Contextual Authentication
You have probably used your phone multiple times today. You unlock it with a PIN, a pattern, a fingerprint, or face recognition. When choosing a locking method for your phone you are trying to strike a balance between security and usability. Usability essentially describes how easy a device or an interface is to use. A pattern, for example, is easier to remember and enter than a password, and thus offers better usability. On the other hand, a pattern is easier to guess or crack, and thus offers less security than a password. Shoulder surfing attacks and smudge attacks, which can be performed against mobile devices, are another example. More advanced techniques such as fingerprint and face recognition introduce their own weaknesses: they need special hardware and can be circumvented [1, 2].
According to NordPass, 123456 and 123456789 are the two most used passwords of 2020 [3].
With all that being said, a balance must be found between security and usability, especially since users not only demand that their devices be more secure, but also that they be more user-friendly.
Let's talk a bit about authentication. Authentication is the security practice of confirming that an entity is in fact who or what it claims to be. Essentially, authentication of persons can be categorized into three types depending on what users use to authenticate themselves:
- Knowledge Based: Something the user knows. This can be for example a personal identification number (PIN), or a password.
- Possession Based: Something the user has. This typically is a hardware device such as a security token, a smart card, or a mobile device.
- Biometric Based: Something the user is. Usually, this is related to human characteristics. There are two types of biometric data: (1) physiological, such as fingerprint, iris, face, and retina, and (2) behavioral, such as keystroke dynamics and gait analysis.
Authentication can also be categorized based on the number of techniques used:
- Single-factor Authentication: Authentication of one entity to another using only one authentication technique.
- Multi-factor Authentication: The use of two or more independent and different authentication techniques together. These techniques must belong to different categories. For example, using a password and fingerprint is a correct use of multi-factor authentication, but using fingerprint and face recognition is not.
Two-factor authentication greatly reduces the chances that an account can be breached, but hackers can find a way around it.
Finally, authentication can be categorized into two broad groups: Explicit and Implicit authentication. Explicit authentication is when users intentionally perform a task to authenticate themselves such as entering a PIN. On the other hand, implicit authentication does not require the user to input specific data. In this case, the device recognizes its user without demanding a password or a fingerprint scan. One way of authenticating users implicitly is using contextual authentication. This means authenticating users with data that is generated by a device when the device is being used. But what is contextual authentication?

Contextual authentication aims to provide authentication using context: authenticating entities implicitly instead of explicitly asking them to authenticate. Context can include rich information such as location, device fingerprinting, and behavior analysis.
Contextual authentication exploits the idea that humans are creatures of habit, together with the relation between users and their devices. Habits, such as the time of day a user leaves for work or the route a student takes to school, can be used to help determine whether the device is being carried by its owner. Contextual authentication aims to:
- Minimize user effort by using context data to authenticate the user. This would decrease the number of times a user needs to explicitly authenticate.
- Offer more fine-grained protection, especially when users attempt to access sensitive information such as calendar entries or critical tasks such as a money transfer.
- Be less dependent on secret knowledge. As mentioned earlier, users tend to use weak passwords for their devices or not use them at all. Context does not require the user to memorize any additional information.
- Resist observation. Attackers may be able to steal a user's PIN or pattern (shoulder surfing or smudge attacks), but it is considerably harder to steal or imitate the way users interact with their phones.
Humans are creatures of habit, and contextual authentication aims to exploit this fact to authenticate users implicitly.
My idea for my master's thesis was to focus on utilizing movements that are natural to phone usage to authenticate users. Natural movements happen while users are interacting with their phones. This means that the solution should not require users to perform any additional tasks to authenticate themselves; they should only use their phones.
To test my idea, I created a prototype Android app that takes advantage of context to authenticate users. With machine learning (I used Dynamic Time Warping (DTW)), the app can recognize its user from the way the user picks up their phone off a table.
Of course, I tested my app intensively and I really liked the results. During the test, participants would pick up the phone, and the app would display the algorithm's decision. The results showed that pick-up motions can successfully be used to differentiate between the owner of the device and intruders. The pick-up motion achieved a 3.3% FRR (false rejection rate) and a 0% FAR (false acceptance rate).
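To make the matching step concrete, here is an added example (not the thesis app's code) of DTW-based pick-up authentication over constructed 3-axis accelerometer traces, with FAR and FRR computed the way the thesis reports them. The two gesture shapes, the enrolment rule (threshold = largest template-to-template DTW distance times a margin) and the margin value are assumptions of this example.

```python
import math

def make_trace(length, amplitude, shape="owner"):
    """Constructed 3-axis accelerometer trace (m/s^2) of one pick-up gesture:
    two different lift-and-tilt profiles; duration varies between attempts."""
    pts = []
    for i in range(length):
        u = i / (length - 1)  # normalised time, 0..1
        if shape == "owner":
            x, y = amplitude * math.sin(math.pi * u), 0.5 * amplitude * math.cos(math.pi * u)
            z = 9.8 - amplitude * math.sin(2 * math.pi * u)
        else:
            x, y = amplitude * math.sin(2 * math.pi * u), amplitude * math.cos(2 * math.pi * u)
            z = 9.8 + amplitude * math.sin(math.pi * u)
        pts.append((x, y, z))
    return pts

def dtw_distance(a, b):
    """O(n*m) dynamic time warping: total Euclidean distance along the cheapest
    monotone alignment, so a faster or slower pick-up still lines up."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = math.dist(a[i - 1], b[j - 1])
            cost[i][j] = step + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]

def enroll(templates, margin=3.0):
    """Keep the owner's templates; accept threshold = largest template-to-template
    distance times a margin (the margin value is an assumption of this example)."""
    worst = max(dtw_distance(a, b) for a in templates for b in templates)
    return {"templates": templates, "threshold": margin * worst}

def authenticate(profile, probe):
    """Accept when the probe lies within the threshold of its closest template."""
    return min(dtw_distance(probe, t) for t in profile["templates"]) <= profile["threshold"]

def error_rates(profile, owner_probes, intruder_probes):
    """FAR: accepted intruder attempts / all intruder attempts; FRR: rejected owner attempts / all owner attempts."""
    far = sum(authenticate(profile, p) for p in intruder_probes) / len(intruder_probes)
    frr = sum(not authenticate(profile, p) for p in owner_probes) / len(owner_probes)
    return far, frr

# Constructed data: owner enrols three pick-ups, is probed with three more; an intruder tries three.
OWNER_TEMPLATES = [make_trace(n, 1.0) for n in (20, 24, 22)]
OWNER_PROBES = [make_trace(n, 1.0) for n in (19, 21, 23)]
INTRUDER_PROBES = [make_trace(n, a, "intruder") for n, a in ((20, 2.0), (22, 3.0), (24, 2.5))]
PROFILE = enroll(OWNER_TEMPLATES)
```

On this constructed data `error_rates(PROFILE, OWNER_PROBES, INTRUDER_PROBES)` yields 0% FAR and 0% FRR; with real sensor data the margin is what trades FRR against FAR.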
If you would like to read more about this subject you can find my thesis here. If you have any questions or comments please feel free to contact me.
References:
[1] Tao Wei et al. Fingerprints On Mobile Devices: Abusing And Leaking. FireEye Labs, 2015. url: https://www.blackhat.com/docs/us-15/materials/us-15-ZhangFingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf.
[2] Dan Moren. Face Recognition Security, Even With A 'Blink Test,' Is Easy To Trick. [Online; accessed April 1, 2016]. 2015. url: http://www.popsci.com/its-not-hardtrick-facial-recognition-security.
[3] NordPass. Most Common Passwords List. url: https://nordpass.com/most-common-passwords-list/.