5.4 Gesture Based Authentication
5.4.3 Attack Types
Authentication mechanisms are only useful if they achieve a certain security performance by being able to resist attacks. An attack is deemed successful if an attacker is able to forge the gesture of a genuine user.
We distinguish between three types of forgeries depending on the knowledge available to an attacker about the genuine gesture:
• Naïve: an attacker that has no knowledge about the genuine gesture can only create naïve forgeries (Ballard et al., 2007).
• Semi-Naïve: if an attacker has knowledge about the general shape of the genuine gesture, he can perform semi-naïve forgeries.
• Visual: the most sophisticated class of attacks is based upon visual disclosure of the genuine gesture (Liu et al., 2009a). We call these visual forgeries.
It is clear that the more knowledge about the genuine gesture is available to an attacker, the more likely it is that he can produce successful forgeries. However, the attacker must also be able to physically reproduce the gesture with enough precision. The difficulty for the attacker thus depends on the complexity of the genuine gesture as well as the ability of the genuine user to reproduce the gesture with a variance that will pass the threshold set by our mechanism.
5.4.4 User Study
We conducted two user studies to evaluate three key aspects relevant to gesture-based user authentication on mobile devices: feasibility, usability and resistance against attacks.
Figure 5.10: Visualization of the gestures we designed for use in the first user study: (a) Left-Right, (b) Circle, (c) Left-Right-Arc, (d) Infinity, (e) Triangle, (f) Hand Rotation.
Feasibility addresses the question whether gesture-based authentication (GBA) is in general possible using motion sensors embedded in mobile devices. For the system to be usable, it needs to be perceived by users as a useful alternative or even a replacement for currently available authentication mechanisms.
In the first study 15 participants simulated the perspective of genuine users, so that we could study the feasibility and usability aspects of our system. We predefined six gestures for use with our system (Figure 5.10). This way, we avoided burdening the participants with inventing their own gestures, giving them more time to understand the authentication mechanism itself. Also, this allowed us to evaluate semi-naïve forgeries. The gesture labels helped the test subjects to attach meaning to the gestures, such that they could memorize them more easily.
Each participant provided 5 enrollment and 15 validation samples for each predefined gesture class. The enrollment samples were used to build a model for each gesture class and the validation samples were used to test the model’s accuracy. The enrollment samples and 10 validation samples were recorded while the user was standing.
We recorded the gesture entries during the first user study so that we could use them in the second user study to evaluate the risks due to visual disclosure of the genuine gesture. We selected two interpretations of each designed gesture and showed the video recordings of the enrollment samples to each participant (“forger”) of the second study. In total, 10 subjects participated in the second user study. None of those test subjects had participated in the first study, and the visualization and description of the gestures was unknown to them.
We developed two questionnaires to evaluate the usability as well as the social acceptability of GBA. For the user study, we implemented an application for an iPhone 4, which displays the push-to-display button and logs motion sensor data at a frequency of 80 Hz.
5.4.5 Results
The results of the user study are promising. We found that a length constraint of ±23% around the average sequence length of the enrollment gestures performs well. This constraint includes 97.3% of the enrollment and 90.7% of the validation samples. It excludes 58.3% of the naïve and semi-naïve forgeries and 36.9% of the visual forgeries. For DTW, we obtained the best results with a slope constraint of 1 and a non-diagonal alignment penalty. The integration of multiple samples for matching performed better than using only the enrollment sample with the lowest distance.
[Figure 5.11 plot: FAR in % (y axis) against FRR in % (x axis); curves for DTW Semi-naïve, DTW Visual, HMM Semi-naïve and HMM Visual.]
Figure 5.11: ROC for the 12 interpretations attacked in the 2nd user study. The x axis shows the false rejection rate (FRR) and the y axis shows the false acceptance rate (FAR). (Guse, 2011).
As expected, naïve forgeries were rarely accepted as genuine by both algorithms. In Figure 5.11, the Receiver Operating Characteristics (ROC) of HMM and DTW for semi-naïve and visual forgeries are compared with the attacked interpretations. DTW performs as expected, because visual forgeries are more likely to be accepted than semi-naïve ones.
We obtained an unexpected result for HMMs. Above a certain threshold, HMMs accept a larger number of semi-naïve forgeries than visual forgeries. A possible cause for this is the use of likelihood as similarity metric. In general, HMMs perform better for visual forgeries than all variants of DTW we studied. In a detailed evaluation of DTW we found that 5 of the 12 attacked interpretations achieved a False-Rejection-Rate (FRR) of less than 20% without accepting any of the visual forgeries. With one model, we achieved a FRR of 0% and a single model was completely unusable with a FRR of 93%.
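The matching pipeline described in the results above (the ±23% length constraint around the mean enrollment length, DTW with a slope constraint of 1 and a non-diagonal alignment penalty, integration of all enrollment samples instead of the single closest one) and the FRR/FAR figures, as an added example that is not the thesis's own code. It assumes the slope constraint is the Sakoe-Chiba P=1 step pattern and the penalty is an additive constant on off-diagonal steps; the Circle samples, the forgeries and the threshold 0.4 are constructed for illustration.

```python
import math

def circle(n, amp=1.0, phase=0.0):
    """Constructed 3-axis motion sample: one circular sweep sampled at n points."""
    return [(amp * math.cos(2 * math.pi * k / n + phase),
             amp * math.sin(2 * math.pi * k / n + phase), 0.0) for k in range(n)]

def length_ok(probe, enroll, tol=0.23):
    """Length constraint: probe length within ±tol of the mean enrollment length."""
    mean_len = sum(len(e) for e in enroll) / len(enroll)
    return abs(len(probe) - mean_len) <= tol * mean_len

def dtw(a, b, penalty=0.1):
    """Symmetric DTW with Sakoe-Chiba slope constraint P=1 (steps (1,1), (1,2),
    (2,1); assumed reading of 'slope constraint of 1') plus an additive penalty
    on each non-diagonal step. Normalized by n+m so unequal lengths compare."""
    n, m, inf = len(a), len(b), float("inf")
    c = lambda i, j: math.dist(a[i - 1], b[j - 1])
    g = [[inf] * (m + 1) for _ in range(n + 1)]
    g[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = g[i - 1][j - 1] + 2 * c(i, j)
            step12 = g[i - 1][j - 2] + 2 * c(i, j - 1) + c(i, j) + penalty if j > 1 else inf
            step21 = g[i - 2][j - 1] + 2 * c(i - 1, j) + c(i, j) + penalty if i > 1 else inf
            g[i][j] = min(diag, step12, step21)
    return g[n][m] / (n + m)

def score(probe, enroll, integrate=True):
    """Integrate all enrollment samples (mean distance) instead of the closest one."""
    dists = [dtw(probe, e) for e in enroll]
    return sum(dists) / len(dists) if integrate else min(dists)

def accept(probe, enroll, threshold=0.4):
    return length_ok(probe, enroll) and score(probe, enroll) <= threshold

def error_rates(genuine, forgeries, enroll, threshold=0.4):
    """FRR: genuine samples rejected; FAR: forgeries accepted (both as fractions)."""
    frr = sum(not accept(g, enroll, threshold) for g in genuine) / len(genuine)
    far = sum(accept(f, enroll, threshold) for f in forgeries) / len(forgeries)
    return frr, far

# Constructed data: Circle enrollment set, genuine probes, forgeries by attacker knowledge.
ENROLL = [circle(n) for n in (38, 40, 42, 44, 46)]
GENUINE = [circle(41, amp=1.05), circle(43, amp=0.95, phase=0.05)]
FORGERIES = {
    "naive": [(1.0, 0.0, 0.0)] * 42,     # wrong shape, plausible length
    "semi-naive": circle(45, amp=2.0),    # right shape, wrong amplitude
    "visual-slow": circle(55),            # right shape, too long for the gate
}
```

The length gate rejects the slow visual forgery before any DTW is computed, while the semi-naïve forgery passes the gate and is rejected only by the distance threshold.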
According to the evaluation of the questionnaires, none of the participants of the first user study perceived the mechanism as unnatural, annoying or fatiguing. 2/3 of them would use gestures for authentication in public places. Nevertheless, 7 participants believed that a gesture is easily forgeable. The majority of forgers believed that they could create an exact forgery for 9 of the attacked gestures. However, as we demonstrated with the second user study, this is not true.
5.4.6 Discussion
Through our user study, we have shown that GBA is feasible—an identification based upon biometric input measurements of a user’s movement can be accomplished using the accelerometers and gyroscopes embedded in mobile devices.
Our results indicate that GBA is usable. It was not perceived negatively or as annoying or tiring by any participant. The only issue was that gestural authentication may not be suitable in certain social contexts. Possible solutions for this are to retain the existing (and socially non-critical) authentication mechanisms alongside GBA, or to extend the GBA mechanisms with implicit authentication mechanisms. There has already been work in this domain, e.g. (Jakobsson et al., 2009).
We have shown that GBA has the potential to be secure. Although, as shown in Figure 5.11, the FRR for a “reasonable” FAR still remains high, with a FRR > 20% for a FAR < 5%, increasing the number of training templates or applying a more sophisticated learning algorithm than DTW should significantly improve these values. The number of training templates should be trivial to increase, as the user supplies a new template upon every successful authentication. Of course, DTW will only scale performance-wise up to a certain number of templates. Thus, templates with lower similarity will have to be discarded over time. This scheme would also help the system adapt to changes in the users’ movement characteristics over time. Alternatively, a more sophisticated supervised learning algorithm such as an Artificial Neural Network could be used. Every successful authentication could then be used for an additional optimization step of the model. Even though it remains to be seen if the security level of PIN entry can be achieved with GBA, the gesture-based technique is a promising candidate for authentication tasks that need to be used repeatedly in low- to medium-risk scenarios, such as device unlocking or accessing highly frequented services with a relatively low damage potential, such as chat applications or social networks⁸.
Finally, what is interesting to note is that the perception of the security of our system was lower than its actual performance, as most of the forgers believed they could successfully forge legitimate entries. A study may need to be made with professional movement practitioners, such as mimes or dancers, to see if the security of the system lies mainly in the ineptitude of the attackers to properly mimic the movements of the legitimate users or if the biometric movement characteristics that

⁸ It is likely that individual users will have differing views on what the risk level of a particular task is. This risk-assessment is given solely for exemplification and represents the author’s opinion on the stated scenarios.