University of Twente Student Theses


Contextual Authentication : Using Mobile Phone Movements to Authenticate Owners Implicitly

Badin, Y. (2016) Contextual Authentication : Using Mobile Phone Movements to Authenticate Owners Implicitly.

Abstract: Current security approaches used on mobile phones such as PINs and passwords have been proven to have weaknesses. These weaknesses include susceptibility to shoulder surfing attacks and to smudge attacks. These kinds of security mechanisms work on an all-or-nothing basis, meaning that once a password is entered correctly, the user has access to everything. Another weakness comes from the discrepancy between security and usability; users tend to intentionally use weak passwords for the sake of usability. The reason for this comes from the fact that the usage pattern of mobile devices is characterized by small bursts of activity. This in turn leads the users to type their passwords/PIN every time they want to use the phone. Moreover, users tend to not use a password or PIN at all on some occasions. Advanced techniques like face and fingerprint recognition can also be circumvented, they hinder usability, and they might need special hardware. For example, fingerprint recognition needs a special sensor and a fingerprint can be reconstructed relatively easily from a surface or even from a photograph. Then, it can be used to access any fingerprint-secured device. The solution to these problems is authenticating owners of mobile phones implicitly using context. Implicitly means not requiring the user to perform any additional task, but instead using the available data a mobile phone produces when users interact with their phones. Context can include rich information such as location and device fingerprints, but the interesting type of context is behavior analysis, which takes advantage of the relation between a phone and its owner. Hence, contextual authentication aims to increase both security and usability by authenticating users through the way they interact with their phones rather than requiring them to perform specific tasks, such as entering a password.
The purpose of this work is to explore the possibility of providing continuous and implicit authentication from owner to mobile phone while assuring high accuracy that can be acceptable in practical situations. We focus on utilizing movements that are natural to phone usage. Natural movements happen when users are interacting with their phones. This means that the solution should not require users to perform any additional tasks to authenticate themselves; they should only use their phones. Movements that are natural to the phone usage that we will investigate are (1) the way users pick up their phones from a table, and (2) the micro-movements of the phone when users interact with them. Both mentioned movements serve one of the established goals, which is "implicit authentication". The micro-movements serve another goal, which is "continuous authentication". Continuous authentication means that the user is always being authenticated in the background, especially when the user wants to access a critical function such as a banking app. An important aspect of the pick-up motion is that it usually precedes any other interaction, meaning that the user needs to first pick up the phone before starting to use it. Thus, the pick-up motion can serve as a first line of defense. On the other hand, the micro-movements authentication can serve as a second, and continuous, line of defense. An important objective to accomplish is to extract features from the collected data (such as average, standard deviation, amplitude, etc.) that can be informative of this data and then select some of these features that give a distinction to the two motions and can be utilized to identify the owner of a mobile device. Another important objective is to choose the right classification algorithm that suits these two types of movements. In addition, classification algorithms usually have specific parameters that need to be chosen carefully to get the best out of the produced model.
The last objective is to build a pattern recognition process that can correctly detect a pick-up motion (regardless of the user) at the right time, otherwise the pick-up authentication mechanism would be useless. The first step of this work was to build a simple Android app to collect sensor data (accelerometer and orientation sensor). A group of participants were asked to pick up the phone from a table and type on the phone multiple times while the app collected the acceleration on X, Y, and Z axes and the orientation angles Yaw, Pitch, and Roll. This data then was manually analyzed and it was apparent that there are noticeable differences between different users. Then, machine learning was used to build a classification model. The model included two classes: owner and non-owner. When new data is supplied to the model, it can predict to which class the current user belongs. To this end, two algorithms were used: Dynamic Time Warping (DTW) for the pick-up motion, and Support Vector Machine (SVM) for the micro-movements. Raw sensor data were used with DTW to build a model. In the case of SVM, multiple features were extracted from sensor data to help build the model. Subsequently, a test was performed to evaluate the accuracy of the model. For this purpose, a prototype was created (Android app) to perform the tests. During the test, participants would pick up the phone or type, and the app would display the algorithm decision. The results showed that those two motions can successfully be used to differentiate between the owner of the device and intruders. The pick-up motion achieved 3.3% FRR and 0% FAR. The micro-movement achieved 9.5% FRR and 9.2% FAR for the Polynomial kernel and 6.8% FRR and 12.3% FAR for the Sigmoid kernel.
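The pick-up check described in the abstract (raw sensor traces compared with DTW, then an owner/non-owner decision scored as FRR and FAR) can be sketched as follows. This is an added example, not code from the thesis: the traces are constructed, and the nearest-template rule, the acceptance threshold and the names `pickup`, `score` and `evaluate` are assumptions, since the abstract does not say how the DTW distance was turned into a decision.

```python
import math

def dtw(a, b):
    """DTW distance between two traces of (x, y, z) acceleration samples."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for p in a:
        cur = [inf]
        for j, q in enumerate(b, 1):
            # Cheapest predecessor: advance in a, in both, or in b only.
            cur.append(math.dist(p, q) + min(prev[j], prev[j - 1], cur[j - 1]))
        prev = cur
    return prev[-1]

def pickup(n, lift, tilt):
    """Constructed pick-up trace; n models how fast the phone was lifted."""
    trace = []
    for i in range(n):
        s = math.sin(math.pi * i / (n - 1))
        trace.append((tilt * s, lift * s * s, 9.81))
    return trace

# Constructed data, not measurements from the thesis.
TEMPLATES = [pickup(40, 3.0, 1.0), pickup(46, 3.1, 0.9), pickup(52, 2.9, 1.1)]
OWNER = [pickup(43, 3.2, 1.0), pickup(49, 2.8, 1.05), pickup(38, 3.0, 0.95)]
INTRUDER = [pickup(45, 6.0, -2.0), pickup(41, 5.5, -1.8), pickup(50, 1.0, 3.5)]

def score(probe):
    """Distance to the closest enrolled template; lower is more owner-like."""
    return min(dtw(probe, t) for t in TEMPLATES)

def evaluate(threshold):
    """Return (FRR, FAR) when probes scoring <= threshold are accepted."""
    frr = sum(score(p) > threshold for p in OWNER) / len(OWNER)
    far = sum(score(p) <= threshold for p in INTRUDER) / len(INTRUDER)
    return frr, far

if __name__ == "__main__":
    # Assumed thresholds: too strict, workable, too lax.
    for thr in (0.0, 30.0, 1e9):
        print(thr, evaluate(thr))
```

Because DTW absorbs differences in lifting speed, the owner's faster and slower pick-ups stay close to the enrolled templates, while the threshold alone decides how much FRR is traded against FAR.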
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)