This approach to user authentication, called behavioural biometrics, is not only considered more secure than password-based authentication but also claimed to beat traditional physiological biometrics (such as facial, voice, fingerprint, retina features) which clever hacks may be able to replicate. Without requiring any particular or conscious user input, a behavioural biometrics system monitors the unique parameters of the user’s device handling dynamics, continuously protecting the smartphone from being hacked.
In their paper, the researchers showed that the movement of the hand when answering an incoming call is unique for each person, making this information suitable for user authentication. The measured data is pre-processed and select features are converted into behavioural characteristics that form the inputs to a machine learning algorithm.
According to their research, only two seconds of data acquisition (enough time for a user to take the call and bring the phone to ear level) are necessary to correctly authenticate the user based on the behavioural biometrics data.
In their experiment, a training set of 25 movements was enough to train a model with satisfactory results. When the algorithm identifies a gesture uncharacteristic of the legitimate user, it can prompt the user to type the answer to a secret question or enter the user-defined password as a backup.
This study echoes other research efforts to use Hand Movement, Orientation, and Grasp (HMOG) analytics to continuously authenticate smartphone users. Although motion characteristics may evolve slowly over time, small deviations may be taken into account by a machine learning algorithm.
“Our scientific innovation is that for the first time ever, we used data analysis and machine learning technologies, as well as artificial neural networks, to monitor behavioural biometric characteristics in order to ensure the continuous authentication of the smartphone user. The sensitivity of sensors in today’s smartphones allows them to recognize the unique behavioural characteristics of each user and, based on the set of data collected from the touch screen and other sensors, to conduct high-accuracy authentication,” explained Konstantin Kogos, head of the project and associate professor at MEPhI’s Cryptology and Cybersecurity Department.
Together with his students and in cooperation with Kaspersky Lab engineers, Kogos wants to develop a mobile app dubbed InCallAuth to allow a smartphone to recognize its owner by the characteristic movement of the hand when answering the call.
Sensor data can reveal the initial device position, the speed of the hand’s movement to the ear and the smartphone’s changes in position, all of which are fed to a neural network to identify the user with a precision of 95% (meaning the phone may be blocked about once every 20 times, then requiring password entry or another authentication method).
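The enrol-then-verify flow described above (25 training movements, a two-second window, password fallback on an uncharacteristic gesture) can be sketched as follows. This is an added example, not code from the researchers or from InCallAuth: it swaps the neural network for a simple per-feature z-score template, and the 50 Hz sample rate, the threshold, the pitch-angle traces and all function names are assumptions constructed for illustration.

```python
import random
import statistics

RATE_HZ, WINDOW_S, ENROLL_N = 50, 2.0, 25  # 2 s and 25 gestures are from the article; 50 Hz is assumed
THRESHOLD = 4.0                            # assumed cut-off on the RMS z-score

def synth_gesture(rng, lift_s, start_deg, end_deg):
    """Constructed sample: phone pitch angle (degrees) over one 2 s answer-the-call lift."""
    lift = lift_s + rng.gauss(0, 0.03)
    start, end = start_deg + rng.gauss(0, 2), end_deg + rng.gauss(0, 2)
    trace = []
    for i in range(int(RATE_HZ * WINDOW_S)):
        f = min(i / RATE_HZ / lift, 1.0)
        ease = f * f * (3 - 2 * f)                     # smooth start and stop
        trace.append(start + (end - start) * ease + rng.gauss(0, 0.2))
    return trace

def features(trace):
    """Initial position, peak speed towards the ear, total change in position."""
    first, last = statistics.mean(trace[:5]), statistics.mean(trace[-5:])
    step = 5                                           # differentiate over 0.1 s to damp noise
    peak = max(abs(b - a) for a, b in zip(trace, trace[step:])) * RATE_HZ / step
    return [first, peak, last - first]

def enroll(traces):
    """Build the owner's template: per-feature mean and standard deviation."""
    cols = list(zip(*(features(t) for t in traces)))
    return [(statistics.mean(c), statistics.stdev(c)) for c in cols]

def score(template, trace):
    """RMS of per-feature z-scores; a small value means the gesture matches the owner."""
    zs = [(x - m) / s for x, (m, s) in zip(features(trace), template)]
    return (sum(z * z for z in zs) / len(zs)) ** 0.5

def authenticate(template, trace, threshold=THRESHOLD):
    """Accept silently, or fall back to the password / secret question."""
    return "accept" if score(template, trace) <= threshold else "fallback"

def demo(seed=7, attempts=20):
    rng = random.Random(seed)
    owner = lambda: synth_gesture(rng, 0.8, 20, 80)    # constructed owner dynamics
    other = lambda: synth_gesture(rng, 1.4, 45, 70)    # constructed second person
    template = enroll([owner() for _ in range(ENROLL_N)])
    false_rejects = sum(authenticate(template, owner()) == "fallback" for _ in range(attempts))
    false_accepts = sum(authenticate(template, other()) == "accept" for _ in range(attempts))
    return false_rejects, false_accepts

if __name__ == "__main__":
    print(demo())
```

Lowering the threshold pushes more of the owner's own gestures into the fallback path, which is the false-reject cost the article quantifies as roughly one block in 20 attempts for the researchers' model.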
The mobile app will only work on Android devices. Other operating systems (iOS and Windows) don’t allow third-party applications to control incoming calls.
Stanislav Protasov, senior research fellow of the laboratory of machine training and data representation at Innopolis University, thinks that authenticating people by their hand movements and walk is the future, because these parameters are more difficult to counterfeit.
“We study human identification by walk. Such methods are a response reaction to the fact that classical methods of biometrical identification can be easily deceived, while it is practically impossible to counterfeit walk or habitual hand movements,” he says.