Toward supervised shape-based behavioral authentication on smartphones

https://doi.org/10.1016/j.jisa.2020.102591

Abstract

Smartphone security has received increasing attention as users perform ever more sensitive tasks on their devices. For example, users can utilize mobile banking applications for online shopping, which may store much sensitive data on their devices. Hence there is a need to authenticate users and detect impostors. However, traditional textual passwords are easily compromised and are not convenient for users to remember over a long period due to long-term memory limitations. To complement textual passwords, behavioral authentication has been developed, which authenticates a user based on relevant biometric features. In this work, we focus on simple shape-based behavioral authentication, which requires users to draw shape(s) for authentication, and investigate how to design such behavioral authentication in practice. We consider two research questions: (1) whether the authentication accuracy varies with different shapes, and (2) how many shapes can be used to achieve good usability. In the evaluation, we perform two user studies with 60 participants and measure several typical supervised learning classifiers. Based on the results, we provide insights on designing a supervised shape-based behavioral authentication system, as compared with similar schemes.

Introduction

Over the past decades, the world has undergone a revolution driven by the rapid development of technology. Mobile devices like smartphones are one of these innovations, allowing users to connect with their peers and the world more easily. According to data from Statista, the number of smartphone users in the world has reached around 3.5 billion, which means up to 45.04% of the world’s population may have a smartphone [1]. Phone users can purchase online and use various mobile banking applications to manage their finances. They can also store personal data like images and private messages on their devices as internal storage grows. A report from IDC estimated that worldwide smartphone shipments would grow around 2.9%, driven by the expected launch of 5G devices, and that the overall smartphone market may reach nearly 1.49 billion units in 2023 [2].

The valuable information stored on smartphones has become a main target of intruders, and suitable authentication mechanisms need to be deployed to guard against unauthorized access [3]. Currently, passwords are still the most widely accepted authentication method; they require users to remember textual information like numbers and characters for authentication [4]. However, traditional password-based authentication has well-known limitations regarding security and usability. For example, users find it difficult to remember a strong textual password due to long-term memory limitations [5]. In addition, passwords can be easily compromised in an adversarial scenario, e.g., phone charging attacks enable recording of the screen during the charging period [6], [7]. In the literature, various graphical passwords like [5], [8] have been proposed to ease users’ memory burden by having them interact with images, but such passwords still suffer from the same issues, such as charging attacks.

To mitigate this challenge, behavioral authentication [9], which utilizes users’ behavioral features for authentication, has received much attention. As most existing smartphones provide a touch screen as the input interface, touch behavioral authentication has become a popular topic in the research community. Many behavioral authentication schemes have been developed for continuous authentication [10]. For instance, Frank et al. [11] introduced Touchalytics, a touch behavioral authentication scheme on smartphones with 30 features based on users’ touches, e.g., coordinates and median velocity. Meng et al. [12] designed a touch behavioral authentication scheme on smartphones based on 21 touch features like touch angle and speed.

In addition to continuously verifying a user, behavioral authentication can also be used to design phone unlock mechanisms. As an example, De Luca et al. [13] introduced an unlock pattern scheme that incorporates behavioral features and dynamic time warping (DTW). Meng et al. [14] then showed a screen unlock scheme that validates users based on their touch movement. As the unlock mechanism is the first line of defense on smartphones, in this work we focus on a simple shape-based behavioral authentication scheme, in which users are required to draw shape(s) to unlock their phones. The contributions of our work are summarized below.
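The touch features and DTW matching just described, as an added example that is not code from this paper or from the cited schemes: a stroke is a list of (x, y, t) touch samples, `stroke_features` extracts duration, path length and median velocity, `dtw_distance` aligns a candidate stroke with enrolled templates, and `verify_sequence` chains per-shape checks so that a two- or three-shape scheme accepts only when every shape matches. The function names, the constructed circle traces and the threshold rule (1.5 times the largest distance among the enrolment strokes) are assumptions made for illustration, not values from the paper.

```python
"""Added example (not code from the paper): behavioural features and DTW
matching for strokes drawn on a lock screen.

A stroke is a list of (x, y, t) touch samples (pixels, milliseconds). We
extract a few behavioural features named in the introduction (duration,
path length, median velocity) and compare a candidate stroke with enrolled
templates using dynamic time warping (DTW). All traces are constructed; the
threshold rule (1.5 x the largest template-to-template distance) is an
assumption chosen for illustration.
"""
import math
import random
from statistics import median


def stroke_features(stroke):
    """Per-stroke behavioural features from a list of (x, y, t) samples."""
    velocities, path_length = [], 0.0
    for (x0, y0, t0), (x1, y1, t1) in zip(stroke, stroke[1:]):
        dist = math.hypot(x1 - x0, y1 - y0)
        path_length += dist
        dt = t1 - t0
        if dt > 0:                      # ignore samples with a repeated timestamp
            velocities.append(dist / dt)
    return {
        "duration": stroke[-1][2] - stroke[0][2],
        "path_length": path_length,
        "median_velocity": median(velocities) if velocities else 0.0,
    }


def dtw_distance(a, b):
    """Dynamic time warping distance between two (x, y, t) sequences.

    Local cost is the Euclidean distance between x/y coordinates, so two
    drawings of the same shape at different speeds still align well.
    """
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)       # row 0 of the accumulated-cost matrix
    for pa in a:
        cur = [inf] * (len(b) + 1)
        for j, pb in enumerate(b, start=1):
            cost = math.hypot(pa[0] - pb[0], pa[1] - pb[1])
            cur[j] = cost + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[len(b)]


def enroll(templates, margin=1.5):
    """Derive an acceptance threshold from the spread among enrolment strokes."""
    intra = [dtw_distance(templates[i], templates[j])
             for i in range(len(templates)) for j in range(i + 1, len(templates))]
    return {"templates": templates, "threshold": margin * max(intra)}


def verify(profile, probe):
    """Accept the probe if it is close (under DTW) to any enrolled template."""
    distance = min(dtw_distance(probe, t) for t in profile["templates"])
    return distance <= profile["threshold"], distance


def verify_sequence(profiles, probes):
    """Multi-shape scheme: every shape in the sequence must be accepted."""
    return len(profiles) == len(probes) and all(
        verify(p, s)[0] for p, s in zip(profiles, probes))


def synth_circle(cx, cy, r, n, start_angle, jitter, dt_ms, seed):
    """Constructed touch trace: a circle drawn with small, seeded hand jitter."""
    rng = random.Random(seed)
    pts = []
    for k in range(n):
        theta = start_angle + 2 * math.pi * k / (n - 1)
        pts.append((cx + r * math.cos(theta) + rng.uniform(-jitter, jitter),
                    cy + r * math.sin(theta) + rng.uniform(-jitter, jitter),
                    k * dt_ms))
    return pts


def demo():
    # Genuine user: five enrolment strokes and one fresh probe with the same habit.
    genuine = [synth_circle(300, 500, 100, 40, 0.0, 3, 10, seed) for seed in range(5)]
    probe = synth_circle(300, 500, 100, 40, 0.0, 3, 10, seed=99)
    # Impostor: starts the circle on the opposite side, draws it larger and slower.
    impostor = synth_circle(300, 500, 120, 40, math.pi, 5, 20, seed=7)
    profile = enroll(genuine)
    return {
        "genuine": verify(profile, probe),
        "impostor": verify(profile, impostor),
        "genuine_features": stroke_features(probe),
        "impostor_features": stroke_features(impostor),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

DTW is quadratic in the number of samples, which is acceptable for the few dozen points a single stroke produces on a lock screen. A deployable version would additionally normalise position and scale before matching and tune the threshold per user against a set of impostor attempts, since a margin derived only from the user's own enrolment strokes says nothing about the false acceptance rate.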

  • The purpose of our work is to investigate how to design a suitable shape-based behavioral authentication scheme in practice. We mainly focus on two research questions: (1) whether the authentication accuracy varies with different shapes, and (2) how many shapes can be used to achieve a good balance between security and usability.

  • In our prototype, we consider five shapes: circle, square, rectangle, triangle, and diamond, which are common and easy to input on a smartphone. To explore the first research question, we design sub-schemes with one shape, two shapes and three shapes for authentication, respectively. To study the second research question, we measure the authentication accuracy on each shape (five shapes in total) across all participants.

  • In the evaluation, we conduct two user studies with a total of 60 participants and measure several typical supervised learning classifiers. Based on the collected data and users’ feedback, we find that the SVM classifier outperforms the other classifiers in our settings, and that users are more likely to accept the two-shape scheme as a tradeoff between security and usability.

This paper is structured as follows. Section 2 reviews related work on phone unlock patterns and behavioral authentication. Section 3 describes our shape-based behavioral authentication with its distinct schemes. Section 4 introduces several supervised learning classifiers, presents the study design and analyzes the collected results. We discuss some open challenges in Section 5 and conclude the work in Section 6.

Related work

In this section, we review relevant research studies on phone unlock mechanisms (including graphical passwords) and touch behavioral authentication.

Shape-based behavioral authentication

As discussed above, we advocate designing unlock mechanisms that incorporate behavioral biometrics. In this work, we focus on simple shape-based behavioral authentication, which is more time-efficient than most existing behavioral authentication schemes.

The idea of authenticating users based on shapes is not new. In the literature, Abbas et al. [43] introduced a touch behavioral authentication scheme based on simple shape(s) on smart mobile devices. They adopted some simple shapes

User study

In this section, we perform two user studies to investigate our research questions. The first study attempts to answer whether the authentication accuracy varies with different shapes. The second study aims to answer how many shapes can be used to achieve a good balance between security and usability, i.e., which scheme in Section 3 may receive more positive feedback from participants.

Discussion and challenges

In the user study, we performed two user studies to answer our two research questions. To the best of our knowledge, this is an early research effort focusing on evaluating the usability and security of simple shape-based behavioral authentication. Below are some open challenges and limitations that could be considered in our future work.

Conclusion

To protect smartphones from unauthorized access, behavioral features can be used to design unlock mechanisms. In this work, we focus on simple shape-based behavioral authentication and study two research questions: (1) whether the authentication accuracy varies with different shapes, and (2) how many shapes can be used to design a scheme with good security and usability. In the evaluation, we perform two user studies with 60 participants. For the first question, it is found that users would

CRediT authorship contribution statement

Wenjuan Li: Conceptualization, Methodology, Writing - original draft. Yu Wang: Writing - review & editing, Resources, Investigation. Jin Li: Writing - review & editing, Supervision. Yang Xiang: Resources, Writing - review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

The work is funded by the National Natural Science Foundation of China (No. 61772405 and No. 61802077) and the Guangzhou University Research Project, China (RD2020076).

References (45)

  • Meng W. RouteMap: A route and map based graphical password scheme for better multiple password memory.
  • Meng W, et al. TMGMap: Designing touch movement-based geographical password authentication on smartphones.
  • Meng W, et al. Surveying the development of biometric user authentication on mobile phones. IEEE Commun Surv Tutor (2015).
  • Frank M, et al. Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans Inf Forensics Secur (2013).
  • Meng Y, et al. Touch gestures based biometric authentication scheme for touchscreen mobile phones.
  • De Luca A, Hang A, Brudy F, Lindner C, Hussmann H. Touch me once and i know it’s you!: Implicit authentication based on...
  • Meng W, Li W, Wong DS, Zhou J. TMGuard: A touch movement-based security mechanism for screen unlock patterns on...
  • Tao H, et al. Pass-Go: A proposal to improve the usability of graphical passwords. Int J Netw Secur (2008).
  • Jermyn I, et al. The design and analysis of graphical passwords.
  • Aviv AJ, et al. Smudge attacks on smartphone touch screens.
  • Andriotis P, et al. A pilot study on the security of pattern screen-lock methods and soft side channel attacks.
  • Gyorffy JC, et al. Token-based graphical password authentication. Int J Inf Sec (2011).
Wenjuan Li obtained the Ph.D. degree from the Department of Computer Science, City University of Hong Kong (CityU) in 2019. She received both Research Tuition Scholarships and the Outstanding Academic Performance Award during her doctoral studies. Before that, she was a lecturer in the Department of Computer Science, Zhaoqing Foreign Language College, China, and a Research Assistant in the Department of Computer Science, CityU from 2013 to 2014. She was a winner of the Cyber Quiz and Computer Security Competition, Final Round of the Kaspersky Lab “Cyber Security for the Next Generation” Conference in 2014. To date, she has published more than 50 conference and journal papers. Her research interests include network management and security, intrusion detection, spam detection, trust management, blockchain security, and E-commerce security.

Yu Wang received his Ph.D. degree in computer science from Deakin University, Victoria, Australia. He is currently an associate professor with the Institute of Artificial Intelligence and Blockchain, Guangzhou University, China. His main research interests include network traffic analysis, mobile networks, social networks, and cyber security.

Jin Li received the B.S. degree in mathematics from Southwest University, Chongqing, China, in 2002, and the Ph.D. degree in information security from Sun Yat-sen University, Guangzhou, China, in 2007. He is currently a Professor with Guangzhou University, China. His current research interests include applied cryptography and security in cloud computing. He was selected as one of the Youth Distinguished Scholars of China, Youth Yangzi-River Scholars of China, and New Stars of Science and Technology in Guangdong Province.

Yang Xiang received his Ph.D. in Computer Science from Deakin University, Australia. He is currently a full professor and the Dean of the Digital Research & Innovation Capability Platform, Swinburne University of Technology, Australia. His research interests include cyber security, which covers network and system security, data analytics, distributed systems, and networking. He is also leading the Blockchain initiatives at Swinburne. In the past 20 years, he has been working in the broad area of cyber security, which covers network and system security, AI, data analytics, and networking. He has published more than 300 research papers in many international journals and conferences. He is the Editor-in-Chief of the SpringerBriefs on Cyber Security Systems and Networks. He serves as an Associate Editor of IEEE Transactions on Dependable and Secure Computing and IEEE Internet of Things Journal, and as an Editor of the Journal of Network and Computer Applications. He served as an Associate Editor of IEEE Transactions on Computers and IEEE Transactions on Parallel and Distributed Systems. He is the Coordinator, Asia for the IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Fellow of the IEEE.
