I Am How I Touch: Authenticating Users

Paper & ToCHI

May 8, 2012 @ 09:30, Room: Ballroom E

Chair: Xiang Cao, Microsoft Research Asia, China
Homogenous Physio-Behavioral Visual and Mouse Based Biometric - ToCHI
Contribution & Benefit: Describes a new biometric technique that uses cognitive features and mouse dynamics without the introduction of new hardware. This technique opens doors for advanced biometrics used for static authentication.
Abstract » In this research, we propose a novel biometric system for static user authentication that homogeneously combines mouse dynamics, visual search capability and short-term memory effect. The proposed system introduces the visual search capability, and short-term memory effect to the biometric-based security world for the first time. The use of a computer mouse for its dynamics, and as an input sensor for the other two biometrics, means no additional hardware is required than the standard mouse. Experimental evaluation showed the system effectiveness using variable or one-time passwords. All of these attributes qualify the proposed system to be effectively deployed as a static authentication mechanism.

Extensive experimentation was done using 2740 sessions collected from 274 users. To measure the performance, a computational statistics model was specially designed and used; a statistical classifier based on Weighted-Sum produced an Equal Error Rate (EER) of 2.11%.
Biometric-Rich Gestures: A Novel Approach to Authentication on Multi-touch Devices - Paper
Contribution & Benefit: Describes a new approach to login/authentication on multi-touch devices, using behavior-based biometrics gleaned from five-finger gestures. This approach better aligns usability with security, than is the case for text-based passwords.
Abstract » In this paper, we present a novel multi-touch gesture-based authentication technique. We take advantage of the multi- touch surface to combine biometric techniques with gestural input. We defined a comprehensive set of five-finger touch gestures, based upon classifying movement characteristics of the center of the palm and fingertips, and tested them in a user study combining biometric data collection with usability questions. Using pattern recognition techniques, we built a classifier to recognize unique biometric gesture characteristics of an individual. We achieved a 90% accuracy rate with single gestures, and saw significant improvement when multiple gestures were performed in sequence. We found user ratings of a gestures desirable characteristics (ease, pleasure, excitement) correlated with a gestures actual biometric recognition ratethat is to say, user ratings aligned well with gestural security, in contrast to typical text-based passwords. Based on these results, we conclude that multi-touch gestures show great promise as an authentication mechanism.
Touch me once and I know it's you! Implicit Authentication based on Touch Screen Patterns - Paper
Contribution & Benefit: Presents two user studies of an implicit authentication approach for touch screen phones. Proofs that it is possible to distinguish users by the way they perform the authentication.
Abstract » Password patterns, as used on current Android phones, and other shape-based authentication schemes are highly usable and memorable. In terms of security, they are rather weak since the shapes are easy to steal and reproduce. In this work, we introduce an implicit authentication approach that enhances password patterns with an additional security layer, transparent to the user. In short, users are not only authenticated by the shape they input but also by the way they perform the input. We conducted two consecutive studies, a lab and a long-term study, using Android applications to collect and log data from user input on a touch screen of standard commercial smartphones. Analyses using dynamic time warping (DTW) provided first proof that it is actually possible to distinguish different users and use this information to increase security of the input while keeping the convenience for the user high.
WebTicket: Account Management Using Printable Tokens - Paper
Contribution & Benefit: Describes development and evaluations of WebTicket that manages web accounts using paper-based or mobile-phone-based tickets. Demonstrates that WebTicket provides reliable and phishing-resilient user authentication.
Abstract » Passwords are the most common authentication scheme today. However, it is difficult for people to memorize strong passwords, such as random sequences of characters. Additionally, passwords do not provide protection against phishing attacks. This paper introduces WebTicket, a low cost, easy-to-use and reliable web account management system that uses "tickets", which are tokens that contain a two-dimensional barcode that can be printed or stored on smartphones. Users can log into accounts by presenting the barcodes to webcams connected to computers. Through two lab studies and one field study consisting of 59 participants in total, we found that WebTicket can provide reliable authentication and phishing resilience.