Authentication is the first line of defense in cybersecurity for ensuring the security of information systems. On mobile devices, biometric authentication, such as face recognition and fingerprint recognition, is the most widely used form of user authentication. Although biometric authentication has many security flaws and risks of user privacy leakage, numerous new biometric authentication technologies have been designed and proposed. At the same time, biometric authentication is highly usable, since it eliminates the need for users to repeatedly enter an authentication password on the screen to verify their identity. It largely meets users' needs for both security and practicality. In the foreseeable future of cyberspace security, biometric authentication will be the authentication method that users tend to choose on mobile devices. Even in highly secure application scenarios, such as face payment, biometric authentication is still the main authentication method.

Although biometric authentication security has been of great concern to the computer security community over the past 20 years, academia has hardly led industry in resolving the various security issues encountered in real usage. The main reasons for this are:

i) Biometric authentication security involves interdisciplinary knowledge, such as biology, cryptography, behavior, signal processing and image processing, and other complex system disciplines.

ii) Previous research mainly focused on how to design secure biometric authentication protocols based on cryptographic knowledge, and paid little attention to the user level, which is often the weakest security link in reality.

iii) Previous research results in biometric authentication security show significant limitations: some only improve the accuracy of behavioral authentication from the model perspective; some are attack-and-defense studies of traditional biometric authentication methods that verify the security of a scheme only on a closed data set; some run against users' perceptions of practicality and against device limitations; and some are limited to liveness detection and do not consider other practical attacks.

This thesis applies sensor data analysis, signal processing, behavior modeling, image processing, machine learning, and representation learning techniques to investigate three key problems in the field of biometric authentication. The main work accomplished is as follows.

· Design a context-aware implicit and continuous authentication method. Because they relieve users of the burden of remembering and explicitly entering authentication information, such as passwords/PINs and lock patterns, implicit authentication mechanisms have gained increasing attention. When providing authentication, existing implicit methods depend only on a specific behavior, such as typing on the screen, performing gestures, or taking a walk. However, in real applications, a user's behavioral characteristics are also determined by the context in which the behavior is performed. Thus, those existing methods show limited authentication accuracy and usability. To address these issues, the paper proposes CIAuth, a reliable context-aware implicit authentication method, which profiles users' behavior and context characteristics in a holistic fashion. It observes the states of context-sensing entities for different smartphone usage patterns and builds a context-aware model to distinguish between legitimate users and illegitimate ones. We conducted extensive experiments to evaluate system performance with a large dataset collected from 142 subjects. Experimental results show that our system achieves a low equal error rate (e.g., less than 7%) and is resilient against common threats, including the zero-effort attack and the mimicry attack. In addition, CIAuth achieves a low authentication delay and overhead.

· Design a puppet attack-resilient fingerprint authentication method. Fingerprint authentication has gained increasing popularity on mobile devices in recent years. However, it is vulnerable to presentation attacks, such as an attacker spoofing the sensor with an artificial replica. Many liveness detection solutions have been proposed to defeat such presentation attacks; however, they all fail to defend against a particular type of presentation attack, namely the puppet attack, in which an attacker places an unwilling victim's finger on the fingerprint sensor. In this paper, we propose FinAuth, an effective and efficient software-only solution, to complement fingerprint authentication by defeating both synthetic spoofs and puppet attacks using fingertip-touch characteristics. FinAuth characterizes intrinsic fingertip-touch behaviors, including the acceleration and the rotation angle of the mobile device when a legitimate user authenticates. FinAuth only utilizes common sensors equipped on mobile devices and does not introduce extra usability burdens on users. The results show that FinAuth can achieve an average balanced accuracy of 96.04% with 5 training data points and 99.28% with 100 training data points. Security experiments also demonstrate that FinAuth is resilient against possible attacks.

· Design an acoustic sensing-based hand authentication method. In recent years, biometric authentication schemes, i.e., fingerprint and face authentication, have raised serious privacy concerns. To alleviate such concerns, hand authentication has been proposed recently. However, existing hand authentication schemes use dedicated hardware, such as infrared or depth cameras, which are not available on commodity mobile devices. In this paper, we present EchoHand, a high-accuracy and presentation attack-resistant authentication scheme that complements camera-based 2-dimensional hand geometry recognition of one hand with active acoustic sensing of the other, holding hand. EchoHand plays an inaudible acoustic signal using the speaker to actively sense the holding hand and collects the echoes using the microphone. EchoHand does not rely on any specialized hardware but uses the built-in speaker, microphone and camera. Moreover, EchoHand does not place more burdens on users than existing hand authentication methods. The results show that EchoHand has a low equal error rate of 2.45% with as few as 10 training data points, and it defeats presentation attacks.