Flexible & Non-Intrusive User Authentication on Mobile Devices


Presentation Transcript


  1. Flexible & Non-Intrusive User Authentication on Mobile Devices
  Dr. Nathan Clarke, Centre for Information Security & Network Research

  2. The Research Project
  • This research is funded by the Eduserv Foundation.
  • Founded in 2003, Eduserv is a not-for-profit IT services group delivering innovative technology services. With contributions from Eduserv, the Eduserv Foundation funds initiatives supporting the effective application of IT in education.
  • Grant awarded in 2005 for a 2 year study into Flexible and Non-Intrusive User Authentication for Mobile Devices.
  • Research is being conducted by the Centre for Information Security & Network Research.
  • Established in 1985 (formerly the NRG), the Centre conducts research into IT Security, Internet and WWW technologies and mobility.
  • Researchers active on the project:
    • Prof Steven Furnell
    • Dr Nathan Clarke
    • Miss Sevasti Karatzouni

  3. Overview
  • The Need for Advanced Authentication
  • Biometrics
  • Flexible & Transparent Authentication
  • Looking a little deeper…
  • Conclusions & Future Work

  4. The Need for Authentication

  5. Worldwide Mobile Phone Subscribers
  [chart; source: GSM Association 2006]

  6. The Need for Authentication What protects this data from attack?

  7. Current Security Provision
  • Subscriber Authentication relies upon the Personal Identification Number (PIN)
  • Independently enabled OR disabled
  • “One-Off” security approach
  • The PIN is a secret knowledge approach
  • PINs are often badly selected, written down, shared with colleagues, infrequently changed and kept the same on multiple systems
  Examples of commonly chosen PINs: 9876, 190578, 1234, 1122, 2468, 1945, 1066, 0000

  8. Current Security Provision
  • Existing PIN-based authentication has proven ineffective, unpopular and inconvenient
  • Survey of 297 mobile users:
    • 66% of respondents use the PIN
    • 30% considered the PIN inconvenient
    • 85% want additional security
  • Arguably commensurate for protecting basic voice and text services
  • Less than ideal for more advanced mobile services
  Results extracted from a paper entitled “Authentication of users on mobile telephones – A survey of attitudes and practices” (Clarke et al., Computers & Security, 24, 519-527)

  9. Biometrics

  10. Biometric Characteristics

  11. Biometric Characteristics
  [chart: False Acceptance Rate (FAR) and False Rejection Rate (FRR), Rate (%) from 0 to 100, plotted against the tolerance/threshold setting from slack to tight; the two curves cross at the Equal Error Rate; tightening the threshold increases end-user rejection]
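The FAR/FRR trade-off and Equal Error Rate that the chart on slide 11 sketches, as an added example that is not part of the original presentation. The genuine and impostor scores are constructed for illustration (lower distance means a closer match to the enrolled template), and the EER is estimated at the threshold where the two rates come closest.

```python
"""FAR/FRR trade-off and Equal Error Rate for a distance-based biometric matcher."""
from typing import Sequence, Tuple

# Constructed sample scores (not measured data): each value is the distance between
# a presented sample and the enrolled template, so lower means a closer match.
GENUINE_SCORES = (0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.60, 0.70)
IMPOSTOR_SCORES = (0.40, 0.45, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90)


def error_rates(threshold: float, genuine: Sequence[float] = GENUINE_SCORES,
                impostor: Sequence[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FAR, FRR) when every sample with distance <= threshold is accepted.
    A slack (large) threshold admits impostors (high FAR); a tight (small) one
    turns away the legitimate user (high FRR)."""
    far = sum(1 for s in impostor if s <= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s > threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine: Sequence[float] = GENUINE_SCORES,
                     impostor: Sequence[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, EER). With finite samples the curves may not meet exactly, so the
    EER is the mean of FAR and FRR at the threshold that minimises |FAR - FRR|."""
    def gap(t: float) -> float:
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    best = min(sorted(set(genuine) | set(impostor)), key=gap)
    far, frr = error_rates(best, genuine, impostor)
    return best, (far + frr) / 2


if __name__ == "__main__":
    for t in (0.20, 0.45, 0.80):                  # tight, crossover, slack
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%}")
    t, eer = equal_error_rate()
    print(f"EER ~ {eer:.0%} at threshold {t:.2f}")
```

On the constructed data the tight setting (0.20) rejects 70% of genuine attempts while admitting no impostors, the slack setting (0.80) admits 80% of impostors, and the curves meet at 20% EER.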

  12. Flexible & Transparent Authentication

  13. Biometrics on Mobile Devices
  [diagram: Signature Recognition, Service Utilisation, Facial Recognition, Keystroke Dynamics, Voice Verification]

  14. Novel Authentication - Objectives
  • Authentication for mobile handsets must meet the following objectives:
    • Increase security beyond secret-knowledge techniques
    • Provide transparent authentication
    • Authenticate the user continuously/periodically throughout the day in order to maintain confidence in the identity of the user
    • The authentication mechanism must handle the varying hardware configurations of mobile handsets

  15. Biometric Characteristics

  16. Novel Architecture
  • To design an architecture capable of utilising existing handsets to provide biometric user authentication
  • A modular architecture capable of dynamically adapting to differing hardware configurations
  • Non-Intrusive & Continuous Authentication (NICA) System:
    • Periodic Authentication Process/Alert Level – Split into 4 levels
    • Rolling System Integrity Level

  17. Security Process – Alert Level
  [flow diagram; the stages as labelled on the slide, each followed by an Authentication Response]
  • Authentication Request (Transparent, AL1) – most recent data in input cache
  • Authentication Request (Transparent, AL2) – next input
  • Authentication Request (Intrusive, AL3) – high confidence authentication
  • Authentication Request (Transparent, AL1) – remaining data in input cache
  • Authentication Request (Intrusive, AL3) – high confidence authentication
  • Lock Handset (Intrusive, AL4)

  18. Security Process – Integrity Level
  [scale diagram: +5 Open System (increasing access to information and services); 0 Normal System Integrity Level; -5 System Lock Down (decreasing access to information and services)]
  Service – SI
  • Text Message – +1
  • Telephone Call – +1.5
  • Video Call – +3
  • Micropayment – +4
  • Bank Account – +5
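A runnable sketch of how the NICA alert levels (slide 17) and the rolling System Integrity Level (slide 18) fit together, added here as an example and not code from the project. The SI values and the -5 to +5 scale come from the slides; the step sizes per pass or fail, the rule that a service is offered only while the level is at least its SI value, and the reset to AL1 after a pass are assumptions for illustration.

```python
"""NICA-style rolling System Integrity Level with escalating Alert Levels."""
from dataclasses import dataclass, field
from typing import List

# Service Integrity (SI) values from the Integrity Level slide. Assumed rule:
# a service is offered only while the current level is at least its SI value.
SERVICE_SI = {"text_message": 1.0, "telephone_call": 1.5, "video_call": 3.0,
              "micropayment": 4.0, "bank_account": 5.0}
OPEN_SYSTEM, NORMAL, LOCK_DOWN = 5.0, 0.0, -5.0   # scale from the slide

# Assumed step sizes: the deck gives the scale, not how far one result moves it.
TRANSPARENT_PASS, TRANSPARENT_FAIL = 1.0, -1.0
INTRUSIVE_PASS, INTRUSIVE_FAIL = 2.0, -2.0

@dataclass
class NicaState:
    integrity: float = NORMAL
    alert_level: int = 1              # AL1/AL2 transparent, AL3 intrusive, AL4 locked
    log: List[str] = field(default_factory=list)

    def service_allowed(self, service: str) -> bool:
        """Gate a service on the rolling integrity level (denied once locked)."""
        return self.alert_level < 4 and self.integrity >= SERVICE_SI[service]

    def authenticate(self, passed: bool) -> None:
        """Apply one authentication response at the current alert level.
        A pass returns the process to AL1; each failure escalates one level,
        AL1 -> AL2 -> AL3 (intrusive) -> AL4 (handset locked)."""
        if self.alert_level >= 4:
            self.log.append("AL4: handset locked, request ignored")
            return
        intrusive = self.alert_level == 3
        if passed:
            step = INTRUSIVE_PASS if intrusive else TRANSPARENT_PASS
            self.alert_level = 1
        else:
            step = INTRUSIVE_FAIL if intrusive else TRANSPARENT_FAIL
            self.alert_level += 1
        self.integrity = max(LOCK_DOWN, min(OPEN_SYSTEM, self.integrity + step))
        if self.integrity <= LOCK_DOWN:      # system lock down also locks the handset
            self.alert_level = 4
        self.log.append(f"AL{self.alert_level} integrity={self.integrity:+.1f}")

if __name__ == "__main__":
    state = NicaState()
    for result in (True, True, True, False, False, False):   # constructed sequence
        state.authenticate(result)
    print("\n".join(state.log))
    print({s: state.service_allowed(s) for s in SERVICE_SI})
```

Three transparent passes lift the level to +3, enough for a video call but not a micropayment; three consecutive failures then walk the process through AL2 and the intrusive AL3 check to a locked handset.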

  19. IAMS Server-Side Architecture
  [architecture diagram; components as labelled on the slide: System Administrator, Hardware Compatibility, Client Device Configuration, System Parameter Setting, Client Database, Authentication Manager (Server), Communications Engine, IAMS Device, Biometric Profile Engine, Authentication Engine, Input Cache, Profile (Bio/Cog)]

  20. IAMS Client-Side Architecture
  [architecture diagram; components as labelled on the slide: Device Administrator, Authentication Assets/History, Authentication Response, Output Device, Security Status, Authentication Manager (Device), Intrusion Interface, Input Characteristics, Biometric Profile Engine, Authentication Engine, Data Collection Engine, Input Cache, Profile (Bio/Cog), Communications Engine, IAMS Server]

  21. Traditional Performance

  22. IAMS Performance

  23. Looking a little deeper…

  24. Effectiveness of Biometrics on a Mobile Device
  • Unfortunately, the application of biometrics in the fashion previously described is somewhat overly simplistic
  • Biometrics have been proven to operate effectively within specific applications
    • Physical access control
    • Logical access to desktop computers
  • Typically, well defined environments and intrusive in nature

  25. Keystroke Analysis
  • Several studies have been undertaken to establish the effectiveness of Keystroke Analysis on a mobile device

  26. Handwriting Verification
  • Signature Recognition has been widely researched and generally well accepted
  • It has good levels of FAR and FRR
  • Algorithms are designed to classify a “signature” – very intrusive!
  • Need to develop an approach that will permit the user to scribble anything and the system is still able to successfully authenticate the user

  27. Service Utilisation
  • An inherently transparent technique that is able to monitor your usage of the device
    • Who you call, where you call from, for how long and how frequently
  • Also a wide range of other factors could be utilised as a means of discriminating users
  • The approach is widely used in fraud detection scenarios
    • Credit card fraud detection; mobile phone abuse

  28. Facial Recognition
  [figure: Biometric Samples → Biometric Template]

  29. Voice Verification
  • Successful voice verification technologies exist
  • However, they are largely based upon:
    • Static based recognition
    • Pseudo dynamic based recognition
  • Concept: Utilise both voice recognition and voice verification to create an outwardly appearing dynamic approach based upon static technology

  30. Architectural Issues
  • Mobile device technology – computational capabilities
  • Network traffic overheads
  • Network server requirements
  • Configuration and management
  • International roaming
  • Scalability
  • Personal mobility

  31. Conclusions & Future Work
  • NICA introduces a level of intelligence to the authentication process
  • Biometrics still hold the authentication power
  • Further research should look into:
    • Designing more intelligent and robust biometric techniques
    • The practicalities of operating an authentication mechanism such as NICA in practice – network overhead, biometric threshold settings, personal mobility challenges etc.
  • More information: www.cisnr.org/NICA

  32. References
  • Advanced User Authentication for Mobile Devices. Clarke NL, Furnell SM. Computers & Security, 2006
  • Authenticating Mobile Phone Users Using Keystroke Analysis. Clarke NL, Furnell SM. International Journal of Information Security, vol. 6, no. 1, pp. 1-14, 2006
  • Biometrics - The Promise Versus the Practice. Clarke NL, Furnell SM. Computer Fraud and Security, September, pp. 12-16, 2005
  • Keystroke Analysis for Thumb-Based Keyboards on Mobile Devices. Karatzouni S, Clarke NL. Proceedings of the IFIP SEC 2006 Conference, Johannesburg, South Africa, May 2007
  • Transparent Handwriting Verification for Mobile Devices. Clarke NL, Mekala AR. Proceedings of the Sixth International Network Conference (INC2006), Plymouth, UK, 11-14 July, pp. 277-288, 2006
  • Transparent Facial Recognition for Mobile Devices. Clarke NL, Karatzouni S, Furnell SM. Proceedings of The Security Conference, Las Vegas, 2-4 June 2008
  • User Authentication by Service Utilisation Profiling. Aupy A, Clarke NL. Proceedings of the ISOneWorld 2005, Las Vegas, USA, 30 March - 1 April, 2005
  • Using Keystroke Analysis as a Mechanism for Subscriber Authentication on Mobile Handsets. Clarke NL, Furnell SM, Lines BL, Reynolds PL. Proceedings of the IFIP SEC 2003 Conference, Athens, Greece, May, pp. 97-108, 2003

  33. Any Questions?
  Centre of Information Security & Network Research, University of Plymouth – www.cisnr.org