Graduate Institute of e-Learning, National Changhua University of Education
Ting-Yi Chang (張庭毅)
E-mail: tychang@cc.ncue.edu.tw
Phone: EXT 7381
A Graphical-based Password Keystroke Dynamic Authentication System for Touch Screen Handheld Mobile Devices
Appears in Journal of Systems and Software
Authentication
• Text-based Authentication: the password space of an 8-character text-based password on the QWERTY keyboard: How to choose your password? dictionary attack, shoulder surfing attack
• PIN-based Authentication: no QWERTY keyboard is used on mobile devices. The password space of a 6-digit PIN-based password: guessing attack, shoulder surfing attack
Graphical-based Authentication
• Graphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings.
• In psychological studies, graphical passwords are easier to remember, since humans remember pictures better than words and numbers.
• Images are recognized with very high accuracy (up to 98 percent) after a two-hour delay, which is much higher than the accuracy for words and sentences.
• It has been found that the error in recognition of images is only 17 percent after viewing 10,000 pictures.
Graphical-based Authentication
• Recall-based graphical password: a user is asked to reproduce something that he or she created or selected earlier, during the registration stage.
• Recognition-based graphical password: a user is authenticated by challenging him/her to identify one or more images he or she chose during the registration stage.
Graphical-based Authentication
• Users choose sub-photos in order. The password space of choosing 6 sub-photos from 36 photos: shoulder surfing attack
Graphical-based Authentication
• Users choose 3 icons (called pass icons) from 1,000 icons. During authentication, the system shows a set of icons that includes the pass icons. The user uses the pass icons to form an area and then clicks an icon that lies inside that area. shoulder surfing attack
Graphical-based Authentication
• PassPoints: a user's password consists of any chosen sequence of points in the image. Because requiring users, while they are being authenticated, to reselect exactly the same points (pixel coordinates) they selected during registration is too strict, all pixel-based graphical password authentication schemes set a tolerance area. For 5 clicks with a 10×10 tolerance area on a 640×480 image, the password space is:
Keystroke Feature
Four basic keystroke time features when a user types the string 'ABCD'
Keystroke time feature
• Methodology
• Record the user's keystroke process; each operation is taken as the user's feature data.
• Verify the password and analyze these feature data to judge the user's identity.
• Advantage
• No additional operation and no extra devices required.
• Prevents password guessing attacks and shoulder surfing attacks.
# of training samples? design? Error?
System Assessment
• Assessment
• False Rejection Rate (FRR): Type I error
• False Acceptance Rate (FAR): Type II error
• Equal Error Rate (EER)
Classifier
• Different types of classifier
• Statistical
• Neural network
• Fuzzy logic
• Support vector machine
• Nearest neighbors
• Clustering algorithm
Training Sample
• Fewer training samples for the classifier is better!
• Araújo et al.'s suggestion (2005): the number of training samples should be less than 10.
• High-quality samples are good for the classifier.
• Chang et al. (2010) used a personalized rhythm to enhance sample quality. However, users must additionally memorize their personalized rhythms, which adds to their loading.
Keystroke Features on Mobile Devices
• Some studies use the concept of keystroke time features on mobile devices (text-based or PIN-based passwords).
• The size or layout of keypads is different.
• A user may not get used to entering his/her PIN or password via different devices.
• Some touch mobile devices have no keypad!
• The system utility for mobile devices is worse than that for QWERTY keyboards.
Touch Screen Mobile Devices
A large password space? Easy-to-remember? No matter what the size and the layout? Other keystroke features? No loading? # of training samples for the classifier? Efficient classifier for low-power devices? Low EER?
Enrollment Phase
• No matter the size of the image, it is transformed into a 49mm×58mm frame and the system cuts it into 30 thumbnail photos, each with an identical size of 9.5mm×9.66mm.
• The user chooses 3 to 6 photos through the touch panel on the mobile device, and the sequence of these photos is the user's graphical password.
No matter what the size and the layout? Easy-to-remember? Compared with a 4~6 digit PIN-based password: vs. A large password space?
• After observing users using touch screen handheld mobile devices, we found that users enter their data through the touch screen in a characteristic fashion. The force with which each person clicks or touches the touch panel is not necessarily the same when they enter their data; thus, the system captures different pressures from the touch panels on mobile devices.
Other keystroke features? No loading?
Keystroke time features and press feature when a user enters a graphical password 'photo1, photo2, photo3, photo4'
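The slides show the keystroke time features and the press (pressure) feature as a figure only. The following is an added example, not the paper's Java/Android code: it derives those features from a constructed tap sequence using the same quantities the Android MotionEvent API exposes (down time, event time, pressure). Which four time features the slide means is not stated, so the four used here (hold, press-to-press, release-to-press, release-to-release) are an assumption, as are the class and function names.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Tap:
    """One touch on a thumbnail photo. Times are in ms, as Android's
    MotionEvent.getDownTime()/getEventTime() would report them; pressure is
    the value MotionEvent.getPressure() returns at ACTION_DOWN (nominally 0..1)."""
    target: str
    down_ms: int
    up_ms: int
    pressure: float


def extract_features(taps: List[Tap]) -> Dict[str, List[float]]:
    """Build the feature sets for one login attempt.

    hold     : up - down of the same tap (how long the finger stays down)
    dd       : down(i+1) - down(i), press-to-press latency
    ud       : down(i+1) - up(i), release-to-press latency (negative if the
               next photo is pressed before the previous one is released)
    uu       : up(i+1) - up(i), release-to-release latency
    pressure : touch-panel pressure of each tap (the "press feature")
    The choice of these four time features is an assumption, not the paper's definition.
    """
    if len(taps) < 2:
        raise ValueError("a graphical password needs at least two taps")
    feats: Dict[str, List[float]] = {"hold": [], "dd": [], "ud": [], "uu": [], "pressure": []}
    for t in taps:
        if t.up_ms < t.down_ms:
            raise ValueError(f"tap on {t.target} released before it was pressed")
        feats["hold"].append(float(t.up_ms - t.down_ms))
        feats["pressure"].append(float(t.pressure))
    for prev, nxt in zip(taps, taps[1:]):
        feats["dd"].append(float(nxt.down_ms - prev.down_ms))
        feats["ud"].append(float(nxt.down_ms - prev.up_ms))
        feats["uu"].append(float(nxt.up_ms - prev.up_ms))
    return feats


def flatten(feats: Dict[str, List[float]]) -> List[float]:
    """Concatenate the sets into one fixed-order vector
    (4 hold + 3 dd + 3 ud + 3 uu + 4 pressure = 17 values for a 4-photo password)."""
    return feats["hold"] + feats["dd"] + feats["ud"] + feats["uu"] + feats["pressure"]


# Constructed sample (not measured data): a user tapping photo1..photo4.
SAMPLE_TAPS = [
    Tap("photo1", 0, 95, 0.42),
    Tap("photo2", 310, 400, 0.47),
    Tap("photo3", 640, 745, 0.40),
    Tap("photo4", 1010, 1100, 0.45),
]

if __name__ == "__main__":
    f = extract_features(SAMPLE_TAPS)
    for name, values in f.items():
        print(f"{name:9s} {values}")
    print("vector length:", len(flatten(f)))
```

The vector produced by `flatten` is the per-sample input the classifier below works on; because every sample of a given password has the same number of taps, all of a user's samples have the same length, which is what the per-element mean and standard deviation require.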
These sets of the ith training sample are denoted as:
Note that every user in the system only needs to provide five training samples (i = 1 to 5) in the enrollment phase, which is fewer than Araújo et al.'s suggestion (<10).
# of training samples for the classifier?
Classifier Building Phase
• The classifier is built to verify the user's identity after obtaining the personal features.
• This paper employs a computation-efficient statistical classifier.
• The mean and the standard deviation are calculated for each element of the training feature sets by Eq. (1) and Eq. (2), respectively.
Authentication Phase
• An unknown user's features are denoted as [the login feature set], and the system calculates the average distance between each element of that set and the stored means by Eq. (3). The system then accepts or rejects the user's login based on a threshold. If the average distance is within the threshold, the user is legitimate. Otherwise, the system rejects the user's login.
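The classifier-building and authentication phases described above are easy to follow in code. This is an added example written for this page, not the paper's implementation: Eq. (1)-(3) are not reproduced on the slides, so the per-element mean, population standard deviation, the normalisation of the distance by the standard deviation, and the "accept when distance <= threshold" direction are all assumptions, as are the function names and the constructed enrollment data.

```python
import math
from typing import List, Sequence, Tuple


def build_classifier(training: Sequence[Sequence[float]]) -> Tuple[List[float], List[float]]:
    """Classifier building: per-element mean (Eq. 1-style) and standard
    deviation (Eq. 2-style) over the enrollment samples.
    Population std is an assumption; the paper's exact form is not on the slides."""
    n = len(training)
    if n < 2:
        raise ValueError("need at least two training samples")
    dim = len(training[0])
    if any(len(s) != dim for s in training):
        raise ValueError("all training samples must have the same number of features")
    means = [sum(s[j] for s in training) / n for j in range(dim)]
    stds = [math.sqrt(sum((s[j] - means[j]) ** 2 for s in training) / n) for j in range(dim)]
    return means, stds


def average_distance(sample: Sequence[float], means: Sequence[float],
                     stds: Sequence[float], eps: float = 1e-6) -> float:
    """Eq. (3)-style score: mean over elements of |x_j - mean_j| / std_j.
    Dividing by std (so a 5 ms deviation in hold time and a 0.01 deviation in
    pressure are comparable) is an assumption; eps guards zero-spread features."""
    if len(sample) != len(means):
        raise ValueError("sample has the wrong number of features")
    return sum(abs(x - m) / max(s, eps) for x, m, s in zip(sample, means, stds)) / len(means)


def authenticate(sample: Sequence[float], means: Sequence[float],
                 stds: Sequence[float], threshold: float) -> bool:
    """Accept when the average distance is within the threshold (direction assumed)."""
    return average_distance(sample, means, stds) <= threshold


# Constructed enrollment data (not the paper's): five samples, each
# [hold1..hold4 in ms, mean pressure], i.e. the five training samples per user.
TRAINING = [
    [95.0, 90.0, 105.0, 90.0, 0.42],
    [100.0, 88.0, 110.0, 92.0, 0.44],
    [90.0, 95.0, 100.0, 88.0, 0.40],
    [105.0, 92.0, 108.0, 94.0, 0.43],
    [95.0, 90.0, 102.0, 91.0, 0.41],
]
LEGIT_PROBE = [96.0, 91.0, 104.0, 90.0, 0.42]      # constructed: same user, later login
IMPOSTOR_PROBE = [140.0, 60.0, 150.0, 130.0, 0.80]  # constructed: someone who knows the photos
THRESHOLD = 1.0  # constructed; in practice chosen from the FRR/FAR trade-off

if __name__ == "__main__":
    means, stds = build_classifier(TRAINING)
    for label, probe in (("legitimate", LEGIT_PROBE), ("impostor", IMPOSTOR_PROBE)):
        d = average_distance(probe, means, stds)
        print(f"{label:10s} distance={d:.3f} accepted={d <= THRESHOLD}")
```

The point of the example is the cost model the slides emphasise: enrollment is one pass over five short vectors, and each login is one pass over one vector, with no matrix operations or iterative training, which is what makes a statistical classifier attractive on low-power handsets. Note that an impostor who has been told the photo sequence still lands far from the template because the timing and pressure profile, not the photos, carry the discriminating information.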
Experimental results
• This paper provides a graphical-based password keystroke system developed in the Java language and implemented on Android-compatible devices.
• The handheld mobile devices used in the experiment were a Motorola Milestone (with an ARM Cortex A8 550 MHz CPU and 256 MB memory), an HTC Desire HD (with a Qualcomm 8255 Snapdragon 1 GHz CPU and 768 MB memory), and a Viewsonic Viewpad (with an Intel Atom N455 1.66 GHz CPU and 1 GB memory).
• The one hundred users could freely choose their favorite photos to construct their graphical passwords and provided ten samples each.
• Five samples were collected at the same time through the same mobile phone (Motorola Milestone, 3.7 inch screen) and used in the enrollment phase to build the classifier.
• The other five samples were collected over a period of five weeks through two mobile devices (HTC Desire HD, 4.3 inch screen, and Viewsonic Viewpad, 10.1 inch screen).
• The devices provided to users in the enrollment phase and in the legitimate users' login test therefore had different screen sizes. No matter what the size and the layout?
• The total number of legitimate user samples was 100×5 = 500. The total number of impostor samples was 10×100×5 = 5000, obtained from ten people who were given the graphical passwords of the one hundred users and told to act as an impostor five times each.
java.lang.Object
↳ android.view.InputEvent
↳ android.view.MotionEvent
• getPressure(): Returns the current pressure of this event for the given pointer index.
• getDownTime(): Returns the time (in ms) when the user originally pressed down to start a stream of position events.
• getEventTime(): Returns the time (in ms) when this specific event was generated.
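The assessment slide defines FRR (Type I error), FAR (Type II error) and EER, and the experiment above produces exactly the two populations those rates need: distance scores for 500 legitimate logins and 5000 impostor attempts. The following is an added example, not the paper's evaluation code or data: it computes FRR and FAR at a given threshold and finds the EER by sweeping the threshold over constructed score lists. A lower score means closer to the enrolled template, and acceptance at "score <= threshold" is assumed to match the classifier.

```python
from typing import Sequence, Tuple


def rates_at(threshold: float, legit: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float]:
    """FRR = share of legitimate attempts rejected (score above threshold, Type I error);
    FAR = share of impostor attempts accepted (score within threshold, Type II error)."""
    if not legit or not impostor:
        raise ValueError("need scores from both populations")
    frr = sum(1 for s in legit if s > threshold) / len(legit)
    far = sum(1 for s in impostor if s <= threshold) / len(impostor)
    return frr, far


def equal_error_rate(legit: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (EER, threshold) at the point where FRR and FAR are closest.
    Raising the threshold lowers FRR and raises FAR, so the curves cross once."""
    best_gap, best = None, None
    for t in sorted(set(legit) | set(impostor)):
        frr, far = rates_at(t, legit, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, ((frr + far) / 2, t)
    return best


# Constructed average-distance scores (not the paper's 500/5000 samples):
# 10 legitimate logins and 10 impostor attempts against one user's template.
LEGIT_SCORES = [0.2, 0.3, 0.4, 0.5, 0.6, 0.9, 1.1, 1.4, 0.35, 0.45]
IMPOSTOR_SCORES = [0.8, 1.2, 1.5, 2.0, 2.5, 3.0, 1.0, 4.0, 1.8, 2.2]

if __name__ == "__main__":
    for t in (0.6, 0.9, 1.0, 1.2):
        frr, far = rates_at(t, LEGIT_SCORES, IMPOSTOR_SCORES)
        print(f"threshold={t:.1f} FRR={frr:.2f} FAR={far:.2f}")
    eer, thr = equal_error_rate(LEGIT_SCORES, IMPOSTOR_SCORES)
    print(f"EER={eer:.2f} at threshold {thr:.1f}")
```

In a real evaluation the legitimate scores come from the later-week logins on the other two devices, so a low EER there is also the evidence for the "no matter what the size and the layout" claim; a threshold tuned only on enrollment-device data would overstate the result.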
# of training samples for the classifier? Low EER?
Efficient classifier for low-power devices?
Conclusion
A large password space? Easy-to-remember? No matter what the size and the layout? Other keystroke features? No loading? # of training samples for the classifier? Efficient classifier for low-power devices? Low EER?
Future Work
• Recall-based graphical password
A large password space? Easy-to-remember? No matter what the size and the layout? Other keystroke features? No loading? # of training samples for the classifier? Efficient classifier for low-power devices? Low EER?
• Other keystroke features? Pressure, size, angle
Thank You
Q & A
E-mail: tychang@cc.ncue.edu.tw
Phone: EXT 7381
Ting-Yi Chang