BehavioCog: An Observation Resistant Authentication Scheme

TL;DR

BehavioCog combines behavioral biometrics with challenge-response authentication to create a secure, observation-resistant scheme that reduces rounds and enhances usability, achieving PIN-level security in under 38 seconds.

Contribution

The paper introduces BehavioCog, a hybrid authentication scheme that leverages behavioral biometrics and challenge-response methods to improve security and usability.

Findings

Requires only two challenge-response rounds for PIN-level security.

Achieves authentication in less than 38 seconds on average.

Provides observation resistance, unlike traditional PINs or passwords.

Abstract

We propose that by integrating behavioural biometric gestures---such as drawing figures on a touch screen---with challenge-response based cognitive authentication schemes, we can benefit from the properties of both. On the one hand, we can improve the usability of existing cognitive schemes by significantly reducing the number of challenge-response rounds by (partially) relying on the hardness of mimicking carefully designed behavioural biometric gestures. On the other hand, the observation resistant property of cognitive schemes provides an extra layer of protection for behavioural biometrics; an attacker is unsure if a failed impersonation is due to a biometric failure or a wrong response to the challenge. We design and develop an instantiation of such a "hybrid" scheme, and call it BehavioCog. To provide security close to a 4-digit PIN---one in 10,000 chance to impersonate---we only need two challenge-response rounds, which can be completed in less than 38 seconds on average (as estimated in our user study), with the advantage that unlike PINs or passwords, the scheme is secure under observation.