Abstract. We introduce the notion of implicit authentication – the ability to authenticate mobile users based on actions they would carry out anyway. We develop a model for how to perform implicit authentication, and describe experiments aimed at assessing the benefits of our techniques. Our preliminary findings support that this is a meaningful approach, whether used to increase usability or increase security. 1

Abstract — Mobile devices are becoming increasingly sophisticated and now incorporate many diverse and powerful sensors. The latest generation of smart phones is especially laden with sensors, including GPS sensors, vision sensors (cameras), audio sensors (microphones), light sensors, temperature sensors, direction sensors (compasses), and acceleration sensors. In this paper we describe and evaluate a system that uses phone-based acceleration sensors, called accelerometers, to identify and authenticate cell phone users. This form of behavioral biometric identification is possible because a person’s movements form a unique signature and this is reflected in the accelerometer data that they generate. To implement our system we collected accelerometer data from thirty-six users as they performed normal daily activities such as walking, jogging, and climbing stairs, aggregated this time series data into examples, and then applied standard classification algorithms to the resulting data to generate predictive models. These models either predict the identity of the individual from the set of thirty-six users, a task we call user identification, or predict whether (or not) the user is a specific user, a task we call user authentication. This work is notable because it enables identification and authentication to occur unobtrusively, without the users taking any extra actions—all they need to do is carry their cell phones. There are many uses for this work. For example, in environments where sharing may take place, our work can be used to automatically customize a mobile device to a user. It can also be used to provide device security by enabling usage for only specific users and can provide an extra level of identity verification. M I.

We tackle the problem of defending against ghost-and-leech (a.k.a. proxying, relay, or man-in-the-middle) attacks against RFID tags and other contactless cards. The approach we take — which we dub secret handshakes — is to incorporate gesture recognition techniques directly on the RFID tags or contactless cards. These cards will only engage in wireless communications when they internally detect these secret handshakes. We demonstrate the effectiveness of this approach by implementing our secret handshake recognition system on a passive WISP RFID tag with a built-in accelerometer. Our secret handshakes approach is backward compatible with existing deployments of RFID tag and contactless card readers. Our approach was also designed to minimize the changes to the existing usage model of certain classes of RFID and contactless cards, like access cards kept in billfold and purse wallets, allowing the execution of secret handshakes without removing the card from one’s wallet. Our techniques could extend to improving the security and privacy properties of other uses of RFID tags, like contactless payment cards.

Smart phones are quite sophisticated and increasingly incorporate diverse and powerful sensors. One such sensor is the tri-axial accelerometer, which measures acceleration in all three spatial dimensions. The accelerometer was initially included for screen rotation and advanced game play, but can support other applications. In prior work we showed how the accelerometer could be used to identify and/or authenticate a smart phone user [11]. In this paper we extend that prior work to identify user traits such as sex, height, and weight, by building predictive models from labeled accelerometer data using supervised learning methods. The identification of such traits is often referred to as ―soft biometrics‖ because these traits are not sufficiently distinctive or invariant to uniquely identify an individual—but they can be used in conjunction with other information for identification purposes. While our work can be used for biometric identification, our primary goal is to learn as much as possible about the smart phone user. This mined knowledge can be then be used for a number of purposes, such as marketing or making an application more intelligent (e.g., a fitness app could consider a user’s weight when calculating calories burned).

Password patterns, as used on current Android phones, and other shape-based authentication schemes are highly usable and memorable. In terms of security, they are rather weak since the shapes are easy to steal and reproduce. In this work, we introduce an implicit authentication approach that enhances password patterns with an additional security layer, transparent to the user. In short, users are not only authenticated by the shape they input but also by the way they perform the input. We conducted two consecutive studies, a lab and a long-term study, using Android applications to collect and log data from user input on a touch screen of standard commercial smartphones. Analyses using dynamic time warping (DTW) provided first proof that it is actually possible to distinguish different users and use this information to increase security of the input while keeping the convenience for the user high. Author Keywords Security; implicit authentication; password pattern