect access by asking for a password. However,
password authentication is tedious, e.g., a user needs to input a password
every time she wants to use the device. Moreover, existing biometrics such as
face, fingerprint, and touch behaviors are vulnerable to forgery attacks.
We propose a new touch-based biometric authentication system that is passive
and secure against forgery attacks. In our touch-based authentication, a user's
touch behaviors are a function of some random "secret". The user can
subconsciously know the secret while touching the device's screen. However, an
attacker cannot know the secret at the time of attack, which makes it
challenging to perform forgery attacks even if the attacker has already
obtained the user's touch behaviors. We evaluate our touch-based authentication
system by collecting data from 25 subjects. Results are promising: the random
secrets do not influence user experience and, for targeted forgery attacks, our
system achieves 0.18 smaller Equal Error Rates (EERs) than previous touch-based
authentication.Comment: Accepted for publication by ASIACCS'1