FORGET ABOUT PINS AND PASSWORDS — THE HUMAN BODY COULD PROVIDE THE ANSWERS TO ALL OUR SECURITY QUESTIONS.
DAVEY WINDER INVESTIGATES
Apple has reignited the biometric-security debate by including a fingerprint scanner on the iPhone Ss. However, the possibilities for authenticating our devices using our bodies goes much further than our fingers.
Forget fingerprints; passwords are passé: what about smartphones that measure he hands 'shake" when clicking icons; keyboards that analyse the speed and style of your typing: and wearable computers that track the way you walk and the pattern of your heartbeat?
All of the above are being researched and developed right now - which isn't as surprising as it may seem. The top-end smartphones in our pockets are already highly sophisticated sensor clusters containing accelerometers, gyroscopes, compasses, thermometers, GPS units and biometric readers.
In this feature, we reveal how these 'measurement of me" authentication systems work, when we're likely to be able to use them and whether they really do offer greater security than your existing password.
UNIQUE HUMAN BEHAVIOURSThink biometrics, and chances are you'll picture fingerprints. If you're more imaginative - or up on your security reading - you may also think of facial or iris recognition. However, biometrics has moved on from these relatively simplistic measures of an individual, and can therefore be used as a method of authentication within the security sphere.
There are many unique human behaviours that can be monitored and together build up a biosignature that's impossible to forge - think in terms of your gait as you walk, the pressure you exert when you tap or swipe a touchscreen, or even the routines you follow in a typical day. While such authentication alternatives sound advanced, they must prove their mettle against the oft-abused but ubiquitous password to ever become widely used.
To start, let's consider SitentSense! an authentication framework being developed by researchers at the Illinois Institute of Technology, which uses data mined from "touch behaviour", including user biometrics and micro-movements of a device as its used. Researchers gathered data in the background using the sensors already integated in a srnartphone and; with their own software, were able to monitor and measure operating dynamics, such as touch, that are unique to the user.
In their research paper, authors Cheng Bo, Lan Zhang and Xiang-Yang Li explain how the three principal gestures of tapping (such as clicking icons), scrolling (reading Prnails,browsing or tweeting) and flinging (turning pages in an ebouk reader) are used to identify an individual. The features analysed inctude the co-ordinates where the screen was touched, the pressure exerted and the duration of the contact, all of which can be extracted from Android's application programming interface (API).
Since people touch their smartphones differently depending on the app they're using, both touch and "reaction" are measured. To measure the "reaction", the researchers looked at the position of the device and the different amplitudes of vibration caused by each touch. These pattern can be readily observed by accessing the accelerometer and gyroscope built in to a smartphone.
The researchers also had to consider the context in which a. phone is being used: if the user is walking on a train or in a car, for example. They countered this problem by combining movement-based biometrics - which can identify your speed by the changes in movement of your device ¬with historical, touch-based biometrics to provide art authentication template that proved to be more than 99% accurate during trials on Android-based FITC Eva 30 and Samsung Galaxy 5 III devices.
The end result is a method of verifying whether the current user is the authorised owner of the device based upon historical behavioural biometrics - the 'Yneasurement of me", in other words. All this is done in the background, continuously monitoring user behaviour in order to maintain the verification of identity whenever the phone is being held. If the machine-learning algorithms determine that a pattern is no longer a match, the handset can lock that user out. The software will switch on automatically during the use of sensitive apps. such as Email or SMSZ for eicample) to ensure protection, and switch off during extended gameplay to save power.
The accuracy of such methods is impressive, with a result of 99% achieved in testing after a maximum of ten scr?en taps. However, while this figure may sound sufficientr would you be happy if the one phone call out of a hundred you were locked out of was an important one? The accuracy figure isn't good enough, which is why any successful behavioural monitoring solution will haw to combine methodologies.
CREATURES OF HABITMarkus jakobsson of mobile malware firm FatSkunk suggests in a co-authored papa' entitled "Implidt Authentication through Lea.ming User Behavice that implicit authentication ¬using cur daily routines, what we do and whore we go - as additional data for such schemes is one soludon.
Smartphones make collecting such data easy, thanks to GP and mapping. Also, as jakobsson says, we're mostly creatures of habit: we tend to follow the same route to work every day, stopping at the same coffee shop; once we're in the officer westay in one broadly defined area until lunchtime, and so on.
Collecting data on such patterns provides a model of a uses behaviour, but it also raises questions of privacy, However, jakobsson and his colleagues had ethics in mind, so all phone numbers, SSIDs and URLs collected in the trials were obfuscated using a keyed hash. The key was randomly generated during the software-installation process, and stored - and al] hashing performed - only on the device to which it pertained.
Using this data the system tots up scores based on whether a user is conforming to their standard behaviour versus acting out of the norm. The technique computes art authentication score based on recently observed behaviours and the identification of "good" events, such as calling the same person or buying coffee at the same shop.Conversely, the authentication score is lowered by a negative event such as calling an unicriown number cr visiting a new location., Even time itself is seen as a negative event, with scores degrading as time passes. When the score falls below a certain threshold, the user has to input a passcode to continue or else they're locked out successfully authenticating with the correct passcode is seen as a positive and boosts the score again. Its an interesting approach, andiakobsson says it was robust enough in testing to prevent 95% of attackers from being successful.
BIOMETRICS AREN'T DEADNot all of the "measuring me" security research is centered on behavioural patterns, however - biometrics is far from dead. Indeed, one huge advantage of biometric technology is that its available either now or very soon.
A good example of the Latter is llionyro's Nymi (www.bionym. cam/tech?), Smart wristbands that monitor your pulse and send that data to a srnartphone app are becoming commonplace among techie types for whom "fitness training" isn't a dirty phrase, and Bionyrn is hoping the Nymi password bracelet will become equally popular. Unlike other wearable authentication concepts, the Nymi doesn't act as a secure-code generator of one-time codes, but rather features an embedded electrocardiogram (ECG) sensor that monitors the heartbeat of the wearer.
Use of the heartbeat as a security metric is inherently more secure than a fingerprint the company says. Indeed,within days of the iPhone Ss going on sale, one German hacking group had revealed a method of lifting and cloning a fingerprint that would fool the Touch ID sensor. Although such fingerprint theft represents a very small risk to most people, the opportunity to steal somethinglilae your heartbeat pattern is smaller, given that it can't be left lying around and is protected inside your body.
Clasping the Nymi around your wrist turns it on, and touching the sensor on the top completes an electrical circuit, since your wrist is in contact with the bottom sensor that lets it monitor your heartbeat. The wristband will vibrate and the onboard LEDs light up to indicate that the monitoring and authentication process is complete. The Nymi knows you're wearing it, as will any connected devices and applications. The device itself also incorporates a built-in accelerometer and gyroscope; this combination means that it will support gesture-based unlocking.
Its. an interesting development, not least since Toronto-based Bionym is already taking pre-orders at $1679 per unit for delivery in the first quarter of 2014, but also since it provides three-factor security: authentication requires possession of the Nyrni, possession of your heartbeat and possession of an authorised authentication device, such as a phone registered with the Nyrni app.
But does it actually work? we haven't seen the Nymi in action, but one obvious question jumps out: will variations to your heartbeat - depending on stress, exercise, medication or illness - not affect the system? Bionym says that the device isn't looking at your heart rate, but rather the shape of your ECG wave_ Signal-processing and machine-learning algorithms are employed to find unique features within the wave that are static over time: these are converted into a biometric template for the user.
What's more the Nymi actually takes only one reading when you put it on - it doesn't continuously monitor your heartbeat, and this reading authenticates the user as Icing as they continue to wear the device. Once the Nymi is authenticated. the user can exercise as much as they like and it won't make any difference.
Anyone who has been unfortunate enough to require an ECG in hospital will know that performing an accurate one involves the attachment of numerous electrodes to the chest, arms and legs. Bionym insists, since this isn't a medical diagnostic reading, a]1 that's required to take an authentication reading is the ability to monitor the electrical signal in the wrists and hands via completion of a circuit that "crosses the heart" This is why the design of the Nymi requires the user to touch the bracelet with the opposite hand when ifs being activated.
That said Bionym admits that ifs still testing how people with a mechanical heart valve or those suffering from heart disease,. for .a.x.a.mple, will affect Nymi's accuracy. While this testing is ongoing, the company will offer a full refund to anyone enaountering problems. Privacy-wise, the ECG data captured by the Nymi is stored cryptographically within the hardware itself, and applications require user permission to access this digitally signed data.
THE END OF PASSWORDS?Such projects are intriguing, but are they necessary? Most people are happy using single-factor authentication (see Identifying authentication, right), but reliance upon passwords alone can't continue if we iArant our data to be safeguarded in an environment that's increasingly under the criminal microscope.
For now, two-factor authentication seems a good balance of security, distribution cost and ease of use, but it still has weaknesses. Ease of use has always been the primary driver for Ms and passwords, since security measures are useless if nobody employs them because they're too difficult or time-consuming. The problem is that the number of services we use and the complexity of passwords required to secure them has increased to the point of insanity. Password managers help, but they're only a sticking plaster. This is why the real solution may come in the shape of a third factor: who you are.
