Image-Based Authentication for Mobile Phones: Performance and User Opinions

By Chen Yeah Teck

Source: Slippery Brick (2006)


Outline

- Introduction
- Motivation
- Literature Review
- Research Questions
- Research Methodology
- Findings
- Limitations
- Future Work

Introduction

- Increasingly sophisticated mobile devices
- More data generated, more services available
- More than 200,000 phones reported stolen each year in Australia alone (AMTA, 2008)
- How do you protect your phone?

Motivation

- Improper use of embedded mobile phone security (Clarke & Furnell 2005)
  - 30% believe PIN troublesome
  - 34% disable PIN
  - 66% of those who use PIN
    - 38% forgotten PIN at least once
    - 45% use default PIN
    - 42% change once (after purchase)
    - 13% change more than once

Motivation (Cont)

- Password and PIN are still the most used authentication mechanisms, but often result in inappropriate use and have memorability issues
- Token and biometrics have limitations
- Research on image-based authentication (IBA) shows promise
- Little focus on usability of new authentication methods

Literature Review

- The “Security Guard” Analogy
- Authentication
  - Something you know
  - Something you have
  - Someone you are
  - Also, someone you know

Literature Review (Cont)

- PIN and password
  - Used to be machine generated
  - Led to user generated
  - Mobile devices need instantaneous access; authentication that gets in the way gets disabled
- Limitation
  - Memorability and usability issues
  - Insecure PIN and password

Literature Review (Cont)

- Token Authentication
  - Removes need to remember password
  - Store digital certificate
  - Smart media
  - Transient Authentication
- Limitation
  - Extra hardware/cost
  - Left in situ
  - Can be forgotten or lost
  - Use PIN or password as fallback

Source: Nicholson, Corner & Noble 2006

Literature Review (Cont)

- Biometrics
  - Physiological (Fingerprint, Face, Iris)
  - Behavioural (Voice, Keystroke pattern, Gait, Signature)
- Limitation
  - Extra hardware/cost
  - Accuracy issues
  - Privacy issues
  - Use PIN or password as fallback

Source: Furnell, S, Clarke & Karatzouni 2008

Literature Review (Cont)

- Graphical Based Authentication
  - Recognition based
  - Recall based

Source: Takada & Koike 2003

Source: Weiss & Luca 2008

Research Questions

- Questions
  - Which IBA authenticates faster?
  - Which IBA has higher authentication success rates?
  - What are users’ opinions on user authentication and IBA?
- Contributions
  - Usability studies for user authentication, especially for IBA
  - Improving user authentication experience can result in better acceptance and usage among consumers

Research Methodology

- Develop prototype
- Compare PIN, Password, Picture Password, and Awase-E
- Data Collection
  - Enrolment and learning
  - Test 1 (Survey then verification)
  - Test 2 (Verification after 1 week)
  - Authentication speed and success rate

Findings

- Authentication Speed
- Authentication Success Rate
- User Opinions

Authentication Speed

| Technique | Stage 1 | Stage 2 | Stage 3 | Mean |
|---|---|---|---|---|
| PIN | 3.49166666666667 | 4.655 | 6.94180555555555 | 5.02949074074074 |
| Password | 12.0325 | 15.7475 | 19.0728333333333 | 15.6176111111111 |
| Picture Password | 9.64833333333333 | 12.9566666666667 | 19.6323333333333 | 14.0791111111111 |
| Awase-E | 8.095 | 8.4375 | 13.2205 | 9.91766666666667 |

[Figure: Time to Complete Authentication. Series: PIN, Password, Picture Password, Awase-E. Y-axis: Time (seconds).]

Authentication Speed Summary

- PIN was the fastest; its speed decreased but it remained significantly faster than the other techniques
- Password was at least twice as slow as PIN
- Picture Password was similar to password’s speed
- Awase-E was surprisingly faster than predicted and reported
- Users may still prefer PIN as it is the fastest technique, but may tolerate slower authentication if they only authenticate once or several times

Authentication Success Rate

| Technique | Stage 1 | Stage 2 | Stage 3 | Mean |
|---|---|---|---|---|
| PIN | 1 | 0.85 | 0.75 | 0.866666666666667 |
| Password | 1 | 0.85 | 0.65 | 0.833333333333334 |
| Picture Password | 1 | 0.85 | 0.55 | 0.800000000000001 |
| Awase-E | 0.9 | 0.95 | 0.95 | 0.933333333333333 |

[Figure: Authentication Success Rate on First Trial. Series: PIN, Password, Picture Password, Awase-E. Y-axis: Success Rate.]

Authentication Success Rate Summary

- PIN and password were expected to decline over time and did; password did worse
- Picture Password performed well initially, but experienced a huge drop after a week to 55%
- Awase-E performed as expected, maintaining a high success rate
- Users still prefer PIN and password despite these doing worse than Awase-E, probably due to familiarity; 35% still prefer PIN and password despite making an error

User Opinions

- Authentication Frequency
  - 15% none, 40% once, 25% several times, 20% every time
  - Total 85% willing to use some sort of authentication
- Usage of mobile authentication
  - Only 35% use it – protect data, email account, unintended use
  - 65% do not use it – don’t know how to set it up, unnecessary, no significant data, troublesome, time consuming, had never let other people use their phone
- Opportunities to persuade user to adopt mobile security function, including IBA

User Preference

| Preference | PIN (0 week) | PIN (1 week) | Password (0 week) | Password (1 week) | Picture Password (0 week) | Picture Password (1 week) | Awase-E (0 week) | Awase-E (1 week) |
|---|---|---|---|---|---|---|---|---|
| Top 1 | 15% | 25% | 20% | 35% | 25% | 0% | 45% | 40% |
| Top 2 | 45% | 50% | 45% | 55% | 45% | 30% | 70% | 65% |

- Preference for PIN due to speed and success rate
- Preference for Password also increased although it did worse than initially
- Significant drop for Picture Password expected due to poor performance
- Awase-E maintained high preference

Limitation and Future work

- Sample size (20 participants)
- Averages used; standard deviation not taken into consideration
- Exploratory research to provide indication of the performance of IBA techniques and future research direction
- Future Research
  - This research is an exploratory endeavour to provide indication of the usability of IBA techniques and also direction for future research
  - Larger sample size
  - Incorporate other factors such as age and social groups

References

AMTA 2008, '2008 Annual Report', AMTA Publication.

Clarke, N & Furnell, S 2005, 'Authentication of users on mobile telephones–A survey of attitudes and practices', Computers & Security, vol. 24, no. 7, pp. 519-527.

Furnell, S, Clarke, N & Karatzouni, S 2008, 'Beyond the PIN: Enhancing user authentication for mobile devices', Computer Fraud and Security, vol. 2008, no. 8, pp. 12-17.

Nicholson, AJ, Corner, MD & Noble, BD 2006, 'Mobile device security using transient authentication', IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-502.

Slippery Brick 2006, 'LG KE850 Touch Screen Mobile Phone', viewed 3 June 2009, <http://www.slipperybrick.com/2006/12/lg-ke850-touch-screen-mobile-phone>

Takada, T & Koike, H 2003, 'Awase-E: image-based authentication for mobile phones using user's favorite images', Lecture Notes in Computer Science, pp. 347-351.

Takada, T, Onuki, T & Koike, H 2006, 'Awase-E: Recognition-based Image Authentication Scheme Using Users’ Personal Photographs', Innovations in Information Technology, 2006, pp. 1-5.

Weiss, R & Luca, AD 2008, PassShapes: utilizing stroke based authentication to increase password memorability, ACM, Lund, Sweden.

Q & A

Thank You