Thursday, September 6, 2012

Paper Reading #5: Touch me once and I know it's you! Implicit Authentication based on Touch Screen Patterns


Introduction: As most Android users know, the draw-a-shape password application is quick and easy to use. However, it is not as safe as one might assume. First, an attacker could easily watch the phone owner enter the shape and then mimic it. Second, an attacker could simply look at the smudge patterns on the screen and decipher the password pattern. These are serious flaws with a pattern-based password, and in “Touch me once and I know it’s you! Implicit authentication based on touch screen patterns,” a research team attempts to address these issues.
Summary: Alexander De Luca, Alina Hang, Frederik Brudy, Christian Lindner, and Heinrich Hussmann are from the University of Munich and are the researchers for this paper. The research team is attempting to differentiate between different users keying in the same pattern password. In addition, the team will use this ability to increase the protection of pattern-based passwords by checking for individual users’ identities. The team first observed user input information, such as speed, pressure, and path taken, on trivial tasks, such as horizontal swipe, vertical swipe, and horizontal swipe. Once they gathered this data, they began developing a security application that will incorporate these additional features into the existing pattern-based password programs. The research team will then perform another research experiment, which will use the newly created program and test users’ and attackers’ input results. The categories that will be tracked are false negatives, true negatives, false positives, and true positives, which will then be used to calculate an overall accuracy rate.
 
Related Work: A lot of research has been done regarding biometric verification techniques, and I will name a few here. First, “Biometric verification at a self service interface” investigates the use of physiological biometrics to securely identify users. Second, a research team investigates “How biometrics will fuse flesh and machine,” which further investigates physiological biometric verification methods. Then, a research team investigates the user acceptance of biometric verification methods in “Employee acceptance of computerized biometrics security systems.” Another paper that references user acceptance of biometric verification systems is “Theoretical examination of the effects of anxiety and electronic performance monitoring on biometric security systems.” Next, in “A user study using images for authentication,” a research team studies using pictures for passwords altogether. An application of a very specific physiological biometric test is used in “An iris biometric system for public and personal use.” In “An introduction to evaluating biometric systems,” researchers study the broad topic and application of physiological biometrics. “Bodycheck: Biometric access protection devices and their programs put to the test” is a study in which a research team investigates both physiological and behavioral biometrics to improve security functions. A study of privacy and big brother syndrome is conducted in “Biometrics in the mainstream: what does the U.S. public think.” Finally, a team studies the benefit of picture passwords regarding memory in “The memorability and security of passwords – some empirical results.”
Evaluation: In order to evaluate the first part of the research, including the base information regarding touch pressure and speed, the team used quantitative objective methods. This allows the team to gather hard evidence for their hypothesis. Then, the team uses quantitative objective methods again when measuring the accuracy of the real users and attackers keying in the correct pattern password. The results of the experiment can be seen in the following chart.

| True Positives | False Negatives | True Negatives | False Positives | Accuracy |
|---|---|---|---|---|
| 398 | 92 | 852 | 231 | 77% |

False Rejection Rate: 19%
False Acceptance Rate: 21%
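
An added illustration (not code from the paper or from this post) of the kind of check summarized above: an attempt that draws the correct shape is still compared against the owner's enrolled pressure and speed traces, and the outcomes are tallied into the four categories used in the chart. The dynamic time warping comparison, the threshold, and all sample traces are assumptions made for this example.

```python
import math

def dtw(a, b):
    """Dynamic time warping distance between two traces of (pressure, speed) samples."""
    inf = float("inf")
    d = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    d[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = math.dist(a[i - 1], b[j - 1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[-1][-1]

def score(attempt, references):
    """Mean DTW distance from one attempt to the owner's enrolled traces."""
    return sum(dtw(attempt, r) for r in references) / len(references)

def evaluate(genuine, impostor, references, threshold):
    """Return (TP, FN, TN, FP); every attempt is assumed to have drawn the right shape."""
    tp = sum(score(x, references) <= threshold for x in genuine)
    fp = sum(score(x, references) <= threshold for x in impostor)
    return tp, len(genuine) - tp, len(impostor) - fp, fp

def rates(tp, fn, tn, fp):
    """False rejection rate, false acceptance rate and pooled accuracy."""
    return {"frr": fn / (tp + fn), "far": fp / (tn + fp),
            "accuracy": (tp + tn) / (tp + fn + tn + fp)}

# Constructed sample data (not from the paper): one (pressure, speed) pair per touch sample.
ENROLLED = [[(0.40, 1.0), (0.45, 1.2), (0.50, 1.1), (0.42, 0.9)],
            [(0.38, 1.0), (0.44, 1.1), (0.47, 1.2), (0.49, 1.1), (0.41, 0.9)]]
GENUINE = [[(0.41, 1.0), (0.46, 1.1), (0.49, 1.1), (0.43, 0.9)],
           [(0.39, 1.1), (0.44, 1.2), (0.51, 1.0), (0.40, 0.8)],
           [(0.60, 1.8), (0.65, 2.0), (0.62, 1.9)]]   # owner in a hurry: rejected
IMPOSTOR = [[(0.70, 0.6), (0.75, 0.7), (0.80, 0.6), (0.72, 0.5), (0.70, 0.5)],
            [(0.20, 1.6), (0.25, 1.8), (0.22, 1.7)],
            [(0.42, 1.0), (0.47, 1.1), (0.48, 1.1), (0.44, 1.0)]]  # close imitation: accepted
THRESHOLD = 0.6  # assumed value, chosen by hand for this toy data

if __name__ == "__main__":
    counts = evaluate(GENUINE, IMPOSTOR, ENROLLED, THRESHOLD)
    print(counts, rates(*counts))
```

Applied to the counts in the chart, `rates(398, 92, 852, 231)` gives a false rejection rate of 92/490 ≈ 19% and a false acceptance rate of 231/1083 ≈ 21%, matching the figures above. The pooled accuracy from the same counts is 1250/1573 ≈ 79%, so the 77% in the chart was presumably computed another way (for example, averaged per user), which is an assumption here.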
Discussion: I believe that this research paper did a great job at investigating a cheap and logical solution to an everyday problem. The main difference between the related works and this study is the type of biometrics testing used. Most of the studies investigate the idea of using physiological biometrics, such as fingerprints and retina scans. Alternatively, this study investigates the use of behavioral physiological biometrics, such as pressure and speed. The main two benefits of these two approaches are 1) no additional hardware is required in addition to an Android smartphone and 2) no privacy questions come into play regarding the storage of physiological biometric identity information. The main problem that I see with this study is that a lot of times, multiple people use a phone. For example, friends and significant others know each other’s password patterns, and this research paper does not account for this situation.
