More Web Proxy on the site http://driver.im/

research-article

Public Access

Challenge-response behavioral mobile authentication: a comparative study of graphical patterns and cognitive games

Authors:

Prakash Shrestha,

Nitesh SaxenaAuthors Info & Claims

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

Pages 355 - 365

https://doi.org/10.1145/3359789.3359838

Published: 09 December 2019 Publication History

Abstract

The most researched behavioral biometrics for mobile device authentication involves the use of touch gestures as the user enters a graphical pattern password (like the one used on Android) or otherwise interacts with the device. However, due to the inherent static nature of these schemes, they are vulnerable to impersonation attacks. In this paper, we investigate challenge-response mechanisms to address this security vulnerability underlying the traditional static biometric schemes. We study the performance, security, and usability of two schemes of such challenge-response interactive biometric authentication geared for mobile devices and contrast them to static graphical pattern based biometrics. The first scheme is based on random graphical patterns. The second scheme, recently introduced for PC class of devices (not mobile), is based on a simple cognitive game involving semantic interactive random challenges. Our results show that the accuracy of user identification with these approaches is similar to static pattern based biometric scheme. Finally, we argue that utilizing interactivity and randomization significantly enhance the security against impersonation attacks. As an independent result, our work demonstrates that the use of motion sensors available on mobile device serves to improve the identification accuracy of schemes that only use touch-based gestures (static and interactive).

References

[1]

Zahid Akhtar, Attaullah Buriro, Bruno Crispo, and Tiago H Falk. 2017. Multimodal smartphone user authentication using touchstroke, phone-movement and face patterns. In 2017 IEEE Global Conference on Signal and Information Processing (GlobalSIP). IEEE, 1368--1372.

[2]

Asadullah Al Galib and Reihaneh Safavi-Naini. 2015. User Authentication Using Human Cognitive Abilities. In Financial Cryptography and Data Security. Springer, 254--271.

[3]

Abdulaziz Alzubaidi and Jugal Kalita. 2016. Authentication of smartphone users using behavioral biometrics. IEEE Communications Surveys & Tutorials 18, 3 (2016), 1998--2026.

Digital Library

[4]

Panagiotis Andriotis, Theo Tryfonas, George Oikonomou, and Can Yildiz. 2013. A pilot study on the security of pattern screen-lock methods and soft side channel attacks. In Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks. ACM, 1--6.

Digital Library

[5]

Real User Personal Authentication. 2004. The Science Behind Passfaces. White Paper, June (2004).

[6]

Adam J Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M Smith. 2010. Smudge Attacks on Smartphone Touch Screens. WOOT 10 (2010), 1--7.

Digital Library

[7]

Robert Biddle, Sonia Chiasson, and Paul Van Oorschot. 2009. Graphical passwords: Learning from the first generation. In Technical Report TR-09-09, School of Computer Science, Carleton University.

[8]

John Brooke. 1996. SUS: a "Quick and Dirty" Usability Scale. In Usability Evaluation in Industry, P. W. Jordan, B. Thomas, B. A. Weerdmeester, and A. L. McClelland (Eds.). Taylor and Francis, London.

[9]

Attaullah Buriro, Bruno Crispo, and Mauro Conti. 2019. AnswerAuth: A bimodal behavioral biometric-based user authentication scheme for smartphones. Journal of information security and applications 44 (2019), 89--103.

[10]

Attaullah Buriro, Bruno Crispo, Sandeep Gupta, and Filippo Del Frari. 2018. Dialerauth: A motion-assisted touch-based smartphone user authentication scheme. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. ACM, 267--276.

Digital Library

[11]

Attaullah Buriro, Bruno Crispo, and Yury Zhauniarovich. 2017. Please hold on: Unobtrusive user authentication using smartphone's built-in sensors. In 2017 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA). IEEE, 1--8.

[12]

P Campisi, E Maiorana, M Lo Bosco, and A Neri. 2009. User authentication using keystroke dynamics for cellular phones. IET Signal Processing 3, 4 (2009).

[13]

Kuan-Ta Chen and Li-Wen Hong. 2007. User identification based on game-play activity patterns. In Proceedings of the 6th ACM SIGCOMM workshop on Network and system support for games. ACM, 7--12.

Digital Library

[14]

Mauro Conti, Irina Zachia-Zlatea, and Bruno Crispo. 2011. Mind how you answer me!: transparently authenticating the user of a smartphone when answering or placing a call. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 249--259.

Digital Library

[15]

Alexander De Luca, Alina Hang, Frederik Brudy, Christian Lindner, and Heinrich Hussmann. 2012. Touch Me Once and I Know It's You!: Implicit Authentication Based on Touch Screen Patterns. In SIGCHI Conference on Human Factors in Computing Systems (CHI).

[16]

Paul Dunphy and Jeff Yan. 2007. Do background images improve "draw a secret" graphical passwords?. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security. ACM, 36--47.

Digital Library

[17]

Clayton Epp, Michael Lippold, and Regan L Mandryk. 2011. Identifying emotional states using keystroke dynamics. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 715--724.

Digital Library

[18]

M. Frank, R. Biedert, E. Ma, I. Martinovic, and D. Song. 2013. Touchalytics: On the Applicability of Touchscreen Input as a Behavioral Biometric for Continuous Authentication. IEEE Transactions on Information Forensics and Security (2013).

Digital Library

[19]

Hugo Gascon, Sebastian Uellenbeck, Christopher Wolf, and Konrad Rieck. 2014. Continuous Authentication on Mobile Devices by Analysis of Typing Motion Behavior. In Sicherheit.

[20]

Abdenour Hadid, Nicholas Evans, Sébastien Marcel, and Julian Fierrez. 2015. Biometrics systems under spoofing attack: an evaluation methodology and lessons learned. IEEE Signal Processing Magazine 32, 5 (2015), 20--30.

[21]

Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. 1999. The design and analysis of graphical passwords. In SSYM'99: Proceedings of the 8th conference on USENIX Security Symposium.

[22]

Wei-Han Lee and Ruby B Lee. 2017. Implicit smartphone user authentication with sensors and contextual machine learning. In 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 297--308.

[23]

Lingjun Li, Xinxin Zhao, and Guoliang Xue. 2013. Unobservable Re-authentication for Smartphones. In Network and Distributed System Security Symposium (NDSS).

[24]

Roy A Maxion and Kevin S Killourhy. 2010. Keystroke biometrics with number-pad input. In Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on. IEEE, 201--210.

[25]

William Melicher, Darya Kurilova, Sean M Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Michelle L Mazurek. 2016. Usability and security of text passwords on mobile devices. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems. ACM, 527--539.

Digital Library

[26]

Manar Mohamed, Niharika Sachdeva, Michael Georgescu, Song Gao, Nitesh Saxena, Chengcui Zhang, Ponnurangam Kumaraguru, Paul C van Oorschot, and Wei-Bang Chen. 2014. A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In Proceedings of the 9th ACM symposium on Information, computer and communications security. ACM, 195--206.

Digital Library

[27]

Manar Mohamed and Nitesh Saxena. 2016. Gametrics: Strong Behavioral Authentication with Simple Cognitive Games. In Computer Security Applications Conference (ACSAC).

Digital Library

[28]

Manar Mohamed, Babins Shrestha, and Nitesh Saxena. 2016. SMASheD: Sniffing and Manipulating Android Sensor Data. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. ACM, 152--159.

Digital Library

[29]

Adrian Perrig and Dawn Song. 1999. Hash Visualization: a New Technique to Improve Real-World Security. In CrypTEC.

[30]

Jeff Sauro. 2015. Measuring Usability with the System Usability Scale (SUS). February 2, 2011. URL http://www.measuringusability.com/sus.php (2015).

[31]

Florian Schaub, Ruben Deyhle, and Michael Weber. 2012. Password entry usability and shoulder surfing susceptibility on different smartphone platforms. In Proceedings of the 11th international conference on mobile and ubiquitous multimedia. ACM.

Digital Library

[32]

Abdul Serwadda and Vir V Phoha. 2013. When kids' toys breach mobile phone security. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 599--610.

Digital Library

[33]

Muhammad Shahzad, Alex X Liu, and Arjmand Samuel. 2013. Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In Proceedings of the 19th annual international conference on Mobile computing & networking. ACM, 39--50.

Digital Library

[34]

Youngbae Song, Geumhwan Cho, Seongyeol Oh, Hyoungshick Kim, and Jun Ho Huh. 2015. On the effectiveness of pattern lock strength meters: Measuring the strength of real world pattern locks. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. ACM, 2343--2352.

Digital Library

[35]

Xiaoyuan Suo, Ying Zhu, and G Scott Owen. 2005. Graphical passwords: A survey. In 21st Annual Computer Security Applications Conference (ACSAC'05). IEEE.

Digital Library

[36]

F. Tari, A. Ant Ozok, and S. H. Holden. 2006. A Comparison of Perceived and Real Shoulder-surfing Risks Between Alphanumeric and Graphical Passwords. In SOUPS: Proceedings of the second symposium on Usable privacy and security.

[37]

Chee Meng Tey, Payas Gupta, and Debin Gao. 2013. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. In The 20th Annual Network & Distributed System Security Symposium (NDSS 2013).

[38]

Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. 2013. Quantifying the security of graphical passwords: the case of android unlock patterns. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 161--172.

Digital Library

[39]

Toan Van Nguyen, Napa Sae-Bae, and Nasir Memon. 2017. DRAW-A-PIN: Authentication using finger-drawn PIN on touch devices. computers & security 66 (2017), 115--128.

[40]

Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, and Nasir D. Memon. 2005. PassPoints: Design and Longitudinal Evaluation of a Graphical Password System. In International Journal of Human Computer Studies.

[41]

Susan Wiedenbeck, Jim Waters, Leonardo Sobrado, and Jean-Camille Birget. 2006. Design and Evaluation of a Shoulder-surfing Resistant Graphical Password Scheme. In Proceedings of the working conference on Advanced visual interfaces (AVI).

Digital Library

Cited By

Huang LWang C(2025)Biometric Encoding for Replay-Resistant Smartphone User Authentication Using HandgripsIEEE Transactions on Mobile Computing10.1109/TMC.2024.347467324:2(1230-1248)Online publication date: Feb-2025
https://doi.org/10.1109/TMC.2024.3474673
Cambou BPhilabaum CHoffstein JHerlihy M(2023)Methods to Encrypt and Authenticate Digital Files in Distributed Networks and Zero-Trust EnvironmentsAxioms10.3390/axioms1206053112:6(531)Online publication date: 29-May-2023
https://doi.org/10.3390/axioms12060531
Huang LWang C(2022)PCR-Auth: Solving Authentication Puzzle Challenge with Encoded Palm Contact Response2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833564(1034-1048)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833564
Show More Cited By

Index Terms

Challenge-response behavioral mobile authentication: a comparative study of graphical patterns and cognitive games
1. Security and privacy
  1. Security services
    1. Authentication

Recommendations

Forgery-Resistant Touch-based Authentication on Mobile Devices
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

Mobile devices store a diverse set of private user data and have gradually become a hub to control users' other personal Internet-of-Things devices. Access control on mobile devices is therefore highly important. The widely accepted solution is to ...
Brain Password: A Secure and Truly Cancelable Brain Biometrics for Smart Headwear
MobiSys '18: Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services

In recent years, biometric techniques (e.g., fingerprint or iris) are increasingly integrated into mobile devices to offer security advantages over traditional practices (e.g., passwords and PINs) due to their ease of use in user authentication. However, ...
User Input Pattern-Based Authentication Method to Prevent Mobile E-Financial Incidents
ISPAW '11: Proceedings of the 2011 IEEE Ninth International Symposium on Parallel and Distributed Processing with Applications Workshops

Owing to the increase in the use of mobile banking services, mobile banking has become an attractive target for attackers. Even though many security measures are taken with current mobile services, some threats against mobile devices such as physical ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

December 2019

821 pages

ISBN:9781450376280

DOI:10.1145/3359789

Conference Chair:
David Balenson
SRI International

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 December 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation
Google Faculty Research Award

Conference

ACSAC '19

ACSAC '19: 2019 Annual Computer Security Applications Conference

December 9 - 13, 2019

Puerto Rico, San Juan, USA

Acceptance Rates

ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
437
Total Downloads

Downloads (Last 12 months)108
Downloads (Last 6 weeks)23

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Huang LWang C(2025)Biometric Encoding for Replay-Resistant Smartphone User Authentication Using HandgripsIEEE Transactions on Mobile Computing10.1109/TMC.2024.347467324:2(1230-1248)Online publication date: Feb-2025
https://doi.org/10.1109/TMC.2024.3474673
Cambou BPhilabaum CHoffstein JHerlihy M(2023)Methods to Encrypt and Authenticate Digital Files in Distributed Networks and Zero-Trust EnvironmentsAxioms10.3390/axioms1206053112:6(531)Online publication date: 29-May-2023
https://doi.org/10.3390/axioms12060531
Huang LWang C(2022)PCR-Auth: Solving Authentication Puzzle Challenge with Encoded Palm Contact Response2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833564(1034-1048)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833564
Mayrhofer RSigg S(2021)Adversary Models for Mobile Device AuthenticationACM Computing Surveys10.1145/347760154:9(1-35)Online publication date: 8-Oct-2021
https://dl.acm.org/doi/10.1145/3477601

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten