Among the many clever post-password authentication schemes currently under development is multi-touch gesture analysis. The basic idea is to observe a user's movements on a touchscreen device for some period of time and to come up with a gestural profile unique to that individual. Then, based on this profile, the system can verify a user's identity continuously as they use the device.
The idea sounds fishy, yes. Couldn't some hacker just observe those same gestures and then mimic them to gain access to a system? The answer should be no because the gestures read by the system are interpreted in such a way as to compile biometric profiles of the user's hand/wrist/etc, resulting in a model that can be used to interpret/verify new/different gestures down the line.
While gestural ID systems are getting a lot of research play these days thanks to error rates trending toward the low single-digits, they also tend to take a rosy view of the security world in which hackers attempt to breach such defenses via crude impersonation, e.g. when one hacker-user attempts to mirror some target-user. This is called a zero-effort attack and it stands in contrast to an attack-by-forgery, in which an attempt is made to recreate (rather than mimic) the user-target.
A DARPA-funded report titled "Robotic Robbery on the Touch Screen" published recently in the journal ACM Transactions on Information and System Security looks at gestural authentication through the eyes of a more sophisticated hacker. It presents two Lego-driven robotic attacks on a touch-based authentication system—one is based on gestural statistics collected over time from a large population of users and the other is based on stealing gestural data directly from a user. Both were pretty effective.
"Both attacks are launched by a Lego robot that is trained on how to swipe on the touch screen," the paper explains. "Using seven verification algorithms and a large dataset of users, we show that the attacks cause the system's mean false acceptance rate (FAR) to increase by up to fivefold relative to the mean FAR seen under the standard zero-effort impostor attack."
To amass enough statistics to launch the first attack, the researchers took 41 subjects, mostly college students between 18 and 25 years of age, and had them accomplish various tasks on an Android phone representing fairly normal Android operation. 28 different swipe-features were tabulated, ranging from touch-pressure to swipe start and end locations to swipe duration. The resulting data was then compiled into a single ultra-generic power-user.
This power-user ultimately became the Lego robot, which was outfitted with a Play-Doh-molded "finger." The robot was able to achieve a 70 percent FAR for the least affected gesture-recognition algorithm the experiment tested. In other words, the robot was usually able to trick a recognition algorithm using high-resolution statistical observations of actual smart-phone usage.
The second attack involved the theft of actual gesture-recognition data from a collection of target-user's phones. This data was then used by the robot to recreate a specific target-user's swiping biometrics, with, as expected, even better results. FARs for this method hit 90 percent at the high end.
While continuous gesture-based authentication is really only meant to be a backup to other (one-time) authentication methods, its apparent leakiness should be concerning. Also of concern, the authors note, is the traditional usage of zero-effort attacks for representing the relative successes of gestural algorithms.
"Because the attacks require only basic programming skills and are launched using cheap off-the-shelf hardware, they represent a realistic threat that should be expected to be faced by a real deployment of a touch-based authentication system," the paper concludes. "The article not only calls for the incorporation of robotic attacks in the standard impostor testing routine of touch-based authentication systems but also calls for research into mechanisms that could defeat these attacks."