Authentication of users on mobile telephones – A survey of attitudes and practices
Introduction
In a relatively short time, the mobile phone has risen to become the most common IT device in everyday life, with a worldwide user base now in excess of 1.5 billion (Cellular Online, 2005). Although many subscribers still use their devices primarily for telephony services, the underlying wireless technologies (such as GSM, GPRS and UMTS) can all enable access to a range of data-centric services. For example, email, web browsing, mCommerce, and video streaming are all viable applications for modern devices – significantly increasing their importance and value to the end user. In order to enable delivery of such services, mobile phones have become increasingly powerful: evolving from relatively basic terminals handling analogue telephony, to multi-purpose, mobile multimedia communication tools, providing much of the functionality of desktop computers and Personal Digital Assistants (PDAs). In parallel with this is the ability for new devices to store vastly more information than earlier generations, with many accepting solid-state memory such as Secure Digital (SD) cards, which are capable of providing storage in the order of gigabytes.
Even before the emergence of the current functionality, mobile phones had proven themselves to be highly attractive targets for theft. For example, statistics from the UK Home Office reported that over 700,000 handsets had been stolen in 2001 (Harrington and Mayhew, 2001), while unofficial reports have put this figure in the region of 1.3 million (Leyden, 2002). With the devices becoming more advanced, it can be predicted that their desirability as targets for theft can only increase.
The financial loss to the user in this case would not only be the theft of the device itself, but also the services accessed before network access is denied and the personal data stored upon the device.
Subscriber authentication on mobile handsets
As the range of data and services expands, it is increasingly desirable for subscribers to protect their devices via appropriate authentication methods. The dominant method for achieving this on current devices is the use of 4–8 digit Personal Identification Numbers (PINs), which can be applied to both the device and the user's Subscriber Identity Module (SIM) – a removable token containing the cryptographic keys required for network authentication.
The PIN is a secret-knowledge authentication
A survey of subscriber attitudes and practices
Given that a potential argument exists for incorporating stronger authentication, it is relevant to consider the needs and attitudes of the subscribers who would have to live with the technology. From a practical perspective, the level of authentication must be commensurate with the cost that could be incurred through misuse; otherwise an enhanced solution would simply represent an unnecessary overhead. For example, if subscribers as a whole still only wish to use their more advanced handsets
Discussion
From a subscriber's perspective, it can be suggested that the use of biometric techniques would be an acceptable method of authentication, with a large proportion being willing to utilise this authentication in a continuous and transparent manner. However, when considering which biometrics to implement within a mobile device, one must consider other factors in addition to user preference. Specifically, such factors will include cost, accuracy, and the intrusiveness of the authentication
Conclusions
The growth and popularity of mobile devices and wireless networking technologies have increased the need to ensure the validity of the user. Information held by these devices is no longer limited to names, telephone numbers and short messages, and they can consequently store and access a wide variety of personally and commercially sensitive data and services. This trend is only set to continue, and creates a resultant demand for security. Unfortunately, there are significant indications that
Dr Nathan Clarke is a senior lecturer in information systems security, based within the Network Research Group at the University of Plymouth. His research has given specific consideration to enhanced authentication for mobile devices, including the practical implementation and evaluation of related techniques.
References (19)
- et al. Acceptance of subscriber authentication methods for mobile telephony devices. Computers and Security
(2002) 3G security; security threats and requirements
WAP makes resurgence
(8 January 2004)Mobile content shows revenue promise says Nokia report
Stats snapshot
- Clarke NL, Furnell SM, Reynolds PL. Biometric authentication for mobile devices. In: Proceedings of the third...
- Clarke N, Furnell S, Lines B, Reynolds P. Using keystroke analysis as a mechanism for subscriber authentication on...
Vodafone, Orange and T-Mobile. Reports on references under Section 13 of the Telecommunications Act 1984 on the charges made by Vodafone, O2, Orange and T-Mobile for terminating calls from fixed and mobile networks
- Harrington V, Mayhew P. Home office research study 235: mobile phone theft. Crown Copyright;...
Dr Steven Furnell is the head of the Network Research Group at the University of Plymouth, UK, and an Adjunct Associate Professor with Edith Cowan University, Western Australia. His research has included several projects in the area of security for mobile devices. Related papers can be obtained from www.plymouth.ac.uk/nrg.