SHAKEIN: SECURE USER AUTHENTICATION OF SMARTPHONES WITH HABITUAL SINGLE-HANDED SHAKES
ABSTRACT
Smartphones have been widely used with a vast array of sensitive and private information stored on these devices. To secure such information from being leaked, user authentication schemes are necessary. Current password/pattern-based user authentication schemes are vulnerable to shoulder-surfing attacks and smudge attacks. In contrast, stroke/gait-based schemes are secure but inconvenient for users to input. In this paper, we propose ShakeIn, a handy user authentication scheme for secure unlocking of a smartphone by simply shaking the phone. With embedded motion sensors, ShakeIn can effectively capture the unique and reliable biometrical features of users about how they shake. In this way, even if an attacker sees a user shaking his/her phone, the attacker can hardly reproduce the same behaviour. Furthermore, by allowing users to customise how they shake the phone, ShakeIn endows users with the maximum operation flexibility. We implement ShakeIn and conduct both intensive trace-driven simulations and real experiments on 20 volunteers with about 530,555 shaking samples collected over multiple months. The results show that ShakeIn achieves an average equal error rate of 1.2% with a small number of shakes using only 35 training samples even in the presence of shoulder-surfing attacks.
PROPOSED SYSTEM:
We propose a smartphone user authentication scheme, called ShakeIn, based on customised single-handed shakes. As shown in Figure 1(a), a shake refers to a to-and-fro movement with one hand holding a smartphone and swinging the x- and y-axis coordinate plane of the phone around the elbow in the air. In essence, ShakeIn adopts a machine learning methodology, consisting of a training phase and an authentication phase. More specifically, in the training phase, ShakeIn first asks a legitimate user to choose his/her preferred shaking styles and collects a small number of shakes. For each of these shakes, unique and reliable biometrical features are derived from the raw readings of the embedded 3D accelerometer and the gyroscope sensors, and then utilised to establish a Support Vector Machine (SVM) classifier. In the authentication phase, ShakeIn uses the pre-trained classifier to verify the legitimacy of shaking attempts from a user and unlocks the phone if the user passes the verification. The key insight behind ShakeIn is that people have consistent and distinguishing physiological characteristics (e.g., the physical structure of the arm) and behavioural characteristics (e.g., shaking behaviour patterns) while doing shakes.
EXISTING SYSTEM:
Several schemes have been proposed that utilise the accelerometer in smartphones to recognise human biometric gait. In general, these schemes have low true positive rates as they are sensitive to many uncontrollable factors such as the phone placement and the types of the ground surface and shoes. Other physiological characteristics such as fingerprints, face and sound could be utilised for authentication. Typing behaviour with physical keyboards can be utilised to authenticate users, but the performance of these schemes when applied to smartphones is uncertain as typing behaviour on touch screens is more difficult to model. Some schemes have been proposed to draw special gestures on the touch screen of a smartphone for authentication. OpenSesame and uWave are the two schemes most closely related to our work. OpenSesame allows users to shake or roll their phones with no special requirements and derives four types of geometric features from three-axis raw acceleration readings. Probability density functions (PDFs) of those feature samples are further used to train classifiers and verify a user. uWave can verify the legitimacy of a user by comparing the time series of three-axis acceleration readings of a testing gesture drawn in the air to a pre-defined template library by employing dynamic time warping (DTW). These schemes have relatively high false positive errors, especially under shoulder-surfing attacks. ShakeIn differs from both schemes essentially in how features are extracted. In ShakeIn, both physiological and behavioural characteristics are considered, which makes ShakeIn easy to use and at the same time resilient to shoulder-surfing attacks.
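The template comparison described above for uWave, sketched as an added example (not code from the paper or from uWave): DTW over three-axis acceleration traces, checked against a small template library. The traces, the `synth_trace` helper and the acceptance threshold are constructed assumptions, not measured data.

```python
import math

def dtw_distance(a, b):
    """Length-normalised DTW cost between two lists of (x, y, z) samples."""
    n, m = len(a), len(b)
    inf = float("inf")
    prev = [0.0] + [inf] * m          # row 0 of the cumulative-cost matrix
    for i in range(1, n + 1):
        cur = [inf] * (m + 1)
        for j in range(1, m + 1):
            step = math.dist(a[i - 1], b[j - 1])   # Euclidean distance in 3D
            # Extend the cheapest of: insertion, deletion, match.
            cur[j] = step + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m] / (n + m)

def verify(attempt, templates, threshold):
    """Accept when the closest enrolled template is within the threshold."""
    best = min(dtw_distance(attempt, t) for t in templates)
    return best <= threshold, best

def synth_trace(samples, cycles, phase=0.0, amp=(1.0, 0.5, 0.2), z_bias=0.0):
    """Constructed stand-in for a recorded gesture (not real sensor data)."""
    trace = []
    for k in range(samples):
        theta = 2 * math.pi * cycles * k / samples + phase
        trace.append((amp[0] * math.sin(theta),
                      amp[1] * math.cos(theta),
                      amp[2] * math.sin(2 * theta) + z_bias))
    return trace

# Template library enrolled by the owner: two recordings of the same gesture.
TEMPLATES = [synth_trace(40, 2.0), synth_trace(44, 2.0)]
# Same gesture performed more slowly with a small phase shift.
SAME_GESTURE = synth_trace(52, 2.0, phase=0.1)
# Different gesture: other tempo, other axis mix, phone held at another tilt.
OTHER_GESTURE = synth_trace(40, 3.5, phase=1.0, amp=(0.3, 1.0, 0.2), z_bias=1.0)
THRESHOLD = 0.15   # assumed value; in practice tuned on enrolment data

if __name__ == "__main__":
    print("same gesture :", verify(SAME_GESTURE, TEMPLATES, THRESHOLD))
    print("other gesture:", verify(OTHER_GESTURE, TEMPLATES, THRESHOLD))
```

DTW absorbs differences in tempo and length, so the decision depends only on how closely the attempt's trajectory follows a template.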
CONCLUSION
In this paper, we have proposed a smartphone user authentication scheme, called ShakeIn, based on customised one-hand shakes. ShakeIn is resilient to shoulder-surfing and biometrics hacking attacks as it adopts both physiological and behavioural characteristics to profile users. Furthermore, ShakeIn is handy as it allows customised shakes and single-hand operations. ShakeIn is quite reliable and can work well with different modes of transport. As ShakeIn needs only off-the-shelf devices, it is easy to gain a wide deployment. Nevertheless, ShakeIn also has several limitations. For example, if a user forgets how he/she shook during the training phase, it is very likely that ShakeIn will refuse to unlock for this user. We suggest that a user choose the most comfortable shaking styles as his/her “passwords”. Another limitation of ShakeIn is that currently it can work with two common postures, i.e., sitting and standing. It would be more practical if more postures were supported. In addition, extending ShakeIn to other mobile devices bigger than smartphones in size, such as tablets, is also challenging. Moreover, we would also investigate using more advanced classifiers such as Structural Minimax Probability Machine in the future.