BY CHEN YEAH TECK Image-Based Authentication for Mobile Phones: Performance and User Opinions Source: Slippery Brick (2006)
Outline Introduction Motivation Literature Review Research Questions Research Methodology Findings Limitations Future Work
Introduction Increasingly sophisticated mobile devices More data generated, more services available More than 200,000 phones reported stolen each year in Australia alone (AMTA, 2008) How do you protect your phone?
Motivation Improper use of embedded mobile phone security (Clarke & Furnell 2005) 30% believe PIN troublesome 34% disable PIN 66% of those who use PIN 38% forgotten PIN at least once 45% use default PIN 42% change once (after purchase) 13% change more than once
Motivation (Cont) Password and PIN still the most used authentication mechanisms but often result inappropriate use and have memorability issues Token and Biometrics have limitations Research on image based authentication (IBA) shows promise Little focus on usability of new authentication methods
Literature Review The “Security Guard” Analogy Authentication Something you know Something you have Someone you are Also, someone you know
Literature Review (Cont) PIN and password Used to be machine generated Led to user generated Mobile device needs instantaneous access, authentication in the way get disabled Limitation Memorability and usability issues In secure PIN and Password
Literature Review (Cont) Token Authentication Removes need to remember password Store digital certificate Smart media Transient Authentication Limitation Extra hardware/cost Left in situ Can be forgotten or lost Use PIN or password as fallback Source: Nicholson, Corner & Noble 2006
Literature Review (Cont) Biometrics Physiological (Fingerprint, Face, Iris) Behavioural (Voice, Keystroke pattern, Gait, Signature) Limitation Extra hardware/cost Accuracy issues Privacy issues Use PIN or password as fallback Source: Furnell, S, Clarke & Karatzouni 2008
Literature Review (Cont) Graphical Based Authentication Recognition based Recall based Source: Takada & Koike 2003 Source: Weiss & Luca 2008
Research Questions Questions Which IBA authenticates faster? Which IBA has higher authentication success rates? What are users’ opinionson user authentication and IBA? Contributions Usability studies for user authentication especially for IBA Improving user authentication experience can result better acceptance and usage among consumers
Research Methodology Develop prototype Compare PIN, Password, Picture Password, and Awase-E Data Collection Enrolment and learning Test 1 (Survey then verification) Test 2 (Verification after 1 week) Authentication speed and success rate
Findings Authentication Speed Authentication Success Rate User Opinions
Authentication Speed
Authentication Speed Summary Pin was the fastest, speed decreased but significantly faster than other techniques Password was at least twice as slow as PIN Picture Password was similar to password’s speed Awase-E was surprisingly faster than predicted and reported User may still prefer PIN as it is the fastest technique, may tolerate slower authentication if only authenticate once or several times only
Authentication Success Rate
Authentication Success Rate Summary PIN and Password expected to decline over time and did, password did worse Picture Password performed well initially, but experienced a huge drop after a week to 55% Awase-E performed as expected, maintaining high success rate User still prefer PIN and password despite doing worse than Awase-E, probably due to familiarity, 35% still prefer PIN and password despite making an error
User Opinions Authentication Frequency 15% none, 40% once, 25% several times, 20% every time Total 85% willing to use some sort of authentication Usage of mobile authentication Only 35% use it – protect data, account, unintended use 65% do not use it – don’t know how to set it up, unnecessary, no significant data, troublesome, time consuming, had never let other people use their phone Opportunities to persuade user to adopt mobile security function, including IBA
User Preference Techniques/PINPasswordPicture PasswordAwase-E Preference0 week1 week0 week1 week0 week1 week0 week1 week Top 115%25%20%35%25%0%45%40% Top 245%50%45%55%45%30%70%65% Preference for PIN due to speed and success rate Preference for Password also increased although it did worse than initially Significant drop for Picture Password expected due to poor performance Awase-E maintained high preference
Limitation and Future work Sample size (20 participants) Use average, and standard deviation not taken into consideration Exploratory research to provide indication of the performance of IBA techniques and future research direction Future Research This research is an exploratory endeavour to provide indication for the usabilities of IBA techniques and also direction for future research Larger sample size Incorporate other factors such as age and social groups
References ATMA 2008, '2008 Annual Report', AMTA Publication. Clarke, N & Furnell, S 2005, 'Authentication of users on mobile telephones–A survey of attitudes and practices', Computers & Security, vol. 24, no. 7, pp Furnell, S, Clarke, N & Karatzouni, S 2008, 'Beyond the PIN: Enhancing user authentication for mobile devices', Computer Fraud and Security, vol. 2008, no. 8, pp Nicholson, AJ, Corner, MD & Noble, BD 2006, 'Mobile device security using transient authentication', IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp SliperryBrick, 2006, “LG KE850 Touch Screen Mobile Phone”, viewed 3 June 2009, Takada, T & Koike, H 2003, 'Awase-E: image-based authentication for mobile phones using user's favorite images', Lecture Notes in Computer Science, pp Takada, T, Onuki, T & Koike, H 2006, 'Awase-E: Recognition-based Image Authentication Scheme Using Users’ Personal Photographs', Innovations in Information Technology, 2006, pp Weiss, R & Luca, AD 2008, PassShapes: utilizing stroke based authentication to increase password memorability, ACM, Lund, Sweden.
Q & A Thank You