While the present disclosure is susceptible to various modifications and alternative forms, specific embodiments or implementations have been shown by way of example in the drawings and will be described in detail herein. It should be understood, however, that the disclosure is not intended to be limited to the particular forms disclosed. Rather, the disclosure is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of an invention as defined by the appended claims.
While the below description is written for mobile devices, it would be apparent to one having skill in the art that the embodiments described below could equally be applied to fixed or stationary devices and terminals with sensors as well.
Mobile devices such as smartphones, tablets and including wearable computing devices such as Google® Glass are vulnerable to being used by unauthorized individuals. Examples of unauthorized individuals include:                a thief who steals a mobile device from a purse on a subway,        a romantic partner checking text messages for signs of an affair,        a person who obtains user credentials such as passwords or other explicit identifiers from other sources without consent, or        a child looking to play games.        
Mobile device users run serious risks when unauthorized users obtain access to such devices. These risks include fraud, theft, and release of private data. Therefore, there is a need for strong authentication for mobile devices.
Explicit and Implicit Authentication Schemes
Many users use explicit authentication schemes that are protected by a variety of mechanisms including personal identification numbers (PINs), passwords, gestures, and fingerprints, for primary authentication of mobile devices. As an example, similar to the use of lock screens in desktop-oriented operating systems, mobile devices such as smartphones all include, at the very least, a text-based lock screen authentication option.
Such explicit authentication schemes suffer from disadvantages when used as “stand-alone” primary authentication schemes.
For example, while lock screens can provide significant protections when properly used, they can also degrade the usability of a device for the following reasons. Firstly, several factors specific to mobile devices make text-based lock screen authentication less usable and secure than on desktop or notebook computers. For example, modern smartphones primarily employ touch-based on-screen keyboards that require switching between multiple screens in order to access infrequently used characters and use text prediction to improve typing accuracy. Good passwords, however, are long strings of characters that cannot be easily predicted and include multiple infrequently used characters. Secure passwords are thus hard to enter on smartphones.
PIN-based lock screens have advantages over text-based lock screens, as PINs are simpler to enter due to the larger, and fewer, buttons that are needed, and their shorter length. However, PINs are still not as easy to enter as on a physical keyboard. Furthermore, PINs are particularly easy for an attacker or impostor to observe, given their simplistic nature, by “shoulder surfing” or taking a video of a person typing in their PIN. Shoulder surfing is a significant problem as mobile devices such as smartphones are heavily used in public environments, places where an attacker/impostor can more easily observe PIN entry and steal a device.
The burden is so significant that many users forego the protection of lock screens. Even when users do use these explicit authentication schemes on a stand-alone basis, users may configure these schemes using weak credentials such as simple-to-enter passwords, or setting the device such that it locks itself infrequently.
A number of different approaches have been proposed to reduce the usability strain of text-based and PIN-based lock screen authentication mechanisms on mobile devices such as smartphones while maintaining high security. One popular alternative is a swipe pattern unlock screen, such as the standard Android pattern unlock interface. In the Android implementation, the password is an ordered series of connected points which the user connects by dragging their finger on the screen. While this is a usability improvement over text entry, the approach is still vulnerable to shoulder surfing by impostors, smudge attacks by impostors, as well as random guessing of common patterns.
Further, the protection provided is also incomplete, as some “unauthorized users” in fact, will know how to bypass the lock screen. For example, a user who obtains passwords or other explicit identifiers from other sources without consent may be able to bypass the lock screen.
Implicit authentication mechanisms provide a solution to overcome these problems when used as a primary authentication scheme. These mechanisms allow the device to identify the user without the user performing any explicit authentication actions. Some implicit authentication schemes for smartphones are based upon how users interact with a touchscreen. Implicit authentication schemes include how users hold the phone or may be based on a user's gait or movement.
To date, however, commercially available implicit authentication systems have offered only improved security guarantees, such as by ensuring the correct person is entering a PIN or password pattern, rather than the improved usability of a non-intrusive authentication system.
Biometric Approaches to Mobile Authentication: Static Biometrics
Biometrics have become an increasingly popular primary mobile authentication mechanism, especially in the past year with the introduction of fingerprint identification to Apple® iOS® Security and more recently Samsung smartphones.
Many primary authentication schemes use static biometrics, in that they are based upon one or more characteristics of the human body that remains stable over time. For example, fingerprint scanners, facial recognition systems, and eye scan-based authentication mechanisms are all commercially available for smartphones. Static biometrics generally have high true positive rates, that is, authorized users can easily unlock the device, and high true negative rates, that is, unauthorized users are rejected.
There are, however, limitations to using static biometrics as a primary mechanism. The first is that static biometric approaches require that the user take explicit action to authenticate themselves by exposing some part of their anatomy to a sensor. Such an explicit action is a distraction from the user's primary task, and as such frequent authentication checks will be unacceptable to most users. The second is that static biometrics can often be mimicked by impostors using relatively simple techniques known to those of skill in the art, for example, a picture of a person's face to fool a facial recognition sensor; or a latex finger to subvert a fingerprint scanner. This mimicry is fundamentally hard to stop because the primary sensor used is, essentially, a camera, and there are many ways of fooling cameras, and there are many ways of obtaining a copy of the original person's biometric data, for example, gathering fingerprints left elsewhere on a device.
Furthermore, some static biometrics may persist even when the user has either been killed or seriously injured by an impostor, such as, for example, retina scans and fingerprint authentication. Liveness detection, such as checking for blinking in an image while doing facial recognition, are, in practice, insignificant barriers to attackers because these sensors can also be defeated using means known to those of skill in the art.
While mimicry attacks against static biometrics is a concern, of greater concern are the extra steps required for authentication using static biometrics, similar to the problems posed by explicit authentication schemes. These authentication actions, no matter how simple, introduce friction that mobile device users will want to minimize, if not eliminate. A trade-off for lower security is often perceived as being worth the cost, at least until a device is compromised. This reduces the utility of static biometric approaches for primary authentication schemes.
Biometric Approaches to Mobile Authentication: Behavioral Biometrics
Biometrics in general distinguish users based upon invariants in “who they are.” As previously discussed, static biometrics are based upon invariants in physical characteristics. Another possible biometric approach for primary authentication, is by using dynamic biometrics.
Dynamic biometrics or behavioral biometrics are based upon invariants in an individual's behavior. Generally, this behavior is consistent because of subconscious factors affecting how human bodies operate. While some schemes are based upon characteristics that are primarily involuntary, such as heartbeats, neural signals and other brain activity recorded in response to a specific visual or auditory stimulus most are based upon behavior that is under more conscious control.
Behavioral biometrics are, in general, more challenging to develop and deploy than static biometrics because human behavior is fundamentally variable. Despite this, the accuracy can be comparable to that of static biometrics-based systems because behavioral biometrics can take advantage of many more observations than static biometrics, and can do so in ways that require no additional work from the user. Behavioral biometrics have a long history, including, keyboard typing patterns, facial recognition, and handwriting recognition.
However, for primary authentication, there is a need to focus on behavioral biometrics that are easily observed during the course of normal mobile device usage, specifically behavioral biometrics that utilize mobile device sensors such as the camera, touchscreen, the accelerometer and the gyroscope. Furthermore, for primary authentication, these behavioral biometrics should be used within implicit authentication schemes, so as to be able to enjoy all the advantages of implicit authentication while avoiding the pitfalls of explicit authentication schemes.
Behavioral biometrics can be grouped into three categories: continuous, secondary and task-based. With a continuous behavioral biometric, the behavior of the user is continually observed and modeled, with the system detecting abnormal usage patterns associated with unauthorized use on an ongoing basis. With secondary biometrics, user behavior is monitored only while performing an explicit authentication task, such as a PIN entry. A task-based biometric is similar in spirit to a secondary biometric, except that any task can be observed and modeled, not just an explicit authentication task.
Each of these categories has strengths and weaknesses when employed on their own as a primary authentication mechanism. Since secondary biometrics are used together with explicit authentication tasks, these schemes may be intrusive for a user. This may impact usability as a primary authentication mechanism.
Continuous behavioral biometrics offer some advantages as a primary authentication mechanism. Since these biometrics can be integrated into an implicit authentication mechanism, they provide the most coverage with the least impact on regular user interactions. However, the prior art systems in continuous behavioral biometrics suffer from some issues. First, given the nature of continuous monitoring, such schemes must deal with a large, dynamic state space produced by the output of multiple sensors. This results in a highly complex, multi-modal data landscape that is very challenging to model as it changes with context. For example, if the user starts playing a game on their phone, then the data obtained may be very different from the case where the user is answering emails. Secondly, these schemes return high levels of false positive results when used for authentication, which means these schemes are not suitable for use in primary authentication. Finally, these schemes do not offer sufficient validation against adaptive attackers.
Task-based behavioral biometric primary authentication schemes also offer some advantages. Task-based biometrics leverage the muscle memory users build up doing a common task. The more habitual the activity, the more likely it will be to characterize normal behavior, and consequently, the easier it will be to detect anomalies. Also, it makes it harder to imitate thus making it more resistant to mimicry attacks.
However, these task-based behavioral schemes suffer from some limitations. Firstly, these schemes only model user behavior when doing specific tasks, which may make up only a small portion of overall device usage. Consequently, if an attacker can circumvent these actions they can perform their attack without being detected.
Furthermore, these tasks must be manually defined which makes them expensive to implement from a development perspective. This is because each task to be monitored has to be selected and explicitly defined. To further complicate the situation, the selected task may not be performed in all contexts and situations, which necessitates selection of different tasks for different contexts and situations.
Therefore, there is a need for an implicit primary authentication scheme which combines the advantages of task-based behavioral schemes and continuous behavioral biometric schemes but overcomes the disadvantages of both these schemes. That is, such a scheme should be difficult to circumvent, not require manual definition, have relatively low computational complexity, return sufficiently low levels of false positive results thus making the scheme suitable for use in authentication, and offer sufficient validation against adaptive attackers.