towards science of gesture-based authentication - … · 2014-05-15 · towards science of...
Post on 04-Jul-2018
Credit
• This talk is mostly based on:
• “User-Generated Free-Form Gestures for Authentication: Security and Memorability”
• Michael Sherman (Rutgers), Gradeigh Clark (Rutgers), Yulong Yang (Rutgers), Shridatt Sugrim (Rutgers), Arttu Modig (U. Helsinki), Janne Lindqvist (Rutgers), Antti Oulasvirta (MPI Informatics and Saarland University), Teemu Roos (U. Helsinki)
• To appear in MobiSys’14, June 2014
• Available at: http://www.winlab.rutgers.edu/~janne/mobisys14gestures.pdf
Goal
• Measuring the security and memorability of user-generated free-form gestures
• No visual reference
• Multitouch: Single or multiple fingers
But How to Measure?
• No metrics available
• Previous work focused on ad hoc metrics: quality of recognizers
Security of Text-Based Passwords
• NIST standard for estimating the security of text-based passwords is based purely on length
– Plus magic numbers
• Assumes randomly chosen string of letters
• Used also to model human-chosen passwords
– Overestimates the size of the possible password space
• Other methods: password cracking
Intuition for Gesture Security
• Mutual information I(x ; y) = H(x) – H(x|y)
• H(x) entropy (“uncertainty” or “surprisingness”) of intended gestures
-> “complexity” of gesture
• H(x|y) conditional entropy (remaining uncertainty) of intended gesture given observed gesture
-> “accuracy” of gesture
Alignment of Residuals
• Residuals in time, not necessarily aligned
• Stretching or contracting in time with Canonical Time Warping
Computing Mutual Information
• Mutual information I(x ; y) = H(x) – H(x|y)
• Omitted: how multiple fingers are treated (dimension reduction with PCA)
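The decomposition I(x ; y) = H(x) – H(x|y) from the slides above, worked through as an added example (not code from the talk or the paper). It assumes a one-dimensional, jointly Gaussian model of residuals that are already time-aligned; the function names and sample traces are constructed for illustration, and Canonical Time Warping and PCA are not implemented.

```python
import math

def cov(a, b):
    """Population covariance of two equal-length sequences."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    return sum((p - ma) * (q - mb) for p, q in zip(a, b)) / len(a)

def gaussian_entropy_bits(var):
    """Differential entropy of a 1-D Gaussian with variance var, in bits."""
    return 0.5 * math.log2(2 * math.pi * math.e * var)

def mutual_information_bits(x, y):
    """Per-sample I(x;y) = H(x) - H(x|y), assuming x and y are jointly Gaussian.

    x: residuals of the intended gesture; y: residuals of one observed repetition.
    """
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("sequences must be aligned and of equal length")
    vx, vy, cxy = cov(x, x), cov(y, y), cov(x, y)
    if vx == 0 or vy == 0:
        return 0.0                      # a flat trace carries no information
    rho2 = min(1.0, cxy * cxy / (vx * vy))
    if rho2 == 1.0:
        return math.inf                 # perfect reproduction: H(x|y) unbounded below
    h_x = gaussian_entropy_bits(vx)                          # "complexity"
    h_x_given_y = gaussian_entropy_bits(vx * (1.0 - rho2))   # "accuracy"
    return h_x - h_x_given_y

# Constructed sample data: one intended trace and two repetitions of it.
T = range(120)
X = [math.sin(0.3 * t) for t in T]
WOBBLE = [math.cos(1.7 * t) for t in T]
Y_ACCURATE = [x + 0.1 * w for x, w in zip(X, WOBBLE)]   # small deviation
Y_SLOPPY = [x + 1.0 * w for x, w in zip(X, WOBBLE)]     # large deviation

if __name__ == "__main__":
    print("accurate repetition:", mutual_information_bits(X, Y_ACCURATE), "bits/sample")
    print("sloppy repetition:  ", mutual_information_bits(X, Y_SLOPPY), "bits/sample")
```

H(x) is the same in both calls because the intended trace is the same; only H(x|y) changes, so the less accurate repetition scores lower.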
Method 1/4
• Participants recruited in two batches: May 2013 (33), June 2013 (30)
• 63 first session, 57 in second session
• Aged 18 to 65 (M = 27.2, SD = 9.9)
• 22 high school, 23 Bachelor’s, 16 graduate degree and 2 other degrees
• Time gap between 1st and 2nd session varied
– May volunteers: Mean 14.53 days (SD = 5.81 days)
– June volunteers: Mean 29.52 days (SD = 7.57 days)
Method 2/4
• Data collected w/ Google Nexus 10 tablet, average 200 FPS
• Gestures preprocessed to 60 FPS
• Artifacts etc. corrected
Method 3/4
• Experiment Design
• 17 x 2 mixed factor
• Repeated measurement variable of gesture repetition (17 levels)
– 10 creation (Generate)
– 2 repetitions (Recall1 after distraction)
– 5 repetitions (Recall2 in second session)
• Between-subject variable of time gap between two sessions (2 levels)
Method 4/4
• Procedure
• 1st session
– Gesture Creation (Generate): 1+9 repetitions
– NASA-TLX
– Distraction (Mental rotation, Count down from 20)
– Gesture Recall 1: 2 repetitions
– Demographic questions
• 2nd session
– Gesture Recall 2
– NASA-TLX
– Short survey
Results: Factors Affecting Security
[Figure: Duration (s) vs. Repetition (1–17), Session 1 and Session 2; series: Single Finger, Multi Finger]
Results: Factors Affecting Security
[Figure: Mean I (Bits) vs. Repetition (1–17), Session 1 and Session 2]
Results: Factors Affecting Security
[Figure: Mean I vs Duration: Mean I (Bits) against Gesture Duration (S), with Linear Fit, r2=0.053]
Best and Worst Gestures
[Figure: gesture traces, X Position (Pixels) vs. Y Position (Pixels); legend: Finger 1, Finger 2; panels labeled I = 142.53, I = 110.54, I = 94.51 and I = 1.69, I = 4.26, I = 4.57]
Fingers Used
[Figure: two panels: Mean I (Bits) vs. Fingers Used (1–4); Count vs. Fingers Used (1–4), legend: Generate, Recall2]
Memorability vs. Interval
[Figure: Ratio of I vs. Interval between sessions (Days)]
Results: Subjective Task Load Assessment
[Figure: Mean score per item of the TLX form (Mental, Physical, Temporal, Performance, Effort, Frustration), Sessions 1 and 2]
• Statistically significant difference w/ Wilcoxon signed-rank test for all items except Frustration
• Indicates recall less workload than creation
Practical Authentication System Implementation: ROC
[Figure: two ROC panels, TPR vs. FPR, curves for n=2, n=4, n=6, n=8, n=10]
Discussion
• Security high enough w/ most passwords
• Multifinger gestures???
– Participants overestimated added security?
• Unlike text-based passwords length, duration not important
– Gestures <2s average MI less than 2% of MI of all
• Memorability: few repetitions needed for a stable password
Towards?
• Predictability of model?
– Shoulder surfing attacks
• Impact of policies to gesture generation?
• Incorporating visually cued gestures (graphical password) to the model
• And lots more