Design Considerations - A framework for continuous, transparent authentication on mobile device

3.5.2 Bootstrapping

During bootstrapping, biometric samples are gathered from the user and classified. This continues until sufficient data is available for the biometric to be used in the overall device confidence calculation. It is distinct from Enrolment because it requires a trained classifier. This stage is when newly gathered biometrics resulting from regular device use are compared to those provided during Enrolment, and the device confidence is increasing to a point where regular device tasks are allowed. Access to applications, tasks, and data is restricted in this stage, but can be accessed via the explicit authentication method. Each time a viable biometric pattern is seen, it is used immediately to increase (or decrease) device confidence. This continues until the minimum confidence threshold is reached, as set by the device owner during Enrolment.

This stage holds a certain amount of security risk since there is not yet a device confidence to use to allow or disallow tasks, which implies that all tasks are available to all users. How- ever, the device will have minimal functionality since device confidence defaults to 0% in new implementations, so the risk is minimized. The other concern is owner frustration – it is likely that the device owner will be required to use the explicit authentication method more frequently in this stage, which may lead to frustration and concern that transparent authentication is no less frustrating than password and PIN entry.

3.5.3 Continuous, Transparent Authentication

This represents the normal working of the continuous, transparent authentication system, in which new biometric patterns gathered as the device is used are presented to the trained classifier model. Prior to the start of this stage, the device confidence has been increased to the user–selected minimum confidence threshold via the Bootstrapping phase. The pattern classification results are used to update the device confidence, and then to allow or disallow access to tasks and data on the device.

3.6 Design Considerations

This section describes options for the biometrics and pattern classifiers that may be used in the Framework.

3.6. Design Considerations 60

3.6.1 Biometrics

The Framework uses one or more biometrics to make decisions regarding the identity of the current mobile device user. The Transparent Authentication Framework supports the use of more than one type of biometric in order to reduce the error rates seen with many behavioral biometrics. The type and number of biometrics is not specified in the Framework; they should be chosen on an individual basis based on the needs of the specific authentication system being developed. The biometrics are interchangeable so that future improvements to existing or discoveries of new biometrics may be leveraged to reduce the error rates and improve security levels beyond those provided by passwords and PINs. While the number and type of biometrics is meant to be flexible, the biometrics used in the Framework should have a majority of the following properties:

Universality: each mobile device owner should have the characteristic being measured; Distinctiveness: any two people should have sufficiently different characteristics that their

identity can be verified (as opposed to matching an identity to the person using the device);

Collectability: the characteristic can be measured in a quantitative manner;

Acceptability: device owners should consent to using the characteristic to identify them on their device;

Transparency: the characteristic can be collected while the device owner goes about other tasks;

Minimality: collecting the characteristic should not require additional hardware other than that provided by the mobile device alone.

The first four properties are common to all biometrics [59]; the last two are specific to this Framework.

Possibilities for the biometrics chosen for this Framework include, but are not limited to, device use, keystroke dynamics, gait analysis, and voice–related patterns. These are all behavioral biometrics since most physiological biometrics require explicit participation, such as providing a fingerprint or iris for scanning, adopting a specific facial expression, orien- tation, or lighting condition for facial recognition. Furthermore, physiological biometrics often require an enrolment phase that has its own security concerns such as confirming that the person providing the biometric is the genuine owner of the device. Therefore, most physiological biometrics conform to the first four properties listed above, but fall short on the last two: transparency and minimality. Since these are the two that are most related to

3.6. Design Considerations 61 a continuous, transparent authentication method, physiological biometrics were disqualified from use with this Framework. Should these biometrics adhere to the need for transparency and minimality in the future, they may be added to this Framework without changing its structure.

While the suggested behavioral biometrics all have the required properties, two stand out as ideal for use with mobile devices: keystroke dynamics and speaker verification. Both take advantage of common mobile device tasks: typing and speaking. Keystroke dynamics can be gathered while the device owner types emails and text messages, and voice patterns may be gathered during phone calls, recording voice memos, or using voice–activated search capabilities such as those provided by Apple’s Siri1_{and the Google voice search application}2_.

Neither biometric requires anything beyond what is already provided on the mobile device, specifically a keyboard and a microphone, thereby fulfilling the minimality requirement. The outstanding properties are collectability, acceptability and distinctiveness; Chapters 4 and 5 in this dissertation have provided initial evidence to conclude that keystroke dynamics and speaker verification also have these properties.

Keystroke dynamics is straightforward since it can be gathered while the owner goes about common tasks. Voice patterns, however, are somewhat more complex because the biometric itself is more complex. Work on speaker verification has the most parallels to a transparent authentication mechanism for mobile devices because it is concerned only with verifying the speaker’s identity rather than knowing their identity (speaker recognition) or discovering their role in a conversation (conversation analysis). Thus, speaker verification along with keystroke dynamics are recommended as the biometrics for the Transparent Authentication Framework, although it is the intent that these could be replaced with other biometrics as required. Furthermore, it is suggested that whatever biometrics are chosen for use be com- bined into multimodal biometrics since this is a widely accepted way of reducing error rates seen with individual biometrics.

3.6.2 Pattern Classifiers

Classifier algorithm choice is non–trivial and depends on the biometric chosen and the distinctiveness of the feature vectors calculated from them. Feasibility studies into the applicability of various classification algorithms should be performed after the biometrics used have been chosen. Important considerations for initial classifier choice are speed of classification, ease of development, processor and memory requirements, and accuracy. Suggested initial classifiers to test are k-nearest neighbor, decision trees, and Na¨ıve Bayes variations since they meet these requirements. Justification for these choices is given in Chapters 4

1_{http://www.apple.com/ios/siri/}

3.7. Summary 62 and 5, that describe classifier comparisons for keystroke dynamics and speaker verification on iPhone and iPod Touch devices. Neural networks may be investigated, but are likely too computationally intensive for use on a mobile device. More information on classifier selection properties can be found in Chapter 2.

3.7 Summary

This chapter has presented the Transparent Authentication Framework, a device and oper- ating system independent model that allows developers to create a continuous, transparent authentication mechanism that fits the needs of their particular implementation. The Frame- work was described in terms of data structures and their associated processes. The concept of device confidence was presented, and a method for mapping device confidence to particular tasks on the device in question was offered. The biometric lifecycle was described, with particular focus on how a user might work with an application that was based on the Frame- work. Specific mention was made of the design considerations specific to the Bootstrapping stage of the lifecycle, since this stage may require more attention to user education in order to avoid misconceptions regarding the frequency of explicit authentication method use.

Chapter 4 Keystroke Dynamics Feasibility

Study

This chapter provides details on the study performed to determine whether keystroke dynamics is a suitable behavioral biometric for use in the Transparent Authentication Frame- work. First, the Keystroke Dynamics Feasibility study1 is introduced, then details of the study’s methodology are given including participants, apparatus, materials, and procedure. The study’s results are then presented, along with a discussion of their applicability. Fi- nally, the results of the keystroke dynamics feasibility study are related to the Transparent Authentication Framework and to this research as a whole.

In document A framework for continuous, transparent authentication on mobile devices (Page 73-77)