DOI: 10.1145/3365921.3365923
research-article

CORMORANT: On Implementing Risk-Aware Multi-Modal Biometric Cross-Device Authentication For Android

Published: 22 February 2020

Abstract

This paper presents the design and open source implementation of Cormorant, an Android authentication framework able to increase the usability and security of mobile authentication. It uses transparent behavioral and physiological biometrics like gait, face, voice, and keystroke dynamics to continuously evaluate the user's identity without explicit interaction. Using signals like location, time of day, and nearby devices to assess the risk of unauthorized access, the required level of confidence in the user's identity is dynamically adjusted. Authentication results are shared securely, end-to-end encrypted using the Signal messaging protocol, with trusted devices to facilitate cross-device authentication for co-located devices, which are detected using Bluetooth Low Energy beacons. Cormorant is able to reduce the authentication overhead by up to 97% compared to conventional knowledge-based authentication whilst increasing security at the same time. We share our perspective on some of the successes and shortcomings we encountered implementing and evaluating Cormorant, in the hope of informing others working on similar projects.

Published In

MoMM2019: Proceedings of the 17th International Conference on Advances in Mobile Computing & Multimedia
December 2019
266 pages
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Johannes Kepler University, Linz, Austria
  • @WAS: International Organization of Information Integration and Web-based Applications and Services

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

MoMM2019

Cited By

  • (2024) SMARTCOPE. Pervasive and Mobile Computing 97:C. DOI: 10.1016/j.pmcj.2023.101873. Online publication date: 1-Jan-2024
  • (2024) Cross-device free-text keystroke dynamics authentication using federated learning. Personal and Ubiquitous Computing 28:3-4 (491-505). DOI: 10.1007/s00779-024-01832-6. Online publication date: 10-Sep-2024
  • (2024) Enhancing Cross-Device Security with Fine-Grained Permission Control. Security and Privacy in Communication Networks (101-121). DOI: 10.1007/978-3-031-64954-7_6. Online publication date: 15-Oct-2024
  • (2021) PUPy: A Generalized, Optimistic Context Detection Framework for Implicit Authentication. 2021 18th International Conference on Privacy, Security and Trust (PST) (1-10). DOI: 10.1109/PST52912.2021.9647739. Online publication date: 13-Dec-2021
  • (2020) Towards Privacy Preserving Data Centric Super App. 2020 Mediterranean Communication and Computer Networking Conference (MedComNet) (1-4). DOI: 10.1109/MedComNet49392.2020.9191550. Online publication date: Jun-2020
