Implicit Authentication for Mobile Devices

Markus Jakobsson Elaine Shi Philippe Golle Richard ChowPalo Alto Research Center

{mjakobss, eshi, pgolle, rchow}@parc.com

Abstract. We introduce the notion ofimplicit authentication– the ability to authenticate mobile users based on actions theywould carry out anyway. We develop a model for how to per-form implicit authentication, and describe experiments aimedat assessing the benefits of our techniques. Our preliminaryfindings support that this is a meaningful approach, whetherused to increase usability or increase security.

1 Introduction

Mobile commerce (M-commerce) is experiencing rapidgrowth, and there is a trend toward hosting of applica-tions and services on the web. This results in increaseddemand for authentication – whether of computers orusers. In particular, higher-assurance authentication,such as through augmenting passwords with SecurID-like devices, has become standard in the enterprise andis beginning to penetrate high-value consumer markets,such as banking. The concern with these second-factorauthentication devices has been their usability and cost.Another factor in the new authentication landscape is thegreater market penetration of Mobile Internet Devices(MIDs), which complicate password entry due to the lim-itations of their input interfaces. We conducted a surveyof 50 iPhone, BlackBerry, and gPhone users. The surveyshowed that 40% of users enter a password on a daily ba-sis, and that 56% mistype a password at least one time inten. Users find password entry on MIDs more annoyingthan lack of coverage, small screen size, or poor voicequality. Therefore, MIDs give rise to a need for authen-tication techniques without active user involvement, orwith very limited user involvement.

In this paper we propose using observed user behav-ior to authenticate users, an approach we refer to asimplicit authentication. Implicit authentication can beused to meet the following general authentication needs:1) Used as a secondary factor for authentication, im-plicit authentication can augment passwords to achievehigher-assurance authentication in a cost-effective anduser-friendly manner. 2) Used as a primary method of

authentication, implicit authentication can replace pass-words altogether, relieving users from the burden of en-tering passwords. 3) A third use of the technology is toprovide additional assurance for credit card transactions,based on the security posture of the device owner. (Wenote that it is not necessary for the payment transactionsin question to involve the device used to collect user data,or even to involve the user when collecting the data; theywould also not need to be put on the critical path for per-forming the payment, but simply be used as an auxiliaryfraud indicator.)

Implicit authentication can be implemented for anykind of computer, but is particularly suitable for portablecomputers – these are often characterized by a combi-nation of text input constraints and access to rich infor-mation. For example, for MIDs the input data typicallyincludes location, motion, phone activity, and other ap-plication activity. Medical devices often have input con-straints similar to MIDs and are used to access and ma-nipulate centrally maintained patient records. In spite ofHIPAA requirements, password and account sharing iscommon for such devices. The ability to authenticate aperson implicitly – and to log a person out due to a failedimplicit authentication – can help maintain high securityand privacy of patient records even under stressful con-ditions where account sharing would otherwise be verytempting. Implicit authentication finds applications tosecure military equipment as well, where usability is asimportant as securing devices against enemy take-over.Finally, out-of-band transaction verification is anothernatural application. For example, when a consumer paysfor an item with a credit card, his phone location historycan be queried silently to see whether the recent use ofthe phone is consistent with the card use, including, ofcourse, whether it is near the point-of-purchase or – foronline transactions – at a location consistent with the ob-served IP address. For the sake of concreteness, we focusour study on MIDs herein.

We introduce and evaluate techniques to compute and

maintain anauthentication score for each user, based onthe recent activities of the user. This is based on identi-fying positive events, such as common habits, and boost-ing the score when a habitual event is observed; and ondetecting negative events and degrading the score whenthese are observed. A negative event is one that is notcommonly seen for a user, or which is associated witha common type of attack.Time is also a negative eventin the sense that scores degrade over time. When thescore falls below an event-specific threshold, that eventcan no longer be performed without the user first havingto explicitly authenticate herself, e.g., by giving a pass-word. Correct explicit authentication is a highly positiveevent, and a failed explicit authentication is a negativeevent. We describe an architecture that supports implicitauthentication, and report on findings from preliminaryexperiments. Our findings support that this is an ap-proach with great potential for use with devices with richinputs.

Related work. Single Sign-On (SSO) addresses theproblem of much-too-frequent authentication require-ments, but – after a first password entry – only vouchesfor the identity of thedevice, and not its user. There-fore, SSO does not defend against theft and compromiseof devices well, and does not address voluntary accountsharing at all.

In a study of users’ perceptions of authentication onmobile devices, Furnell et al. [5] showed that users wanta solution to authentication that increases security, pro-vides transparent authentication and “authenticates theuser continuously/periodically throughout the day in or-der to maintain confidence in the identity of the user”.The study found users receptive to the use of biometricsand other behavioral indicators, but not receptive to se-curity tokens.

Some biometric authentication methods, notablykeystroke dynamics and typing patterns (e.g., [10–12])areimplicit in the sense that they continually observe theuser behavior and make authentication decisions basedon the observations. Recently, Chang et al. used ac-celerometers in television remote controls to identify in-dividuals [3]. Kale et al. [9] and Gafurov et al. [6] usedgait recognition to detect whether a device is being usedby the owner. There has also been a lot of work in com-bining several biometric inputs to produce an aggregateauthentication score [1, 2]. In location-based authenti-cation and access control [4, 14], the subject’s locationis used to decide whether the subject should be allowedto access a certain resource. Greendstadt and Beale [7]noted the need for “cognitive security” for personal de-vices. Specifically, they proposed a multi-modal ap-proach “in which many different low-fidelity streams ofbiometric information are combined to produce an ongo-ing positive recognition of a user”. Our efforts are a step

in the direction of realizing the vision laid out in [7].Centralized analysis of data collected on resource-

constrained devices is also beneficial in the context ofdefending against malware [8, 13], and it is likely thatthere will be functional overlap between an implicit au-thentication engine and a centralized anti-virus compo-nent. Whereas both security technologies benefit fromcollection and centralized analysis of data from mobiledevices, and some of this data could be obtained fromcarriers and service providers, it is important to note thatthey do not in any sense require a departure from netneutrality. In other words, the technologies can be im-plemented in a way that makes them independent of theselection of provider of connectivity, software, and hard-ware.

2 Adversarial ModelWe consider adversaries that acquire physical access tothe device, such as a family member or co-worker at-tempting to access the device or associated resources, ora stranger who steals or finds the device and tries to mon-etize it and its information.

Malware can also pose a threat. One potential attackby malware is the cloning attack: the malware sends allinformation on the infected device to a colluding hoston the network, and then – remotely, and with no furtheraccess to recent information – attempts to create an eventto be accepted. We can defend against cloning attacksby having packets signed by a SIM card which is hardto clone. Persistent malware on a device can performmore powerful attacks, as it is able to control and observeall events, and is able to mimick the user’s behavioralpatterns. By logging keystrokes, malware can also obtaina user’s password tobank.com and thus acquire accessto the user’s online banking account. Malware defense isoutside the scope of this paper, and should be seen as anorthogonal issue. We refer readers to [8] for a treatmentof mobile malware defenses.

3 Data and ArchitectureThe data sources used to make authentication decisionscan be grouped into three classes:data primarily avail-able on the device, data available to the carrier, anddataavailable from other providers. Some data may belong tomore than one class; and some data are device specific,depending on the type of hardware and the type of use.

Device data. Modern mobile devices provide richsources of data for implicit authentication: 1) Lo-cation and co-location data from GPS coordinatespossibly augmented by accelerometer measurements.WiFi/Bluetooth connections and USB connections indi-cate co-location. Moreover, successful authentication toa known access point or sync with a known PC is a strongpositive indicator. 2) Application usage, such as brows-

ing patterns and software installations. 3) Biometric-style measurements, such as keyboard typing patternsand voice data. Touch-screen devices might also be ableto fingerprint users, or at least measure the size and shapeof any portion of fingers in contact with the screen. Fu-ture devices may also have user-configured auxiliary sen-sors, e.g., to monitor the user’s pulse, temperature andblood pressure. 4) Contextual data, such as the contentsof calendar entries, the current time of day, day of week,etc.

Carrier data. Carriers know users’ approximate loca-tion, as identified by the selection of cellular tower. Car-riers also know the users’ phone call patterns and mayalso have voice data. For users who access the Internetthrough the cellular network, the carrier may also knowtheir Internet access patterns, for example, by examiningtheir DNS requests and network packets in general.

Cloud data. An increasing number of applications arehosted on the network, and have usage information ofrelevance – whether this amounts simply to what appli-cations were used and when, or the data content, such ascalendar entries.

System architecture. We now explain possible architec-ture choices and discuss their pros and cons. The authen-tication decision may be made by the mobile device, bythe carrier or by another trusted third party. Consumersof the authentication decision (or score) include 1) themobile device (e.g., to decide whether a password is nec-essary to unlock the device or use a certain application);2) a service provider that wishes to authenticate the user(e.g., an online banking website or a cashier’s register ifthe device is used as an electronic credit card.)

The mobile device can make authentication decisionslocally to decide whether a password is necessary to un-lock the device or use a certain application. The device’sSIM card can also sign the authentication decision (orscore) and send it to a service provider. This approachprotects the user’s privacy This approach protects theuser’s privacy against cheating servers, but not theft andcorruption of devices. Namely, if the device is captured,an attacker may be able to obtain the data stored in thememory and learn the user’s behavioral patterns. As mo-bile devices are battery-constrained, we also need to en-sure that the authentication score is fast to compute.

Carriers are well-suited to be the trusted third party incharge of making authentication inferences and commu-nicating trust statements to qualified service providers.However, it is also possible for carriers simply to pro-vide data to third parties entrusted with the analysis ofdata and the making of authentication decisions. In eithercase, participation of carriers is simplified by the fact thatthey already have established a trust relationship with theconsumer, and because of their natural ability to commu-

nicate with the consumer devices. It is possible to enrolldevices that cannot be used to sense or report events byrelying on carrier data, and – based on consumer opt-in– on data from network service providers.

Network service providers are not only producers ofdata, but also consumers of trust statements. They wouldmake decisions on whether to require an explicit authen-tication or not based on such statements, and – in the casewhen an explicit authentication session is required – feedback the outcome of this step to the trusted third party. Itis possible for a network service provider to play the roleof the trusted third party, given client-side software thatreports information, using the carrier simply as a conduitof information.

Privacy. If we adopt an approach where data is re-ported to a trusted-third party, users’ privacy will be aconcern. The following approaches are possible for en-hancing user privacy: 1) removing identifying informa-tion (such as names or phone numbers) from the databeing reported; 2) using a pseudonym approach, e.g.,“phone number A, location B, area code D”; 3) usingcoarse-grained or aggregate data, e.g., reporting a roughgeographic location rather than precise GPS coordinates,and reporting aggregate statistics rather than full traces.

4 Learning Framework

ModelLearning

AlgorithmScoring

Algorithm

BehaviorPast Recent

Behavior

Score

User

Figure 1: Architecture.

Figure 1 outlines the framework of the machine learn-ing algorithm. We first learn auser model from a user’spast behavior which characterizes an individual’s behav-ioral patterns. To make an authentication decision inreal-time, ascoring algorithm examines the user modeland the user’s recent behavior, and outputs a score in-dicating the likelihood that the correct user is using thedevice. The score is used to make an authentication deci-sion: typically, we can use a threshold to decide whetherto accept or reject the user, and the threshold can vary fordifferent applications, depending on whether the applica-tion is security sensitive. The score may also be used as asecond-factor indicator to augment traditional password-based authentication.

4.1 Modelling the User

The user model should characterize the user’s behavioralpatterns. For example, how frequently the user typicallymakes phone calls to numbers in the phone book, wherethe user typically spends time, etc. The user model may

also consider combinations of different indicators. Forexample, given that the user is in her office and has re-ceived a call from number A, then with 90% probability,she will send an email to address B within the next 10minutes.

First step: an independent feature model. We nowdescribe a naive model where we assume independencebetween different categories of activities. In other words,we assume that the user’s phone call pattern is indepen-dent from her location, browser usage, and other activi-ties. We assume that the user’s behavior depends on thetime of day and day of week. For example, one usermight place and receive frequent phone calls in the after-noon, but might not place any phone calls between 6 pmand 10 pm, and only receive phone calls for the first halfof that interval.

Let V1, V2, . . . , Vk denotek independent random vari-ables, also referred to asfeatures. Example of fea-tures include: V1 = time elapsed since last good call,V2 = inter-arrival time between bad calls, V3 =GPS coordinates, etc. In the above, a good call is onemade to a number in the phone book or a number thathas been called in the past, and a bad call is one made toa number that has never been seen before.

A user model is the product ofk probability densityfunctions conditioned on the variableT = (time of day,day of week):

user model:=[

p(V1|T ), p(V2|T ), . . . , p(Vk|T )]

The learning algorithm in Figure 1 basically estimatesthese density functions, thereby forming a user model.

4.2 Scoring Algorithm

Given a user model and reported recent behavior, thescoring algorithm outputs a score indicating the likeli-hood that the device is in the hands of the rightful owner.

Scoring independent features. We now describe a po-tential way to design the scoring function under the inde-pendent feature model.

A user’s recent behavior may be described by a tu-ple (t, v1, v2, . . . , vk), wheret denotes the current time,andv1, . . . vk denote the values of variables(V1, . . . , Vk)at time t. The idea is to compute a separate score foreach feature, and then use a functionf to combine theseseparate scores into a final score. Basically, we willhavek scoring functions denotedS1, S2, . . . , Sk. Let1 ≤ i ≤ k. Given the probability density distributionp(Vi|T ) and an observed valuevi, thei-th scoring func-tion Si outputs a scoresi for this feature.

As an example, consider how one might design a scor-ing function forV1 = time elapsed since last good call.The idea is that the score should decay over time dur-ing periods of inactivity. However, the rate of decay de-pends on the time of day and day of week. If a user typ-

ically makes frequent phone calls in the afternoon, thenthe score should decrease faster in the afternoon duringperiods of inactivity. By contrast, if the user typicallymakes no phone calls between 12am and 8am, then thescore should decrease more slowly over this period oftime. One potential candidate for the scoring function isas follows. Letv1 denote the lapse since the last call attimet. LetF (x|T = t) = Pr(V1 ≤ x|T = t) denote thecumulative distribution of variableV1 for time t. Definethe score to be the probability that a lapse ofv1 or longeris seen at timet:

S1(v1) = 1 − F (v1|T = t) (1)

The scoring function for user location may assign toa location visited at a certain time of day a score whichis inversely proportional to the distance to the nearest lo-cation cluster associated with this time of day. For ex-ample, a user who is typically at a “work” cluster duringworking hours and at a “home” cluster at night would re-ceive the highest score for being located at the expectedcluster at the expected time. Locations near expectedclusters would receive partial credit that decreases to zeroas the distance to the cluster increases.

Learning the scoring function. Given the sep-arate scores for k different features, we callf(S1(v1), . . . , Sk(vk)) to compute the final score.For example, suppose that each scoreSi(vi) (1 ≤ i ≤ k)is the probability ofvi, i.e., Si(vi) = Pr[Vi = vi] orSi(vi) = Pr[Vi ≥ vi] as in Eq(1). Then a natural wayto combine the scores is to compute the joint probabilityof (v1, . . . , vk). As we assume independence betweenfeatures, the final score would be the product of theseprobabilities:f(s1, . . . , sk) = s1 · s2 · . . . · sk.

Another potential design forf is a weighted sum:

f(s1, . . . , sk) := w1s1 + w2s2 . . . + wksk

The weightsw1, . . . wk should be determined through atraining process.

To learn the scoring function, assume that we collectactivity data form individuals. This set of data is dividedinto a training set and a test set. The training set will beused as postive examples in the training process. We syn-thetically generate negative examples (attack data) fortraining. In particular, we use a splicing method to cre-ate negative examples. If person A and person B appearin the vicinity of each other at timet, then we splice thedata for A beforet and the data for B after timet. Thismodels an attack where B picks up or steals A’s mobilephone and starts using it on her own. In reality, B couldbe a friend, colleague, acquaintance or a stranger.

Now, training the weightsw1, . . . , wk can be ex-pressed as a minimization problem: suppose we fix thefalse negative rate, e.g., we say that a legitimate user is

denied access and has to enter her password at most oncea day on average. Our goal is then to minimize the falsepositive rate (failure to detect an attack) and the time tilldetection in the presence of an attack.

5 Data Collection and Initial Experiments

Data collection. There are three mainstream mobileplatforms to consider: the iPhone, Android devices, andSymbian devices (e.g., BlackBerry). We chose to per-form experiments to validate our approach using theBlackBerry platform, which supports multi-threading.

We ran an experiment in which we recorded a listof actions and events for BlackBerry equipped sub-jects. Information relating to the following types ofevents was recorded: emails, calls, SMSs, location,contacts, calendar, tasks, memos, alerts, battery level,(un)holstering, USB connections, power on/off, SD cardremoval/insertions.

In more detail, we recorded the following email ac-tivity: New email detection, opening/closing email mes-sages, adding/removing email messages to/from folders,creation and sending of new email messages, types andfile extensions of email attachments. For call activity,we recorded the date, duration, notes, and the status ofcalls. We recorded sending and receiving of SMSs. Thelocation was saved with 5-minute intervals. We recordedthe addition, removal and editing of contacts, calendarevents, task list items and memo pad entries. We alsorecorded alerts started and stopped – e.g., calendar ap-pointment warnings – and battery level changes (high,medium, low).

Data analysis. Whereas a full-blown system would useall detectable events to make authentication decisions,we started by examining a subset of them for the sakeof simplicity. Below we report some initial findings ofthe analysis we performed on phone data and locationdata.

We collected three months of phone data for each par-ticipant in the study, and studied their call patterns. Wefind that their call history exhibit distinct patterns de-pending on the time of the day. For example, between12 am and 4 am over a period of 3 months, one partic-ipant made only a small number of calls to 3 differentnumbers. On the other hand, between 12 pm and 4 pm,the same participant made a total of 267 calls to 44 dif-ferent numbers, averaging to about 3 calls per day duringthis time period. Among the 267 calls, about a half ofthem were made to a family member of the participant.The second most frequent number which turned out tobe a collaborator of the participant was called 17 times.Both the numbers called and the call patterns authenti-cate users – in Figure 2, we plot the cumulative distri-bution of the time elapsed since the previous call for theindividual described above. The two curves in the figure

represent 3 pm and 5 am respectively. The figure indi-cates that around 3 pm, the typical (median) lapse sincelast call is 108 minutes. By contrast, the typical (median)lapse at 5 am is around 521 minutes. The patterns varyfor different individuals. For example, another individ-ual in the study made only 60 calls between 12 pm and4pm over the course of 3 months, averaging about 0.67calls per day. The score for the latter individual shouldtherefore decay more slowly than the former individualduring this period of time.

0 500 1000 1500 20000.

00.

20.

40.

60.

81.

0

minutes

cum

ulat

ive

dist

ribut

ion

0 500 1000 1500 20000.

00.

20.

40.

60.

81.

0

minutes

cum

ulat

ive

dist

ribut

ion

3pm5am

Figure 2: CDF of lapse since previous call.

We also analyzed the location traces for participantsin the study. We used the interactive clustering algo-rithm of [15] to compute clusters of the most frequentlyvisited locations. The clusters are parametrized by themaximum distance between points within a cluster, andby the minimum number of points within a cluster. Weexperimented with different values for these parameters.For a trace representing a few days’ worth of activitieswith locations recorded every 5 minutes, we found that amaximal distance of 1,000 meters and a minimum of 20points per cluster successfully produced a small numberof clusters corresponding to where the user lives, worksand shops (see Figure 3).

Scoring algorithm. In a full-blown system thescore will combine all features collected. Inour preliminary analysis, we design a scoring al-gorithm for phone data combining two features:V1 = time elapsed since last good call, and V2 =number of consecutive bad calls. For example, if themost recent call is a good call, thenV2 = 0. If the mostrecent three calls are good, bad and bad respectively, thenV2 = 2.

Figure 4 plots the authentication score for one individ-ual over a period of one day. The x-axis represents thetime of day expressed in hours 0-23. The y-axis repre-sents the score, which is a value between 0 and 1. Everytime the individual makes a call to a known good num-

Figure 3: Locations clusters computed from a user’s GPS trace.The height of the cluster is proportional to the time spent withinthe cluster.ber, the score goes up to 1. As marked by red “X” in thefigure, the score is decreased whenever a bad call is made(i.e., a call to an unknown number). During silent peri-ods, the score decays over time. Specifically, the figureshows that the score decays faster in the afternoons thanat night. For example, during a silent period between 7pm and 9 pm, the score decays fast. By contrast, duringa silent period between 12 am and 5 am, the score de-cays very little. This is because this user typically makesmore phone calls between 7 pm and 9 pm, but typicallydoes not make any calls between 12 am and 5 am. Thesmall local oscillations are due to an artifact in the scor-ing function defined in Eq(1). Eq(1) does not guaranteethat the score is strictly monotonically decreasing. It ispossible to have small local oscillations while the scorewill decay over longer periods of time.

0.0

0.2

0.4

0.6

0.8

1.0

time of day (0−23)

scor

e

12 14 16 18 20 22 00 02 04 06 08 10 12

Figure 4: Score over time. Each red “X” marks a call to anunknown number, where the score is decreased.

We also ran the scoring algorithm on an adversarialtrace obtained by splicing two individuals’ traces. Notsurprisingly, the adversary’s score quickly decreases to 0as the adversary calls a disjoint set of numbers from theowner of the device.

6 Future WorkAs future work, we plan to investigate the following: 1)Make use of all features for the scoring, and report re-sults on false positive and false negative rates. 2) Re-search methods to model the dependence between dif-ferent features (i.e., activities). 3) Research methods tomodel adversarial behavior.

AcknowledgmentsWe gratefully acknowledge insightful feedback and invalu-able suggestions from Oliver Brdiczk, David Goldberg, MarkGrandcolas, Jessica Staddon and Arvind Narayanan. We thankYuan Niu and Alan Walendowski for their help with data col-lection. We also thank the anonymous reviewers for their help-ful comments.

References[1] J. Bigun, J. Fierrez-Aguilar, J. Ortega-Garcia, and J. Gonzalez-

Rodriguez. Combining biometric evidence for person authenti-cation. InAdvanced Studies in Biometrics, 2005.

[2] R. Brunelli and D. Falavigna. Person identification using multiplecues. InIEEE Transactions on Pattern Analysis and MachineIntelligence, 1995.

[3] K. Chang, J. Hightower, and B. Kveton. Inferring identity usingaccelerometers in television remote controls. InProceedings ofthe International Conference on Pervasive Computing, 2009.

[4] M. L. Damiani and C. Silvestri. Towards movement-aware ac-cess control. InProceedings of the SIGSPATIAL ACM GIS 2008International Workshop on Security and Privacy in GIS and LBS,2008.

[5] S. Furnell, N. Clarke, and S. Karatzouni. Beyond the pin:En-hancing user authentication for mobile devices.Computer Fraudand Security, 2008.

[6] D. Gafurov, K. Helkala, and T. Søndrol. Biometric gait authenti-cation using accelerometer sensor.JCP, 1(7):51–59, 2006.

[7] R. Greenstadt and J. Beal. Cognitive security for personal de-vices. InThe First ACM Workshop on AISec, 2008.

[8] M. Jakobsson and A. Juels. Server-side detection of malwareinfection. InNSPW, 2009.

[9] A. A. Kale, N. Cuntoor, and V. Kruger. Gait-based recognitionof humans using continuous hmms. InFGR ’02: Proceedings ofthe Fifth IEEE International Conference on Automatic Face andGesture Recognition, 2002.

[10] G. Leggett, J. Williams, and M. Usnick. Dynamic identity veri-fication via keystroke characteristics. InInternational Journal ofMan-Machine Studies, 1998.

[11] F. Monrose and A. Rubin. Authentication via keystroke dynam-ics. In 4th ACM conference on Computer and communicationssecurity, pages 48–56, 1997.

[12] M. Nisenson, I. Yariv, R. El-Yaniv, and R. Meir. Towardsbe-haviometric security systems: Learning to identify a typist. InPKDD, 2003.

[13] J. Oberheide, E. Cooke, and F. Jahanian. Cloudav: N-version an-tivirus in the network cloud. InProceedings of the 17th USENIXSecurity Symposium (Security), 2008.

[14] N. Sastry, U. Shankar, and D. Wagner. Secure verification of loca-tion claims. InWiSe ’03: Proceedings of the 2nd ACM workshopon Wireless security, 2003.

[15] C. Zhou, D. Frankowski, P. Ludford, S. Shekhar, and L. Terveen.Discovering personally meaningful places: An interactiveclus-tering approach. InACM Transactions on Information Systems,volume 25, page 12. ACM, 2007.