In this project, we develop zero-effort authentication methods for mobile devices that leverage user behavioral characteristics to identify authorized users. It appears that physical behavioral patterns, such as a way a person is typing, tapping, swapping, scrolling, navigating and even holding a mobile device, are user-specific and can be used for authentication. We leverage established Machine Learning methods and demonstrate that they can effectively distinguish different users by analyzing data collected from movement sensors.
While online payments and online banking are not a recent development, during the last decade there has been a drastic shift towards using mobile devices for these and other applications involving sensitive user data. What distinguishes mobile apps from classic desktop web applications is that users tend to remain logged into the app for a longer period of time. This provides a larger attack surface for malware residing on the device, which can attempt to hijack user-established sessions, even at times when the user is not using the device. Since service providers, like banks and payment providers, have no control over the devices of end users, those need to be treated as untrusted environments. Furthermore, thieves who are more likely to steal mobile devices than desktop computers pose an additional risk.
While two factor authentication methods, such as one-time generated passwords, are gaining traction, these are often only enforced at the initial login or for protection of larger transactions, while not providing any protection against session hijacking attacks that can be launched, e.g., by co-residing malware. Furthermore, they require explicit user interaction, which is why they are sometimes perceived as a nuisance rather than a useful security mechanism, if used too often.
The goal of this project is to develop zero-effort user authentication methods that can enhance existing password-based authentication and provide additional protection against session hijacking attacks. In particular, we explore Machine Learning methods and various user behavioral features that could potentially be used for authentication, such as typing, tapping, swapping, UI navigation, scrolling, etc. The challenges we tackle in this project are scalability, fast enrollment, fast detection, and difficulty to extract unique behavioral features from limited information that can be collected from mobile movement sensors (gyroscope, magnetometer and accelerometer).
The project is funded by and is executed in cooperation with KOBIL and GmbHTU Darmstadt