Elsevier

Computers & Security

Volume 24, Issue 7, October 2005, Pages 519-527
Authentication of users on mobile telephones – A survey of attitudes and practices

https://doi.org/10.1016/j.cose.2005.08.003

Abstract

With the ever-increasing functionality and services accessible via mobile telephones, there is a strong argument that the level of user authentication implemented on the devices should be extended beyond the Personal Identification Number (PIN) that has traditionally been used. This paper presents the results of a survey of 297 mobile subscribers, which attempted to assess their use of mobile devices, their use of current authentication methods, and their attitudes towards future security options. The findings revealed that the majority of the respondents make significant use of their devices, with clear demands for protection against unauthorised use. However, the use of current PIN-based authentication is problematic, with a third of the respondents indicating that they do not use it at all, and other problems being reported amongst those that do. In view of this, the respondents' opinions in relation to future security options are interesting, with 83% being willing to accept some form of biometric authentication on their device. The discussion considers these findings, and the potential applicability of the preferred techniques to mobile devices.

Introduction

In a relatively short time, the mobile phone has risen to become the most common IT device in everyday life, with a worldwide user base now in excess of 1.5 billion (Cellular Online, 2005). Although many subscribers still use their devices primarily for telephony services, the underlying wireless technologies (such as GSM, GPRS and UMTS) can all enable access to a range of data-centric services. For example, email, web browsing, mCommerce, and video streaming are all viable applications for modern devices – significantly increasing their importance and value to the end user. In order to enable delivery of such services, mobile phones have become increasingly powerful: evolving from relatively basic terminals handling analogue telephony, to multi-purpose, mobile multimedia communication tools, providing much of the functionality of desktop computers and Personal Digital Assistants (PDAs). In parallel with this is the ability for new devices to store vastly more information than earlier generations, with many accepting solid-state memory such as Secure Digital (SD) cards, which are capable of providing storage in the order of gigabytes.

Even before the emergence of the current functionality, mobile phones had proven themselves to be highly attractive targets for theft. For example, statistics from the UK Home Office reported that over 700,000 handsets had been stolen in 2001 (Harrington and Mayhew, 2001), while unofficial reports have put this figure in the region of 1.3 million (Leyden, 2002). With the devices becoming more advanced, it can be predicted that their desirability as targets for theft can only increase.

The financial loss to the user in this case would not only be the theft of the device itself, but also the services accessed before network access is denied and the personal data stored upon the device.

Section snippets

Subscriber authentication on mobile handsets

As the range of data and services expands, it is increasingly desirable for subscribers to protect their devices via appropriate authentication methods. The dominant method for achieving this on current devices is the use of 4–8 digit Personal Identification Numbers (PINs), which can be applied to both the device and the user's Subscriber Identity Module (SIM) – a removable token containing the cryptographic keys required for network authentication.

The PIN is a secret-knowledge authentication

A survey of subscriber attitudes and practices

Given that a potential argument exists for incorporating stronger authentication, it is relevant to consider the needs and attitudes of the subscribers who would have to live with the technology. From a practical perspective, the level of authentication must be commensurate with the cost that could be incurred through misuse; otherwise an enhanced solution would simply represent an unnecessary overhead. For example, if subscribers as a whole still only wish to use their more advanced handsets

Discussion

From a subscriber's perspective, it can be suggested that the use of biometric techniques would be an acceptable method of authentication, with a large proportion being willing to utilise this authentication in a continuous and transparent manner. However, when considering which biometrics to implement within a mobile device, one must consider other factors in addition to user preference. Specifically, such factors will include cost, accuracy, and the intrusiveness of the authentication

Conclusions

The growth and popularity of mobile devices and wireless networking technologies have increased the need to ensure the validity of the user. Information held by these devices is no longer limited to names, telephone numbers and short messages, and they can consequently store and access a wide variety of personally and commercially sensitive data and services. This trend is only set to continue, and creates a resultant demand for security. Unfortunately, there are significant indications that

Dr Nathan Clarke is a senior lecturer in information systems security, based within the Network Research Group at the University of Plymouth. His research has given specific consideration to enhanced authentication for mobile devices, including the practical implementation and evaluation of related techniques.

References (19)

  • N.L. Clarke et al. Acceptance of subscriber authentication methods for mobile telephony devices. Computers and Security (2002)
  • 3GPP. 3G security; security threats and requirements
  • M. Broersma. WAP makes resurgence (8 January 2004)
  • Cellular Online. Mobile content shows revenue promise says Nokia report
  • Cellular Online. Stats snapshot
  • Clarke NL, Furnell SM, Reynolds PL. Biometric authentication for mobile devices. In: Proceedings of the third...
  • Clarke N, Furnell S, Lines B, Reynolds P. Using keystroke analysis as a mechanism for subscriber authentication on...
  • Competition Commission. Vodafone, Orange and T-Mobile. Reports on references under Section 13 of the Telecommunications Act 1984 on the charges made by Vodafone, O2, Orange and T-Mobile for terminating calls from fixed and mobile networks
  • Harrington V, Mayhew P. Home office research study 235: mobile phone theft. Crown Copyright;...

There are more references available in the full text version of this article.

Dr Steven Furnell is the head of the Network Research Group at the University of Plymouth, UK, and an Adjunct Associate Professor with Edith Cowan University, Western Australia. His research has included several projects in the area of security for mobile devices. Related papers can be obtained from www.plymouth.ac.uk/nrg.