USER AUTHENTICATION ON MOBILE PHONES – WHAT IS THE BEST APPROACH?



Leong Lai Fong, Woo Chaw Seng

Faculty of Computer Science and Information Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia.

Email: [email protected], [email protected]

ABSTRACT

The usage of the mobile phone over the last few years has made fundamental changes in our daily life. Mobile devices, namely Personal Digital Assistants (PDAs) and mobile phones, contain ever more personal information, including address books, schedules and payment information. Losing a mobile phone isn't just the loss of the gadget, but also the risk of a greater loss of money. This paper discusses different types of authentication approaches on mobile phones, namely PIN, token and biometric authentication. We believe that biometric authentication is the most secure of the three. Besides that, the suitability of various biometric technologies is compared and the proper biometrics are identified.

Keywords: authentication, biometric, mobile phone, security, study.

1.0 Introduction

The usage of the mobile phone over the last few years has made fundamental changes in our daily life. Mobile devices, namely Personal Digital Assistants (PDAs) and mobile phones, are extremely useful for managing appointments and contact information, reviewing documents, corresponding via electronic mail, delivering presentations, accessing corporate data and mobile banking. Unfortunately, current PIN authentication security in mobile devices is weak, and a stronger authenticator is in high demand.

2.0 IT Security Objectives

The main goals in IT security are based on the three components of computer security as follows [1]:

(a) Confidentiality: The concealment of information or resources, for keeping information secret (privacy) as well as obscuring identity (anonymity).
(b) Integrity: The trustworthiness of data or resources, ensuring non-repudiation of data integrity (the content of the information) and origin integrity (the source of the data, how and from whom it was obtained) via prevention mechanisms and detection mechanisms.
(c) Availability: The ability to use the information or resource desired, covering reliability, system design and protection against denial of service attacks.

Fig. 1: Objectives of IT security (confidentiality, integrity, availability)

The definitions and solutions of confidentiality, integrity and availability often overlap and can hardly be separated completely. One important security protection is a strong access control mechanism. A strong authentication system is able to prevent and detect unauthorized attackers performing actions outside the scope of legitimate activity, which would impact confidentiality, integrity and availability.

Proceeding of the 3rd International Conference on Informatics and Technology, 2009

Informatics '09, UM 2009 RDT6 - 230


3.0 Security Overview on Personal Devices

Several major security issues loom over the use of such devices, including [2]:

(a) Mobile devices are often stolen or missing, due to their small sizes;
(b) The contents of mobile devices are unencrypted or encrypted under a flawed protocol;
(c) Mobile devices are prone to man-in-the-middle attacks or virus attacks over the wireless connection;
(d) User authentication is weak or disabled or in a common default mode; the authentication mechanism of a single static password can be circumvented easily.

To overcome the security problems mentioned above, computer locks or laptop locks are the general solution for better physical guarding of such devices. In order to enhance the security of data transmission, data encryption and hashing with complicated algorithms are practiced. The Advanced Encryption Standard (AES) announced by the National Institute of Standards and Technology (NIST), which has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, is one of the most popular algorithms used in symmetric key cryptography [3]. Hashing, the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string, is used to encrypt and decrypt digital signatures, and further to authenticate message senders and receivers. The digital signature is transformed with the hash function and then both the hashed value (known as a message-digest) and the signature are sent in separate transmissions to the receiver. Using the same hash function as the sender, the receiver derives a message-digest from the signature and compares it with the message-digest it also received; if they match, the message is the same as the original [4]. In this way, a man-in-the-middle attack can be avoided.
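The receiver-side digest comparison described above, as an added example that is not from the paper: the receiver recomputes a SHA-256 message-digest and compares it with the one it received. A keyed HMAC stands in here for the digital signature the paper mentions, so the example also shows why the protection rests on the key rather than on the hash alone: an intermediary that changes the message can recompute an unkeyed digest, but not the keyed tag. The transfer message and the shared key are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a mobile-banking instruction sent from handset to bank.
MESSAGE = b"transfer RM 10 to account 1234 ref 20090910"
# Shared secret standing in for the sender's signing key (an assumption here).
KEY = secrets.token_bytes(32)


def message_digest(message):
    """Unkeyed SHA-256 digest, the 'message-digest' the paper refers to."""
    return hashlib.sha256(message).hexdigest()


def sign(key, message):
    """Keyed HMAC-SHA256 tag, used here in place of a public-key signature."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_digest(message, received_digest):
    """Receiver recomputes the digest with the same hash function and compares."""
    return hmac.compare_digest(message_digest(message), received_digest)


def receiver_accepts_tag(key, message, received_tag):
    """Receiver recomputes the keyed tag; constant-time compare resists timing leaks."""
    return hmac.compare_digest(sign(key, message), received_tag)


def relay_with_alteration(message):
    """Models an intermediary that changes the amount and recomputes the unkeyed
    digest; the keyed tag cannot be recomputed without KEY."""
    altered = message.replace(b"RM 10 ", b"RM 1000 ")
    return altered, message_digest(altered)


def demo():
    """Run both checks on the original and on the altered message."""
    digest, tag = message_digest(MESSAGE), sign(KEY, MESSAGE)
    altered, altered_digest = relay_with_alteration(MESSAGE)
    return {
        "original_digest_ok": receiver_accepts_digest(MESSAGE, digest),
        "original_tag_ok": receiver_accepts_tag(KEY, MESSAGE, tag),
        # Digest still matches: it was recomputed after the change.
        "altered_digest_ok": receiver_accepts_digest(altered, altered_digest),
        # Keyed tag no longer matches: the alteration is detected.
        "altered_tag_ok": receiver_accepts_tag(KEY, altered, tag),
    }


if __name__ == "__main__":
    print(demo())
```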

As for the user authentication issue, biometric authentication has already been introduced and implemented in desktops, laptops, tablets, mini notebooks, Ultra Mobile Personal Computers (UMPCs) and PDAs. The Fujitsu U810 is a mini notebook that promotes biometric authentication for better security, with its integrated AuthenTec fingerprint scanner and embedded TPM [5]. The Sony VAIO VGN-UX390N is an example of a UMPC with an embedded fingerprint scanner [6]. Hence, for mobile phones as well, biometric authentication offers higher security than conventional password authentication.

4.0 Authentication Security: Types of Authenticators

There are three means of authenticating a user's identity, which can be used alone or in combination:

(a) Something the individual knows (a secret, e.g., a password, Personal Identification Number (PIN), or cryptographic key);
(b) Something the individual possesses (a token, e.g., an ATM card or a smart card);
(c) Something the individual is (a biometric, e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).

Table 1: Types of authenticators and attributes

| Authenticator              | Knowledge-Based           | Object-Based       | ID-Based                      |
|----------------------------|---------------------------|--------------------|-------------------------------|
| Commonly referred to as    | Password, secret          | Token              | Biometric                     |
| Supports authentication by | Secrecy or obscurity      | Possession         | Uniqueness and personalization|
| Security defense           | Closely kept              | Closely held       | Forge-resistant               |
| Traditional method         | Combination lock          | Metal key          | Driver's license              |
| Digital method             | Computer password         | Key-less car entry | Fingerprint                   |
| Security drawback          | Less secret with each use | Insecure if lost   | Difficult to replace          |

5.0 User Authentication on Mobile Phones

5.1 PIN Authentication

The traditional method of securing a mobile phone is by using a PIN as password authentication. The concept of single static passwords is widely employed globally. One major benefit of a single static password is that it is easy to remember. However, in the sense of security, a single static password is insufficient as it can be hacked. According to O'Gorman [7], authentication systems based on passwords and tokens can be attacked by:

(a) Client attack: By guessing passwords or stealing tokens;
(b) Host attack: By accessing a plain text file containing passwords;
(c) Eavesdropping: By shoulder surfing for passwords;
(d) Repudiation: By claiming that the token was misplaced;
(e) Trojan horse attack: By installing a bogus log-in screen to steal passwords;
(f) Denial of service: By disabling the system through deliberately supplying an incorrect password several times.


5.2 Token Authentication

The token authentication approach does not fit well on mobile phones either. This is because the token approach fundamentally relies upon the user remembering to pick up their token along with the handset, so that the token and the mobile phone are physically connected. Many users will then simply leave the token with the phone (as with the SIM card) for convenience. As a result, the token does not provide the security it was intended to.

5.3 Biometric Authentication

The term Biometrics, in a wide definition, describes the science of statistical analysis of biological observations and phenomena. Biometrics is an emerging technology [8] that addresses the automated identification of individuals, based on their biological observations (physiological) and phenomena (behavioral traits). The personal physiological attributes of an individual can be obtained from things one is, such as fingerprint, hand geometry, palm print, face, iris, retina, and ear. The idiosyncratic behavioral traits of an individual can be obtained from things one does, such as signature, lip movement, speech, keystroke dynamics, gesture and gait. Each of these biometric techniques has its own advantages and disadvantages according to user acceptance, cost and performance [9].

Fig. 2: Different types of biometric ID methods

In order to determine the suitability of a physical or a behavioral trait to be used in a biometric application, Jain et al. [10] have identified seven factors as below:

(a) Universality: Every person accessing the application should possess the trait.
(b) Uniqueness: The given trait should be sufficiently different across individuals comprising the population.
(c) Permanence: The biometric trait of a person should be sufficiently invariant over a period of time with respect to the matching algorithm.
(d) Measurability: It should be possible to acquire and digitize the biometric trait, and it should be amenable to processing in order to extract representative feature sets, using suitable devices that do not cause undue inconvenience to the user.
(e) Performance: The recognition accuracy and the resources required to achieve that accuracy should meet the constraints imposed by the biometric system.
(f) Acceptability: Individuals in the target population that will utilize the biometric system should be willing to present their biometric trait to the system.
(g) Circumvention: The trait of a person can be imitated using artifacts (e.g., fake fingers), in the case of physical traits, and mimicry (e.g., mimicked signatures), in the case of behavioral traits.

6.0 Discussion - What is the best approach?

Given the characteristics above, a biometric authentication system offers the following benefits:

(a) The biometric trait is unforgettable. Unlike the PIN or token authentication that needs to be remembered, biometric traits, physical or behavioral, represent something that the user is.
(b) The biometric trait cannot be lost. Unlike the PIN written on a piece of paper, or the authentication token kept close to the mobile phone, biometric traits cannot be lost.
(c) Biometrics cannot be shared. Unlike a password or token that can be shared among family and friends, biometrics cannot be shared.
(d) Biometrics prevent identity theft. The nature of biometrics ensures that the logged-in user is the actual user and not any other impostor.

In fact, there are already mobile phones offering biometric authentication in the market.

(a) Fingerprint

Several mobile handsets featuring fingerprint recognition technology are already on the market. One example is the Pantech G100 (see Fig. 3), which will only allow certain functions to be accessed after a registered fingerprint has been recognized. Other than that, LG Electronics also introduced fingerprint recognition in their LG-KP3800 mobile phones. However, an additional fingerprint image acquisition sensor and a DSP chip for fingerprint recognition were required, thus increasing the cost and size of the mobile phone [11].

Fig. 3: Pantech GI100 fingerprint scanning handset

(b) Face recognition

Typical of the face recognition devices that are becoming available is OMRON's OKAO Vision Face Recognition Sensor (Fig. 4), which can be implemented in PDAs, mobile phones or other mobile devices with a camera function. There is no requirement for additional hardware. Users register their own face image to their handset with the handset's camera. To use the unit, the user takes his or her own photo, and the sensor software will automatically detect the user and unlock the unit.

The software is typically designed to work quickly (less than 1 second from taking the image) and to be tolerant of a wide range of facial orientations. It is also designed to be less demanding on processor and memory requirements.

Fig. 4: Handset using OMRON OKAO vision sensor (Omron)

Let us now examine closely the possibilities of other biometric technologies.

Table 2: Comparison of various biometric technologies

| Biometrics         | Universality | Uniqueness | Permanence | Collectability | Performance | Acceptability | Circumvention |
|--------------------|--------------|------------|------------|----------------|-------------|---------------|---------------|
| Face               | High         | Low        | Medium     | High           | Low         | High          | Low           |
| Fingerprint        | Medium       | High       | High       | Medium         | High        | Medium        | High          |
| Hand geometry      | Medium       | Medium     | Medium     | High           | Medium      | Medium        | Medium        |
| Keystrokes         | Low          | Low        | Low        | Medium         | Low         | Medium        | Medium        |
| Hand veins         | Medium       | Medium     | Medium     | Medium         | Medium      | Medium        | High          |
| Iris               | High         | High       | High       | Medium         | High        | Low           | High          |
| Retinal scan       | High         | High       | Medium     | Low            | High        | Low           | High          |
| Signature          | Low          | Low        | Low        | High           | Low         | High          | Low           |
| Voice              | Medium       | Low        | Low        | Medium         | Low         | High          | Low           |
| Facial thermograph | High         | High       | Low        | High           | Medium      | High          | High          |
| Odor               | High         | High       | High       | Low            | Low         | Medium        | Low           |
| DNA                | High         | High       | High       | Low            | High        | Low           | Low           |
| Gait               | Medium       | Low        | Low        | High           | Low         | High          | Medium        |
| Ear canal          | Medium       | Medium     | High       | Medium         | Medium      | High          | Medium        |

Based on the comparison table above, we believe that the biometrics appropriate for mobile phone authentication include face, fingerprint, hand geometry, hand veins, iris and retinal scan. This is because these biometric technologies have medium or high qualification for most of the criteria. Although facial thermograph has very good characteristics, we believe that it is not suitable for mobile phone authentication as it requires high computation power and additional hardware. Meanwhile, biometric traits like keystrokes, signature, voice, odor, DNA, gait and ear canal are also not suitable for mobile phone authentication due to low satisfaction on many aspects.

However, we must also consider other factors when choosing a proper biometric trait for mobile phone authentication, such as:

(a) Additional hardware device for the mobile phone;
(b) Cost involved;
(c) Low computational power in the mobile phone;
(d) Limited storage in the mobile phone.
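The selection rule of this section, as an added example that is not part of the paper: Table 2 is transcribed into a small scoring tool that counts how many criteria each trait satisfies at Medium or High (the paper's "most of the criteria", read here as a majority of at least 4 of 7), lists the criteria on which it is rated Low, ranks by a numeric score (High 2, Medium 1, Low 0, with equal criterion weights unless the deployer supplies others; both are assumptions of this example) and attaches the hardware and computation constraints the paper states for face, fingerprint and facial thermograph.

```python
# Table 2 of the paper, transcribed as printed (H = High, M = Medium, L = Low),
# in the paper's column order. Transcription and scoring are added here, not the paper's.
CRITERIA = ["Universality", "Uniqueness", "Permanence", "Collectability",
            "Performance", "Acceptability", "Circumvention"]
TABLE2 = {
    "Face":               "H L M H L H L",
    "Fingerprint":        "M H H M H M H",
    "Hand geometry":      "M M M H M M M",
    "Keystrokes":         "L L L M L M M",
    "Hand veins":         "M M M M M M H",
    "Iris":               "H H H M H L H",
    "Retinal scan":       "H H M L H L H",
    "Signature":          "L L L H L H L",
    "Voice":              "M L L M L H L",
    "Facial thermograph": "H H L H M H H",
    "Odor":               "H H H L L M L",
    "DNA":                "H H H L H L L",
    "Gait":               "M L L H L H M",
    "Ear canal":          "M M H M M H M",
}
RATING_VALUE = {"H": 2, "M": 1, "L": 0}  # assumed numeric scale for ranking
# Section 6 constraints the paper states for particular traits; traits absent
# here are ones the paper does not characterise.
STATED_CONSTRAINTS = {
    "Face": "no additional hardware, uses the handset camera",
    "Fingerprint": "extra image sensor and DSP chip add cost and size",
    "Facial thermograph": "high computation power and additional hardware",
}

def ratings(trait):
    """Map each criterion to the H/M/L rating for one trait."""
    return dict(zip(CRITERIA, TABLE2[trait].split()))

def medium_or_high_count(trait):
    """How many of the seven criteria are rated Medium or High."""
    return sum(r != "L" for r in ratings(trait).values())

def low_criteria(trait):
    """The criteria on which the trait is rated Low (its weak aspects)."""
    return [c for c, r in ratings(trait).items() if r == "L"]

def weighted_score(trait, weights=None):
    """Sum of rating values; weights let a deployer emphasise e.g. Circumvention."""
    weights = weights or {c: 1 for c in CRITERIA}
    return sum(weights[c] * RATING_VALUE[r] for c, r in ratings(trait).items())

def shortlist(min_medium_or_high=4, weights=None):
    """Traits rated Medium/High on at least min_medium_or_high criteria, ranked by
    score, each with its Low criteria and any constraint the paper states for it."""
    keep = [t for t in TABLE2 if medium_or_high_count(t) >= min_medium_or_high]
    keep.sort(key=lambda t: (-weighted_score(t, weights), t))
    return [(t, weighted_score(t, weights), low_criteria(t),
             STATED_CONSTRAINTS.get(t)) for t in keep]
```

The rating count alone does not reproduce the paper's final shortlist; the section 6 constraints (hardware, cost, computation, storage) decide the remaining cases, which is why each row carries the constraint the paper states for it.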

7.0 Conclusion

In conclusion, the conventional PIN authentication on mobile phones provides low security, while biometric authentication, which offers higher security on mobile phones, is becoming a trend. Beyond the current fingerprint and face recognition, other biometric approaches, namely hand geometry, hand veins, iris recognition and retinal scan, could be proper alternatives. Besides that, a hybrid authenticator combining biometrics and digital watermarking would be a better choice to provide greater security.

References

[1] M. Bishop, Computer Security: Art and Science, Addison-Wesley, 2002.
[2] National Institute of Standards and Technology: Mobile Security and Forensics, available at http://csrc.nist.gov/groups/SNS/mobile_security/index.html, date accessed: 10 September 2009.
[3] Wikipedia: Advanced Encryption Standard, available at http://en.wikipedia.org/wiki/Advanced_Encryption_Standard, date accessed: 10 September 2009.
[4] A.K. Jain, P. Flynn, A. Ross, Handbook of Biometrics, Springer, 2008.
[5] Mobile Tech Review: Fujitsu U810 Mini-Notebook, available at http://www.mobiletechreview.com/notebooks/Fujitsu-U810.htm, date accessed: 10 September 2009.
[6] The Incredible Shrinking Laptop, online article, available at http://articles.directorym.co.uk/The_Incredible_Shrinking_Laptop-a873284.html, date accessed: 10 September 2009.
[7] L. O'Gorman, Comparing Passwords, Tokens and Biometrics for User Authentication, Proc. of the IEEE, vol. 91, no. 12, pp. 2019-2040, Dec 2003.
[8] D. Zhang (ed.), Automated Biometrics: Technologies & Systems, Kluwer Academic, 2000.
[9] Y.L. Ma, Frank Pollick, W. Terry Hewitt, Using B-Spline Curves for Hand Recognition, Proc. of the 17th International Conf. on Pattern Recognition (ICPR 04), 2004.
[10] A.K. Jain, R. Bolle and S. Pankanti (eds.), Biometrics: Personal Identification in Networked Society, Kluwer Academic, 1999.
[11] Dae Sik Jeong, Hyun-Ae Park, Kang Ryoung Park and Jaihie Kim, Iris Recognition in Mobile Phone Based on Adaptive Gabor Filter, Advances in Biometrics, Springer Berlin/Heidelberg, vol. 3832, pp. 457-463, 2005.

BIOGRAPHY

Leong Lai Fong obtained her Master of Information Technology from University of Science Malaysia in 2007. Currently, she is a PhD candidate at the Faculty of Computer Science and Information Technology, University of Malaya. Her research areas include image processing, biometrics and mobile applications.

Woo Chaw Seng is a senior lecturer at the Faculty of Computer Science and Information Technology, University of Malaya. His research interests include image processing, mobile applications and multimedia security.
