Adapting Mobile Device Security: Passwords a Thing of the Past?

In an effort to increase the effectiveness of available protection for mobile devices, Professor Heather Crawford, Ph.D., of the Harris Institute for Assured Information (HIAI) and her research assistant Ebad Ahmadzadeh, Ph.D. candidate, conducted an experiment to address the current security shortcomings. Their research looks specifically at keystroke dynamics, the idea that the pattern with which you type on a particular keyboard can be used to identify you, and its role in password strengthening as it relates to mobile device authentication on the go. Last week, Crawford presented their findings at the Symposium On Useable Privacy and Security (SOUPS), one of the premiere conferences in the field of human factors and useable privacy and security.

Crawford and Ahmadzadeh’s method is unique because it combines two layers of identification. Keystroke dynamics, one of the layers, can help to add a level of security but doesn’t provide the needed accuracy when the typist and keyboard itself are on the go. That is where the other layer comes in; the gyroscope data of the movement of the smartphone that lets us know whether the user is seated, standing, or walking. The method that Crawford and Ahmadzadeh suggest is a two-step approach. Step one uses the movement data from the phone’s gyroscope to classify the user in one of three categories: seated, standing, or walking. Next, the keystroke dynamics for the determined category, based off previously built models, are used to identify the user. The combination of keystroke data and gyroscope data brought the user identification accuracy up to 98%, from a previous 52% without the gyroscope information.

“Private isn’t what people define it as. Private doesn’t mean ‘I don’t want someone to know about it.’ It means, ‘I want to have control over who I share it with’,” said Crawford.

Dr. Crawford speaking at SOUPS.

.@heathercrawfrd on using gyroscope & keystroke data to do continuous password-free mobile authentication #soups2017 | #future of #security

Elissa Redmiles (@eredmil1) July 13, 2017

When we think about mobile devices, like smartphones, we are thinking of devices designed to be easily used while we are in motion. These devices come with us everywhere, regardless of whether we feel we are going to need them. But there is a lot of information on our smartphones that we wish to keep private; from banking info and website passwords, to text messages and pictures. Because these devices essentially hold our entire lives on them, it is a wonder that the current available security features are not effectively providing protection. Most mobile devices, by design, inspire a bursty use pattern: we pick them up, authenticate by entering a password, use them for a few seconds, and then put them away again only to repeat the cycle a few minutes later. Because this repetitive pattern is annoying and frustrating, many people have resorted to simply disabling their phone’s security features in the name of convenience.

“We have this device that stores all this data. It’s highly portable, meaning it’s highly prone to being lost or stolen, and yet we don’t protect it,” said Crawford. “It blows my mind that people take the pain of having to enter in a PIN or a password away at the risk of their information.”

When these security measures are removed, all of this important information is vulnerable; especially when a device is lost or stolen. Of the millions of smartphones that are lost every year, we can assume a sizable percentage of those phones are not password protected. This research effort, entitled “Authentication on the Go: Assessing the Effect of Movement on Mobile Device Keystroke Dynamics”, aimed to incorporate keystroke dynamics and movement data into the normal password authentication technique in order to provide an authentication method that would not only be more secure but also more convenient.

If this method from their research can be ubiquitously incorporated into mobile device authentication, it will provide a more effective and more convenient way for users to keep their devices secure. Making it through a rigorous selection process, this research was accepted for publication by SOUPS, which had a 28% acceptance rate for papers at its 2016 conference. Born 13 years ago at Carnegie Melon University, SOUPS recently came under the umbrella of USENIX, the advanced computing systems association.