Abstract
The paper presents a risk-driven behavioral biometric-based user authentication scheme for smartphones. Our scheme delivers one-shot-cum-continuous authentication: it authenticates users not only at the start of the application sign-in process but also throughout the active user session. The scheme leverages the widely used PIN/password-based authentication technology by giving users the flexibility to enter any random 8-digit alphanumeric text instead of a pre-configured PIN/password. Internally, the scheme exploits two behavioral biometric traits, i.e., the touch-timing differences of the entered strokes and the hand-movement gesture recorded during the random text entry, to authenticate users. For the entire user session, the scheme continuously authenticates the user by computing a risk score every time the user initiates a sensitive activity. If the risk score is higher than the predefined threshold, the current user session terminates and the scheme requests the user to re-authenticate. Thus, our scheme serves three main objectives. Firstly, it offers users the flexibility to enter an 8-digit random alphanumeric text as their secret, enhancing the usability of PIN/password-based schemes. Secondly, it strengthens the security of PIN/password-based schemes, as the verification decision is not binary, and mimicking the invisible touch-timings and hand-movements simultaneously could be extremely difficult, as our security analysis determined. Lastly, the scheme does not require any dedicated device (e.g., a smart token for OTP generation) for 2-factor authentication. The results obtained on 11,400 user samples (collected during 3 days of in-the-wild testing) and the user-experience responses (received from the Software Usability Scale survey) of 95 testers demonstrate that our scheme is an accurate and acceptable user authentication scheme.
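The one-shot-cum-continuous flow described in the abstract, written out as an added illustrative example (this is not the paper's code, nor the authors' classifier). The page gives neither the verifier nor the risk formula, so both are assumptions here: the match score is the fraction of features that fall within two standard deviations of the enrolled mean, and the risk score is the sensitivity of the requested activity scaled by the behavioral mismatch. The enrolled template, the key-down timestamps and the accelerometer traces are constructed values; the names `Template`, `Session`, `feature_vector`, `match_score` and `risk_score` are this example's own.

```python
"""Risk-driven one-shot-cum-continuous session, illustrative only (not the paper's code).

Assumptions, since the page gives neither the classifier nor the risk formula:
- verifier: fraction of features within `tolerance` standard deviations of the enrolled mean
- risk score: activity sensitivity (0..1) scaled by the behavioral mismatch (1 - match score)
"""
import math
from dataclasses import dataclass
from typing import Sequence

Triple = tuple[float, float, float]  # one accelerometer sample (x, y, z)


@dataclass(frozen=True)
class Template:
    """Enrolled behavioral profile: per-feature mean and standard deviation."""
    means: Sequence[float]
    stds: Sequence[float]


def feature_vector(key_times: Sequence[float], motion: Sequence[Triple]) -> list[float]:
    """Features of one 8-character entry: the 7 touch-timing differences between
    consecutive key-down timestamps, plus mean and std of the acceleration magnitude
    recorded while the text was typed (the hand-movement gesture)."""
    intervals = [b - a for a, b in zip(key_times, key_times[1:])]
    mags = [math.sqrt(x * x + y * y + z * z) for x, y, z in motion]
    mean = sum(mags) / len(mags)
    std = math.sqrt(sum((m - mean) ** 2 for m in mags) / len(mags))
    return intervals + [mean, std]


def match_score(template: Template, features: Sequence[float], tolerance: float = 2.0) -> float:
    """Assumed verifier: share of features within `tolerance` std of the enrolled mean.
    The result is a graded score, not a yes/no, which is what the risk check consumes."""
    if len(features) != len(template.means):
        return 0.0  # malformed sample (e.g. wrong text length) never matches
    hits = sum(
        1 for m, s, f in zip(template.means, template.stds, features)
        if abs(f - m) <= tolerance * max(s, 1e-9)
    )
    return hits / len(features)


def risk_score(sensitivity: float, score: float) -> float:
    """Assumed risk model: the more sensitive the activity and the weaker the
    behavioral match, the higher the risk."""
    return sensitivity * (1.0 - score)


class Session:
    """One-shot sign-in followed by per-activity risk checks for the whole session."""

    def __init__(self, template: Template, sign_in_threshold: float = 0.7,
                 risk_threshold: float = 0.5) -> None:
        self.template = template
        self.sign_in_threshold = sign_in_threshold
        self.risk_threshold = risk_threshold
        self.active = False

    def sign_in(self, key_times: Sequence[float], motion: Sequence[Triple]) -> bool:
        """One-shot phase: any random 8-character text is accepted; only how it was
        typed (timing and hand movement) is verified, never the text itself."""
        score = match_score(self.template, feature_vector(key_times, motion))
        self.active = score >= self.sign_in_threshold
        return self.active

    def request(self, sensitivity: float, key_times: Sequence[float],
                motion: Sequence[Triple]) -> str:
        """Continuous phase: a fresh behavioral sample accompanies each sensitive
        activity; a risk score above the threshold ends the session."""
        if not self.active:
            return "NOT_AUTHENTICATED"
        score = match_score(self.template, feature_vector(key_times, motion))
        if risk_score(sensitivity, score) > self.risk_threshold:
            self.active = False  # terminate; the user must re-authenticate
            return "TERMINATED_REAUTH_REQUIRED"
        return "ALLOWED"


# Constructed data: an enrolled template and two 8-key entries with accelerometer traces.
TEMPLATE = Template(
    means=[0.30, 0.25, 0.35, 0.28, 0.32, 0.27, 0.30, 9.9, 0.4],
    stds=[0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.05, 0.3, 0.1],
)
GENUINE_KEYS = [0.00, 0.31, 0.55, 0.92, 1.19, 1.50, 1.78, 2.07]
GENUINE_MOTION = [(0.0, 0.0, 9.5), (0.0, 0.0, 10.3), (0.0, 0.0, 9.5), (0.0, 0.0, 10.3)]
IMPOSTOR_KEYS = [0.00, 0.50, 0.90, 1.60, 2.00, 2.60, 3.00, 3.70]  # slower, uneven rhythm
IMPOSTOR_MOTION = [(0.0, 0.0, 9.9)] * 4  # phone held perfectly still


def demo() -> list[str]:
    """Walk a session through sign-in, a benign action, and a session takeover."""
    session = Session(TEMPLATE)
    assert session.sign_in(GENUINE_KEYS, GENUINE_MOTION)
    return [
        session.request(0.9, GENUINE_KEYS, GENUINE_MOTION),    # owner, sensitive: allowed
        session.request(0.2, IMPOSTOR_KEYS, IMPOSTOR_MOTION),  # low-risk action: tolerated
        session.request(0.9, IMPOSTOR_KEYS, IMPOSTOR_MOTION),  # sensitive + mismatch: ended
        session.request(0.1, GENUINE_KEYS, GENUINE_MOTION),    # session gone until re-auth
    ]


if __name__ == "__main__":
    print(demo())
```

The third request in `demo()` is the case the abstract describes: the same behavioral mismatch that was tolerated for a low-sensitivity action pushes the risk score over the threshold once a sensitive activity is requested, so the session is torn down and every later request is refused until a fresh one-shot sign-in succeeds.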
References
Statista. (2018). What authentication methods do you usually use when logging in to your main bank? https://www.statista.com/statistics/786638/online-banking-authentication-security-methods-usage-united-kingdom/. online web resource.
Gupta, S., Buriro, A., Crispo, B. (2019). DriverAuth: Behavioral biometric-based driver authentication mechanism for on-demand ride and ridesharing infrastructure. ICT Express, 5(1), 16–20.
Katsini, C., Belk, M., Fidas, C., Avouris, N., Samaras, G. (2016). Security and usability in knowledge-based user authentication: A review. In Proceedings of the 20th Pan-Hellenic conference on informatics (p. 63): ACM.
Aviv, A.J., Gibson, K.L., Mossop, E., Blaze, M., Smith, J.M. (2010). Smudge attacks on smartphone touch screens. Woot, 10, 1–7.
Ye, G., Tang, Z., Fang, D., Chen, X., Kim, K.I., Taylor, B., Wang, Z. (2017). Cracking Android pattern lock in five attempts. In Proceedings of the 2017 Network and Distributed System Security Symposium (NDSS’17).
CAPEC Release 1.6. (2016). Common Attack Pattern Enumeration and Classification, online web resource.
Bhattasali, T., Saeed, K., Chaki, N., Chaki, R. (2014). A survey of security and privacy issues for biometrics based remote authentication in cloud. In Proceeding of IFIP International conference on computer information systems and industrial management (pp. 112–121): Springer.
Zhang-Kennedy, L., Chiasson, S., van Oorschot, P. (2016). Revisiting password rules: facilitating human management of passwords. In Proceedings of APWG symposium on electronic crime research (eCrime) (pp. 1–10): IEEE.
Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S. (2011). Of passwords and people: measuring the effect of password-composition policies. In Proceedings of the SIGCHI conference on human factors in computing systems (pp. 2595–2604): ACM.
Shila, D.M., & Srivastava, K. (2018). Castra: Seamless and unobtrusive authentication of users to diverse mobile services. IEEE Internet of Things Journal, 5(5), 4042–4057.
Gupta, S., Buriro, A., Crispo, B. (2018). Demystifying authentication concepts in smartphones: Ways and types to secure access. Mobile Information Systems, 2018.
Gupta, S. (2020). Next-generation user authentication schemes for IoT applications. Ph.D. dissertation, University of Trento, Italy.
Halunen, K., Häikiö, J., Vallivaara, V. (2017). Evaluation of user authentication methods in the gadget-free world. Pervasive and Mobile Computing, 40, 220–241.
Ometov, A., Bezzateev, S., Mäkitalo, N., Andreev, S., Mikkonen, T., Koucheryavy, Y. (2018). Multi-factor authentication: a survey. Cryptography, 2(1), 1.
Gupta, S., Buriro, A., Crispo, B. (2019). SmartHandle: A novel behavioral biometric-based authentication scheme for smart lock systems. In Proceedings of the 3rd international conference on biometric engineering and applications: ACM.
Rui, Z., & Yan, Z. (2019). A survey on biometric authentication: Toward secure and privacy-preserving identification. IEEE Access, 7, 5994–6009.
National Research Council, Whither Biometrics Committee. (2010). Biometric recognition: challenges and opportunities. Washington: National Academies Press.
European Commission. Principles of the GDPR, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr_en, Accessed on 16-08-2020, online web resource.
California Legislature. AB-375 Privacy: personal information: businesses, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375, Accessed on 16-08-2020, online web resource.
Krausová, A. (2018). Online behavior recognition: Can we consider it biometric data under GDPR? Masaryk University Journal of Law and Technology, 12, 161.
Minaee, S., Abdolrashidi, A., Su, H., Bennamoun, M., Zhang, D. (2019). Biometric recognition using deep learning: A survey. arxiv:1912.00271.
Neal, T.J., & Woodard, D.L. (2016). Surveying biometric authentication for mobile device security. J Pattern Recognit Res, 1, 74–110.
Still, J.D., Cain, A., Schuster, D. (2017). Human-centered authentication guidelines. Information & Computer Security.
Gupta, S., & Crispo, B. (2019). A perspective study towards biometric-based rider authentication schemes for driverless taxis. In Proceedings of the international conference on innovation and intelligence for informatics, computing, and technologies (3ICT). IEEE (pp. 1–6).
Buriro, A., Akhtar, Z., Crispo, B., Gupta, S. (2017). Mobile biometrics: Towards a comprehensive evaluation methodology. In Proceedings of the international carnahan conference on security technology (ICCST) (pp. 1–6): IEEE.
Gupta, S., Buriro, A., Crispo, B. (2019). A risk-driven model to minimize the effects of human factors on smart devices. In Proceedings of the international workshop on emerging technologies for authorization and authentication (pp. 156–170): Springer.
Deloitte Insights. (2013). Risk-based authentication: A primer, https://deloitte.wsj.com/cio/2013/10/30/risk-based-authentication-a-primer/, online web resource.
OWASP. (2016). OWASP Mobile Security Project, https://www.owasp.org/index.php/OWASP_Mobile_Security_Project, accessed: Dec. 2016, online web resource.
Android. (2018). Developers guide: SensorEvent, https://developer.android.com/reference/android/hardware/SensorEvent.html, online web resource.
Buriro, A., Gupta, S., Crispo, B. (2017). Evaluation of motion-based touch-typing biometrics in online financial environments. In BIOSIG, Vol. 2017.
Pires, I., Garcia, N., Pombo, N., Flórez-Revuelta, F. (2016). From data acquisition to data fusion: a comprehensive review and a roadmap for the identification of activities of daily living using mobile devices. Sensors, 16(2), 184.
Han, J., Pei, J., Kamber, M. (2011). Data mining: concepts and techniques. Amsterdam: Elsevier.
Demuth, H.B., Beale, M.H., De Jess, O., Hagan, M.T. (2014). Neural network design. Stillwater: Martin Hagan.
Breiman, L. (2001). Random forests. Machine Learning, 45(1), 5–32.
Buriro, A., Crispo, B., Gupta, S., Del Frari, F. (2018). DialerAuth: A motion-assisted touch-based smartphone user authentication scheme. In Proceedings of the eighth ACM conference on data and application security and privacy (pp. 267–276): ACM.
ISO 9000:2015. (2015). Quality management systems — fundamentals and vocabulary, https://www.iso.org/obp/ui/#iso:std:iso:9000:ed-4:v1:en, online web resource.
Wu, T., Blackhurst, J., & Chidambaram, V. (2006). A model for inbound supply risk analysis. Computers in Industry, 57(4), 350–365.
Fawcett, T. (2004). ROC graphs: Notes and practical considerations for researchers. Machine Learning, 31(1), 1–38.
Usability.gov. (2018). System usability scale (SUS), https://www.usability.gov/how-to-and-tools/methods/system-usability-scale.html, online web resource.
Trewin, S., Swart, C., Koved, L., Martino, J., Singh, K., Ben-David, S. (2012). Biometric authentication on a mobile device: a study of user effort, error and task disruption. In Proceedings of the 28th annual computer security applications conference (pp. 159–168): ACM.
Nguyen, T.V., Sae-Bae, N., Memon, N. (2017). Draw-a-pin. Computers and Security, 66 (C), 115–128.
Buriro, A., Crispo, B., DelFrari, F., Wrona, K. (2016). Hold and sign: A novel behavioral biometrics for smartphone user authentication. In Proceeding of IEEE security and privacy workshops (SPW) (pp. 276–285): IEEE.
Sauro, J. (2011). Measuring usability with the system usability scale (sus).
Ritchie, R., Rubino, D., Michaluk, K., Nickinson, P. (2013). The future of authentication: Biometrics, multi-factor, and co-dependency, https://www.androidcentral.com/talk-mobile/future-authentication-biometrics-multi-factor-and-co-dependency-talk-mobile. online web resource.
Bhana, B., & Flowerday, S. (2020). Passphrase and keystroke dynamics authentication: Usable security. Computers & Security, 101925.
De Luca, A., Hang, A., Brudy, F., Lindner, C., Hussmann, H. (2012). Touch me once and I know it’s you!: implicit authentication based on touch screen patterns. In Proceedings of the SIGCHI conference on human factors in computing systems (pp. 987–996): ACM.
Feng, T., Liu, Z., Kwon, K.-A., Shi, W., Carbunar, B., Jiang, Y., Nguyen, N. (2012). Continuous mobile authentication using touchscreen gestures. In Proceeding of IEEE conference on technologies for homeland security (HST). IEEE (pp. 451–456).
Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D. (2013). Touchalytics: on the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Transactions on Information Forensics and Security, 8(1), 136–148.
Sae-Bae, N., Memon, N., Isbister, K., Ahmed, K. (2014). Multitouch gesture-based authentication. IEEE Transactions on Information Forensics and Security, 9(4), 568–582.
Xu, H., Zhou, Y., Lyu, M. R. (2014). Towards continuous and passive authentication via touch biometrics: An experimental study on smartphones. In Proceedings of symposium on usable privacy and security (SOUPS), (Vol. 14 pp. 187–198).
Mantyjarvi, J., Lindholm, M., Vildjiounaite, E., Makela, S.-M., & Ailisto, H. (2005). Identifying users of portable devices from gait pattern with accelerometers. In Proceedings of IEEE international conference on acoustics, speech, and signal processing (ICASSP), (Vol. 2 pp. ii–973): IEEE.
Li, L., Zhao, X., Xue, G. (2013). Unobservable re-authentication for smartphones. In Proceedings of NDSS, (Vol. 56 pp. 57–59).
Zhu, J., Wu, P., Wang, X., Zhang, J. (2013). SenSec: Mobile security through passive sensing. In Proceedings of the international conference on computing, networking and communications (ICNC) (pp. 1128–1133): IEEE.
Shi, W., Yang, J., Jiang, Y., Yang, F., Xiong, Y. (2011). SenGuard: Passive user identification on smartphones using multiple sensors. In Proceedings of the 7th international conference on wireless and mobile computing, networking and communications (WiMob) (pp. 141–148): IEEE.
Buriro, A., Crispo, B., Del Frari, F., Wrona, K. (2015). Touchstroke: smartphone user authentication based on touch-typing biometrics. In Proceeding of international conference on image analysis and processing (pp. 27–34): Springer.
Sitová, Z., Šeděnka, J., Yang, Q., Peng, G., Zhou, G., Gasti, P., Balagani, K.S. (2016). HMOG: New behavioral biometric features for continuous authentication of smartphone users. IEEE Transactions on Information Forensics and Security, 11(5), 877–892.
Conti, M., Zachia-Zlatea, I., Crispo, B. (2011). Mind how you answer me!: transparently authenticating the user of a smartphone when answering or placing a call. In Proceedings of the 6th ACM symposium on information computer and communications security (pp. 249–259): ACM.
Giuffrida, C., Majdanik, K., Conti, M., Bos, H. (2014). I sensed it was you: authenticating mobile users with sensor-enhanced keystroke dynamics. In Proceeding of international conference on detection of intrusions and malware, and vulnerability assessment (pp. 92–111): Springer.
Buriro, A., Crispo, B., Eskandri, M., Gupta, S., Mahboob, A., Van Acker, R. (2018). Snap auth: a gesture-based unobtrusive smartwatch user authentication scheme. In Proceedings of the international workshop on emerging technologies for authorization and authentication (pp. 30–37): Springer.
Schneier, B. (2013). Risk-based authentication, https://www.schneier.com/blog/archives/2013/11/risk-based_auth.html. online web resource.
Butler, M., & Butler, R. (2015). Investigating the possibility to use differentiated authentication based on risk profiling to secure online banking. Information & Computer Security, 23(4), 421–434.
Traoré, I., & Ahmed, A. A. E. (2011). Introduction to continuous authentication. In Continuous authentication using biometrics: data, models, and metrics (p. 1).
IBM. (2016). IBM Trusteer, http://www-03.ibm.com/software/products/en/category/advanced-fraud-protection, online web resource.
IBM. (2016). IBM Tivoli Federated Identity Manager, https://www.ibm.com/support/knowledgecenter/en/SSZSXU_6.2.2.7/com.ibm.tivoli.fim.doc_6227/rbaOverview.html, online web resource.
Sepczuk, M., & Kotulski, Z. (2018). A new risk-based authentication management model oriented on user’s experience. Computers & Security, 73, 17–33.
Preuveneers, D., & Joosen, W. (2015). SmartAuth: dynamic context fingerprinting for continuous user authentication. In Proceedings of the 30th annual ACM symposium on applied computing (pp. 2185–2191): ACM.
Hintze, D., Koch, E., Scholz, S., Mayrhofer, R. (2016). Location-based risk assessment for mobile authentication. In Proceedings of the 2016 ACM international joint conference on pervasive and ubiquitous computing: Adjunct (pp. 85–88): ACM.
Haimes, Y.Y. (2015). Risk modeling, assessment, and management. Hoboken: Wiley.
Acknowledgments
This project has received funding from the European Union’s Horizon 2020 research and innovation programme DS 2018-2019-2020 as part of the E-Corridor project (www.e-corridor.eu) under grant agreement No 883135.
Appendices
Appendix A: Comparison of user authentication schemes
Study | Features | Evaluation | Participants | Performance |
---|---|---|---|---|
[46] | Touch features X and Y coordinates, touch-pressure, the size of touch and the time offset. | DTW | 48 | FRR: 19% and FAR: 21% |
[47] | X & Y coordinates, the direction of finger motion, the pressure at each sample touch-point, and the distance between multi-touch points. Digital gloves add angular values from X, Y and Z direction in addition to roll, pitch, and yaw values. | Decision tree, Random Forest and Bayes net classifier. | 40 | FRR: 0.13% and FAR: 4.66% |
[48] | Touchscreen gestures like navigational movements. (e.g., horizontal/vertical strokes) | KNN classifier and SVM with Gaussian Radial Basis Function (RBF) kernel | 41 | EER: < 4% |
[49] | Single and multi-touch gestures, combining static counter-clockwise rotation and closed and opened gestures with all five fingertips. | Pairwise distance calculation and score calculation | 34 | EER: 7.88% (Single), 1.58% (Combined) |
[50] | Simple touch actions, i.e., keystroke, sliding, pinch, and handwriting to extract features like coordinates, pressure, size, etc. | SVM classifier using RBF kernel | 30 | EER: 0.75% (Sliding gesture) |
[54] | Extracts finger movements and touch features using accelerometer, touch screen, voice and location data | Naive Bayes classifier | 7 | TPR: 95.78% |
[52] | Extracted touch positions, touch pressure, touch area, moving direction, distance, duration, average moving direction and curvature, average curvature distance, average pressure, average touch-area, max-area portion, min-area portion. | SVM classifier | 75 | Accuracy: 95.78% |
[53] | Construct feature vectors from X, Y, Z values acquired from sensors and clustered them into V classes using K-means algorithm. | Continuous n-gram language model | 20 | Accuracy: 75% |
[58] | Extract statistical features for touch dynamics from the raw data acquired from the sensors. | Distance metrics: Euclidean, Euclidean normed, Manhattan, Manhattan scaled. | 20 | EER: 4.97% (fixed-text passwords), 0.08% (sensor data) |
[63] | Static, contextual, and analytically calculated attributes | Provides policy rules that determine whether an access request must be permitted, denied, or challenged. | - | Calculates a risk score based on multiple weighted attributes |
[67] | User location and contextual data are associated with different risk assessments, and user authentication is applied accordingly. | Risk-aware authentication as per the user location. | - | CORMORANT Framework |
[66] | Acquires language, color depth, screen resolution, timezone, platform, plugins, etc., plus IP address range, time of access, geolocation, request headers, etc. | Adaptive and dynamic context fingerprinting based on Hoeffding trees | - | SmartAuth continuously assesses the risk of fraudulent activities during long-lived authenticated user sessions. |
Appendix B: Demographic Questionnaire
1. What is your gender?
   - Male
   - Female
   - I don’t want to disclose
2. How old are you?
   - ≤ 20 years.
   - > 20 years and ≤ 40 years.
   - > 40 years and ≤ 60 years.
   - > 60 years.
   - I don’t want to disclose
3. Tell us about your nationality.
   - __________________________
   - I don’t want to disclose
4. Which hand(s) do you use for interacting with your smartphone?
   - Right
   - Left
   - Both
   - I don’t want to disclose
Appendix C: TAR comparison of RF classifier for individual users in 3 activities
Cite this article
Buriro, A., Gupta, S., Yautsiukhin, A. et al. Risk-Driven Behavioral Biometric-based One-Shot-cum-Continuous User Authentication Scheme. J Sign Process Syst 93, 989–1006 (2021). https://doi.org/10.1007/s11265-021-01654-2