Template Attacks

A biometric template attack takes place when the information used for comparison to a newly gathered biometric is altered to allow authentication of an impostor. The Framework refers to the biometric template as the trained classifier, or alternatively, the set of event objects in the training buffer. In this type of attack, the training event objects themselves may be replaced, or the trained classifier may be replaced with a pre-trained substitute that has been trained on the attacker’s patterns, or the entire training event object buffer may be replaced, as shown in Figure 8.1. In the latter case, periodic classifier retraining would replace the current model that represents the device owner with one that represents another.

To mitigate template attacks, protection must be given to the memory and communication channels between the Framework components. Furthermore, event objects that have not originated from biometrics gathering should be rejected. Since the data does not leave the device and all calculations are expected to take place on–device, it is unlikely that such attacks would be successful.

Mitigation techniques for biometrics–based attacks usually involve either watermarking, en- crypting or hashing the biometrics themselves. It is unlikely, given the environmental con- straints, that the Framework could support such processor- and memory-intensive operations, particularly on such large amounts of data. However, it is possible that the individual fea- ture vectors used may be protected via these techniques, particularly if a simple encryption technique is used.

8.5.5

Multimodal Biometrics

Using multimodal biometrics is itself a form of mitigation against biometric replay attacks since any attacker would have to provide more than one type of authorized biometric simul- taneously in order to create a multimodal biometric [174]. The transparent nature of the

8.6. Summary 164 authentication provided by the Framework makes spoofing biometrics more difficult since it is not obvious to observers what biometrics are being gathered. Furthermore, each applica- tion that uses the Framework as an authenticator may employ different biometrics, and could replace weak or subverted methods with others as needed. In terms of the Framework, us- ing multimodal biometrics is only a partial mitigation to replay attacks since the Framework also allows use of single biometrics in cases where only one type is available. Use of sev- eral biometrics to create multimodal biometrics within the Framework would help use this mitigation technique to its fullest potential.

8.6

Summary

Many types of attacks are specific to mobile device environments. While the Transparent Au- thentication Framework is vulnerable to these attacks to a greater or lesser extent because it runs on a mobile device, there are also specific attacks that exploit the Framework’s structure and components. These have been discussed in this chapter, and mitigation techniques have been suggested for each attack. Many of the suggested mitigation techniques rely on stan- dards such as cryptography, user education, and use of hash functions for software. These may not be worth pursuing in terms of the cost-benefit tradeoff.

In general, the Transparent Authentication Framework is vulnerable to many mobile device- based attacks, and may use the mitigation techniques for these as necessary. The Framework is no more susceptible to attacks than other mobile device software, with the possible excep- tion of biometrics-specific attacks. Many attacks depend on the mobile device environment being used; thus, a security risk assessment should be undertaken before implementing soft- ware based on this Framework.

165

Chapter 9

Conclusions and Future Work

This dissertation has provided details of the Transparent Authentication Framework, includ- ing the design, candidate biometrics and a perception study carried out to assess user ac- ceptability of the mechanism. The Transparent Authentication Framework delivers transpar- ent, continuous authentication on mobile devices by relating device confidence to tasks and data on the device. The Framework provides transparent authentication by using behavioral biometrics that are gathered in the background. It provides continuous authentication by recalculating device confidence whenever biometric samples are available.

To conclude this dissertation, design considerations for the Transparent Authentication Frame- work are provided. The purpose of providing these design considerations is to inform future iterations of the Framework and to highlight issues in transparent authentication design. The research contributions this dissertation has made are then related to the hypotheses and re- search questions that define this work. Finally, areas for future work based on the Transparent Authentication Framework are discussed.

9.1

Motivation Revisited

Three core considerations motivated this research. They have been addressed by the Frame- work in the following ways:

The Password Problem: The Framework may reduce the need for explicit authentication methods such as passwords and PINs by repositioning authentication provision as a background task. This provides the device owner with fewer chances to subvert secret knowledge techniques by using weak or shared secrets. Furthermore, the Framework provides a nuanced approach to security provision that goes beyond point-of-entry security to allow users to map device confidence to tasks and data on the device. This further reduces the reliance on typically weak passwords and PINs.

9.2. Framework Design Considerations 166