Technical improvements in commercial smartphones enable the capture of high-quality inputs and biological traits of users. In response, a wide range of services and applications collect and store identifiable personal user information. Smartphones are typically equipped with a knowledge-based authentication system (e.g., PIN or pattern) to secure user data from unauthorized access. However, traditional knowledge-based schemes often reveal security weaknesses stemming from their limited password space and from a significant portion of users opting for guessable credentials. Free-form gesture-based authentication has been proposed to solve this issue, offering high usability (e.g., fast input and reduced visual attention) and a theoretically large password space. Despite this potential, less is known about the security of free-form gestures. Through a large-scale study and comprehensive security evaluations, this thesis argues that user-generated free-form gestures are vulnerable to two common threats, dictionary-based and observation attacks, reflecting the inherent weaknesses of both knowledge-based and graphical passwords. Based on this initial observation of security pitfalls, this thesis then seeks to design, develop and evaluate password enhancement techniques that improve the security of user-generated free-form gesture passwords while minimizing negative impacts on usability. In my dissertation, I claim that free-form gesture passwords are highly usable but weak smartphone credentials, which can be made robust through password composition policies and enhanced with hardening techniques incorporating behavioral stroke features. Throughout this thesis, I validate my claims by conducting three studies. First, I collected the largest free-form gesture password dataset for smartphone unlocks to date using Amazon Mechanical Turk.
I analyzed the security of gesture passwords by segmenting gestures into discrete symbols and training a probabilistic model to estimate their probability distribution. The results indicated that the partial guessing entropy of gesture passwords was significantly higher than that of traditional passwords like PINs and pattern locks. However, further analysis revealed that under an online dictionary attack scenario, 23.13% or more of user-generated gestures could be cracked within just 20 guesses. In the second study, I addressed this vulnerability by designing and implementing a novel gesture password strength meter policy. The meter uses three strength metrics to assess the security of user-generated gestures and provides feedback to encourage more secure selections. I thoroughly evaluated the meter's effectiveness in both online and lab settings, showing that it could reduce the success rate of dictionary attacks by up to 67%, with only a mild impact on usability. In the final study, I further enhanced gesture passwords by incorporating behavioral biometric features. I collected touch and inertial sensor data from 107 online users' commercial smartphones while they input free-form gesture passwords. After reviewing prior biometric authentication literature, I derived 137 unique stroke features for analysis. I extended the threat model to include both dictionary and observation attacks, and the reinforced authentication system demonstrated resistance to both, achieving an Equal Error Rate (EER) between 3.25% and 4.47%, with a long-term recall performance yielding a False Rejection Rate (FRR) of 2.80%. From these studies, I argue that users often create gesture passwords that prioritize ease of entry and memorability, which makes them susceptible to guessing and cracking.
This thesis argues that gesture password security can be enhanced by designing systems that guide users to create more unique passwords and reliably differentiate between users entering identical gestures. I conclude this thesis by discussing its limitations, offering insights into the implications of the findings, and providing design considerations for future studies aimed at developing techniques to enhance password strength.
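As an added illustration of the two strength measures named in the first study (partial guessing entropy and the fraction of gestures crackable within a fixed guess budget), the code below computes Bonneau's alpha-guesswork in bits and the beta-success rate over a constructed sample of gestures. This is not the thesis's code or data; the sample, the four-symbol stroke-direction alphabet and the assumption that gestures have already been segmented into such symbol strings are all hypothetical.

```python
import math
from collections import Counter

# Constructed sample of user gestures, each already segmented into a string of
# discrete stroke-direction symbols (U, D, L, R). Skewed on purpose: a few
# easy-to-enter shapes dominate, as the thesis reports for real users.
GESTURE_SAMPLE = (
    ["RDLU"] * 12 + ["UD"] * 8 + ["LR"] * 6 + ["DRUL"] * 4 + ["UDUD"] * 3
    + ["LRLR"] * 3 + ["RURU"] * 2
    + ["DLUR", "LULU", "RDRD", "ULDR", "DUDU", "LDRU"]
)


def sorted_probs(samples):
    """Empirical distribution sorted from most to least likely, i.e. the
    order an optimal dictionary attacker would try candidates in."""
    counts = Counter(samples)
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def beta_success_rate(probs, beta):
    """lambda_beta: expected fraction of accounts cracked within beta guesses
    (the thesis reports this for beta = 20 under an online attack)."""
    return sum(probs[:beta])


def alpha_guesswork_bits(probs, alpha):
    """Bonneau's partial guessing entropy G~_alpha in bits.
    mu_alpha is the fewest guesses that reach success probability >= alpha;
    the result equals log2(N) for a uniform distribution over N items."""
    cumulative, mu = 0.0, 0
    for p in probs:
        mu += 1
        cumulative += p
        if cumulative >= alpha:
            break
    lam = cumulative  # success probability actually reached after mu guesses
    g_alpha = (1 - lam) * mu + sum(i * p for i, p in enumerate(probs[:mu], 1))
    return math.log2(2 * g_alpha / lam - 1) + math.log2(1 / (2 - lam))


def uniform_bits(space_size):
    """Strength of a uniformly chosen secret from a space of the given size,
    e.g. uniform_bits(10 ** 4) for a random 4-digit PIN."""
    return math.log2(space_size)


if __name__ == "__main__":
    probs = sorted_probs(GESTURE_SAMPLE)
    print("distinct gestures:", len(probs))
    print("cracked within 3 guesses: %.3f" % beta_success_rate(probs, 3))
    print("G~_0.5 (bits): %.3f" % alpha_guesswork_bits(probs, 0.5))
    print("uniform over same 13 gestures: %.3f" % uniform_bits(len(probs)))
```

With a small symbol alphabet and short gestures, 20 guesses exhausts this whole sample, which is the kind of result a strength meter policy is meant to prevent by steering users toward less common shapes.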
Publisher
Ulsan National Institute of Science and Technology
Degree
Doctor
Major
Department of Biomedical Engineering (Human Factors Engineering)