Toward supervised shape-based behavioral authentication on smartphones
Introduction
Over the past decades, the world has undergone a revolution driven by the rapid development of technology. Mobile devices such as smartphones are one of these innovations, allowing users to connect with their peers and the world more easily. According to data from Statista, the number of smartphone users in the world has reached around 3.5 billion, which means that up to 45.04% of the world's population may own a smartphone [1]. Phone users can purchase online and use various mobile banking applications to manage their finances. With the increase in internal storage, they can also store personal data such as images and private messages on their devices. A report from IDC estimated that worldwide smartphone shipments would grow by around 2.9%, driven by the expected launch of 5G devices, and that the overall smartphone market may reach nearly 1.49 billion units in 2023 [2].
The valuable information stored on smartphones has become a main target for intruders, and suitable authentication mechanisms need to be deployed to guard against unauthorized access [3]. Currently, passwords are still the most widely accepted authentication method; they require users to remember textual information such as numbers and characters for authentication [4]. However, traditional password-based authentication has well-known limitations regarding security and usability. For example, users find it difficult to remember a strong textual password because of long-term memory limitations [5]. In addition, passwords can be easily compromised in an adversarial scenario, e.g., phone charging attacks enable the recording of the screen during the charging period [6], [7]. In the literature, various graphical passwords such as [5], [8] have been proposed to ease the memory burden on users by having them interact with images, but such passwords still suffer from the same issues, such as charging attacks.
To mitigate this challenge, behavioral authentication [9], which utilizes users' behavioral features for authentication, has received much attention. As most existing smartphones provide a touch screen as the input interface, touch behavioral authentication has become a popular topic in the research community, and many behavioral authentication schemes have been developed for continuous authentication [10]. For instance, Frank et al. [11] introduced Touchalytics, a touch behavioral authentication scheme on smartphones using 30 features derived from users' touches, e.g., coordinates and median velocity. Meng et al. [12] designed a touch behavioral authentication scheme on smartphones based on 21 touch features such as touch angle and speed.
In addition to continuously verifying a user, behavioral authentication can also be used to design phone unlock mechanisms. As an example, De Luca et al. [13] introduced an unlock pattern scheme that involves behavioral features and dynamic time warping (DTW). Meng et al. [14] then showed a screen unlock scheme that validates users based on their touch movements. As the unlock mechanism is the first line of defense on smartphones, in this work we focus on a simple shape-based behavioral authentication scheme in which users are required to draw shape(s) to unlock their phones. The contributions of our work are summarized below.
- The purpose of our work is to investigate how to design a suitable shape-based behavioral authentication scheme in practice. We mainly focus on two research questions: (1) whether the authentication accuracy varies with different shapes, and (2) how many shapes can be used to achieve a good balance between security and usability.
- In our prototype, we mainly consider five shapes, namely circle, square, rectangle, triangle, and diamond, which are common and easy to input on a smartphone. To explore the first research question, we design sub-schemes with one shape, two shapes and three shapes for authentication, respectively. To study the second research question, we measure the authentication accuracy on each shape (a total of five shapes) based on all participants.
- In the evaluation, we conduct two user studies with a total of 60 participants and measure several typical supervised learning classifiers. Based on the collected data and users' feedback, it is found that the SVM classifier can outperform the other classifiers in our settings, and that users are more likely to accept the two-shape scheme as a tradeoff between security and usability.
This paper is structured as follows. In Section 2, we mainly introduce related work on phone unlock patterns and behavioral authentication. Section 3 describes our shape-based behavioral authentication with distinct schemes. Section 4 introduces several supervised learning classifiers, presents the study design and analyzes the collected results. We discuss some open challenges in Section 5, and conclude the work in Section 6.
Related work
In this section, we review relevant research studies on phone unlock mechanisms (including graphical passwords) and touch behavioral authentication.
Shape-based behavioral authentication
As discussed above, we advocate the design of unlock mechanisms that involve behavioral biometrics. In this work, we focus on simple shape-based behavioral authentication, which is more time-efficient than most existing behavioral authentication schemes.
The idea of authenticating users based on shapes is not new. In the literature, Abbas et al. [43] directly introduced a touch behavioral authentication scheme based on simple shape(s) in smart mobiles. They adopted some simple shapes
User study
In this section, we perform two user studies to investigate our research questions. The first study attempts to answer whether the authentication accuracy varies with different shapes. The second study aims to answer how many shapes can be used to achieve a good balance between security and usability, i.e., which scheme in Section 3 may receive more positive feedback from participants.
Discussion and challenges
In the user study, we performed two user studies to answer our two research questions. To the best of our knowledge, this is an early research effort focusing on evaluating the usability and security of simple shape-based behavioral authentication. Below are some open challenges and limitations that could be considered in our future work.
Conclusion
To protect smartphones from unauthorized access, behavioral features can be used to design unlock mechanisms. In this work, we focus on simple shape-based behavioral authentication and study two research questions: (1) whether the authentication accuracy varies with different shapes, and (2) how many shapes can be used to design a scheme with good security and usability. In the evaluation, we perform two user studies with 60 participants. For the first question, it is found that users would
CRediT authorship contribution statement
Wenjuan Li: Conceptualization, Methodology, Writing - original draft. Yu Wang: Writing - review & editing, Resources, Investigation. Jin Li: Writing - review & editing, Supervision. Yang Xiang: Resources, Writing - review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
The work is funded by the National Natural Science Foundation of China under Grant No. 61772405 and No. 61802077, and by the Guangzhou University Research Project, China (RD2020076).
References (45)
- et al. JFCGuard: Detecting Juice filming charging attack via processor usage analysis on smartphones. Comput Secur (2018)
- et al. Towards detection of juice filming charging attacks via supervised CPU usage analysis on smartphones. Comput Electr Eng (2019)
- et al. Passpoints: Design and longitudinal evaluation of a graphical password system. Int J Hum-Comput Stud (2005)
- et al. BehaveSense: Continuous authentication for security-sensitive mobile apps using behavioral biometrics. Ad Hoc Netw (2019)
- et al. A swipe-based unlocking mechanism with supervised learning on smartphones: Design and evaluation. J Netw Comput Appl (2020)
- How Many People Have Smartphones in the world? (2020)
- Smartphone Market Share (2020)
- et al. Data-driven cybersecurity incident prediction: A survey. IEEE Commun Surv Tutor (2019)
- Password management: Distribution, review and revocation. Comput J (2015)
- Designing click-draw based graphical password scheme for better authentication
- RouteMap: A route and map based graphical password scheme for better multiple password memory
- TMGMap: Designing touch movement-based geographical password authentication on smartphones
- Surveying the development of biometric user authentication on mobile phones. IEEE Commun Surv Tutor
- Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans Inf Forensics Secur
- Touch gestures based biometric authentication scheme for touchscreen mobile phones
- Pass-Go: A proposal to improve the usability of graphical passwords. Int J Netw Secur
- The design and analysis of graphical passwords
- Smudge attacks on smartphone touch screens
- A pilot study on the security of pattern screen-lock methods and soft side channel attacks
- Token-based graphical password authentication. Int J Inf Sec
Cited by (8)
- Design of double-cross-based smartphone unlock mechanism. Computers and Security (2023)
- Verifiable Secure Aggregation Protocol Under Federated Learning. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (2024)
- A Comparison of a Touch-Gesture- and a Keystroke-Based Password Method: Toward Shoulder-Surfing Resistant Mobile User Authentication. IEEE Transactions on Human-Machine Systems (2023)
- Bu-Dash: a universal and dynamic graphical password scheme (extended version). International Journal of Information Security (2023)
- Task-aware swapping for efficient DNN inference on DRAM-constrained edge systems. International Journal of Intelligent Systems (2022)
- VISEL: A visual and magnetic fusion-based large-scale indoor localization system with improved high-precision semantic maps. International Journal of Intelligent Systems (2022)
Wenjuan Li obtained the Ph.D. degree from the Department of Computer Science, City University of Hong Kong (CityU) in 2019. She received both Research Tuition Scholarships and the Outstanding Academic Performance Award during her doctoral studies. Before that, she was a lecturer in the Department of Computer Science, Zhaoqing Foreign Language College, China, and a Research Assistant in the Department of Computer Science, CityU from 2013 to 2014. She was a Winner of the Cyber Quiz and Computer Security Competition, Final Round of the Kaspersky Lab "Cyber Security for the Next Generation" Conference in 2014. To date, she has published more than 50 conference and journal papers. Her research interests include network management and security, intrusion detection, spam detection, trust management, blockchain security, and E-commerce security.
Yu Wang received his Ph.D. degree in computer science from Deakin University, Victoria, Australia. He is currently an associate professor with the Institute of Artificial Intelligence and Blockchain, Guangzhou University, China. His main research interests include network traffic analysis, mobile networks, social networks, and cyber security.
Jin Li received the B.S. degree in mathematics from Southwest University, Chongqing, China, in 2002, and the Ph.D. degree in information security from Sun Yat-sen University, Guangzhou, China, in 2007. He is currently a Professor with Guangzhou University, China. His current research interests include applied cryptography and security in cloud computing. He was selected as one of Youth Distinguished Scholars of China, Youth Yangzi-River Scholars of China, and New Stars of Science and Technology in Guangdong Province.
Yang Xiang received his Ph.D. in Computer Science from Deakin University, Australia. He is currently a full professor and the Dean of Digital Research & Innovation Capability Platform, Swinburne University of Technology, Australia. His research interests include cyber security, which covers network and system security, data analytics, distributed systems, and networking. He is also leading the Blockchain initiatives at Swinburne. In the past 20 years, he has been working in the broad area of cyber security, which covers network and system security, AI, data analytics, and networking. He has published more than 300 research papers in many international journals and conferences. He is the Editor-in-Chief of the SpringerBriefs on Cyber Security Systems and Networks. He serves as the Associate Editor of IEEE Transactions on Dependable and Secure Computing and IEEE Internet of Things Journal, and the Editor of Journal of Network and Computer Applications. He served as the Associate Editor of IEEE Transactions on Computers and IEEE Transactions on Parallel and Distributed Systems. He is the Coordinator, Asia for IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Fellow of the IEEE.