Alina N. Filina and Konstantin G. Kogos from National Research Nuclear University, Moscow, report a method for continuous authentication to control access to a mobile device. They propose to use non-invasive behavioral biometrics to authenticate the person holding the device and thereby control access to it.
“Continuous authentication allows you to grant rights to the user, without requiring from him any unusual activities.” (, p. 69)
The basic idea is to use the sensors on the device to detect gestures, and to use machine learning to identify a unique, individual “signature”. This signature is used in combination with other context (e.g., whether the network is trusted or not) to detect when the correct person is holding the device.
Continuous authentication is a great idea, and some kind of biometrics might be useful to achieve this.
But I have doubts about F&K’s approach.
First, I have to wonder if the method can be accurate enough to be practical. Machine learning based recognition always has some percentage of false positives and negatives. In this application, the former would grant access when it shouldn’t, and the latter would block access to the authorized user. This is particularly problematic in this continuous authentication scenario, which repeatedly tests your identity. Imagine the inconvenience of your device dropping out every so often just because the recognizer has a 1% chance of a false rejection, and misses every few minutes.
Second, the supposedly unobtrusive behaviors used to recognize the person require active interaction. The researchers point out the need to detect context such as setting the device on a table, which produces no motion at all, characteristic or otherwise. This case and others should not lock out the user.
The general point about using active behaviors is that, to be unobtrusive, the training samples should be drawn from the user’s “common” or “normal” behavior. And to support continuous checking, the training samples must cover an array of behaviors that together make up a substantial proportion of normal use. It is not clear to me how to identify and capture such training samples.
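To make the first two objections concrete, here is a small model of a continuous-authentication decision loop. It is an added illustration, not code from Filina and Kogos or from the original post: the learned gesture classifier is replaced by a constructed stand-in (`toy_match_score`), the stationary-variance threshold and the sensor windows are constructed values, and the “lock only after k consecutive rejections” policy is an assumption about how such a system might be tuned. It shows how a 1% per-check false-rejection rate compounds over an hour of checks, how a consecutive-rejection policy shrinks that, and how a device resting on a table can be skipped rather than counted as a rejection.

```python
# Added illustration, not code from Filina & Kogos or from the original post.
# It models the two failure modes discussed above: a per-check false-rejection
# rate that compounds over repeated checks, and a device at rest that produces
# no gesture to score. All thresholds and sensor values below are constructed.

# Constructed threshold on accelerometer-magnitude variance (m/s^2)^2 below
# which the device is treated as lying still; an assumption, not a paper value.
STATIONARY_VARIANCE = 0.05


def prob_false_lockout(frr, checks, k=1):
    """Probability that an authorized user suffers at least one lockout over
    `checks` independent checks, each with false-rejection rate `frr`, when the
    device locks only after `k` consecutive rejections. With k=1 this equals
    1 - (1 - frr) ** checks. Computed exactly with a run-length Markov chain."""
    dist = [1.0] + [0.0] * (k - 1)   # dist[r] = P(current run of rejections == r)
    locked = 0.0
    for _ in range(checks):
        nxt = [0.0] * k
        for run, p in enumerate(dist):
            if p == 0.0:
                continue
            nxt[0] += p * (1.0 - frr)          # accepted: the run resets
            if run + 1 == k:
                locked += p * frr              # k-th consecutive rejection: lockout
            else:
                nxt[run + 1] += p * frr
        dist = nxt
    return locked


def is_stationary(window):
    """True when the variance of accelerometer magnitudes in the window is tiny,
    i.e. the phone is resting on a table and there is no gesture to judge."""
    mean = sum(window) / len(window)
    var = sum((x - mean) ** 2 for x in window) / len(window)
    return var < STATIONARY_VARIANCE


def toy_match_score(window):
    """Constructed stand-in for the learned gesture model: returns a match
    score in [0, 1]. A real system would call the trained classifier here."""
    return 0.9 if sum(window) / len(window) > 10.0 else 0.2


def run_session(windows, match_score=toy_match_score, accept_at=0.5, k=3):
    """Walk through sensor windows in order. Stationary windows are skipped and
    do not count toward a lockout; other windows are scored, and k consecutive
    scores below `accept_at` lock the device. Returns (decisions, lock_index),
    where lock_index is None if the session never locked."""
    run = 0
    decisions = []
    for i, w in enumerate(windows):
        if is_stationary(w):
            decisions.append("skip")
            continue
        if match_score(w) >= accept_at:
            run = 0
            decisions.append("accept")
        else:
            run += 1
            decisions.append("reject")
            if run >= k:
                return decisions, i
    return decisions, None


# Constructed 10-sample windows of accelerometer magnitude (m/s^2).
REST = [9.80, 9.81, 9.82, 9.81, 9.80, 9.81, 9.82, 9.81, 9.80, 9.81]
WAVE_OWNER = [8.0, 12.0, 9.0, 13.0, 8.5, 12.5, 9.0, 13.0, 8.0, 12.0]
WAVE_OTHER = [8.0, 9.5, 8.5, 10.0, 8.0, 9.5, 8.5, 10.0, 8.0, 9.5]

if __name__ == "__main__":
    # One check per minute for an hour at a 1% per-check false-rejection rate.
    print("P(at least one false rejection in 60 checks):",
          round(prob_false_lockout(0.01, 60), 4))          # about 0.45
    print("Same, locking only after 3 consecutive rejections:",
          prob_false_lockout(0.01, 60, k=3))               # about 6e-5
    session = [WAVE_OWNER, REST, REST, REST, WAVE_OTHER, WAVE_OTHER,
               WAVE_OWNER, WAVE_OTHER, WAVE_OTHER, WAVE_OTHER]
    print(run_session(session))
```

The compounding is the whole problem: a 1% miss rate sounds small, but with independent checks once a minute there is roughly a 45% chance of at least one false rejection per hour. Requiring several consecutive rejections before locking pulls that down by orders of magnitude, at the cost of giving an impostor a few extra checks before the lock; and gating on a rest state is what keeps the phone on the table from looking like a stranger.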
Third, this method is vulnerable to changes in user behavior. If the user enters a new environment or begins a new activity, will his phone lock him out? There is also a problem if the user is injured or incapacitated. For example, if the user is hurt, his movements may be altered, which could lock the device. (This is especially problematic should the user be prevented from calling for medical assistance because his device doesn’t recognize him.)
I would think that the sample behaviors used to authenticate should be difficult to mimic. The method rests on the assumption that users can be distinguished with high probability. The current study does not explore how effectively the method discriminates users, or possible imitation or replay attacks. (I note that a robot might be used to generate replays.)
I’ll also point out that this method requires that all the sensors and data be continuously collected. This is an immense amount of trust to place in the device, and an invitation to intrusive tracking. This might be appropriate for high security environments which are already heavily monitored, but less desirable for broad consumer use.
This is an interesting study, but I think it needs a lot more work to show that it will really work.
- Alina N. Filina and Konstantin G. Kogos. 2017. “Mobile authentication over hand-waving.” 2017 International Conference “Quality Management, Transport and Information Security, Information Technologies” (IT&QM&IS), 24-30 Sept. 2017. http://ieeexplore.ieee.org/document/8085764/