DOI: 10.1145/3365921.3365923
research-article

CORMORANT: On Implementing Risk-Aware Multi-Modal Biometric Cross-Device Authentication For Android

Published: 22 February 2020

ABSTRACT

This paper presents the design and open source implementation of Cormorant, an Android authentication framework able to increase usability and security of mobile authentication. It uses transparent behavioral and physiological biometrics like gait, face, voice, and keystroke dynamics to continuously evaluate the user's identity without explicit interaction. The required level of confidence in the user's identity is dynamically adjusted based on the risk of unauthorized access, which is assessed using signals like location, time of day, and nearby devices. Authentication results are shared securely, end-to-end encrypted using the Signal messaging protocol, with trusted devices to facilitate cross-device authentication for co-located devices, which are detected using Bluetooth Low Energy beacons. Cormorant is able to reduce the authentication overhead by up to 97% compared to conventional knowledge-based authentication whilst increasing security at the same time. We share our perspective on some of the successes and shortcomings we encountered implementing and evaluating Cormorant, in the hope of informing others working on similar projects.


Published in

MoMM2019: Proceedings of the 17th International Conference on Advances in Mobile Computing & Multimedia
December 2019
266 pages

Copyright © 2019 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

• research-article
• Research
• Refereed limited
