Unobtrusive Mutual Mobile Authentication with Biometrics and Mobile Device Motion

Authentication is an integral part of protecting data on modern mobile devices from unauthorized physical access of third parties. However, it faces different challenges to suit users’ needs. On the one hand classic authentication approaches like PIN or password are obtrusive especially on mobile devices. They impose cognitive load on users and their input on mobile devices is cumbersome due to small user interfaces and limited haptic feedback. This is further intensified by mobile devices being used more frequently but for shorter durations than classic computers. On the other hand biometrics can provide for less obtrusive authentication. However, disclosure of biometric data to third parties can have significant impact as they cannot be changed as easily as PINs or passwords. To avert this additional risk, embedded smart cards (SCs) can be used to process and store biometric data. As those are computationally limited this often leads to feature transformations and matching procedures also being limited. In addition, in contrast to users authenticating to mobile devices, devices usually do not authenticate to users. This enables hardware phishing attacks (users unwittingly authenticating to an identically looking but malicious phishing device).
This dissertation investigates unobtrusive mobile authentication for diverse situations in which authentication can be required. It thereby focuses on authentication approaches that utilize mobile biometrics and embedded sensors. We investigate generic biometric match-on-card (MOC) authentication that combines offline machine learning with simplification of features and authentication models to enable their usage on SCs. As the approach is generic it can be applied to different biometrics – demonstrated with gait and face biometrics – which can facilitate the transition of further mobile biometrics to using MOC techniques. We further investigate mobile token authentication to transfer the authentication state from an unlocked device (e.g. wristwatch) to a locked one (e.g. phone) by briefly shaking both devices conjointly. As shaking patterns are difficult to forge it is difficult for attackers to perform authentication when they do not have both devices under their control. We also investigate mobile device-to-user authentication as countermeasure to hardware phishing attacks and let devices communicate an authentication secret to users with vibration patterns. We evaluate our approach using publicly available data, which reveals authentication durations around 1-2 s and error rates between 0.2 and 0.02. This indicates both that our approach is feasible and that room remains for further improving unobtrusive mobile authentication, e.g. with additional approaches utilizing biometrics and sensors on mobile devices.