2015 GenCyber Cybersecurity Workshop
Mobile Phone Security
July 10, 2015
Design and User Acceptability Testing of Secure Mobile Phone Authentication Mechanism Based on Fingerprint Sensing and Geo-Fencing
Leigh Anne Clevenger, Pace University
DOCTOR OF PROFESSIONAL STUDIES IN COMPUTING PROGRAM
Acknowledgements
The authors would like to thank Verizon for sponsoring the study. This study is solely the independent work of the authors. Any Verizon documents and trademarks included in this paper are the property of Verizon and are reproduced with permission.
Project Overview
To come up with a unique user authentication mechanism to achieve phone security without the user having to enter a passcode to unlock their phone
Agenda
Deciding on project details: use cases; hardware and software choices
Tasks accomplished: operation of the user authentication app; survey of interest in password-free security
New directions for future projects: smartwatch sensors
User Story Under Consideration: Unlock Student’s Phone in Dorm Room
A user story is a tool used in Agile software development to capture a description of a software feature from an end-user perspective. The user story describes the type of user, what they want and why. A user story helps to create a simplified description of a requirement.
User stories were developed keeping in mind the following: Do they reflect the user’s mental model of protection? Is the mechanism psychologically acceptable? Is it close to transparent to the users? Does it fit with their natural phone interactions?
Focus: student’s phone will unlock in their dorm room and lock at other times. This can be extended for future use cases.
Tasks Accomplished
A survey was conducted to evaluate user interest in a password-free mobile device authentication mechanism
An iOS app “Authenticator” was designed with authentication functionality based on fingerprint sensing and location information.
Developed by Tanya Sahin
Security Mechanisms
Widely used today: passwords / PINs, pattern locks
Using an unlock mechanism would make it harder for unauthorized users to access valuable data
Burden of PIN-code Entry
Frequency of entering PIN-code
Although locking a phone may provide maximum protection, it also decreases usability by increasing PIN-code entry burden
As a result, companies have launched user-specific and easy unlock mechanisms:
Touch ID fingerprint reader (Apple and Samsung)
User Authentication Mechanisms
Bluetooth Low Energy (BLE) and Beacons
NFC (Near Field Communication)
Geofencing
Sensor capabilities
iBeacons and Geofencing
iBeacon is Apple's implementation of Bluetooth low-energy (BLE) wireless technology to provide location-based information and services to iPhones and other iOS devices.
The beacons themselves are small, cheap Bluetooth transmitters. Apps installed on your iPhone listen out for the signal transmitted by these beacons and respond accordingly when the phone comes into range.
For example, if you pass a beacon in a shop, the retailer's app (assuming you have it installed) could display a special offer alert for you. On a visit to a museum, the museum's app would provide information about the closest display, using your distance from beacons placed near exhibits to work out your position.
iBeacons
Geo-fencing
Geofencing is a feature in a software program that uses the global positioning system (GPS) or radio frequency identification (RFID) to define geographical boundaries.
Our app uses iBeacons to define the geofence. When the user enters the defined geofence, the phone unlocks automatically.
Programming Tasks Accomplished
An iOS app “Authenticator” was designed with authentication functionality based on fingerprint sensing and geofencing with Beacons
Since third-party apps are not allowed to unlock the phone in iOS, successful authentication into the app instead displays some sensitive content
Display of sensitive information should be a useful example for user authentication using biometrics and geofencing
Authenticator - New iOS App
Supports three means of authentication:
geofencing using iBeacon when in range of the iBeacon
fingerprint biometrics (Touch ID) if outside of iBeacon range
password as fallback
Displays sensitive content if authentication is successful
Authenticator - iBeacons
Use the CoreLocation framework to range iBeacons with a specific UUID
If a beacon is ranged, the app bypasses the authentication screen and proceeds to the confidential content right away
If no beacon is ranged, biometric authentication with Touch ID is attempted next
Authenticator - Touch ID
Fingerprints are evaluated using the Touch ID evaluatePolicy method (LAContext, LocalAuthentication framework); on success the sensitive content is unlocked
Choice of Verizon statement or Terms (exemplary sensitive content)
Authenticator - Document Access
Authenticator - Password Fallback
Password prompt if beacons are not in range (or the user chose not to share location) and Touch ID is not available
Set the UIApplicationExitsOnSuspend flag in Info.plist to true; this prevents the app from running in the background, so each foreground launch re-authenticates
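The three-tier flow on the iBeacon, Touch ID and password-fallback slides, written out as an added Swift example (not the Authenticator app's own code): it ranges beacons for an assumed placeholder UUID with CoreLocation, falls back to LAContext.evaluatePolicy when none is seen, and reports when the password prompt is required. The AuthCoordinator class, the AuthResult enum and the "dorm-room" region identifier are assumptions.

```swift
import CoreLocation
import LocalAuthentication

// Result of the three-tier check: beacon proximity, then Touch ID, then password.
enum AuthResult { case beaconInRange, biometric, passwordRequired }

final class AuthCoordinator: NSObject, CLLocationManagerDelegate {
    private let manager = CLLocationManager()
    // Placeholder UUID (assumption): a deployed app uses the UUID programmed into the room beacon.
    private let region = CLBeaconRegion(
        proximityUUID: UUID(uuidString: "00000000-0000-0000-0000-000000000000")!,
        identifier: "dorm-room")
    private let completion: (AuthResult) -> Void

    init(completion: @escaping (AuthResult) -> Void) {
        self.completion = completion
        super.init()
        manager.delegate = self
        manager.requestWhenInUseAuthorization()   // ranging needs location permission and Bluetooth on
        manager.startRangingBeacons(in: region)
    }

    // Called about once per second while ranging; `beacons` lists beacons matching the region UUID.
    func locationManager(_ manager: CLLocationManager,
                         didRangeBeacons beacons: [CLBeacon],
                         in region: CLBeaconRegion) {
        manager.stopRangingBeacons(in: region)   // decide on the first report; a shipping app would wait a few cycles
        // Ignore beacons with .unknown proximity: no usable signal strength has been measured yet.
        // Note: the UUID is broadcast in the clear, so this tier establishes proximity, not identity.
        if beacons.contains(where: { $0.proximity != .unknown }) {
            completion(.beaconInRange)
        } else {
            tryTouchID()
        }
    }

    private func tryTouchID() {
        let context = LAContext()
        var error: NSError?
        // No enrolled fingerprint, no sensor, or biometrics locked out: fall through to the password prompt.
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
            completion(.passwordRequired)
            return
        }
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock confidential content") { success, _ in
            // The reply arrives on a private queue; hop to main before touching UI.
            DispatchQueue.main.async { self.completion(success ? .biometric : .passwordRequired) }
        }
    }
}
```

The password prompt itself and the UIApplicationExitsOnSuspend setting belong to the app's UI and Info.plist and are not shown here.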
Survey Results
The survey consisted of 10 questions, most multiple choice with a few fill-in data boxes.
Based on the results of the survey, the most popular way of securing the mobile device is password/PIN authentication, used by 54% of the participants.
As an alternate to password or swipe pattern entry, 73% of the participants stated in the survey that they would be most comfortable with interacting with the device with fingerprint or face recognition scan.
60% of the participants felt that fingerprint sensing is a more secure authentication than password/PIN authentication or other authentication mechanism.
Most people were unaware of NFC/geofencing-based authentication mechanisms; only 38% had similar apps installed on their phones.
The majority of people said they are uncomfortable having an app that requires location and Bluetooth services turned on all the time.
Overall, participants want a simple and easy way of unlocking their mobile device within minimal time, also giving them a secure feeling.
Future Work
A research study can be conducted for usability testing of the designed app and to compare people's comfort level with current authentication mechanisms vs. the designed mechanism.
Other physiological and behavioral sensors on smartphones and smartwatches can be used for user authentication.
Sensor data can be read using apps available from the Google Play Store or Apple App Store, or using a free, open source Software Development Kit for Android or iOS.
Smartwatches and their Sensors - July 2015 (1 of 2)
Moto 360: gyro/accelerometer/compass, pedometer, optical heart rate monitor (PPG)
Samsung Gear Live: gyro/accelerometer/compass, optical heart rate monitor (PPG)
Apple Watch: screen is "force touch", distinguishes between tap and press. Gyro, accelerometer, infrared, photodiode, visible-light LED, GPS + NFC for wireless payments
Smartwatches and their Sensors - July 2015 (2 of 2)
Microsoft Band: optical heart rate sensor, 3-axis accelerometer, gyrometer, GPS, ambient light sensor, skin temperature sensor, UV sensor, capacitive sensor, galvanic skin response, microphone
LG Urbane: 9-axis (gyro/accel/compass) + barometer + heart rate sensor (PPG)
LG Urbane LTE: 9-axis (gyro/accel/compass) + barometer + heart rate sensor (PPG) + NFC for wireless payments, Bluetooth, Wi-Fi, GPS
References for Smartwatches and Smartphones to get you started – more added every day
Smartwatches:
https://moto360.motorola.com
http://www.androidheadlines.com/2014/12/watch-comparisons-motorola-moto-360-vs-samsung-gear-live.html
http://www.macrumors.com/roundup/apple-watch
http://www.techradar.com/us/news/portable-devices/other-devices/microsoft-band-5-things-you-need-to-know-1271135
Galaxy S5 (has a lot of sensors, and open source android software development kit)
http://global.samsungtomorrow.com/?p=36031
http://www.gottabemobile.com/2014/04/11/galaxy-s5-tips-tricks-hidden-features/
https://play.google.com/store/apps/details?id=imoblife.androidsensorbox
http://downloadcenter.samsung.com/content/UM/201404/20140402111855054/SM-G900F_UM_EU_Kitkat_Eng_D06_140312.pdf
Contributors
Spring 2015 Pace University Master’s Students: Nikhita Gopidi, Nishant Patel, Nitish Pisal, Tanya Sahin, Shreyansh Shah, Sara Siddiqui
Customers: Dr Kalyanasundaram, Verizon; Dr Charles Tappert, CSIS; Leigh Anne Clevenger, DPS ’16; Javid Maghsoudi, DPS ’16; Vinnie Monaco, PhD ’15
Copyright for Material Reuse
Copyright © 2015 Leigh Anne Clevenger and Charles Tappert ([email protected]), Pace University. Please properly acknowledge the source for any reuse of the materials as below: Leigh Anne Clevenger and Charles Tappert, 2015 GenCyber Cybersecurity Workshop, Pace University.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.