Computer Fraud & Security August 200812

I don’t often walk through the corridors of power, but I hope that staff are aware of the procedure for the proper handling of information. However, if carrying and reading such information in public was commonplace to staff, then the novelty value could well have worn thin and thereby carelessness is more likely.

Learning from our ancestorsWhile on one hand, businesses have to be aware of their responsibilities under the Data Protection Act, normal busi-ness documentation often gets carried and treated differently, even though the contents could well be just as sen-sitive to business operations. The first Elizabethan court knew that informa-tion on paper was not safe. They used codes of all sorts to hide information, even in the public media of portraiture

where a carefully pointed finger or pat-tern on a dress was very meaningful to those who understood the code. Of course the codes could also be broken, as Mary Queen of Scots found to her cost. They clearly saw the danger. It seems some in government in the time of the second Elizabeth need to relearn it.

The recently released Coleman report states “Key services now depend on electronic information; physical data records are rapidly becoming obsolete. Much information is stored now in electronic only format.”2 It is a mistake to concentrate solely on electronic risk. If information is lost on IT equipment then that information may be out in the open if the finder has the means to read it. If you lose information on paper, then it is out in the open and the details are likely to turn up in a media outlet near you.

Perversely therefore, it is possible to conclude that where sensitive documents must be carried then the best solution is often to use an encrypted laptop. I believe the Cabinet office would have settled for a ‘Government loses another laptop’ story. After all it would have been one of many!

References

1. “Secret terror files left on train”,BBC News, 11 June 2008. <http://news.bbc.co.uk/1/hi/uk/7449255.stm>

2. “Independent Review of Government Information Assurance”, HM Government, June 2008. < http://www.cabinetoffice.gov.uk/~/media/assets/www.cabinetoffice.gov.uk/csia/dhr/ia_coleman080626%20pdf.ashx>

Beyond the PIN: Enhancing user authentication for mobile devices

However, by providing functionality that extends beyond telephony, such devices have evolved from a simple telephone to a necessity that people utilise every day, for a variety of applications. This level of functionality is significantly expanding; the processing and memory capabilities

of today’s devices are similar to those of PCs a few years ago. Indeed, the com-bination of portability and capability means that handsets such as smartphones and PDAs are likely to have an increas-ingly significant role as mobile comput-ing and network access devices.

The transition poses serious security considerations for mobile users. With the ability to access and store a wide variety of more sensitive information comes the imperative need to ensure this information is not misused or abused. Whereas the replacement cost arising from loss or theft might previously have been the principal risk associated with mobile devices, unauthorised access to the data they hold could now be a far more significant problem (introducing threats ranging from personal identity theft to serious corporate loss).2

Given the changing nature of the mobile device and network, it is necessary to

Steven Furnell, Nathan Clarke and Sevasti KaratzouniCentre for Information Security & Network Research, University of Plymouth, Plymouth, United Kingdom

Mobile devices have changed significantly over the last decade, in terms of both their form factor and underlying capabilities. The introduction of third genera-tion (3G) technologies has provided the underlying mechanism for a wide vari-ety of innovative data-orientated services, with approximately one million users every day adopting these new features.1

Steven Furnell

AUTHENTICATION

August 2008 Computer Fraud & Security13

consider whether the current approach to authentication is capable of providing the level of security that is necessary to meet these requirements. While devices have passed through several generations of tech-nology and functionality, the authentica-tion mechanism has remained essentially the same, with Personal Identification Numbers (PINs) remaining the most widely used approach.

This article establishes the need for flexible and multi-level security for mobile devices, to meet the demands of all stakeholders (end-users, network operators, and system administrators). The discussion begins with an over-view of the existing security provision of mobile devices and then proceeds to examine the need for multi-level and continuous identity verification. A new approach is then proposed, introducing an architecture that enables a series of mechanisms to be used in a flexible and non-intrusive manner, depending upon the user’s activity and the level of secu-rity required for it. This provides a basis for moving authentication away from the device and point-of-entry towards con-tinuous verification tied to service and application usage.

Current authentication on mobile devicesAs the range of data and services expands, it is increasingly desirable for users to protect their devices using authentication methods. The dominant approach on current devices is via a PIN, which (on a mobile phone) can be applied to both the device and the user’s Subscriber Identity Module (SIM). PDA and smartphone devices offer stronger password-based options for the device-level authentication.

Unfortunately, PIN and password-based approaches have long-established drawbacks and their weaknesses are often introduced by the authorised users them-selves. Weaknesses involving passwords are the most clearly documented and include the selection of weak (guessable) strings, as well as sharing details with

other people, writing them down, and never changing them.3,4

A survey assessing authentication and security practices on mobile handsets found that 34% of the 297 respondents did not use the PIN.5 In addition, 85% of those who did use the PIN at switch-on only, would leave their handset on for more than 10 hours a day, thereby undermining any security the PIN might have provided. However, it appears that users do have an appreciation of secu-rity, as 85% were in favour of additional security for their device. The increasing requirement for protection is further evidenced by a survey of 230 business professionals. The survey found that 81% considered the information on their PDA was either somewhat or extremely valuable. As a result, 70% were inter-ested in a security system for their PDA, with 69% willing to pay more for a PDA with security than one without.6

With the evolution of mobile device functionality and access, the requirement for additional and/or advanced authen-tication mechanisms is becoming more apparent. The original specifications for security in 3G networks identified the importance of authenticating users in the more advanced environment that would be provided. Specifically, it was stated that “It shall be possible for service pro-viders to authenticate users at the start of, and during, service delivery to pre-vent intruders from obtaining unauthor-ised access to 3G services by masquerade or misuse of priorities”.7

The reference to performing the authentication during service delivery is particularly interesting, and a potential interpretation is to use more advanced techniques that would enable periodic or continuous re-verification of the user. However, it is notable that although 3G technologies are now widely deployed, we have not witnessed any large-scale advancement over previous authentica-tion approaches. A minority of devices have emerged with fingerprint readers, but this currently shows no signs of becoming a standard provision.

Beyond secret-knowledge authentica-tion, two other forms of authentication are available, namely tokens and biomet-rics. Tokens are not a practical solution in this context, however, in the sense that the user would need to carry them around with the mobile device, thus increasing the risk of one of the neces-sary items being lost or forgotten.

Another issue is that if the authentica-tion process required the token to be placed into the device, then many users would likely leave it in situ, as is the case with the SIM card on current devices. Security conscious users could remove it when the device is not in use, but of course would not because it would be wildly inconvenient. More innovative solutions involving contactless tokens (e.g. based on Bluetooth or RFID) could also be considered and, for example, in-tegrated within items that users would always be expected to have with them, such as wristwatches or rings. However, this could still prove impractical in some scenarios and it would be unlikely for security issues to be able to set the agenda in this manner. With these con-straints in mind, the authors consider that solutions for mobile devices are more likely to arise from biometric tech-nologies, coupled with a more restricted use of secret-knowledge approaches.

Re-examining the requirements for mobile authenticationAnother observation regarding current point-of-entry authentication is that it tends to assume that all services, applica-tions and information accessible on the device are of equal value, and do not require any further access control restric-tions. However, different services and data arguably require different security provi-sions. For example, the protection required by a text message is substantially different to that required by a bank account.

Figure 1 shows a representation of how current authentication is provided; offering a single level of security,

AUTHENTICATION

Computer Fraud & Security August 200814

regardless of the activity or service involved. The reality is, though, that the need for security will vary depending upon what the user is doing, and Figure 2 illustrates how the risk associated with each service could add a further dimen-sion to the way in which the security level is defined.

The potential for misuse and its consequent impact, which each service carries, ought to be a factor in deciding the appropriate level of security. In this way, more critical operations could be assigned greater protection (by requiring

greater confidence in the legitimacy of the user), leaving less risky operations to a lower level of trust.

It can also be argued that the level of security within a service or application is likely to change during the process, as key stages will have a greater risk associ-ated with them than others. To carry out a specific task, a number of discrete steps are involved, which may not carry the same level of sensitivity (i.e. some stages are more critical, whereas others are simply operational steps that assist in the completion of the desired task).

A simple example to illustrate this notion is the use of a text message fea-ture. When the user initially accesses the inbox no real threat is involved as the operation cannot lead to any misuse in its own right (see Figure 3 (a)). Even if the next step is to create a new mes-sage and start typing the content, no additional risk exists. However, security implications start when the user is press-ing ‘send’ because it is at this point that adverse impacts from impostor actions would begin. By contrast, in Figure 3 (b), the user again accesses the inbox, but tries to access the saved messages instead. This time the requirement for greater protection occurs earlier in the process, as accessing the saved messages could affect confidentiality if an impos-tor reads them.

Each operation has different sensitivi-ties and as such each step of the process changes the threat and therefore the risk level. The same principle could be applied more broadly to the access to services themselves (e.g. the sensitivity associated with sending a text mes-sage versus accessing online banking). Attributing a security level to each type of service would effectively reflect the level of confidence required in the legiti-macy of the user.

Realising enhanced authentication on mobile devicesIn order to realise and evaluate a new approach, the authors have been engaged in a two-year research project funded by the Eduserv Foundation, which has resulted in the design and prototype implementa-tion of the Non-Intrusive Continuous Authentication (NICA) architecture. The guiding principles of the research were that the authentication approach should meet the following objectives:

• Increase security beyond secret-knowl-edge techniques

• Provide transparent/non-intrusive authentication

Figure 1: Current security assessment.

Figure 2: Proposed security assessment.

AUTHENTICATION

August 2008 Computer Fraud & Security15

• Authenticate the user continuously/periodically throughout the day in order to maintain confidence in the identity of the user

• Link the provision of security with service utilisation

The authentication concept adopted by the research is illustrated in Figure 4 which shows a range of biometrics that could conceivably be measured from the user’s natural interactions with a mobile device (noting that although the device depicted in the Figure is currently rep-resentative of a more high-end model, such capabilities are likely to become increasingly standard, with subsets still feasible on other current devices).

In this particular case, the device has five forms of input that could be har-nessed as a basis for biometric authenti-cation (noting that only one of these, the fingerprint reader, is specifically provided for this purpose and would represent an intrusive approach in the sense that it requires an explicit user action rather than being part of their normal activ-ity). In addition, the general utilisation of services could be profiled, such that the system is able to identify deviations from the legitimate user’s normal usage pattern (e.g. in the same manner that can already be used to flag anomalies in telephony calling patterns and credit card payment patterns).

Such an approach does not entirely rule out the use of secret-knowledge approach-es, but would reserve their application for explicit challenge scenarios, when non-intrusive authentication approaches have already raised a level of suspicion about the legitimacy of the user.

The current NICA prototype incor-porates face, voice and keystroke-based mechanisms, and by taking feeds from the various interactions with the device it is able to maintain an overall ‘authentica-tion confidence’ as a composite measure of the user’s perceived legitimacy. It is notable that, at its core, NICA can only be as effective as the underlying biomet-rics, and the research has not specifically

focused upon the enhancement of these technologies (although it has incorporat-ed some of the authors’ own prior work in relation to keystroke dynamics).8

In operation, NICA captures and buffers samples in order to support the biometric methods while users perform their normal activities. This ensures that recent data should then be available to enable both scheduled and on-demand authentication judgements; each of

which are scenarios that merit further explanation.

The scheduled context represents the routine operation of the system. In order to maintain an ongoing measure of user legitimacy, NICA schedules authentica-tion judgements at periodic intervals during active sessions. The results of these judgements are used to inform an ‘alert level’, which increases if the authentication is deemed to have failed.

Figure 3: Variation of the security requirements during utilisation of a service.

Figure 4: Harnessing device capabilities for enhanced authentication.

AUTHENTICATION

Computer Fraud & Security August 200816

As the level escalates, authentication is performed in different ways, ultimately making a transition from a transparent to more intrusive modes of operation.

This process is outlined in Table 1. If the system reaches alert level 6, then the handset is locked and would need operator intervention (i.e. in the same way as three incorrect attempts to enter the PIN on a current mobile network will result in the user needing to obtain a personal unblock-ing key in order to regain access).

In addition to the scheduled authenti-cation attempts during a session, certain circumstances will cause the system to perform an on-demand judgement. This will occur when the user attempts to access a service for which an associ-ated security requirement has been specified. NICA enables a required level of ‘authentication confidence’ to be assigned to each service, such that a user cannot access the service unless sufficient confidence in his/her identity has been established. When a user then comes to access a controlled service, one of the following scenarios will occur:

• If the ‘authentication confidence’ is already at (or above) the target level, then access will simply be granted.

• If the confidence is below the required level, the user will be prompted to respond to an explicit, intrusive authentication request.

Clearly, the second scenario is a context in which the authentication becomes apparent to the user, and is therefore the situation that the architecture ideally seeks

to avoid. The concept of the ‘authentica-tion confidence’ level, and the association of service access to different levels, is illus-trated in Figure 5.

Having introduced the confidence rating, the final consideration of note is how the user moves up and down the scale. This relates to successful and unsuccessful authentication attempts, from either scheduled or on-demand judgements. Different biometrics will deliver markedly different levels of performance (e.g. at a broad level, physiological approaches are typically shown to exhibit better performance than behavioural metrics)9, and as such NICA enables different authentication strength ratings to be assigned to differ-ent approaches. A successful authentica-tion with a strong method (e.g. facial recognition) will consequently increase the authentication confidence level more than success with a less reliable method (e.g. keystroke dynamics).

As previously indicated, NICA has been realised as an operational proto-type. Due to development constraints posed by the availability of biometrics and integration with Windows Mobile, the current version has been developed for Windows XP and Vista. However, in order to demonstrate genuine applicabil-ity to mobile devices with small form-factors, the Sony Vaio UX and HP Mini-Note have been used as client devices.

Evaluation within the context of the research project has established that it is effective at identifying impostors and presents a usable environment for legitimate users. However, further work

and longer-term trials are required to yield meaningful indications of False Acceptance and False Rejection rates (measures which, in any case, would be fundamentally tied to the performance of the underlying biometrics in use).

Conclusions and future workEnhanced authentication is imperative to protect increasingly mobile devices. Although many advances have been made in the devices themselves and the networks that support them, little has changed in the way we verify who is using them. Moreover, it is no longer a matter of simply replacing one point-of-entry authentication approach with another. Instead, a more fundamental understanding of what we use the mobile device for is required so that authentica-tion can be achieved more effectively.

This article has argued the need to adopt flexible, multi-level authentica-tion of the user, tied specifically to the services and applications that are used. The NICA prototype goes some way to proving that this concept can be realised, and is able to demonstrate an approach that can balance protec-tion and convenience from the user’s perspective.

Current limitations are the under-lying technologies. At present, few mobile devices are capable of running the processes that an approach such as NICA would demand. In addition, the biometric technologies themselves are not optimally developed for this con-text. The majority of current approach-es are primarily geared towards point-of-entry contexts and applying them, therefore, within NICA represents a scenario for which they were not origi-nally intended. However, it would not be unreasonable to expect that both of these constraints will be resolved over time, as the technology continues to advance in both domains. Once they have been resolved, an approach such as NICA will enable the devices to be

Alert Level NICA authentication action

1 Perform transparent authentication using the most recent data in input cache.

2 Perform transparent authentication using remaining data in input cache.

3 Perform transparent authentication using the next available user input.

4 Issue an intrusive authentication request using a high-confidence method.

5 Issue a further intrusive authentication request using a high-confidence method.

6 Successive authentication failure invokes a system lock.

Table 1: Escalation of the NICA Alert Level.

AUTHENTICATION

August 2008 Computer Fraud & Security17

as flexible in supporting authentication as they are in providing access to other services.

Acknowledgements

This research was supported by a two-year grant from the Eduserv Foundation.

About the authors

Prof. Steven Furnell is the head of the Centre for Information Security & Network Research at the University of Plymouth in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. His interests include security management, computer crime, user authentication, and security usability. Prof. Furnell is a UK representative in International Federation for Information Processing (IFIP) working groups relating to Information Security Management (of which he is the current chair) and Information Security Education. He is the author of over 180 papers in refereed international journals and conference proceedings, as well as the books Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the

System (2005). Further details can be found at www.plymouth.ac.uk/cisnr.

Dr Nathan Clarke is a lecturer in Information Systems Security within the Centre for Information Security and Network Research and an adjunct scholar at Edith Cowan University, Western Australia. His research interests reside in the area of user identity, mobility, forensics and intru-sion detection; having published 39 papers in international journals and conferences. Dr Clarke is a member of the British Computing Society (BCS), the Institute of Engineering Technology (IET) and a UK representative in the International Federation of Information Processing (IFIP) working groups relating to Information Security Management and Identity Management. Dr Clarke is the co-chair of an innovative new symposium series on the Human Aspects of Information Security & Awareness (HAISA).

Miss Sevasti Karatzouni is a researcher in Mobile Security at the Centre for Information Security and Network Research. Her research interests reside in the area of user authentication for mobile devices, and she is pursuing a PhD in the area. Her research has given specific consideration in the use and applicabil-ity of biometrics in that context, having published seven papers in national and

international conferences. Miss Karatzouni is an active member of the British Computing Society (BCS), acting as the Young Professionals Ambassador for the South West Branch.

References

1. Best, J. 2006. “3G reaches 50 mil-lion users worldwide.” CNET.co.uk. 20 February 2006 <http://news.cnet.co.uk/mobiles/0,39029678,49251672,00.htm>.

2. BBC. 2008. “Patient files stolen with laptop.” BBC News Online. 30 June 2008 <http://news.bbc.co.uk/1/hi/england/essex/7481082.stm>.

3. Lemos, R. 2002. “Passwords: The Weakest Link? Hackers can crack most in less than a minute.” CNET.co.uk. 22 May 2002 <http://news.com.com/2009-1001-916719.html>.

4. Morris, R. and K. Thompson. 1979. “Password Security: A Case History.”Communications of the ACM, vol. 22, no. 11, pp. 594-597.

5. Clarke, N.L. and S.M. Furnell. 2005. “Authentication of users on mobile tel-ephones – A survey of attitudes and practices.” Computers & Security, vol. 24, no. 7, pp519-527.

6. Shaw, K. 2004. “Data on PDAs mostly unprotected, survey finds.”NetworkWorld. 4 May 2004 <http://www.networkworld.com/newsletters/mobile/2004/0503mobile1.html>.

7. 3GPP. 2001. “3G security; Security threats and requirements.” 3GPP TS 21.133, 3rd Generation Partnership Project. <http://www.3gpp.org/ftp/Specs/html-info/21133.htm>.

8. Clarke, N.L. and S.M. Furnell. 2007. “Authenticating Mobile Phone Users using Keystroke Analysis” International Journal of Information Security, vol. 6, no. 1, pp1-14.

9. Mansfield, T., Kelly, G., Chandler, D. and Kane, J. 2001. Biometric Product Testing Final Report, Issue 1.0, Centre for Mathematics and Scientific Computing, National Physical Laboratory, 19 March 2001.

Figure 5: Use of the ‘authentication confidence’ level.

AUTHENTICATION