user-habit-oriented authentication model: toward secure ... · scanning security system by simply...

IEEE TRANSACTIONS ON

EMERGING TOPICSIN COMPUTING

Received 25 June 2014; revised 20 October 2014; accepted 2 December 2014. Date of publication 17 December, 2014;date of current version 6 March, 2015.

Digital Object Identifier 10.1109/TETC.2014.2379991

User-Habit-Oriented Authentication Model:Toward Secure, User-Friendly Authentication

for Mobile DevicesJAMIE SETO, YE WANG, AND XIAODONG LIN, (Senior Member, IEEE)

Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, ON L1H 7K4, Canada

CORRESPONDING AUTHOR: X. LIN ([email protected])

ABSTRACT Mobile device security has become increasingly important as we become more dependenton mobile devices. One fundamental security problem is user authentication, and if not executed correctly,leaves the mobile user vulnerable to harm like impersonation and unauthorized access. Although many userauthentication mechanisms have been presented in the past, studies have shown mobile users preferringusability over security. Furthermore, mobile users often unlock their devices in public spaces, inevitablyresulting in a high possibility of user credentials disclosure. Motivated by the above, we introduce a noveluser-habit-oriented authentication model, where mobile users can integrate their own habits (or hobbies) withuser authentication on mobile devices. The user-habit-oriented authentication turns a tedious security actioninto an enjoyable experience. In addition, we propose a rhythm-based authentication scheme, providing thefirst proof of concept toward secure user-habit-oriented authentication for mobile devices. The proposedscheme also takes the first step toward using the theory of mind into security field. Experimental resultsshow that the proposed scheme has high accuracy in terms of false rejection rate. In addition, the proposedscheme is able to protect from attacks caused by credential disclosure, which could be fatal if it was donethrough the traditional schemes.

INDEX TERMS Authentication, habit-oriented, mobile, theory of mind, security, usability.

I. INTRODUCTIONMobile devices are becoming more integrated in our lives.They are no longer just used to make phone calls, but a devicethat aids us in our daily lives. We use it to connect with socialmedia, makemobile payment, carry sensitive information likephone addresses. And with each new implement and feature,we become more dependent on it. It has been evidencedby Cisco VNI Global Mobile Data Traffic Forecast that thenumber of global mobile devices and connections in 2013 hasgrown to 7 billions, which will exceed the world’s populationby 2014 [1]. Thus, it’s no surprises that threats began toemerge. One fundamental security problem is user authen-tication, and if not executed correctly, leaves the mobileuser vulnerable to harm like impersonation or unauthorizedaccess.

User authentication often involves users proving evidenceslike digital identity (e.g. user name) and a correspondingcredential (e.g. password) to verify themselves online.Password based approach is the easiest and cheapest

way to authenticate a user; however, it’s susceptible todictionary attack, brute-force attack, and software cracking.While combining letters, number, and special symbols tocreate long and complicated passwords does somewhat detourattacks and delays attackers from compromising accounts, itisn’t user-friendly. Researcher and industries have proposedmany alternatives to this problem such as OTP (One TimePassword), grid unlock pattern, and biometric [2], but theyalso have their limitations and weaknesses. For instance,because of complex algorithms for matching a scan inbiometric, it is possible to have false positives or rejectgenuine ones caused by immaculate particles like sweat ordirt. As such, only a few device support this approach now asit requires special hardware, which can be costly for smallor even large businesses. It is also difficult to change andreinstate a unique physical characteristic (e.g. iris, finger-print) once it has been compromised because we have onlyone set of them. Furthermore, there is no standard appli-cation programming interfaces (APIs) provided by mobile

VOLUME 3, NO. 1, MARCH 2015

2168-6750 2014 IEEE. Translations and content mining are permitted for academic research only.Personal use is also permitted, but republication/redistribution requires IEEE permission.

See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 107


EMERGING TOPICSIN COMPUTING Seto et al.: User-Habit-Oriented Authentication Model

computing platforms that an application can use to gatherbiometric information. And apparently it isn’t hard to obtaina copy of a scan and fool the device too. The new iPhone5is a great example, which utilities finger scanner technol-ogy. Since the launch of the Apples iPhone5, a collectiveof German students have successfully hacked its fingerprint-scanning security system by simply taking a fingerprint froma glass and using the imprint to fool the sensor [9]. Also,attacker are able to defeat facial recognition technology byfooling the smartphone authenticator into believing he/she isthe person by simply using a high-resolution photo of theuser. In addition to hardware and security concerns, biometricauthentication methods raise questions of ethical and socialissues. For instances, like many conventional forms of identi-fications there is a privacy concerns around collecting user’sinformation. According to McAffee mobile security reportfor 2014, over 80% of Apps are collecting some sort of datawhenever a person uses a mobile phone [6]. Furthermore,it’s insanitary as germs of user’s finger, for instance, cancultivate on the readers that are used to obtain biometricinformation. Meanwhile, OTP (One Time Password) and gridpattern lock are susceptible to smudges attacks (a method thatcan be used to discern password patterns based on smearson the touchscreen) and touch-logging/touch-stroke-loggers(similar to key-loggers malware on computers but track thesensitive input of the touchscreen). In fact, a researcher hasdemoed at the RSA Conference that various swiping motioncan be used to infer when a user is entering a password,browsing through his/her home screen, or inputting text froma pull-up keyboard [7].

User authentication is crucial to mobile device security,but unfortunately, many studies have shown that mobile usersprefer usability over security. Yet, a higher level of securityoften entails sacrificing usability. As such, most people don’tlock their devices at all because of two reasons. Reason one,entering a passcode is inconvenient on a small screen likea mobile phone. Reason two, mobile users are limited to orgiven no user-friendly options.

Motivated by the aforementioned observations, we aim atsecuringmobile phones in a user-friendlymanner by allowingmobile users to authenticate themselves using authenticationservices combined with their habit since it is likely thatthe user would prefer to use an authentication scheme thatfits their habits. A preliminary version of this work hasbeen reported in [8]. A habit is something a person developunconsciously as oppose to a hobby, where you choose toperform the action and enjoy it at a leisure time. We takethis uniqueness to establish ownership appropriately calledUser-Habit-Oriented Authentication model as illustratedin Fig. 1. This combination could change users’ view onsmart phone security as an enjoyable experiences rather thana tedious action, making users more likely to secure theirphones. In other words, we think about user authenticationin smart phone from a different perspective, particularly, con-sidering mobile user personal habits. Also, habits are uniqueto each individual person and difficult to reproduce because it

FIGURE 1. An example of user-habit-oriented authenticationmodel.

happens in the unconscious layer of the human mind. To thebest of our knowledge, this is the first effort toward user-habit-oriented authentication model for mobile devices in order toeffectively address usability and security issues simultane-ously; these have usually been considered conflicting fromthe mobile user perspective.Due to the fact that many mobile users are also music

lovers, in the paper, we further proposed a rhythm basedauthentication scheme, in which a music lover would tapa set of rhythm on his/her phone with his/her registeredcomposition tempo to authenticate himself/herself.It’s possible because smartphones are becoming more power-ful (e.g. increasing CPU processing power, a wide variety ofsensors built into it, and user-friendly touchscreen interface);and thus, we are able to accurately capture motion infor-mation from users. In this case, the accelerometer in mostmodern smartphone is an excellent instrument in collectingusers’ rhythm input. Security is usually imagined as a tediousand boring task, and mobile user are willing to give up theirsecurity in favour of ease of use. But through rhythm authen-tication, the image of authentication can be re-imagined assomething exciting and appealing. This also makes it bothconvenient and reasonably secure, and will undoubtedlyresult in a major increase in the number of people lockingtheir devices. This study provides the first proof of concepttoward secure user-habit-oriented authentication for mobiledevices, where mobile users can integrate their own habitswith user authentication on mobile devices.Rhythm based authentication can be considered as a type

of cognitive behavior based authentication. Thus, it is asecure verification method due to the fact that the activity is‘‘hidden’’; meaning there is no visual input like keyboard orkeypad. Our experiments also have shown that even if thetapping procedure is observed by others, it is still very dif-ficult to replicate the pattern because the authentication isbased on the user’s cognitive-behaviour. This is especiallyimportant property considering the fact that users often usetheir mobile phone, tablets, and e-reader in public spacesand frequently unlock their devices, which results in a highpossibility of user credential disclosure. For instances, anypassers-by could look over the user’s shoulder when he/she

108 VOLUME 3, NO. 1, MARCH 2015

Seto et al.: User-Habit-Oriented Authentication Model



are entering his/her password. This is a problem that mobileusers face every day. In traditional user authenticationschemes, if the user’s credential (e.g. password) is com-promised, the scheme’s security is gone. However, for ourproposed rhythm based authentication, it is not easy for thebad guys to replicate the tapping motion of the user, evenwhen they know the rhythm. This is because they may inter-pret the rhythm differently. An enthusiasticmusic lover wouldcompose a more complex rhythm pattern as their brain aremore tuned to the music, and pick up certain beats comparedto a person who isn’t extensively familiar to the genre ofmusic they’ve registered (e.g. slow classical vs. fast pacetechno music). User can also easily change their registeredpattern with a new set of rhythm if it has gotten compromisedas oppose to biometric scan, where user only have one setof fingers and eyes at their disposal. There are billions ofpossible rhythm combinations, all with a fair chance of beingused; although, it may be skewed based on population ortrend.

The rest of the paper is organized as follows. In Section II,we propose a rhythm based authentication scheme. The exper-imental evaluation of the proposed scheme is presented anddiscussed in Section III. Finally, we conclude the paper withan outlook on future works in Section IV.

II. PROPOSED RHYTHM BASEDAUTHENTICATION SCHEMEIn this section, we will first discuss the motivation for usinghabits (or hobbies) to secure smartphone. Then, we designa new rhythm based authentication scheme.

A. HABIT IS A SECURITY ARSENALHabit occurs in the subconscious mind whether it is good orbad. Hobbies develop from good habits; one that we get plea-sure from doing and have the conscious to execute. The typeof habits we are talking about is actions that are hardwiredin our brains that can be taken into various form of output.For our case, tapping to a music rhythm is a habit for a musiclover. The form of output is the different songs a person cantap. Thus, a mobile user can choose a song that he loves toprotect his/her smartphone. Because an individual can inter-pret music in several different ways (e.g. a rock enthusiastcomes up with a rhythm based on the subtle beats of the drumin the background while another focus on the secondary sologuitar), applying it to security is perfect as there is no formof authentication as we know that provides enjoyment andcomplexity as habit-oriented authentication does. Also, weassume that more users will be willing to apply a strongersecurity approach to protect their smartphones because of theusability of this scheme. Another benefit is it is changeableunlike biometric, but still remain unique to that individualbecause people have different cognitive processing.

B. OVERVIEW OF THE PROPOSED SCHEMEThe proposed scheme consists of two phases: Registrationand Authentication, as shown in Fig. 2.

In the registration phase, the user needs to set thepersonal rhythm that will be captured by accelerometersensor of smartphone. The original data captured willthen be processed using the ‘‘data transformation’’ and‘‘zero-shrinkage’’, in which a binary sequence template iscreated and the number of input beats is obtained. The userthen confirms his/her rhythm a second time. However, itis very challenging for a user to input the exactly samerhythm twice due to various causes, such as holding insta-bility, human cognitive behavior variance and input errors.Also, it is very difficult to digitally capture user’s behavioraccurately given only a limited number of inputs. Therefore,to effectively validate two inputs and minimize the requirednumber of input that are often seen during registrationphase of other authentication methods, we proposed a fastverification algorithm consisting of ‘‘threshold matching’’,‘‘zero-shrinkage’’ and ‘‘e-error correction’’ mechanisms. Theregistration process is completed once the two inputs match.In the authentication phase, we propose a Fuzzy

ARTMAP (FAM) based authentication scheme. FAM isan extension of ARTMAP neural network that performsincremental supervised learning of recognition categories inresponse to input vectors (analog or binary) presented inarbitrary order [11]. Compared with other artificial neuralnetworks, FAM has many remarkable characteristics,including on-line learning, fast learning about rare events,many-to-one and one-to-many learning, extendibility andavoidance of local extremum. These characteristics makeFAM an effective candidate for user authentication in thiswork. However, FAM system requires several logons samplesto train the system before classifying, which greatly hampersthe users’ experience. To avoid this problem, we proposea two-step authentication model. For the first several loginattempts, we will adopt the fast verification algorithm usedin the registration phase. At the same time, the original datacaptured and the results from the fast verification algorithmwill be used for the supervised learning of FAM. WhenFAM is well-trained, user authentication will switch from fastverification algorithm to FAM.Notation: For notational simplicity, in this paper, all

variables associated with template setting signal, verificationsignal and authentication signal are labelled by subscripttext letter ‘‘Template’’, ‘‘Verification’’ and ‘‘Authentication’’,respectively, such as BTemplate, and data that’s been pro-cessed by zero-shrinkage are labelled by superscript text letteras ‘‘ZS’’, such as BZSTemplate.Prior to elaborate the proposed authentication, we first

introduce the original data acquisition, which will impactthe following algorithm design and performance to a largeextent. After that, we will explain Registration Processand Authentication in detail based on the obtained originaldata.

C. ORIGINAL DATA ACQUISITIONUnlike traditional PC devices, a growing number of smart-phones are equipped with a variety of powerful sensors,

VOLUME 3, NO. 1, MARCH 2015 109



FIGURE 2. Workflow of the proposed authentication scheme.

such as accelerometer, digital compass, gravity, gyroscope,GPS, fingerprint sensor, and thermometer. These sensorsmake smartphones possible to capture diversity users’ input.We intended to use the accelerometer sensor to capture therhythm entered by users for our proposed authenticationscheme. This is accomplished by measuring the force ofacceleration, the angle, and direction phone being held whilerecording the settle vibration caused when the user taps thephones corner or back.

The accelerometer is one kind of common hardware sen-sors used to capture a users’ shake motion. In most smart-phones, the accelerometer adopts a standard 3-axis coordinatesystem that is defined relative to the device’s screen andexpresses them as data values, as shown in Fig. 3. The X axisand the Y axis are parallel with the screen, where the X axisis horizontal and points to the right, and the Y axis is verticaland points up. The Z axis is perpendicular to the screen andpoints outwards relative to the screen.

According to the coordinate system, the data capturedby the accelerometer can be represented as a triple-tupletime series S(t) = {X (t),Y (t),Z (t)}, where t is the inputtime, X (t), Y (t) and Z (t) represent the instantaneous accel-eration value of X axis, Y axis and Z axis, respectively.

TABLE 1. Optional mode for android accelerometer.

Moreover, some Android accelerometers provide 4 samplingfrequency to sample data S(t) as shown in Table 1.By using certain sampling mode, the input signal will

be transformed from analog signal to digital signal, whereS(n) = S(n/Fs) and Fs is the sampling frequency. Generally,low sampling frequency means low process complexity, butit will sacrifice the accuracy and security. In order to recordusers’ input as precise as possible, we adopt the mode ofSENSOR_DELAY_FASTEST.Tapping position is also an important factor to capture and

process the original data because it influences the accelerationvalues on the three axis. Through a great deal measurements,we suggest three effective positions on smartphones as can-didate input points, the top left corner (Point A), the topright (Point B), and the back of the smartphone (Point C),as shown in Fig. 3. When tapping a set of rhythm from





FIGURE 3. Illustration of data acquisition process (acquisitiontime: 5 seconds, accelerometer sampling mode:SENSOR_DELAY_FASTEST).

Point A and Point B, the corresponding impulses of bothX axis and Y axis are distinguishable from the noise, whilesome beats on Z axis are lost. This is because the direction ofacting force is mainly parallel to the screen. In contrast, whenthe set of rhythm is input fromPoint C, input becomes clear onZ axis. Thus, we will elaborate on how different input pointsaffect our proposed scheme, in terms of both authenticationaccuracy and security in Section III. Note that when a rhythmis input on a specific point of the test smartphone, a sequenceS(n) is obtained and saved as the original data.

D. FAST VERIFICATION ALGORITHMThe registration process is performed during a user’s initiallog on. A well-designed authentication scheme is requiredto have a user-friendly registration process with less useroperations, which is the key factor that impact the user’sexperience. Due to human cognitive behavior variance andinput errors, it is very difficult for most users to input thesame rhythms twice as opposed to traditional authenticationschemes like password or grid pattern. Although some arti-ficial intelligence system (such as Hidden Markov Model,HMM, or FAM) can learn the user’s specific usage habits,

it usually requires many samples to train the system,which sacrifices the users’ experience [10]. Motivated by thisfactor, we propose a fast verification algorithm, by whichuser only needs to use two similar rhythms (the first onefor template setting and the second one for verification) tocomplete the registration process with adjustable precisionlevel. Moreover, the proposed fast verification algorithm isalso in charge of providing effective sample data for thetraining of the FAM system in the authenticate phase.

FIGURE 4. Illustration of data transformation and zero-shrinkage.

Fig. 4 shows an amplified original data from Point A. It canbe observed that the captured original data consists of notonly the rhythm input, but also the noise due to unstablesmartphone holding. In addition, due to the samplingprecision, the accelerometer maybe too sensitive interms of capturing both rhythm’s amplitude and duration(in milliseconds) between the first initial input and secondconfirmation input. We may have two relatively differentsignals because of this, when in fact, they are the samerhythm entered by the same user. To avoid false positives,the proposed fast verification algorithm includes a thresholdcomparison approach that transforms the original data tothe binary data, aiming at reducing the noise and the ran-domness of signal amplitude; and three techniques, namedzero-shrinkage, threshold matching and e-error correction,to control the tolerable precision between two consecutivesamples.

1) DATA TRANSFORMATIONTo reduce the uncertainty of the amplitude (due to the tappingspeed), we first transform the original data from the real num-ber S(n) to the binary data BTemplate(n) by using a comparisonthresholdmethod.When the beat of a rhythm peak beyond thethreshold η, whether it is larger or smaller, it will be labeledas 1. Otherwise, it will be labeled as 0.According to the discussions in Section II-A, when we

tap a rhythm on different points, the acceleration valueson the three axis work differently, and therefore, we needto specify the threshold based on the merits. Particularly,when Point A and Point B are used, data Sx(n) from X axis




is dominated, and when Point C is used, data Sz(n) isconsidered. This process of data transformation can be per-formed using the following equations,

BTemplate (n)

=

1cond. 1 : Sx (n) ≥ E

[Sx (n)

]+ ηA

cond. 2 : Sx (n) > Sx (n± m)0 otherwise

Point A

1cond. 1 : Sx (n) ≤ E

[Sx (n)

]+ ηB

cond. 2 : Sx (n) ≤ Sx (n± m)0 otherwise

Point B

1cond. 1 : Sz (n) ≥ E

[Sz (n)

]+ ηC

cond. 2 : Sz (n) > Sz (n± m)0 otherwise

Point C

(1)

where BTemplate (n) is the transformed binary data and E[x]is the expected value of signal x. Furthermore, condition 1means the data is greater or smaller than η plus the mean oforiginal data and condition 2 implies it is the local extremum,andm defines the range of ‘‘local’’. In the rest of this paper, ifno otherwise specified, we just discuss the method to processsignals from Point A. All discussions on Point B and Point Care easily obtained by simple adjustments.

This data transformation process is only used for the user’sfirst input, i.e. template setting stage, and we have no infor-mation about the acting force of user input. Therefore, a fixedvalue of η is necessary. Here, we suggest ηA = ηC = 10, andηB = −10 because we found from our experiment that 10 isa statistically good threshold that can be reached by mostmobile users.1

2) ZERO-SHRINKAGEUsing data transformation, we obtain the binary dataBTemplate consisting of two alternating symbols ‘‘0’’ and ‘‘1’’,where ‘‘0’’ represents the idle time waiting for input, and‘‘1’’ refers to the rhythm user input. The time interval betweentwo symbols is 1/Fs seconds. In order to control the preci-sion level while maintaining useful information, we designa zero-shrinkage approach that reduces the number ofsymbols ‘‘0’’ in proportion but keeps ‘‘1’’ unchanged.

Specifically, we define d as the shrinkage factor.If BTemplate(ni) and BTemplate(nj) are two consecutive ‘‘1’’,ni and nj are respective index number, then the number ofsymbol ‘‘0’’ between BTemplate(ni) and BTemplate(nj) will bereduced to [(nj − ni − 1)/d] after zero-shrinkage, where [·]is the rounding operation. We take Eq. (2) as an example toillustrate how the zero-shrinkage works.

BTemplate = [1, 0, . . . , 0︸︷︷︸k1

, 1, 0, . . . , 0︸︷︷︸k2

, 1]Zero-ShrinkageHHHHHHHH⇒

BZSTemplate = [1, 0, . . . , 0︸︷︷︸[k1/d]

, 1, 0, . . . , 0︸︷︷︸[k2/d]

, 1] (2)

As a result, the precision level can be controlled withind/Fs seconds. For example, when Fs = 200 Hz, and d = 40,

1It is also worth noting that this threshold may change according to thedifferent sensor chips, and the suggested value is verified in Google Nexus 4.

the proposed scheme can tolerate at most 0.2 seconds errorof users input. We denote the transformed template data andthe number of the beats user input with BZSTemplate and N,respectively.

3) THRESHOLD MATCHINGIn the verification and the following stages, as the templateinformation have been obtained, we can relax the constraintof fixed threshold by using an adaptive threshold matchingapproach, thereby further lowering the number of times theuser is required to input during the training stage. In Fig. 4, wecan see that when user enters a beat from Point A, a positiveimpulse appears, which usually distributes on the relativelyfixed interval (positive impulse (E(S)+ [0, 40])). In addition,a positive impulse is immediately followed by a negativeimpulse (E(S)+ [−10, 0])) because of counter acting force ofholding hand. Utilizing these features, we can search a moreproper threshold in case the tapping motions are unstable.Specifically, we first set η = ηA

2 = 5 to filter noisysignal. Then, perform the data transformation by Eq. (1), anddenote the number of symbols ‘‘1’’ be Nmatching. If conditionNmatching = N holds, the threshold matching stops. Other-wise, increase η with a small increment η = η+4 and repeatthe above process until Nmatching equals to N or η is largerthan the maximal threshold ηmax. If a threshold η cannotbe determined, then the threshold matching sequences williterate through an opposite direction by resetting η = −1.Those local minimum samples smaller than η plus E(S) willbe labeled as symbols ‘‘1’’ and denoteNmatching as the numberof ‘‘1’’. Then gradually reduce η = η − 4 until conditionNmatching = N is satisfied or η reaches the minimal thresh-old ηmin. If there is no proper threshold to make conditionNmatching = N satisfied after threshold matching, the currentinput will be rejected.

4) e-ERROR CORRECTIONThis is an additional precision control process used for theverification and authentication input. Denote the number ofsymbols ‘‘0’’ between any two consecutive ‘‘1’’ of BZSTemplateand BZSVerification be ZZS

Template(k) and ZZSVerification(k), respec-

tively, where 1 ≤ k ≤ N − 1. If

|ZZSTemplate(k)− Z

ZSVerification(k)| ≤ e, ∀k (3)

holds, then input ZZSVerification is considered similar to the

rhythm template, where scalar e is the correction factor thatcan be adjusted. For example, when the template data isBZSTemplate = [1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1], and the veri-fication input is BZSVerification[1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1],then ZZS

Template = [2, 1, 2, 2] and ZZSVerification = [2, 2, 2, 2].

If e = 1, then it means the two data are similar and theregistration process takes affect.

E. FAM BASED AUTHENTICATION ALGORITHMIn this subsection, we propose an FAM-based authenticationalgorithm to further improve the performance of the rhythm





authentication scheme. Compared with the fast authenticationalgorithm, the advantages of the FAM-based algorithm arefour-folds: (1) it is independent on the algorithm parameters,such as d and e in the fast authentication algorithm, whichmakes the proposed authentication scheme more flexible fordifferent users; (2) by means of the extendibility feature ofthe FAM system, it is easy to extend the proposed authen-tication scheme for more application scenarios, like multi-user authentication; (3) more characteristics of the rhythminput might be utilized as the input of the FAM system, tofurther improve the security and accuracy of the proposedauthentication scheme; and, (4) a well-trained FAM systemperforms better in terms of computation complexity.Review on Fuzzy ARTMAP: FAM is an extension of

ARTMAP neural network that perform incremental super-vised learning of recognition categories andmultidimensionalmaps in response to input vectors (analog or binary) pre-sented in arbitrary order. Fig. 5 shows the structure of FAMsystem that is composed by two adaptive resonance theorymodules (ARTa and ARTb) units and a map field into a super-vised learning structure, where ARTa takes the input data,ARTb is the supervisory data, and the map field forms theassociative mapping relationship between ARTa and ARTb.Each ART system consists of three fields, F0 is the inputfield to represent the current input vector; F1 is the statefield to represent the coded or weighted vector by F0 or F2respectively; F2 is the recognition field to represent the activecategory. Between each category node j ( j = 1, 2, . . . , J ) infield F2 and all nodes in field F1, there is a weight vectorωj = (ωj,1, . . . , ωj,M ), where M is the data dimension in F1field. Specifically, in the proposed authentication scheme, weinitialize the parameter M = 2(N − 1) and ωj = 1,∀j.

FIGURE 5. The structure of FAM.

In the proposed authentication scheme, FAM systemworksin two stages, training and authentication. During the trainingstage, ARTa receives the rhythm input verified by fast verifi-cation algorithm, and the input of ARTb is the correspondingverification results. Specifically, we adopt the duration timebetween two consecutive rhythms ZAuthentication as the inputof ARTa. Note that data ZAuthentication is not processed byzero-shrinkage as oppose to ZZS

Authentication, in order to pro-tect against loss detail information of user input as possible.The input of ARTb is one bit decision variable, denoted as

‘‘1 (login)’’ or ‘‘0 (deny)’’ based on the result of the fastverification algorithm. Correspondingly, the FAM networkinitializes two categories in F2 field of both ARTa and ARTb,i.e. the value of two nodes j inF2 field is either 0 or 1. After thetraining stage, we obtain an updated weight vector ωj,∀j anda well-designed FAM system that can be used to authenticatethe next user input.

1) TRAININGIn this stage, ARTa receives a stream of training rhythmpatterns that was verified by the fast verification algorithm,and the normalization of (N − 1)-dimensional ZAuthentication.In order to avoid the unattractive problem of category prolif-eration, complement coding that doubles the number of inputdata to a 2 × (N − 1)-dimensional vector ZCC

Authentication isnecessary, i.e.,

ZCCAuthentication =

[ZAuthentication

Dmax ,

(ZAuthentication

Dmax

)c]=

[ZAuthentication

Dmax , 1−ZAuthentication

Dmax

], (4)

where 1 is (N − 1)-dimensional vector with all elementsof 1 andDmax is the predefinedmaximal interval between twoconsecutive rhythm.Then, the input sample ZCC

Authentication connects to all nodesin Fa2 using the following choice function Tj(x),

Tj(ZCCAuthentication) =

|ZCCAuthentication ∧ ωj|1

|ωj|1 + α,∀j (5)

where ‘‘∧’’ is a min operator, | · |1 is l1 norm, and α is a biasparameter that is slightly larger than 0. To simplify we denoteTj(ZCC

Authentication) be Tj, and ∀j rearrange Tj in descendingorder, such that Tj1 ≥ Tj2 ≥ · · · ≥ TjJ .To begin with i = 1, substitute ωji into the following match

function Mj(x) and check against a vigilance parameter ρ,

Mji (ZCCAuthentication) =

|ZCCAuthentication ∧ wji |1|ZCC

Authentication|1≥ ρ (6)

where ρ ∈ (0, 1]. If Eq. (6) cannot be satisfied, seti = i + 1, and check the next category in the sortedcategory list. Otherwise, we say the resonance betweenARTa and ARTb occurs. Then, the map field will check ifcategory ji is matched with the input of ARTb. If so, we saythe current input is learned by FAM and the weight vector ωjiis updated by the following equation,

ωnextji = β(Z

CCAuthentication ∧ ωji )+ (1− β)ωji (7)

where β ∈ [0, 1] is the learning rate. Eq. (7) guarantees thatthe ωj,∀j is non-increasing during the whole training stage,and hence converges to a limit.Otherwise, if category ji is mismatched with the input of

ARTb, a wrong resonance appears, and FAM will triggermatching tracking mechanism by increasing the vigilanceparameter ρ as

ρ = Mji (ZCCAuthentication)+ δ, (8)




to break the current resonance, where δ is slightly largerthan 0. Repeat the above procedure to find another categoryin Fa2 by setting i = i+ 1. In the case where the FAM networkcannot find out a right category to match the current traininginput from ARTb after going through all categories, a newcategory (labeled the same as the input of ARTb) will becreated by J = J + 1 and ωJ = 1. For the new createdcategory J , we can get MJ (ZCC

Authentication) = 1 ≥ ρ.In our proposed scheme, FAM network is considered

well-trained when the number of effective training samples(verified as the legitimate users by fast verification algorithm)has reached the predefined value.

2) AUTHENTICATIONAfter training, the FAM network can be used to verifythe given input data with the specified vigilance parame-ter. Specifically, when a new authentication data is receivedand processed by threshold matching, we first check ifNmatching = N is satisfied. If so. the input data will beprocessed by component coding, and substituted into thematching function Eq. (6) that will calculate the matchingvalueMj

(ZCCAuthentication

)for each category in Fa2 . It later finds

the category with the maximal matching value, i.e.,

j∗ ∈ argmaxjMj(ZCCAuthentication

)(9)

Afterwards, checkM∗j(ZCCAuthentication

)against the vigilance

parameter ρ, if

Mj∗(ZCCAuthentication

)> ρ, (10)

is satisfied and category j∗ equals to 1, then the authenticationis successful, and the user would be logged in. Otherwise, theuser would be denied.

3) MUSIC CONFIRMATIONWe further provide an optional authentication step, ‘‘MusicConfirmation’’, for some security-aware users or in an inse-cure environment (e.g. public area). The optional step is ableto increase the security of our proposed scheme significantly,while at little expense of user experience.

The illustration of the music confirmation step is shownin Fig. 6.When the input rhythm passed the proposed verifica-tion algorithm, a question page appears to ask the user to typethe name of the music just input. Obviously, a legitimate userwould be easy to answer what he/she has tapped is. However,it will be very difficult for attackers to guess the connectionbetween the observed tapping motions and the correspondingmusic.

The security mechanism of our proposed optional stepcomes from a sophisticated concept in the field of psychol-ogy, coined as Theory of Mind [12]. According to the the-ory of mind, a huge gap exists between observing others’actions and inferring the real intention behind these actions.Imagine that as you are tapping rhythm on your smartphone,the corresponding music is playing through your mind,which consists of the voice of the singer, the melody,

FIGURE 6. Illustration of matching between music and rhythm.

the rhythm, and even your specific feeling about the song.In fact, music lovers are usually hard to avoid colouring whatthey are tapping with dynamics, accentuation, and phrasing,depending on their personal musicality. On the other hand,all that an attacker can obtain is a bunch of disconnectedbeats, like a kind of bizarre Morse Code. Without any contextbehind it, they cannot derive the user’s rhythm. Therefore,the loss of diversity information impedes attackers to set upthe connection between what they observed and the rightmusic.On a related note, there was a famous experiment [13]

that involved a group of subjects tapping out a rhythmof songs to another participant whose goal was to iden-tify the song based on the rhythm they listened. Over thecourse of the experiment, only 2.5% of listeners couldcorrectly identify the song (3 out of 120 trials). Takingfrom this ‘‘Tapper and Listener’’ experiment result, it wouldbe harder for attackers to guess what the legitimate usertaps out in our proposed scheme based on the followingreasons:

• In Tapper and Listener experiment, two conditions arenecessary. First, they selected 25 music well-known forboth tapper and listener. Besides, the goal of tappersin this experiment is to make their partners understandwhat they try to convey as much as possible as they can,but our proposed scheme is for security purpose. Hence,people are allowed to choice their music piece referencethat can be renowned or unknown to the attacker.

• Rhythm are based on a persons own understanding of amusic piece.

• Users can intentionally break the connection betweeninputs and correct rhythm by selecting an irrelevantmusic to match their input rhythm to confuse attackers,and thereby eliminate the slight probability that attackersguess correctly.

III. EXPERIMENTS AND EVALUATIONSTo verify the feasibility and security, we invited15 participants with different music comprehension level(5 basic, 5 intermediate, and 5 advanced) to test the pro-posed authentication scheme. The test smartphone and





FIGURE 7. Waveforms of the referenced music.

TABLE 2. Experiment environment and parameters list.

authentication algorithm related parameters are list in Table 2.The experiments were divided into two parts. The first exper-iment is aimed at verifying the reliability and feasibilityof our proposed scheme. We had each participant perform100 verification trials, where we measure the False Rejec-tion Rate (FRR), i.e. the percentage of failed login whenauthorized users try to login. The second experiment teststhe resilience of the proposed authentication scheme againstthe credential disclosure. The balance between the securityand useability of our proposed authentication scheme is alsoanalyzed.

A. FEASIBILITYPeople with music talent tend to like music. As a result, theproposed scheme will easily be adopted by them. To verifythe feasibility of the proposed authentication scheme, wemeasure the FRR of each participants with 4 reference musicpieces. The difficulty of these music pieces (where music 1is easy and music 4 is hard) are evaluated according to thenumber of beats and their complexity of waveforms, as shownin Fig. 7. The first rhythm is based on a music piece called‘‘What Makes You Beautiful,’’ which includes 10 clear beats.The second rhythm is based on a music piece called ‘‘SHE,’’which includes 9 clear beats and 2-3 blurry beats. The third isbased on a music piece called ‘‘Moves Like Jagger,’’ whichincludes 11 clear beats and some blurry beats. The last rhythmis based on a music piece called ‘‘The Hottest Ethnic Trend,’’which includes 13 clear beats, and some blurry beats andbackground noise.After the registration procedure, each participant is

required to perform the 4 referencemusic pieces from Point Aaccording to their personal understanding. The experimentresults are shown in Table 3, which present value of FRRaccording to the different music levels of the participants.From the results we gathered, we found that there is thehigh correlate between the FRR and the person’s level ofmusic expertise. For instance, as the person’s level of musicproficiency increase, the FRR decreases greatly as one wouldexpect, and vice versa. This is because a person who has abasic level of understanding of music will be less sensitiveto the subtle music beats in a rhythm, while an intermediateand advance participate will be more sensitive to the rhythm.Therefore, users are able to reproduce a complex rhythm andachieve a lower FRR. People with music talent tend to likemusic. As a result, the proposed schemewill easily be adoptedby them.

TABLE 3. False rejection rate (enter rhythm on the top left cornerof the smartphone).




As shown in the Table 3, the participants with basicunderstanding of music achieve an FRR average of 16%.In other words, most users will fall in this category, and missthe lock code 1 in every 7 tries. It is also worth noting that thisaverage is shared across all 4 reference music pieces becausethe participants could not distinguish the difficult level of apiece and would register similar number of beats; thus, resultin the same level of FRR percentage. The intermediate andadvanced participant have an FRR average of 3% and 1%because they are able to distinguish the difficulty levelof each reference music piece. Moreover, FRR percentagewould increases slightly the more input of beats a personregister.

B. RESILIENCE AGAINST CREDENTIAL DISCLOSURETo evaluate the security of the proposed authenticationscheme, we consider two possible user credentialdisclosure risk scenarios. The first case had the users’tapping motion disclosed, dubbed as ‘‘Rhythm CredentialDisclosure’’, and the second case had the referral music (usedas the baseline in our proposed scheme) disclosed, dubbedas ‘‘Music Credential Disclosure’’. In the following, we willdiscuss the effectiveness of our proposed scheme against suchtwo credential disclosure risks according to the experimentresults.

1) RHYTHM CREDENTIAL DISCLOSUREThere are two defensive approaches against rhythmcredential disclosure attack in our propose authenticationscheme. The first one allows user to input their rhythmcredential in various places on the phone. For instance,tapping at point A or point B as previously mentionedin Fig. 3, because our proposed scheme can adopt differentsignal processing method for different input positions. Forexample, as to Point A and Point B, we extract the datafrom X axis, and different threshold matching parametersare used. For Point C, we extract the data from Z axisas users’ input. In contrast to traditional authenticationmethods that must input the credential in a specific way(eg. keyboard, screen), the proposed scheme utilizes its abilityto accept different inputs to add another security measure. Forinstances, it is difficult for a malicious attacker to hack therhythm authenticated phone without prior knowledge of howa user held the device when entering their rhythm. This isbecause the method of entering the credential correlates thestrength of the waves being read and processed.

Despite that, the proposed authentication scheme is stillsusceptible to shoulder-surfing to some extent. In this case,the way of how a person inputs his/her chosen rhythm greatlydictates the security of the proposed scheme. For example,tapping the rhythm credentials at the back of the phone isharder to observe. Compared to input at the top corner ofthe smartphone, the security perspective of inputting at theback of the phone seems to be promising option, becausethe motions will be less visible to an individual who may bewatching the users enter their credentials.

If all else fail and the users’ motions is disclosed, thereis the ‘‘Music Confirmation’’ option to protect their rhythmcredential. According to our design, the rhythm input andmusic determination are respectively performed at the backof the phone and on the touchscreen, whereby the wholeauthentication process is hard to be observed by the sameattacker. Through the results of ‘‘Tapper and Listener’’ exper-iment, the rate of success in connecting the music andtapped rhythm is 2.5%, even though tappers select a well-knownmusic and do their best to delivery correct informationto listeners. In our proposed authentication scheme, usersare free to select their favorite music (popular or special-interest), and tap the rhythm based on their own under-standing, which will hamper the attacker effort of correctlymatching the rhythm they observedwith correspondingmusicpiece. Therefore, it is believed that the successful rate to breakour authentication scheme will be no more than the figureof 2.5%.However, we want to see if there is any drawbacks with

this method, and if those shortcomings are worth the trouble.For instances, maybe the rhythm data being captured is lessaccurate when enter from the backside as oppose to cornerside. Or it is less usability for the user to enter from theback because of the way they have to hold their phone.We conducted an experiment to see if our hypothesis supportour conclusion, and based on our analysis, decide on a goodbalance. Also, depending on the different security perspec-tives, we decided on the best security practices to use for eachenvironment: public, home, and work spaces.

TABLE 4. False rejection rate (enter rhythm at the backof the smartphone).

Table 4 shows the FRR of participants who enter theircredentials at the back of the phone. From the result we gath-ered, we found that the FRR of our proposed authenticationscheme becomes slightly higher for all music comprehensionlevels of participants. The basic, intermediate and advancedparticipants have an FRR average of 22%, 11% and 3.5%,respectively. However, there are two problems with havingthe user enter via the phone back. The first problem is theusability of the user’s action. They have some of distrac-tion to hold their phone, and therefore input errors increase.In addition, compared to input on the corner of the phone,the tapping speed becomes slower, which impacts the ampli-tude of accelerometer. As illustrated in Fig. 3, when usercredential is input from Point C, the negative accelerationimpulses caused by counter force are not as clear as enteringfrom Point A or Point B. This results in the performanceloss of threshold matching mechanism. For the first problem,





we observe that as participants become more adaptable to theauthentication scheme, the FRR will decrease to some extent.From the experiment result, we can see some participantshave lower failure rate when they input the second musicin contrast to the first music. As to the second problem,some advanced signal processing approaches, such as edgedetection, wavelet analysis, etc., might be helpful to mitigatethe negative effects.

2) MUSIC CREDENTIAL DISCLOSUREAnother way in which user’s credential is disclosed is whenthe referral music piece is stolen. For instance, when users aresuffering from shoulder-surfing and the music confirmationis observed. Generally, users may just select a fragment ofsome music (several seconds) as a reference to remembertheir setting rhythm, and it is believed that attackers willhave a hard time guessing the fragment completely since itoverlaps with that the legitimate users used. Even in extremesituation, where it is assumed that the attacker know the samefragment of the music, the understanding about this fragmentmay be different. Fig. 8 illustrates this case. Three participantstapping the same piece of the hard reference music (The first3 seconds of the Hottest Ethnic Trend). As shown in Fig. 8,we found that the waveforms of the three input rhythm aredifferent, not only from the interval between two consecutivebeats, but also from the number of the rhythm. Accordingto our proposed algorithm, these three samples would beregistered different from each other.

FIGURE 8. Waveforms of the first 3 seconds of the Hottest EthnicTrend from different participants.

IV. CONCLUSION AND FUTURE WORKIn this paper, we have presented a user-friendly rhythmbased authentication scheme. To the best of our knowledge,this is the first effort toward user-habit-oriented authen-tication model for mobile devices, where mobile users

can integrate their own habits with user authentication onmobile devices. The user-habit-oriented authentication turnsa tedious security action into an enjoyable experience.Compared with the traditional authentication methods, theproposed scheme can significantly enhance user-friendlinessand significantly improve security, without adding extra hard-ware devices. This, in turn, satisfies the use-in-motion anduser friendliness requirements in smartphone authentication.We have also implemented the proposed scheme on a pop-ular mobile computing platform, Android, and performedexperiments. The experimental results show that the pro-posed scheme has high accuracy in terms of false rejectionrate.In future work, we may extend this scheme to incorporate

multiple online users. For instances, user will have the optionto login to a site using rhythm base authentication as opposeto the weak password based authentication. We can alsoimprove the accuracy and security of the capturing featureof rhythm authentication. We will also explore other possiblealternative habits to use and study their feasibility on mobileauthentication.

ACKNOWLEDGMENTThe authors would like to thank NSERC (Natural Sciencesand Engineering Research Council of Canada) for financialsupport. Also, the authors would like to thank all the partici-pants who took part in our experiments.

REFERENCES[1] Cisco. (Feb. 2014). Cisco Visual Networking Index: Global

Mobile Data Traffic Forecast Update, 2013–2018. [Online].Available: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.pdf

[2] A. Sethi, O.Manzoor, and T. Sethi,User Authentication onMobile Devices,Cigital, Dulles, VA, USA, 2012.

[3] N. L. Clarke and S. M. Furnell, ‘‘Authenticating mobile phone usersusing keystroke analysis,’’ Int. J. Inf. Secur., vol. 6, no. 1, pp. 1–14,Jan. 2007.

[4] S. Furnell, N. Clarke, and S. Karatzouni, ‘‘Beyond the PIN: Enhancing userauthentication for mobile devices,’’Comput. Fraud Secur., vol. 2008, no. 8,pp. 12–17, Aug. 2008.

[5] M. Jakobsson, E. Shi, P. Golle, and R. Chow, ‘‘Implicit authentication formobile devices,’’ in Proc. 4th USENIX Conf. Hot Topics Secur. (HotSec),2009, pp. 9–15.

[6] McAfee. (Feb. 2014). Who’s Watching You? [Online].Available: http://www.mcafee.com/ca/resources/reports/rp-mobile-security-consumer-trends.pdf

[7] D. Drinkwater. (Feb. 2014). RSA 2014: Touchloggingthe New Attack Vector for Mobile Hackers. [Online].Available: http://www.scmagazine.com/rsa-2014-touchlogging-the-new-attack-vector-for-mobile-hackers/article/335997/

[8] J. Seto, Y. Wang, and X. Lin, ‘‘Toward secure user-habit-orientedauthentication for mobile devices,’’ in Proc. IEEE Int. Conf. GlobalCommun. (GLOBECOM), Dec. 2014, pp. 1242–1248.

[9] Has the iPhone 5S Fingerprint Scanner Already Been Hacked? [Online].Available: http://www.ctvnews.ca/sci-tech/has-the-iphone-5s-fingerprint-scanner-already-been-hacked-1.1468316, accessed Dec. 12, 2014.

[10] R. A. Dora, P. D. Schalk, J. E. McCarthy, and S. A. Young, ‘‘Remotesuspect identification and the impact of demographic features on keystrokedynamics,’’ Proc. SPIE, vol. 8757, p. 87570B, May 2013.

[11] G. A. Carpenter, S. Grossberg, N. Markuzon, J. H. Reynolds, andD. B. Rosen, ‘‘Fuzzy ARTMAP: A neural network architecture for incre-mental supervised learning of analog multidimensional maps,’’ IEEETrans. Neural Netw., vol. 3, no. 5, pp. 698–713, Sep. 1992.




[12] D. Premack and G. Woodruff, ‘‘Does the chimpanzee have a the-ory of mind?’’ Behavioral Brain Sci., vol. 1, no. 4, pp. 515–526,1978.

[13] E. L. Newton, ‘‘The rocky road from actions to intentions,’’Ph.D. dissertation, Dept. Psychol., Stanford Univ., Stanford, CA,USA, 1990.

[14] M. Dong, T. Kimata, K. Sugiura, and K. Zettsu, ‘‘Quality-of-experience (QoE) in emerging mobile social networks,’’ IEICE Trans.Inf. Syst., vol. E97-D, no. 10, pp. 2606–2612, Oct. 2014.

JAMIE SETO received the bachelor’s degreein information technology from the Universityof Ontario Institute of Technology, Oshawa,ON, Canada, in 2013, where she is cur-rently pursuing the master’s degree with theFaculty of Business and Information Technology.Her research interests include smartphone secu-rity, authentication and identity management, andsecurity and usability.

YE WANG received the Ph.D. degree in infor-mation and communication engineering from theHarbin Institute of Technology, Harbin, China,in 2013. He is currently a Post-Doctoral Fellow ofInformation Security with the Faculty of Businessand Information Technology, University of OntarioInstitute of Technology, Oshawa, ON, Canada.His research interests include wireless network-ing, cognitive radios networks, and radio resourcemanagement.

XIAODONG LIN (S’07–M’09–SM’12) receivedthe Ph.D. degree in information engineering fromthe Beijing University of Posts and Telecommu-nications, Beijing, China, and the Ph.D. degreein electrical and computer engineering from theUniversity of Waterloo, Waterloo, ON, Canada,with the Outstanding Achievement in GraduateStudies Award. He is currently an Associate Pro-fessor of Information Security with the Faculty ofBusiness and Information Technology, University

of Ontario Institute of Technology, Oshawa, ON, Canada. His researchinterests include wireless network security, applied cryptography, computerforensics, software security, and wireless networking and mobile computing.He was the recipient of the Natural Sciences and Engineering ResearchCouncil of Canada (NSERC) Canada Graduate Scholarships-Doctoral andthe Best Paper Awards of the 18th International Conference on ComputerCommunications and Networks in 2009, the 5th International Conference onBody Area Networks in 2010, and the 2007 IEEE International Conferenceon Communications.


user-habit-oriented authentication model: toward secure ... · scanning security system by simply...

Documents