Page 1

2015 GenCyber Cybersecurity Workshop
Mobile Phone Security, July 10, 2015

Design and User Acceptability Testing of Secure Mobile Phone Authentication Mechanism Based on Fingerprint Sensing and Geo-Fencing

Leigh Anne Clevenger, Pace University
Doctor of Professional Studies in Computing Program

Page 2

Acknowledgements

The authors would like to thank Verizon for sponsoring the study. This study is solely the independent work of the authors. Any Verizon documents and trademarks included in this paper are the property of Verizon and are reproduced with permission.

Page 3

Project Overview

Design a user authentication mechanism that secures the phone without requiring the user to enter a passcode to unlock it.

Page 4

Agenda

Deciding on project details
  Use cases
  Hardware and software choices

Tasks accomplished
  Operation of the user authentication app
  Survey of interest in password-free security

New directions for future projects
  Smartwatch sensors

Page 5

User Story Under Consideration: Unlock Student’s Phone in Dorm Room

A user story is a tool used in Agile software development to capture a description of a software feature from an end-user perspective. The user story describes the type of user, what they want and why. A user story helps to create a simplified description of a requirement.

User stories were developed keeping in mind the following: Do they reflect the user’s mental model of protection? Is the mechanism psychologically acceptable? Is it close to transparent to the users? Does it fit with their natural phone interactions?

Focus: the student’s phone unlocks in their dorm room and locks everywhere else. This can be extended to other use cases later.

Page 6

Tasks Accomplished

A survey was conducted to evaluate user interest in a password-free mobile device authentication mechanism

An iOS app “Authenticator” was designed with authentication functionality based on fingerprint sensing and location information.

Developed by Tanya Sahin

Page 7

Security Mechanisms

Widely used today:
  Passwords / PINs
  Pattern locks

Requiring an unlock mechanism makes it harder for an unauthorized user to reach the valuable data on the device.

Page 8

Burden of PIN-code Entry

Frequency of entering the PIN code

Although locking a phone provides the strongest protection, it also decreases usability by increasing the burden of PIN-code entry.

As a result, vendors have launched user-specific, low-effort unlock mechanisms:

Fingerprint readers (Apple’s Touch ID, Samsung’s fingerprint scanner)

Page 9

User Authentication Mechanisms

Bluetooth Low Energy (BLE) and beacons
NFC (Near Field Communication)
Geofencing
Sensor capabilities

Page 10

iBeacons and Geofencing

iBeacon is Apple's implementation of Bluetooth low-energy (BLE) wireless technology to provide location-based information and services to iPhones and other iOS devices.

The beacons themselves are small, cheap Bluetooth transmitters. Apps installed on your iPhone listen for the signal transmitted by these beacons and respond when the phone comes into range.

For example, if you pass a beacon in a shop, the retailer’s app (assuming you have it installed) could display a special-offer alert. On a visit to a museum, the museum’s app could provide information about the closest display, using your distance from beacons placed near the exhibits to work out your position.

Page 11

iBeacons

Page 12

Geo-fencing

Geofencing uses a positioning signal, such as GPS, RFID or (as here) Bluetooth beacons, to define a virtual geographical boundary and to trigger an action when a device enters or leaves it.

Our app uses iBeacons to define the geofence. When the user enters the geofence, the protected content is unlocked automatically (in the prototype this is the app’s own content, since iOS does not let a third-party app unlock the device).

Page 13

Programming Tasks Accomplished

An iOS app, “Authenticator”, was designed with authentication functionality based on fingerprint sensing and geofencing with beacons.

Since third-party apps are not allowed to unlock the phone in iOS, successful authentication into the app instead reveals some sensitive content.

Revealing sensitive information stands in for unlocking the device and is a useful demonstration of user authentication with biometrics and geofencing.

Page 14

Authenticator - New iOS App

Supports three means of authentication:
  geofencing using iBeacon, when in range of an iBeacon
  fingerprint biometrics (Touch ID), if outside iBeacon range
  password, as fallback

Displays sensitive content if authentication is successful

Page 15

Authenticator - iBeacons

Uses the CoreLocation framework (a CLLocationManager ranging a CLBeaconRegion) to detect iBeacons with a specific UUID.

If a beacon is ranged, the app bypasses the authentication screen and proceeds straight to the confidential content. Because iBeacon advertisements are unauthenticated broadcasts, a ranged beacon proves only that a transmitter advertising the expected UUID is nearby; the UUID is a convenience signal, not a secret.

If no beacon is ranged, biometric authentication with Touch ID is attempted next.

Page 16

Authenticator - Touch ID

Fingerprints are evaluated with LAContext’s evaluatePolicy method from the LocalAuthentication framework (policy: device-owner authentication with biometrics); on success, the sensitive content is unlocked.

Choice of Verizon statement or Terms (stand-ins for sensitive content)

Page 17

Authenticator - Document Access

Page 18

Authenticator - Password Fallback

Password prompt if beacons are not in range (or the user chose not to share location) and Touch ID is not available.

Set the UIApplicationExitsOnSuspend flag in Info.plist to true: this prevents the app from running in the background, so it terminates when the user leaves it and must authenticate again on the next launch.

Page 19

Survey Results

The survey consisted of 10 questions, most multiple choice with a few fill-in data boxes.

Based on the survey results, the most popular way of securing a mobile device is password/PIN authentication, used by 54% of the participants.

As an alternative to password or swipe-pattern entry, 73% of the participants said they would be most comfortable unlocking the device with a fingerprint or face-recognition scan.

60% of the participants felt that fingerprint sensing is more secure than password/PIN authentication or other authentication mechanisms.

Most people were unaware of NFC- or geofencing-based authentication mechanisms; only 38% had similar apps installed on their phones.

A majority said they are uncomfortable with an app that requires location and Bluetooth services to be turned on all the time.

Overall, participants want a simple and quick way of unlocking their mobile device that also gives them a feeling of security.

Page 20

Future Work

A usability study of the designed app could compare participants’ comfort with current authentication mechanisms against the designed mechanism.

Other physiological and behavioral sensors on smartphones and smartwatches can be used for user authentication.

Sensor data can be read using apps available from the Google Play Store or Apple App Store, or with a free, open-source software development kit for Android or iOS.

Page 21

Smartwatches and their Sensors - July 2015 (1 of 2)

Device              Sensors
Moto 360            gyro/accelerometer/compass, pedometer, optical heart rate monitor (PPG)
Samsung Gear Live   gyro/accelerometer/compass, optical heart rate monitor (PPG)
Apple Watch         "Force Touch" screen (distinguishes tap from press), gyro, accelerometer, infrared and visible-light LEDs with photodiode (heart rate), GPS (via the paired iPhone), NFC for wireless payments

Page 22

Smartwatches and their Sensors - July 2015 (2 of 2)

Device              Sensors
Microsoft Band      optical heart rate sensor, 3-axis accelerometer, gyrometer, GPS, ambient light sensor, skin temperature sensor, UV sensor, capacitive sensor, galvanic skin response, microphone
LG Urbane           9-axis (gyro/accel/compass), barometer, heart rate sensor (PPG)
LG Urbane LTE       9-axis (gyro/accel/compass), barometer, heart rate sensor (PPG), NFC for wireless payments, Bluetooth, Wi-Fi, GPS

Page 23

References for Smartwatches and Smartphones to get you started (more are added every day)

Smartwatches:

https://moto360.motorola.com

http://www.androidheadlines.com/2014/12/watch-comparisons-motorola-moto-360-vs-samsung-gear-live.html

http://www.macrumors.com/roundup/apple-watch

http://www.techradar.com/us/news/portable-devices/other-devices/microsoft-band-5-things-you-need-to-know-1271135

Galaxy S5 (has many sensors and an open-source Android software development kit):

http://global.samsungtomorrow.com/?p=36031

http://www.gottabemobile.com/2014/04/11/galaxy-s5-tips-tricks-hidden-features/

https://play.google.com/store/apps/details?id=imoblife.androidsensorbox

http://downloadcenter.samsung.com/content/UM/201404/20140402111855054/SM-G900F_UM_EU_Kitkat_Eng_D06_140312.pdf

Page 24

Contributors

Spring 2015 Pace University Master’s Students
• Nikhita Gopidi
• Nishant Patel
• Nitish Pisal
• Tanya Sahin
• Shreyansh Shah
• Sara Siddiqui

Customers
• Dr Kalyanasundaram, Verizon
• Dr Charles Tappert, CSIS
• Leigh Anne Clevenger, DPS ’16
• Javid Maghsoudi, DPS ’16
• Vinnie Monaco, PhD ’15

Page 25

Copyright for Material Reuse

Copyright © 2015 Leigh Anne Clevenger and Charles Tappert ([email protected]), Pace University. Please properly acknowledge the source for any reuse of the materials as below: Leigh Anne Clevenger and Charles Tappert, 2015 GenCyber Cybersecurity Workshop, Pace University.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.