
Mobile Phone Security July 10, 2015 - PowerPoint Presentation

Uploaded On 2018-12-05

Presentation Transcript

Slide1

Mobile Phone Security July 10, 2015

Design and User Acceptability Testing of Secure Mobile Phone Authentication Mechanism Based on Fingerprint Sensing and Geo-Fencing

Leigh Anne Clevenger

Pace University

Doctor of Professional Studies in Computing Program

Slide2

Acknowledgements

The authors would like to thank Verizon for sponsoring the study. This study is solely the independent work of the authors. Any Verizon documents and trademarks included in this paper are the property of Verizon and are reproduced with permission.

Slide3

Project Overview

To come up with a unique user authentication mechanism that achieves phone security without the user having to enter a passcode to unlock their phone.

Slide4

Agenda

Deciding on project details

Use Cases

Hardware and Software choices

Tasks Accomplished

Operation of user authentication app

Survey of interest in password-free security

New Directions for Future Projects

Smartwatch sensors

Slide5

User Story Under Consideration: Unlock Student’s Phone in Dorm Room

A user story is a tool used in Agile software development to capture a description of a software feature from an end-user perspective. The user story describes the type of user, what they want and why. A user story helps to create a simplified description of a requirement.

User stories were developed keeping in mind the following:

Do they reflect the user’s mental model of protection?

Is the mechanism psychologically acceptable?

Is it close to transparent to the users?

Does it fit with their natural phone interactions?

Focus: the student’s phone will unlock in their dorm room and lock at other times. This can be extended for future use cases.

Slide6

Tasks Accomplished

A survey was conducted to evaluate user interest in a password-free mobile device authentication mechanism.

An iOS app “Authenticator” was designed with authentication functionality based on fingerprint sensing and location information.

Developed by Tanya Sahin

Slide7

Security Mechanisms

Widely used today:

Passwords / PINs

Pattern locks

Using an unlock mechanism would make it harder for unauthorized users to access valuable data.

Slide8

Burden of PIN-code Entry

Frequency of entering PIN-code

Although locking a phone may provide maximum protection, it also decreases usability by increasing the PIN-code entry burden.

As a result, companies have launched user-specific and easy unlock mechanisms:

Touch ID fingerprint reader (Apple and Samsung)

Slide9

User Authentication Mechanisms

Bluetooth Low Energy (BLE) and Beacons

NFC (Near Field Communication)

Geofencing

Sensor capabilities

Slide10

iBeacons and Geofencing

iBeacon is Apple's implementation of Bluetooth low-energy (BLE) wireless technology to provide location-based information and services to iPhones and other iOS devices.

The beacons themselves are small, cheap Bluetooth transmitters. Apps installed on your iPhone listen out for the signal transmitted by these beacons and respond accordingly when the phone comes into range.

For example, if you pass a beacon in a shop, the retailer's app (assuming you have it installed) could display a special offer alert for you. On a visit to a museum, the museum's app would provide information about the closest display, using your distance from beacons placed near exhibits to work out your position.

Slide11

iBeacons

Slide12

Geo-fencing

Geofencing is a feature in a software program that uses the global positioning system (GPS) or radio frequency identification (RFID) to define geographical boundaries.

Our app uses iBeacons to define the geofence. When the user enters the defined geofence, the phone unlocks automatically.

Slide13

Programming Tasks Accomplished

An iOS app “Authenticator” was designed with authentication functionality based on fingerprint sensing and geofencing with Beacons.

Since third-party apps are not allowed to unlock the phone in iOS, successful authentication into the app displays some sensitive content.

Display of sensitive information should be a useful example for user authentication using biometrics and geofencing.
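Added example, not code from the presentation or the Authenticator app: a Swift sketch of the three-step check the Authenticator slides describe (beacon in range, then Touch ID, then a password prompt), using the pre-iOS 13 CoreLocation ranging calls that were current in 2015. The names AuthGate, Method and the region identifier are hypothetical, and the beacon UUID is supplied by the caller.

```swift
import CoreLocation
import LocalAuthentication
// Added sketch, not the Authenticator app's code; AuthGate, Method and the
// region identifier are hypothetical names.
final class AuthGate: NSObject, CLLocationManagerDelegate {
    enum Method { case beacon, touchID, passwordPrompt }
    private let manager = CLLocationManager()
    private let region: CLBeaconRegion
    private let completion: (Method) -> Void
    private var rangingDone = false
    init(beaconUUID: UUID, completion: @escaping (Method) -> Void) {
        region = CLBeaconRegion(proximityUUID: beaconUUID, identifier: "example.geofence")
        self.completion = completion
        super.init()
        manager.delegate = self
    }
    func start() {
        manager.requestWhenInUseAuthorization()
        manager.startRangingBeacons(in: region)
    }

    // Assumption: decide on the first ranging callback rather than averaging several.
    func locationManager(_ manager: CLLocationManager, didRangeBeacons beacons: [CLBeacon],
                         in region: CLBeaconRegion) {
        // Proximity .unknown means the beacon could not be located: treat as out of range.
        finishRanging(inRange: beacons.contains { $0.proximity != .unknown })
    }

    // User chose not to share location: skip the beacon step.
    func locationManager(_ manager: CLLocationManager, didChangeAuthorization status: CLAuthorizationStatus) {
        if status == .denied || status == .restricted { finishRanging(inRange: false) }
    }
    private func finishRanging(inRange: Bool) {
        guard !rangingDone else { return }   // ranging callbacks repeat; act only once
        rangingDone = true
        manager.stopRangingBeacons(in: region)
        if inRange { completion(.beacon) } else { tryTouchID() }
    }

    private func tryTouchID() {
        let context = LAContext()
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) else {
            return completion(.passwordPrompt)   // no sensor or no enrolled fingerprint
        }
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock the protected documents") { ok, _ in
            // The reply block runs on a private queue; hop to main before touching UI.
            DispatchQueue.main.async { self.completion(ok ? .touchID : .passwordPrompt) }
        }
    }
}
```

The app's Info.plist needs an NSLocationWhenInUseUsageDescription entry for the location prompt to appear.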

Slide14

Authenticator - New iOS App

Supports three means of authentication:

geofencing using iBeacon when in range of iBeacon

fingerprint biometrics (TouchID) if outside of iBeacon range

password as fallback

Displays sensitive content if authentication is successful

Slide15

Authenticator - iBeacons

Use the CoreLocation framework to sense for iBeacons with a specific UUID.

If a beacon is ranged, the app bypasses the authentication screen and proceeds to the confidential content right away.

If no beacon is ranged, biometric authentication with Touch ID will be attempted next.

Slide16

Authenticator - Touch ID

fingerprints are evaluated using the Touch ID evaluatePolicy method -> sensitive content is unlocked

choice of Verizon statement or Terms (exemplary for sensitive content)

Slide17

Authenticator - Document Access

Slide18

Authenticator - Password Fallback

password prompt if beacons not in range (or user chose to not share location) and TouchID not available

set the UIApplicationExitsOnSuspend flag in the Info.plist to true -> prevents the app from running in the background

Slide19

Survey Results

The survey consisted of 10 questions, most multiple choice with a few fill-in data boxes.

Based on the results of the survey, the most popular way of securing the mobile device seems to be password/PIN authentication, with 54% of the participants.

As an alternative to password or swipe pattern entry, 73% of the participants stated in the survey that they would be most comfortable interacting with the device with a fingerprint or face recognition scan.

60% of the participants felt that fingerprint sensing is a more secure authentication than password/PIN authentication or other authentication mechanisms.

Most people were unaware of NFC/geofencing-based authentication mechanisms. Only 38% had similar apps installed on their phones.

The majority of the people said they are uncomfortable having an app that requires location and Bluetooth services turned on all the time.

Overall, participants want a simple and easy way of unlocking their mobile device within minimal time, also giving them a secure feeling.

Slide20

Future Work

A research study can be conducted for usability testing of designed apps and to test the comfort level of people with the current authentication mechanisms vs. the designed mechanism.

Other physiological and behavioral sensors on smartphones and smartwatches can be used for user authentication.

Sensor data can be read using apps available from the Google Play Store or Apple App Store, or using a free, open source Software Development Kit for Android or iOS.

Slide21

Smartwatches and their Sensors - July 2015 (1 of 2)

Slide22

Smartwatches and their Sensors - July 2015 (2 of 2)

Slide23

References for Smartwatches and Smartphones to get you started – more added every day

Smartwatches:

https://moto360.motorola.com

http://www.androidheadlines.com/2014/12/watch-comparisons-motorola-moto-360-vs-samsung-gear-live.html

http://www.macrumors.com/roundup/apple-watch

http://www.techradar.com/us/news/portable-devices/other-devices/microsoft-band-5-things-you-need-to-know-1271135

Galaxy S5 (has a lot of sensors, and open source Android software development kit)

http://global.samsungtomorrow.com/?p=36031

http://www.gottabemobile.com/2014/04/11/galaxy-s5-tips-tricks-hidden-features/

https://play.google.com/store/apps/details?id=imoblife.androidsensorbox

http://downloadcenter.samsung.com/content/UM/201404/20140402111855054/SM-G900F_UM_EU_Kitkat_Eng_D06_140312.pdf

Slide24

Contributors

Spring 2015 Pace University Master’s Students

Nikhita Gopidi

Nishant Patel

Nitish Pisal

Tanya Sahin

Shreyansh Shah

Sara Siddiqui

Customers

Dr Kalyanasundaram, Verizon

Dr Charles Tappert, CSIS

Leigh Anne Clevenger, DPS’ 16

Javid Maghsoudi, DPS’ 16

Vinnie Monaco, PhD’ 15

Slide25

Copyright for Material Reuse

Copyright © 2015 Leigh Anne Clevenger and Charles Tappert (ctappert@pace.edu), Pace University. Please properly acknowledge the source for any reuse of the materials as below.

Leigh Anne Clevenger and Charles Tappert, 2015 GenCyber Cybersecurity Workshop, Pace University

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.