skip to main content
10.1145/2594368.2594375acmconferencesArticle/Chapter ViewAbstractPublication PagesmobisysConference Proceedingsconference-collections
research-article

User-generated free-form gestures for authentication: security and memorability

Published: 02 June 2014 Publication History

Abstract

This paper studies the security and memorability of free-form multitouch gestures for mobile authentication. Towards this end, we collected a dataset with a generate-test-retest paradigm where participants (N=63) generated free-form gestures, repeated them, and were later retested for memory. Half of the participants decided to generate one-finger gestures, and the other half generated multi-finger gestures. Although there has been recent work on template-based gestures, there are yet no metrics to analyze security of either template or free-form gestures. For example, entropy-based metrics used for text-based passwords are not suitable for capturing the security and memorability of free-form gestures. Hence, we modify a recently proposed metric for analyzing information capacity of continuous full-body movements for this purpose. Our metric computed estimated mutual information in repeated sets of gestures. Surprisingly, one-finger gestures had higher average mutual information. Gestures with many hard angles and turns had the highest mutual information. The best-remembered gestures included signatures and simple angular shapes. We also implemented a multitouch recognizer to evaluate the practicality of free-form gestures in a real authentication system and how they perform against shoulder surfing attacks. We discuss strategies for generating secure and memorable free-form gestures. We conclude that free-form gestures present a robust method for mobile authentication.

References

[1]
A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith. Smudge attacks on smartphone touch screens. In Proc. of WOOT'10.
[2]
R. Biddle, S. Chiasson, and P. Van Oorschot. Graphical passwords: Learning from the first twelve years. ACM Comput. Surv., Sept. 2012.
[3]
C. Bo, L. Zhang, X.-Y. Li, Q. Huang, and Y. Wang. Silentsense: Silent user identification via touch and movement behavioral biometrics. In Proc. of MobiCom '13.
[4]
J. Bonneau. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proc. of IEEE SS&P'12.
[5]
J. Bonneau, C. Herley, P. van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proc. of IEEE SS&P'12, May 2012.
[6]
S. Boztas. Entropies, guessing and cryptography. Technical report, RMIT University Research Report Series, 1999.
[7]
W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, W. T. Polk, S. Gupta, and E. A. Nabbus. NIST SP 800-63-1. Electronic Authentication Guideline, 2011.
[8]
Z. Cai, C. Shen, M. Wang, Y. Song, and J. Wang. Mobile authentication through touch-behavior features. In Proc. of Biometric Recognition, 2013.
[9]
S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle. Multiple password interference in text passwords and click-based graphical passwords. In Proc. of CCS'09.
[10]
T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley-Interscience, 2006.
[11]
A. De Luca, E. von Zezschwitz, N. D. H. Nguyen, M.-E. Maurer, E. Rubegni, M. P. Scipioni, and M. Langheinrich. Back-of-device authentication on smartphones. In Proc. of CHI '13.
[12]
K. M. Everitt, T. Bragin, J. Fogarty, and T. Kohno. A comprehensive study of frequency, interference, and training of multiple graphical passwords. In Proc. of CHI'09.
[13]
J. Fierrez, J. Ortega-Garcia, D. Ramos, and J. Gonzalez-Rodriguez.uppercaseHMM-based on-line signature verification: Feature extraction and signature modeling. Pattern Recogn. Lett., Dec. 2007.
[14]
D. Florencio and C. Herley. A large-scale study of web password habits. In Proc. of WWW'07.
[15]
M. Frank, R. Biedert, E. Ma, I. Martinovic, and D. Song. Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans. on Information Forensics and Security, Jan 2013.
[16]
Gogogate. www.gogogate.com. Ref. Dec 3, 2013.
[17]
S. A. Grandhi, G. Joue, and I. Mittelberg. Understanding naturalness and intuitiveness in gesture production: insights for touchless gestural interfaces. In Proc. of CHI '11.
[18]
S. G. Hart and L. E. Staveland. Development of NASA-TLX (Task Load Index): Results of empirical and theoretical research. 1988. P. Hancock & N. Meshkati (Eds.), Human mental workload.
[19]
I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin. The design and analysis of graphical passwords. In Proc. of USENIX Security'99.
[20]
L. A. Jones and S. J. Lederman. Human hand function. Oxford University Press, 2006.
[21]
Y. Li. Protractor: a fast and accurate gesture recognizer. In Proc. of CHI '10.
[22]
A. C. Long, J. A. Landay, and L. A. Rowe. "Those look similar!" issues in automating gesture design advice. In Proc. of PUI'01.
[23]
Microsoft. Windows azure multi-factor authentication. www.windowsazure.com/en-us/documentation/services/multi-factor-authentication. Ref. Dec 3, 2013.
[24]
D. Muramatsu and T. Matsumoto. AnuppercaseHMM on-line signature verifier incorporating signature trajectories. In Proc. of ICDAR '03.
[25]
U. Oh and L. Findlater. The challenges and potential of end-user gesture customization. In Proc. of CHI '13.
[26]
P. C. v. Oorschot and J. Thorpe. On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Syst. Secur., jan 2008.
[27]
A. Oulasvirta, T. Roos, A. Modig, and L. Leppanen. Information capacity of full-body movements. In Proc. of CHI'13.
[28]
Q. Pu, S. Gupta, S. Gollakota, and S. Patel. Whole-home gesture recognition using wireless signals. In Proc. of MobiCom '13.
[29]
D. Rubine. Specifying gestures by example. In Proc. of SIGGRAPH '91.
[30]
J. Ruiz, Y. Li, and E. Lank. User-defined motion gestures for mobile interaction. In Proc. of CHI '11.
[31]
N. Sae-Bae, K. Ahmed, K. Isbister, and N. Memon. Biometric-rich gestures: a novel approach to authentication on multi-touch devices. In Proc. of CHI '12.
[32]
D. Savransky. Lomb (lomb-scargle) periodogram, 2008. http://www.mathworks.com/matlabcentral/fileexchange/20004-lomb-lomb-scargle-periodogram. Ref Dec 9, 2013.
[33]
F. Schaub, M. Walch, B. Könings, and M. Weber. Exploring the design space of graphical passwords on smartphones. In Proc. of SOUPS '13.
[34]
A. Serwadda and V. V. Phoha. When kids' toys breach mobile phone security. In Proc. of CCS '13.
[35]
M. Shahzad, A. X. Liu, and A. Samuel. Secure unlocking of mobile touch screen devices by simple gestures: You can see it but you can not do it. In Proc. of MobiCom '13.
[36]
Square. www.squareup.com. Ref. Dec 3, 2013.
[37]
J. Thorpe and P. C. van Oorschot. Human-seeded attacks and exploiting hot-spots in graphical passwords. In Proc. of USENIX Security'07.
[38]
J. Tian, C. Qu, W. Xu, and S. Wang. Kinwrite: Handwriting-based authentication using kinect. In Proc. of NDSS '13.
[39]
B. Ur, P. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, L. Cranor, S. Egelman, and J. Lopez. Helping users create better passwords. ;login, Dec. 2012.
[40]
S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon. Passpoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud., 63(1--2):102--127, July 2005.
[41]
J. O. Wobbrock, A. D. Wilson, and Y. Li. Gestures without libraries, toolkits or training: a $1 recognizer for user interface prototypes. In Proc. of UIST '07.
[42]
J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: Empirical results. IEEE Security and Privacy, Sept. 2004.
[43]
N. H. Zakaria, D. Griffiths, S. Brostoff, and J. Yan. Shoulder surfing defence for recall-based graphical passwords. In Proc. of SOUPS'11.
[44]
Z. Zhao and G.-J. Ahn. On the security of picture gesture authentication. In Proc. of USENIX Security'13.
[45]
N. Zheng, K. Bai, H. Huang, and H. Wang. You are how you touch: User verication on smartphones via tapping behaviors. Technical report, Dec. 2006.
[46]
F. Zhou and F. De la Torre. Canonical time warping for alignment of human behavior. In Proc. of NIPS'09.

Cited By

View all

Index Terms

  1. User-generated free-form gestures for authentication: security and memorability

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    MobiSys '14: Proceedings of the 12th annual international conference on Mobile systems, applications, and services
    June 2014
    410 pages
    ISBN:9781450327930
    DOI:10.1145/2594368
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    In-Cooperation

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 02 June 2014

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. gestures
    2. memorability
    3. mutual information
    4. security

    Qualifiers

    • Research-article

    Funding Sources

    Conference

    MobiSys'14
    Sponsor:

    Acceptance Rates

    MobiSys '14 Paper Acceptance Rate 25 of 185 submissions, 14%;
    Overall Acceptance Rate 274 of 1,679 submissions, 16%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)35
    • Downloads (Last 6 weeks)5
    Reflects downloads up to 22 Dec 2024

    Other Metrics

    Citations

    Cited By

    View all

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    EPUB

    View this article in ePub.

    ePub

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media