Mobile user terminals such as smartphones are now very popular. They support an increasing number of applications such as web browsers, e-mail clients, applications for editing documents, taking pictures, and so on. This increase in capabilities and usage also creates the need to improve the security of these devices. However, the authentication methods already available for smartphones do not offer sufficient transparency and security.
A transparent authentication method is, in general, a method that does not require the conscious involvement of the user to perform an authentication action.
Classical, non-transparent, non-biometric authentication solutions, such as PIN-based methods or graphical passwords, have been proposed in the past. However, being non-transparent, these methods require the conscious participation of the user. This can be annoying for the user, for instance because of the continuous prompting for input. As a result, many users tend to remove such authentication methods. Moreover, classical methods based on PINs or passwords are easy to break, since predictable passwords are often chosen. Similar considerations apply to graphical passwords, which use secret drawings instead of secret strings of characters. In this case too, users tend to choose symmetric figures, which are more predictable and easy to break. Finally, of course, the access code can be stolen by a third person who observes the user, in particular by filming with a camera, while the user inputs the secret password or drawing.
Some of the problems of the classical authentication methods just described can be solved by biometric authentication methods. These methods increase security because the secret information on which they are based cannot easily be observed and reproduced, as they identify the user based on the user's natural features. Biometric measures are classified into two main categories: physiological biometrics and behavioural biometrics. Physiological biometrics identify the user on the basis of physiological features, using methods that include face recognition, fingerprint recognition, external ear shape recognition, and internal acoustic ear shape recognition (i.e. measuring the shape of the ear channel using acoustic data). The current physiological biometric solutions are affected by one or more of the following problems: non-transparent usage; performance that is heavily influenced by external factors such as illumination, position or occlusion; and lack of the required hardware on current mobile terminals.
By way of example, a good recognition rate could be obtained when using external ear shape recognition (recognition rate of some 90%) or internal acoustic ear recognition (Equal Error Rate, EER, of some 5.5%). However, these methods are heavily influenced by external factors: for example, it is hard to transparently get a useful picture of the ear, or a useful acoustic feedback that characterizes the internal shape, when the ear might be obstructed by hair, hats or veils. Also, the camera should be at a distance appropriate to get the correct focus on the target. To operate properly, such measurements require a specific setup for capturing the image and the active participation of the user. These constraints result in a completely non-transparent authentication of the user.
Among physiological biometric measures, the methods that do not suffer much from obstruction problems are fingerprint recognition and internal ear recognition. The area that needs to be captured for a fingerprint is small, and usually there is no occlusion that may intervene between the user's finger and the scanner. However, this method is not transparent to the user and, most importantly, it cannot be operated with the technologies commonly available in smartphones. Also, internal ear recognition needs a special device that is placed in the ear to emit acoustic signals, and a special microphone needs to be attached to the smartphone.
The other category of biometric measures is behavioural biometrics, where the user is identified based on behavioural features, e.g. keystroke dynamics, voice pattern, or gesture (e.g. the user's walking pattern). However, for the currently implemented methods of this kind, the recognition process takes a long period of time. For example, in order to recognize the user from the walking pattern, the user is required to walk before the device can determine whether it is the correct user or not. For keystroke dynamics, the user has to type a phrase (e.g. up to over 100 characters) before recognition can be performed. Similarly, for voice recognition the user has to utter some predefined phrases, or sounds, before being authenticated.
Recently, other authentication methods have been proposed which are not biometric but use devices normally present in modern smartphones, such as accelerometers. These mechanisms, such as the one described in J. Liu, L. Zhong, J. Wickramasuriya, and V. Vasudevan, “User evaluation of lightweight user authentication with a single tri-axis accelerometer”, in MobileHCI '09, pages 1-10, 2009, aim at identifying the user based on a secret movement pattern which is measured using data from the accelerometer sensor. The security obtained is high. However, such a movement can also potentially be observed by another person and replayed to gain access to the smartphone and its data.