Forgery-Resistant Touch-based Authentication on Mobile Devices

TL;DR

This paper introduces a passive, forgery-resistant touch-based biometric authentication system for mobile devices that leverages a secret-dependent touch behavior, enhancing security without compromising user experience.

Contribution

It presents a novel touch-based authentication method that is secure against forgery by incorporating subconscious secrets, a significant advancement over existing biometric solutions.

Findings

Achieved lower EERs than previous methods.

User experience remains unaffected by the secret-based system.

System effectively resists targeted forgery attacks.

Abstract

Mobile devices store a diverse set of private user data and have gradually become a hub to control users' other personal Internet-of-Things devices. Access control on mobile devices is therefore highly important. The widely accepted solution is to protect access by asking for a password. However, password authentication is tedious, e.g., a user needs to input a password every time she wants to use the device. Moreover, existing biometrics such as face, fingerprint, and touch behaviors are vulnerable to forgery attacks. We propose a new touch-based biometric authentication system that is passive and secure against forgery attacks. In our touch-based authentication, a user's touch behaviors are a function of some random "secret". The user can subconsciously know the secret while touching the device's screen. However, an attacker cannot know the secret at the time of attack, which makes it challenging to perform forgery attacks even if the attacker has already obtained the user's touch behaviors. We evaluate our touch-based authentication system by collecting data from 25 subjects. Results are promising: the random secrets do not influence user experience and, for targeted forgery attacks, our system achieves 0.18 smaller Equal Error Rates (EERs) than previous touch-based authentication.