Password-Less Behaviometrics Authentication on Touchscreen Devices [ID 13020]

Description:

Overview

Researchers at Ohio University have developed a novel, secure, single-factor, behavioral biometric user authentication method that is compatible with virtually all touchscreen devices. The technology is based on the fact that no two people move quite the same way. The intent is to create a secure method of user authentication that is convenient and impossible to hack into or falsify. Although human movement patterns are unique to the individual, no two movements are exactly the same. This means that even if you perfectly duplicated a previous movement, the advanced algorithm would recognize it as an attempt to hack. As a result, the technology provides an unparalleled level of security that allows users to safely conduct transactions on any device without fear of their online security being compromised. Prototype versions of the technology have been developed for iOS and Android devices, although it is not limited to these operating systems. Initial internal testing of the authentication algorithm provides proof of concept, confirming the algorithm’s ability to distinguish between individuals.

 

Commercial Application

* Personal Identification on touchscreen devices, both public and private

* Online/mobile banking and Commerce

* Hospitals/Healthcare

* Military Installations

 

Benefits

* Does not require users to memorize anything, such as passwords, secret questions, or PIN numbers

* Nothing to lose: Current 2-factor authentication uses cell-phones as the 2nd factor, which could be lost or stolen

* Does not require additional, expensive equipment such as fingerprint or vein readers

* Due to natural intra-individual biological variability in human movement patterns, theft of the authentication would be impossible; hacking yields useless data

 

Frequently Asked Questions

Why is there a need for this technology?

With data breaches becoming almost daily news, credit card information is being trafficked for fraudulent purchases. Currently there is no way to prevent thousands or even millions of fake credit card transactions from occurring in an instant. Even the online currency Bitcoin has fallen prey to online fraud. Yet, all that is needed to prevent these hacking attacks is another layer of protection to secure online transactions.

 

What problem does our technology solve?

Our technology provides a safe and secure mode of authentication that does not require an individual to memorize different user names and passwords. Essentially, we seek to replace the password with movement behavior to: 1) remove the need for memorization; and 2) eliminate the hacking problem, both over the shoulder and with brute force computing. The technology that we have developed is the future of user authentication and has the potential to usher in a new era of highly secure e-commerce and cyber security.

Our technology is a natural “liveness” test requiring data input through the touchscreen sensors in order to complete a transaction. This slows down the transaction process, because a hacker must take the time to generate a matching gesture pattern for a single transaction. At the minimum, our invention prevents large-scale credit card attacks from occurring.

 

How does this technology work? What are the basics of using it?

In the simplest sense, the gesture produced by the user works as a password. The best analogy for the process of using this technology is an ATM card, with the process always starting with the user demonstrating that he/she is who they claim to be when the account is opened at the bank. Just like with an ATM PIN, the user then picks a template (a symbol such as a heart, beta, alpha, etc.) and generates a “reference” movement by tracing the shape of the symbol. This information is then stored so that the next time this person wants to use the card, he/she will be presented with the original symbol and asked to trace the shape once again. Data generated from this new movement is then compared against the reference movement in order to authenticate the user. Anytime the user wants to make a purchase, a screen with the template pops up and the user produces their natural gesture trace. The transaction is only authorized when the appropriate gesture with matching behaviometrics is generated.

How does the invention distinguish between different people? How will we know if it is the same person?

A critical point of distinction between the movements of individuals lies in their dynamics, that is, how the action unfolds in both space and time. In Figure 1, we provide screen-captures from the table to demonstrate how differently two individuals perform a movement. Immediately, there are a few visible differences. First, the movement on the right was much slower and took more time to complete. Second, the curvature of the movement on the right is different. An invisible aspect of this difference is that the user on the right initiated the movement at the curved segment, while the user on the left started at the bottom of the “tail.”

The algorithm that we have developed and tested uses a multi-point matching system by requiring different movement criteria to be satisfied within a certain threshold, in addition to some of the visibly different characteristics mentioned earlier. This approach accommodates inherent variability from one movement to the next to reduce the number of false negatives while completely preventing false positives. However, our algorithm goes beyond simply matching the coordinates of the movement in time and space. Instead, we have devised a number of innovative approaches of capturing how the movement unfolds in space and time that can be used as criteria for the multi-point matching process.
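The sketch below is an added illustration of threshold-based multi-criteria matching combined with a check for exactly duplicated movements; it is not the Ohio University algorithm. The feature set, tolerances, function names and sample traces are all assumptions constructed for this example.

```python
import math

# Illustrative tolerances (assumptions, not values from the page).
REL_TOL = {"duration": 0.25, "path_len": 0.20, "mean_speed": 0.25}
START_TOL = 40.0      # max distance in px between start points
REPLAY_FLOOR = 1e-6   # mean per-sample difference below this = replayed data

def features(trace):
    """trace: list of (t_seconds, x_px, y_px) touch samples."""
    path = sum(math.dist(a[1:], b[1:]) for a, b in zip(trace, trace[1:]))
    duration = trace[-1][0] - trace[0][0]
    return {"duration": duration, "path_len": path,
            "mean_speed": path / duration, "start": trace[0][1:]}

def trace_distance(a, b):
    """Mean per-sample difference in (t, x, y); infinite if lengths differ."""
    if len(a) != len(b):
        return math.inf
    return sum(math.dist(p, q) for p, q in zip(a, b)) / len(a)

def authenticate(attempt, reference, history):
    """Return (accepted, reason). history holds previously seen raw traces."""
    # Natural movement never repeats exactly, so a capture identical to an
    # earlier one is treated as replayed data rather than a live gesture.
    if any(trace_distance(attempt, old) < REPLAY_FLOOR for old in history):
        return False, "replay"
    ref, att = features(reference), features(attempt)
    # Every criterion must fall within its own tolerance of the reference.
    for name, tol in REL_TOL.items():
        if abs(att[name] - ref[name]) > tol * ref[name]:
            return False, name
    if math.dist(att["start"], ref["start"]) > START_TOL:
        return False, "start"
    history.append(attempt)
    return True, "ok"

def make_trace(n, dt, start, step, jitter=0.0):
    """Constructed sample data: a stroke with small deterministic jitter."""
    return [(i * dt, start[0] + i * step[0] + jitter * math.sin(i),
             start[1] + i * step[1]) for i in range(n)]

REFERENCE = make_trace(40, 0.020, (100, 300), (5, -2))
GENUINE = make_trace(40, 0.021, (104, 297), (5, -2), jitter=1.5)  # natural variation
SLOW_COPY = make_trace(40, 0.045, (100, 300), (5, -2))  # same shape, wrong timing
```

Tolerances in a scheme like this trade false rejections against false acceptances, so they would need tuning against measured per-user variability.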

 

Can a smart hacker simply shift the data by random amounts and beat the authentication system?

No. Because of our multi-point matching algorithm, the data must maintain its “shape” and the relativity of space and time in human movement. A random adjustment in time that alters its temporal characteristics will disrupt the movement flow in space. Similarly, random shifts in the spatial characteristics of the movement disrupt its flow in time.

 

Why provide users with a template to trace? Doesn’t that make the movement easier to reproduce and copy?

There are many advantages to providing a template. The rationale for this is similar to Microsoft’s picture password. Users can effectively select their own template image and trace whatever aspects of the image they choose (as long as the movement generates enough data points for matching), as presented in Figure 3. This increases the uniqueness of each template-gesture matching. However, instead of capturing the pixel positions of each gesture, the goal of our approach is to use the intrinsic dynamics of a user’s movements on the multi-touch screen as a unique identifier; this means including movement velocity and phase.