EURASIP Journal on Information Security (Sep 2022)
Behavior-based user authentication on mobile devices in various usage contexts
Abstract
Reliable and non-intrusive user identification and authentication on mobile devices, such as smartphones, are topical tasks today. The majority of state-of-the-art solutions in this domain are based on the “device unlock” scenario: checking the information (authentication factors) provided by the user to unlock a smartphone. Such factors may be either a single strong authentication factor, for example, a password or PIN, or several “weaker” factors, such as tokens, biometrics, or geolocation data. However, these solutions require additional actions from the user, for example, typing a password or taking a fingerprint, that may be inappropriate for on-the-fly authentication. In addition, biometric-based user authentication systems tend to be prone to presentation attacks (spoofing) and typically perform well in fixed positions only, such as standing still or sitting. We propose the BehaviorID solution, a passwordless (transparent), user-adaptive, context-dependent authentication method. The distinguishing feature of BehaviorID is its use of a new “device lock” scenario: the smartphone stays unlocked and can be quickly locked if a non-owner’s actions are detected. This is achieved by tracking the user’s behavior with embedded sensors after triggering events, such as actions in banking apps, e-mails, and social services. An advanced adaptive recurrent neural network (A-RNN) is used for accurate estimation and adaptation of behavioral patterns to a new usage context. Thus, the proposed BehaviorID solution allows reliable user authentication in various usage contexts while preserving low battery consumption. Performance evaluation of both state-of-the-art and proposed solutions in various usage contexts proved the effectiveness of BehaviorID in real situations.
The proposed solution reduces error levels by up to three times in comparison with the modern solutions of Abuhamad et al. (IEEE Internet Things J 7(6):5008–5020, 2020) (about 0.3% false acceptance rate (FAR) and 1.3% false rejection rate (FRR)) while preserving high robustness to spoofing attacks (2.5% spoof acceptance rate (SAR)). In addition, BehaviorID showed a low drift of the error level in long-term usage, in contrast to modern solutions. This makes the proposed BehaviorID solution an attractive candidate for next-generation behavior-based user authentication systems on mobile devices.
Keywords