TMGuard: A Touch Movement-Based Security Mechanism for Screen Unlock Patterns on Smartphones
  • Keywords: Mobile security; User authentication; Android unlock patterns; Usability; Touch gestures; Behavioral biometric
  • Publication title: Lecture Notes in Computer Science
  • Publication year: 2016
  • Volume: 9696
  • Issue: 1
  • Pages: 629-647
  • Full-text size: 784 KB
  • Author affiliations: Weizhi Meng (16)
    Wenjuan Li (17)
    Duncan S. Wong (18)
    Jianying Zhou (16)

    16. Infocomm Security Department, Institute for Infocomm Research, Singapore, Singapore
    17. Department of Computer Science, City University of Hong Kong, Hong Kong, China
    18. Applied Science and Technology Research Institute (ASTRI), Hong Kong, China
  • Book series title: Applied Cryptography and Network Security
  • ISBN: 978-3-319-39555-5
  • Publication category: Computer Science
  • Publication subjects: Artificial Intelligence and Robotics
    Computer Communication Networks
    Software Engineering
    Data Encryption
    Database Management
    Computation by Abstract Devices
    Algorithm Analysis and Problem Complexity
  • Publisher: Springer Berlin / Heidelberg
  • ISSN: 1611-3349
  • Volume order: 9696
Abstract
Secure user authentication is a big challenge for smartphone security. To overcome the drawbacks of knowledge-based methods, various graphical passwords have been proposed to enhance user authentication on smartphones. Android unlock patterns are one of the Android OS features aiming to authenticate users based on graphical patterns. However, recent studies have shown that attackers can easily compromise this unlock mechanism (i.e., by means of smudge attacks). We advocate that some additional mechanisms should be added to improve the security of unlock patterns. In this paper, we first show that users would perform a touch movement differently when interacting with the touchscreen and that users would perform somewhat stably for the same pattern after several trials. We then develop a touch movement-based security mechanism, called TMGuard, to enhance the authentication security of Android unlock patterns by verifying users’ touch movement during pattern input. In the evaluation, our user study with 75 participants demonstrates that TMGuard can positively improve the security of Android unlock patterns without compromising its usability.
