The Latest in IT Security

How DARPA crushed the hopes for touch-based authentication



Smartphones head towards touch-based continuous authentication – a type of permanent identity validation that is also passive, since it does not hinder in any way other human-phone interactions that may be taking place during the same time. That would eliminate the risks of intrusion currently at the disposal of cyber-criminals once they bypass the screen lock. Malicious entities would be confronted with multiple, continuous cyber defense/authentication layers, as opposed to the punctual, one-layered shield they meet with in the current mobile configuration.

With advanced touch biometrics authentication systems, a smartphone would allow data access only to a legitimate user, which would verify its identity via a combination of touch operations and biometric parameters – or so theorize the researchers involved in this developing this authentication method.

Touch biometrics take into consideration biometric user profiling while he/she is performing the phone touch operations: pressure, touch curve, fingertip size – all serve in creating the user profile. Once this profile becomes the reference access control “key”, the smartphone recognizes its owner and allows operations and activities only when they originate from him/her.

Another term for this cyber-security mechanism would be (touch-based) post-login user authentication.

As you might have noticed, researchers are in the process of establishing convenient means of transposing this type of authentication into smartphones, or, if you like, of turning the concept into a feature. Here you may check another example of continuous touch-based mobile authentication – a hybrid authentication scheme that combines continuous authentication (CA) and touch-based implicit authentication (IA).

The (quite) premature hacking fears

Various existing post-password authentication schemes are only in their concept or development stage, yet the cyber-defense provided by continuous touch authentication is already being contested. DARPA funded a report called “Toward Robotic Robbery on the Touch Screen” which stirred quite a few reactions from the online media.

The supporters of continuous passive touch-based authentication argued that no human hacker could identify and memorize an individual’s touch biometric characteristics in order to mimic them and bypass this new security authentication system.

In response to that, the researchers from Texas and Syracuse University assembled a Lego robot that performed an attack on the touch-based access control system. The robotic device performed in fact two equally effective separate attacks, using the collected gestural statistics coming from a large pool of users in one of them, while the second one was based on collecting gestural data straight from the smartphone owner.

The rather unaesthetic robot served the purpose of performing the entire operation without any human intervention. It proved a point. In fact it’s all in the algorithms – the specific software approximated the right touch specifications (direction, pressure, angle, shape and so on), and it managed to bypass this system that is barely budding. In conclusion, continuous gesture-based authentication is a faulty method since it allows leaks – the user’s biometric characteristics can be either approximated, or stolen. In any case an artificial replicating device can trick the smartphone into believing the legitimate user is interacting with its software (and hardware).

Is this study premature or not? Judging by the way researchers seem to lag behind malfeasance when it comes to data breaches, malware waves or cyber-attacks, perhaps it is not a bad idea to consider taking zero-day exploits even more backwards in the timeline, preceding the moment of actual concept materialization.

This way the concept authors and involved researchers have the opportunity to reconsider their strategy and/or adapt the concept to make it less hackable by intelligent software.

Anticipating possible hacks – an useful trial method

Perhaps the authors of cyber-security systems and mechanisms cannot leave aside their initial perspective in order to think like the enemy and see the possible flaws in their own creation. However, it seems that other researchers can do this testing game and come up with valid results even before concepts are put into practice.

Since cybernetic research generally becomes more costly with each stage of testing, building and re-testing, being aware of the vulnerabilities in your innovation as soon as possible is useful because it gives time and space for changes before the final stages.

Another paradox in computing would be that sophisticated systems do not automatically translate into unbreakable protection – not with intelligent machines in action. Humans have to outsmart artificial intelligence in a completely unique manner, coming up with lateral thought solutions. Otherwise, what worked before due to intricate layers and complicated algorithms can be shattered in a few moments by a new-generation of software programs.

The touch-based continuous authentication concept is interesting, yet it is not quite there in terms of delivery. It seems to have blocked the idea of intelligent software powering through the volume of biometric characteristics employed to identify users, as well as to have assumed that all smartphones would adopt the touch gesture login method. The concept is vulnerable, like a giant with clay feet. While it is also true that the road from blueprints to market technologies may be a long one, a duration that may allow other technologies to become feasible and threaten the invulnerability of your entire solution, it is also necessary to keep informed with various other connected developments in the field.

Perhaps we will have more and better news in the future on the touch-based technology and its improved resistance to hacking…

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments