Flexible & Non-Intrusive User Authentication on Mobile Devices
Dr. Nathan Clarke, Centre for Information Security & Network Research
The Research Project
• This research is funded by the Eduserv Foundation.
• Founded in 2003, Eduserv is a not-for-profit IT services group delivering innovative technology services. With contributions from Eduserv, the Eduserv Foundation funds initiatives supporting the effective application of IT in education.
• Grant awarded in 2005 for a 2-year study into Flexible and Non-Intrusive User Authentication for Mobile Devices.
• Research is being conducted by the Centre for Information Security & Network Research.
• Established in 1985 (formerly the NRG), the Centre conducts research into IT security, Internet and WWW technologies and mobility.
• Researchers active on the project: Prof Steven Furnell, Dr Nathan Clarke, Miss Sevasti Karatzouni
Overview
• The Need for Advanced Authentication
• Biometrics
• Flexible & Transparent Authentication
• Looking a little deeper…
• Conclusions & Future Work
[Chart: Worldwide Mobile Phone Subscribers. Source: GSM Association 2006]
The Need for Authentication
What protects this data from attack?
Current Security Provision
• Subscriber authentication relies upon the Personal Identification Number (PIN)
• Independently enabled OR disabled
• "One-off" security approach: the user is checked once, at switch-on or unlock, and never again
• The PIN is a secret-knowledge approach
• PINs are often badly selected, written down, shared with colleagues, infrequently changed and kept the same on multiple systems
• Examples shown on the slide: 9876, 190578, 1234, 1122, 2468, 1945, 1066, 0000
Current Security Provision
• Existing PIN-based authentication has proven ineffective, unpopular and inconvenient
• Survey of 297 mobile users:
  • 66% of respondents use the PIN
  • 30% considered the PIN inconvenient
  • 85% want additional security
• Arguably commensurate for protecting basic voice and text services
• Less than ideal for more advanced mobile services
Results extracted from a paper entitled "Authentication of users on mobile telephones – A survey of attitudes and practices" (Clarke et al., Computers & Security, 24, 519-527)
Biometric Characteristics
[Chart: False Acceptance Rate (FAR) and False Rejection Rate (FRR), in %, plotted against the tolerance/threshold setting from slack to tight. FAR falls and FRR rises as the threshold is tightened; the crossover point is the Equal Error Rate (EER). A tighter setting means increasing end-user rejection.]
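The FAR/FRR trade-off on this slide, worked through in code. This is an added example and not code from the presentation or the NICA project: the genuine and impostor matcher scores are constructed, and the acceptance convention (a sample is accepted when its score meets or exceeds the threshold) is an assumption.

```python
"""False Acceptance Rate, False Rejection Rate and Equal Error Rate.

Added example; not code from the original presentation. Scores are
constructed: a matcher output where a higher value means the sample looks
more like the enrolled user. Convention (an assumption): a sample is
accepted when score >= threshold, so a tighter (higher) threshold lowers
FAR and raises FRR.
"""

# Constructed matcher scores for ten genuine-user samples and ten impostor
# samples (real distributions would be far larger and overlap more).
GENUINE = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.40]
IMPOSTOR = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.50, 0.60, 0.70]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at one threshold.

    FAR = impostor samples accepted / impostor samples
    FRR = genuine samples rejected / genuine samples
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return (EER, threshold)
    at the crossover where FAR and FRR are closest. EER is reported as the
    mean of the two rates at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return (far + frr) / 2, t


def operating_point(genuine, impostor, max_far):
    """Slackest threshold whose FAR does not exceed max_far, with the FRR the
    user pays for it. This is the slide's point: tightening the threshold
    to cut false acceptance increases end-user rejection."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    eer, t = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.2f} at threshold {t}")
    for cap in (0.2, 0.1, 0.0):
        print("max FAR", cap, "-> (threshold, FRR):",
              operating_point(GENUINE, IMPOSTOR, cap))
```

With these constructed scores the EER is 0.20 at a threshold of 0.60; capping FAR at 0.1 forces the threshold to 0.65 and the FRR to 0.3, and demanding zero false acceptance pushes FRR to 0.5. That second half of the sweep is what "slack versus tight" costs the legitimate user.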
Biometrics on Mobile Devices
• Signature Recognition
• Service Utilisation
• Facial Recognition
• Keystroke Dynamics
• Voice Verification
Novel Authentication - Objectives
• Authentication for mobile handsets must meet the following objectives:
  • Increase security beyond secret-knowledge techniques
  • Provide transparent authentication
  • Authenticate the user continuously/periodically throughout the day in order to maintain confidence in the identity of the user
  • The authentication mechanism must handle the varying hardware configurations of mobile handsets
Novel Architecture
• To design an architecture capable of utilising existing handsets to provide biometric user authentication
• A modular architecture capable of dynamically adapting to differing hardware configurations
• Non-Intrusive & Continuous Authentication (NICA) System:
  • Periodic Authentication Process / Alert Level – split into 4 levels
  • Rolling System Integrity Level
Security Process – Alert Level
[Flow diagram of the four alert levels; each Authentication Request is answered by an Authentication Response]
• Authentication Request (Transparent, AL1): most recent data in the input cache; subsequently, the remaining data in the input cache
• Authentication Request (Transparent, AL2): next input
• Authentication Request (Intrusive, AL3): high-confidence authentication
• Lock Handset (Intrusive, AL4)
The levels run from transparent checks (AL1, AL2) through an intrusive challenge (AL3) to locking the handset (AL4).
Security Process – Integrity Level
The System Integrity (SI) level runs from -5 (System Lock Down) through 0 (Normal) to +5 (Open System). A higher level gives increasing access to information and services; a lower level gives decreasing access.
Service          SI
Text Message     +1
Telephone Call   +1.5
Video Call       +3
Micropayment     +4
Bank Account     +5
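The alert-level escalation and the rolling integrity level from these two slides, combined into one runnable monitor. This is an added example and not the NICA project's code. The four alert levels, the -5..+5 range and the per-service SI weights are taken from the slides; the update rules are assumptions chosen to make the mechanism concrete: each transparent success adds +1 and each failure subtracts 1, two consecutive transparent failures escalate to the intrusive AL3 challenge, a request for a service above the current level triggers AL3 and, if passed, lifts the level to what that service needs, and an AL3 failure locks the handset at -5.

```python
"""Rolling System Integrity level with NICA-style alert-level escalation.

Added example; not code from the NICA project. From the slides: the four
alert levels, the -5..+5 integrity range and the per-service SI weights.
Assumptions made here to make the mechanism runnable: +1 / -1 per
transparent result; two consecutive transparent failures reach AL3; a
request above the current level triggers AL3 and, if passed, lifts the
level to what the service needs; an AL3 failure locks the handset at -5.
"""

SERVICE_INTEGRITY = {          # SI weights from the Integrity Level slide
    "text_message": 1.0,
    "telephone_call": 1.5,
    "video_call": 3.0,
    "micropayment": 4.0,
    "bank_account": 5.0,
}
LOCK_DOWN, NORMAL, OPEN = -5.0, 0.0, 5.0   # System Lock Down / Normal / Open System

AL1_TRANSPARENT_RECENT = 1   # check the most recent data in the input cache
AL2_TRANSPARENT_NEXT = 2     # check the next input the user provides
AL3_INTRUSIVE = 3            # explicit, high-confidence challenge
AL4_LOCK = 4                 # lock the handset


class NicaMonitor:
    def __init__(self):
        self.integrity = NORMAL
        self.alert_level = AL1_TRANSPARENT_RECENT
        self.pending = None          # service waiting on an AL3 challenge
        self.locked = False

    def _adjust(self, delta):
        self.integrity = max(LOCK_DOWN, min(OPEN, self.integrity + delta))

    def transparent_result(self, accepted):
        """Outcome of a transparent check (AL1/AL2). Returns the new alert level."""
        if self.locked:
            return AL4_LOCK
        if accepted:
            self._adjust(+1.0)                      # confidence grows with use
            self.alert_level = AL1_TRANSPARENT_RECENT
        else:
            self._adjust(-1.0)                      # assumption: -1 per miss
            self.alert_level = min(self.alert_level + 1, AL3_INTRUSIVE)
        return self.alert_level

    def intrusive_result(self, accepted):
        """Outcome of the AL3 explicit challenge. Returns the new alert level."""
        if accepted:
            needed = SERVICE_INTEGRITY.get(self.pending, NORMAL)
            self.integrity = max(self.integrity, needed, NORMAL)
            self.alert_level = AL1_TRANSPARENT_RECENT
            self.pending = None
        else:
            self.locked = True                      # AL4: handset locked
            self.integrity = LOCK_DOWN
            self.alert_level = AL4_LOCK
        return self.alert_level

    def request(self, service):
        """Grant, deny, or demand an intrusive challenge for a service."""
        if self.locked:
            return "denied"
        if self.integrity >= SERVICE_INTEGRITY[service]:
            return "granted"
        self.pending = service                      # assumption: step up via AL3
        self.alert_level = AL3_INTRUSIVE
        return "challenge"


def demo():
    """Transparent checks build confidence, a high-value service forces a
    challenge, repeated misses end in a lock. Returns the decision trace."""
    m = NicaMonitor()
    trace = []
    m.transparent_result(True)
    m.transparent_result(True)                 # integrity 2.0
    trace.append(m.request("telephone_call"))  # granted: needs 1.5
    trace.append(m.request("micropayment"))    # challenge: needs 4.0
    m.intrusive_result(True)                   # passed: integrity 4.0
    trace.append(m.request("micropayment"))    # granted
    m.transparent_result(False)                # AL2, integrity 3.0
    m.transparent_result(False)                # AL3, integrity 2.0
    trace.append(m.alert_level)
    m.intrusive_result(False)                  # AL4: locked at -5
    trace.append(m.request("text_message"))    # denied
    return trace


if __name__ == "__main__":
    print(demo())
```

The point the two slides make together is that a text message and a bank account should not be gated by the same one-off check: the monitor lets low-value services ride on accumulated transparent confidence and reserves the intrusive challenge for the step up to a high-value service or for a run of failed transparent checks.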
IAMS Server-Side Architecture
[Architecture diagram; components shown:]
• System Administrator: Hardware Compatibility, Client Device Configuration, System Parameter Setting
• Client Database
• Authentication Manager (Server)
• Communications Engine (to the IAMS Device)
• Biometric Profile Engine
• Authentication Engine
• Input Cache
• Profile (Bio/Cog)
IAMS Client-Side Architecture
[Architecture diagram; components shown:]
• Device Administrator: Authentication Assets/History, Authentication Response, Output Device, Security Status
• Authentication Manager (Device)
• Intrusion Interface
• Data Collection Engine (Input Characteristics)
• Biometric Profile Engine
• Authentication Engine
• Input Cache
• Profile (Bio/Cog)
• Communications Engine (to the IAMS Server)
Effectiveness of Biometrics on a Mobile Device
• Unfortunately, the application of biometrics in the fashion previously described is somewhat overly simplistic
• Biometrics have been proven to operate effectively within specific applications:
  • Physical access control
  • Logical access to desktop computers
• Typically, well-defined environments and intrusive in nature
Keystroke Analysis
• Several studies have been undertaken to establish the effectiveness of Keystroke Analysis on a mobile device
Handwriting Verification
• Signature Recognition has been widely researched and is generally well accepted
• It has good levels of FAR and FRR
• Algorithms are designed to classify a "signature" – very intrusive!
• Need to develop an approach that will permit the user to scribble anything and the system is still able to successfully authenticate the user
Service Utilisation
• An inherently transparent technique that is able to monitor your usage of the device
• Who you call, where you call from, for how long and how frequently
• A wide range of other factors could also be utilised as a means of discriminating users
• The approach is widely used in fraud detection scenarios: credit card fraud detection; mobile phone abuse
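Service-utilisation profiling as described on this slide, as an added example that is not the NICA project's code. It builds a profile from a user's call history and scores each new call by how unusual its callee, originating cell, time of day and duration are for that user. The call records (Ofcom's reserved 07700 900xxx numbers), the scoring weights and the alert threshold are constructed assumptions; the attributes profiled follow the slide.

```python
"""Service-utilisation profiling: score new call records against history.

Added example; not the NICA project's code. Call records, attribute
weights and the 0.5 alert threshold are constructed assumptions. Profiled
attributes (who is called, from where, when, for how long) follow the
presentation; call frequency would be profiled the same way from a
timestamped feed.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class CallRecord:
    callee: str       # dialled number (hash or mask it in a real deployment)
    cell: str         # serving cell / location the call was placed from
    hour: int         # local hour of day, 0-23
    duration_s: int   # call length in seconds


class UsageProfile:
    """Frequency tables for categorical attributes plus mean/std of duration."""

    def __init__(self, history):
        self.n = len(history)
        self.callees = Counter(r.callee for r in history)
        self.cells = Counter(r.cell for r in history)
        self.bands = Counter(r.hour // 6 for r in history)    # four 6-hour bands
        durations = [r.duration_s for r in history]
        self.mean_dur = mean(durations)
        self.sd_dur = pstdev(durations) or 1.0                # avoid divide by zero

    @staticmethod
    def _rarity(counter, key):
        """1.0 for a never-seen value, falling towards 0 the more it was seen."""
        return 1.0 / (1 + counter.get(key, 0))

    def score(self, rec):
        """Weighted anomaly score: 0 = entirely typical, 1.0 = every attribute
        unfamiliar. Weights are assumptions; tune them per deployment."""
        dur_z = abs(rec.duration_s - self.mean_dur) / self.sd_dur
        parts = {
            "callee": 0.40 * self._rarity(self.callees, rec.callee),
            "cell": 0.30 * self._rarity(self.cells, rec.cell),
            "hour": 0.15 * self._rarity(self.bands, rec.hour // 6),
            "duration": 0.15 * min(dur_z / 3.0, 1.0),         # saturate at 3 sigma
        }
        return round(sum(parts.values()), 3), parts


def flag_calls(profile, records, threshold=0.5):
    """Return (callee, score, flagged) per record; flagged calls would feed
    the authentication manager as evidence against the current user."""
    out = []
    for r in records:
        s, _ = profile.score(r)
        out.append((r.callee, s, s >= threshold))
    return out


# Constructed history for one user: mostly three contacts, two home cells,
# daytime calls of a few minutes.
HISTORY = [
    CallRecord("+44-7700-900001", "cell-plymouth-12", 9, 240),
    CallRecord("+44-7700-900001", "cell-plymouth-12", 12, 300),
    CallRecord("+44-7700-900002", "cell-plymouth-12", 13, 120),
    CallRecord("+44-7700-900001", "cell-plymouth-07", 18, 420),
    CallRecord("+44-7700-900003", "cell-plymouth-12", 10, 180),
    CallRecord("+44-7700-900002", "cell-plymouth-07", 19, 90),
    CallRecord("+44-7700-900001", "cell-plymouth-12", 11, 360),
    CallRecord("+44-7700-900003", "cell-plymouth-12", 14, 200),
    CallRecord("+44-7700-900001", "cell-plymouth-07", 20, 150),
    CallRecord("+44-7700-900002", "cell-plymouth-12", 9, 260),
]
PROFILE = UsageProfile(HISTORY)

# Constructed new calls: a routine one, a known contact from the less-used
# cell at a later hour, and a long call to an unknown number from an unknown
# cell in the small hours.
TYPICAL = CallRecord("+44-7700-900001", "cell-plymouth-12", 10, 250)
BORDERLINE = CallRecord("+44-7700-900003", "cell-plymouth-07", 21, 400)
ANOMALOUS = CallRecord("+1-202-555-0199", "cell-unknown-99", 3, 1800)

if __name__ == "__main__":
    for callee, s, flagged in flag_calls(PROFILE, [TYPICAL, BORDERLINE, ANOMALOUS]):
        print(f"{callee:18s} score={s:.3f} flagged={flagged}")
```

The scoring is deliberately per-attribute so an operator can see why a call was flagged; in a NICA-style system that score would not itself lock the handset but lower the integrity level and push the alert level towards an intrusive check, which matters because a legitimate user travelling abroad will look "anomalous" on cell alone.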
Facial Recognition
[Diagram: biometric samples are captured and combined into a biometric template]
Voice Verification
• Successful voice verification technologies exist
• However, they are largely based upon:
  • Static-based recognition
  • Pseudo-dynamic-based recognition
• Concept: utilise both voice recognition and voice verification to create an outwardly dynamic approach built upon static technology
Architectural Issues
• Mobile device technology – computational capabilities
• Network traffic overheads
• Network server requirements
• Configuration and management
• International roaming
• Scalability
• Personal mobility
Conclusions & Future Work
• NICA introduces a level of intelligence to the authentication process
• Biometrics still hold the authentication power
• Further research should look into:
  • Designing more intelligent and robust biometric techniques
  • The practicalities of operating an authentication mechanism such as NICA in practice – network overhead, biometric threshold settings, personal mobility challenges etc.
• More information: www.cisnr.org/NICA
References
• Advanced User Authentication for Mobile Devices. Clarke NL, Furnell SM. Computers & Security, 2006.
• Authenticating Mobile Phone Users Using Keystroke Analysis. Clarke NL, Furnell SM. International Journal of Information Security, vol. 6, no. 1, pp. 1-14, 2006.
• Biometrics - The Promise Versus the Practice. Clarke NL, Furnell SM. Computer Fraud and Security, September 2005, pp. 12-16.
• Keystroke Analysis for Thumb-Based Keyboards on Mobile Devices. Karatzouni S, Clarke NL. Proceedings of the IFIP SEC 2007 Conference, Johannesburg, South Africa, May 2007.
• Transparent Handwriting Verification for Mobile Devices. Clarke NL, Mekala AR. Proceedings of the Sixth International Network Conference (INC2006), Plymouth, UK, 11-14 July 2006, pp. 277-288.
• Transparent Facial Recognition for Mobile Devices. Clarke NL, Karatzouni S, Furnell SM. Proceedings of The Security Conference, Las Vegas, 2-4 June 2008.
• User Authentication by Service Utilisation Profiling. Aupy A, Clarke NL. Proceedings of ISOneWorld 2005, Las Vegas, USA, 30 March - 1 April 2005.
• Using Keystroke Analysis as a Mechanism for Subscriber Authentication on Mobile Handsets. Clarke NL, Furnell SM, Lines BL, Reynolds PL. Proceedings of the IFIP SEC 2003 Conference, Athens, Greece, May 2003, pp. 97-108.
Any Questions?
Centre for Information Security & Network Research, University of Plymouth
www.cisnr.org