Measuring me: is your body the future of security?

All this is done in the background, continuously monitoring user behaviour in order to maintain the verification of identity whenever the phone is being held.

If the machine-learning algorithms determine that a pattern is no longer a match, the handset can lock that user out. The software will switch on automatically during the use of sensitive apps (such as email or SMS, for example) to ensure protection, and switch off during extended gameplay to save power.

The accuracy of such methods is impressive, with a result of 99% achieved in testing after a maximum of ten screen taps. However, while this figure may sound sufficient, would you be happy if the one call in a hundred that locked you out was an important one? The accuracy figure isn’t good enough on its own, which is why any successful behavioural-monitoring solution will have to combine methodologies.

Creatures of habit

Markus Jakobsson of mobile malware-detection firm FatSkunk suggests in a co-authored paper entitled “Implicit Authentication through Learning User Behavior” that implicit authentication – using our daily routines, what we do and where we go – as additional data for such schemes is one solution.

Smartphones make collecting such data easy, thanks to GPS and mapping. Also, as Jakobsson says, we’re mostly creatures of habit: we tend to follow the same route to work every day, stopping at the same coffee shop; once we’re in the office, we stay in one broadly defined area until lunchtime, and so on.

Collecting data on such patterns provides a model of a user’s behaviour, but it also raises questions of privacy. However, Jakobsson and his colleagues had ethics in mind, so all phone numbers, SSIDs and URLs collected in the trials were obfuscated using a keyed hash.

The key was randomly generated during the software-installation process, and stored – and all hashing performed – only on the device to which it pertained.

Scoring activity

Using this data, the system tots up scores based on whether a user is conforming to their standard behaviour versus acting out of the norm. The technique computes an authentication score based on recently observed behaviours and the identification of “good” events, such as calling the same person or buying coffee at the same shop.

Conversely, the authentication score is lowered by a negative event, such as calling an unknown number or visiting a new location. Even time itself is seen as a negative event, with scores degrading as time passes. When the score falls below a certain threshold, the user has to input a passcode to continue or else they’re locked out; successfully authenticating with the correct passcode is seen as a positive and boosts the score again.
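The scoring loop just described, together with the keyed-hash obfuscation used in the trials, as an added illustration (this is not Jakobsson's code, and the bonus, penalty, decay and threshold values are assumed for the example, not taken from the paper):

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Illustrative parameters (assumed for this example, not taken from the paper).
MAX_SCORE = 100.0
THRESHOLD = 50.0        # below this the user must enter a passcode
GOOD_BONUS = 10.0       # familiar contact, shop, location or network
BAD_PENALTY = 15.0      # unknown number, new place
DECAY_PER_MINUTE = 0.5  # time itself counts as a negative event
PASSCODE_BONUS = 60.0   # a correct passcode restores trust


def obfuscate(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a phone number, SSID or URL.

    Only the digest is stored, so the model never holds raw identifiers;
    the key is generated at install time and never leaves the device.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class ImplicitAuth:
    key: bytes                               # device-local random key
    known: set = field(default_factory=set)  # HMACs of learned identifiers
    score: float = MAX_SCORE
    last_seen: float = 0.0                   # minutes

    def learn(self, identifier: str) -> None:
        """Record a routine identifier (e.g. the usual coffee shop's SSID)."""
        self.known.add(obfuscate(identifier, self.key))

    def observe(self, identifier: str, now: float) -> bool:
        """Score one event at `now` (minutes); True means a passcode is required."""
        self._decay(now)
        if obfuscate(identifier, self.key) in self.known:
            self.score = min(MAX_SCORE, self.score + GOOD_BONUS)   # "good" event
        else:
            self.score = max(0.0, self.score - BAD_PENALTY)        # negative event
        return self.needs_passcode()

    def _decay(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_seen)
        self.score = max(0.0, self.score - DECAY_PER_MINUTE * elapsed)
        self.last_seen = now

    def needs_passcode(self) -> bool:
        return self.score < THRESHOLD

    def passcode_entered(self, correct: bool) -> float:
        """Successful passcode entry is itself a positive event."""
        if correct:
            self.score = min(MAX_SCORE, self.score + PASSCODE_BONUS)
        return self.score
```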

It’s an interesting approach, and Jakobsson says it was robust enough in testing to prevent 95% of attackers from being successful.

Biometrics aren’t dead

Not all of the “measuring me” security research is centred on behavioural patterns, however – biometrics is far from dead. Indeed, one huge advantage of biometric technology is that it’s either available now or will be very soon.

A good example of the latter is Bionym’s Nymi. Smart wristbands that monitor your pulse and send that data to a smartphone app are becoming commonplace among techie types for whom “fitness training” isn’t a dirty phrase, and Bionym is hoping the Nymi password bracelet will become equally popular.

Unlike other wearable authentication concepts, the Nymi doesn’t act as a secure-code generator of one-time codes, but rather features an embedded electrocardiogram (ECG) sensor that monitors the heartbeat of the wearer.

Use of the heartbeat as a security metric is inherently more secure than a fingerprint, the company says. Indeed, within days of the iPhone 5s going on sale, one German hacking group had revealed a method of lifting and cloning a fingerprint that would fool the Touch ID sensor.

Although such fingerprint theft represents a very small risk to most people, the opportunity to steal something like your heartbeat pattern is smaller, given that it can’t be left lying around and is protected inside your body.
