• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
USER AUTHENTICATION ON MOBILE PHONES
 –
WHAT IS THE BEST APPROACH?Leong Lai Fong
1
, Woo Chaw Seng
2
 
Faculty of Computer Science and Information TechnologyUniversity of Malaya, 50603 Kuala Lumpur, Malaysia.Email: laifong@perdana.um.edu.my
1
, cswoo@um.edu.my
2
 
ABSTRACT 
The usage of the mobile phone over the last few years has made fundamental changes in our daily life. Mobile devices, namely Personal Digital Assistants (PDAs) and mobile phones are containing ever more personal 
information, including address books, schedules as well as payment information. Losing a mobile phone isn’t just a
lost of the gadget, but also the risk of greater loss of money. This paper discusses different types of authentication approaches on mobile phones, namely PIN, token and biometric authentication. We believe that biometric authentication is the most secure approach among PIN, token and biometric. Besides that, the suitability of various biometric technologies are compared and the proper biometrics are identified.
Keywords: authentication, biometric, mobile phone, security, study.
1.0 Introduction
The usage of the mobile phone over the last few years has made fundamental changes in our daily life. Mobiledevices, namely Personal Digital Assistants (PDAs) and mobile phones are extremely useful in managingappointments and contact information, reviewing documents, corresponding via electronic mail, deliveringpresentations, accessing corporate data as well as mobile banking. Unfortunately, current PIN authentication securityin mobile device is weak and stronger authenticator is in higher demand.
2.0 IT Security Objectives
The main goals in IT security are based on the three components of computer security as follows [1]:(a) Confidentiality: The concealment of information or resources for keeping information secret (privacy) as wellas obscuring identity (anonymity).(b) Integrity: The trustworthiness of data or resources for ensuring non-repudiation of data integrity (the contentof the information) and origin integrity (the source of the data
 –
how and from whom it was obtained) viaprevention mechanisms and detection mechanisms.(c) Availability: The ability to use the information or resource desired in the aspect of reliability, system designas well as protection against denial of service attacks.Fig. 1: Objectives of IT securityThe definitions and solutions of confidentiality, integrity and availability are often overlapped and hardly be separatedcompletely. One important security protection is to have a strong access control mechanism. A strong authenticationsystem is able to prevent and detect unauthorized attackers to perform actions outside the scope of legitimateactivity, impacting on confidentiality, integrity and availability.
ConfidentialityAvailabilityIntegrity
 Proceeding of the 3rd International Conference on Informatics and Technology, 2009
 
©Informatics '09, UM 2009
 
 RDT6 -
230
 
 
3.0 Security Overview on Personal Devices
Several major security issues loom over the use of such devices, including [2]:(a) Mobile devices are often stolen or missing, due to their small sizes;(b) The contents in the mobile devices are unencrypted or encrypted under a flawed protocol;(c) Mobile devices are proned to middle-man attack or viruses attack from wireless connection;(d) User authentication is weak or disabled or in a common default mode, the authentication mechanism
 –
 single static password authentication can be circumvented easily;To overcome the security problems mentioned above, computer locks or laptop locks are general solution for betterguardian of such devices physically. In order to enhance the security in data transmission, data encryption andhashing with complicated algorithms are practiced. The Advanced Encryption Standard (AES) announced by NationalInstitute of Standards and Technology (NIST), which has a fixed block size of 128 bits and a key size of 128, 192 or256 bits, is one of the most popular algorithms used in symmetric key cryptography [3]. Hashing, the transformationof a string of characters into a usually shorter fixed-length value or key that represents the original string, is used toencrypt and decrypt digital signatures, and further authenticate message senders and receivers. The digital signatureis transformed with the hash function and then both the hashed value (known as a message-digest) and the signatureare sent in separate transmissions to the receiver. Using the same hash function as the sender, the receiver derivesa message-digest from the signature and compares with the message-digest it also received and returns the samemessage as original [4]. In this way, middle-man attack can be avoided.As for user authentication issue, biometric authentication has already introduced and implemented in desktop, laptop,tablet, mini notebook, Ultra Mobile Personal Computer (UMPC) or PDA. The Fujitsu U810 is a mini notebook thatpromoting biometric authentication for better security, with its integrated AuthenTec fingerprint scanner andembedded TPM [5]. The Sony VAIO VGN-UX390N is an example of UMPC embedded with a fingerprint scanner [6].Hence, same as mobile phones, biometric authentication offers higher security when comparing with conventionalpassword authentication.
4.0 Authentication Security: Types of Authenticators
There are three means of authenticating a user’s ident
ity, which can be used alone or in combination:(a) Something the individual knows (a secret
 –
e.g., a password, Personal Identification Number (PIN), orcryptographic key);(b) Something the individual possesses (a token
 –
e.g., an ATM card or a smart card);(c) Something the individual is (a biometric
 –
e.g., such characteristics as a voice pattern, handwritingdynamics, or a fingerprint).Table 1: Types of authenticators and attributes
Authenticator
Knowledge-Based Object-Based ID-Based
Commonly Referred to as
Password, Secret Token Biometric
Support Authentication by
Secrecy or obscurity Possession Uniqueness andpersonalization
Security Defense
Closely kept Closely held Forge-resistant
Traditional Method
Combination lock Metal key
Driver’s license
 
Digital Method
Computer password Key-less car entry Fingerprint
Security Drawback
Less secret with each use Insecure if lost Difficult to replace
5.0 User Authentication on Mobile Phones5.1 PIN Authentication
The traditional method of securing a mobile phone is by using PIN as password authentication. Theconcept of single static passwords is widely employed globally. One major benefit of single staticpassword is easy to remember. However in the sense of security, single static password is insufficientas it can be h
acked. According to O’Gorman [7
], authentication systems based on passwords andtokens can be attacked by:(a) Client attack: By guessing passwords or stealing tokens;(b) Host attack: By accessing plain text file containing password;(c)
Eavesdropping: By “shoulder surfing” for passwords;
(d) Repudiation: By claiming that token was misplaced;(e) Trojan horse attack: By installing bogus log-in screen to steal passwords;(f) Denial of service: By disabling the system by deliberately supplying an incorrect passwordseveral times
 Proceeding of the 3rd International Conference on Informatics and Technology, 2009
 
©Informatics '09, UM 2009
 
 RDT6 -
231
 
 
5.2 Token Authentication
The token authentication approach does not fit well on mobile phones either. This is because the tokenapproach fundamentally relies upon the user must remember to pick up their token along with thehandset, as to ensure the token and the mobile phone to be physically connected. Then many users willsimply leave the token with the phone (as in SIM card) for convenience. As a result, the token does notprovide the security as it intended.
5.3 Biometric Authentication
The term Biome
trics, in a wide definition, describes the science of “Statistical analysis of biological
o
bservations and phenomena”.
Biometrics is an emerging technology [8] that addresses the automatedidentification of individuals, based on their biological observations (physiological) and phenomena(behavioral traits). The personal physiological attributes of an individual can be obtained from thingsone is, such as finger print, hand geometry, palm print, face, iris, retina, and ear. The idiosyncratic of anindividual can be trait by things one does, such as signature, lip movement, speech, keystrokedynamics, gesture and gait. Each of these biometric techniques has its own advantages anddisadvantages according to user acceptance, cost and performance [9].Fig. 2: Different types of biometric ID methodsIn order to determine the suitability of a physical or a behavioral trait to be used in a biometricapplication, Jain et al. [10] have identified seven factors as below:(a) Universality: Every person accessing the application should possess the trait.(b) Uniqueness: The given trait should be sufficiently different across individuals comprising thepopulation.(c) Permanence: The biometric trait of a person should be sufficiently invariant over a period oftime with respect to the matching algorithm.(d) Measurability: The biometric trait should be possible to acquire, digitize and amenable toprocessing in order to extract representative feature sets, using suitable devices that do notcause undue inconvenience to the user.(e) Performance: The recognition accuracy and the resources required to achieve that accuracyshould meet the constraints imposed by the biometric system.(f) Acceptability: Individuals in the target population that will utilize the biometric system should bewilling to present their biometric trait to the system.(g) Circumvention: The trait of a person can be imitated using artifacts (eg., fake fingers), in thecase of physical traits; and mimicry (eg., mimic signatures), in the case of behavioral traits.
6.0 Discussion - What is the best approach?
Given the characterics as above, a biometrics authentication system offers the following benefits:(a) The biometrics trait is unforgettable. Unlike the PIN or token authentication that need to be remembered,biometrics traits
 –
physical or behavior biometrics represent something that the user is.(b) The biometrics trait cannot be lost. Unlike the PIN written on a piece of paper, or the authentication tokenkept closely with the mobile phones, biometrics traits cannot be lost.(c) The biometrics cannot be shared. Unlike the password or token that can be shared among the family andfriends, biometrics cannot be shared.(d) The biometrics prevents identity theft. The nature of biometrics ensures that the log in user is the actual userand not any other impostor.In fact, there are already mobile phones offering biometric authentication in the market.(a) FingerprintSeveral mobile handsets featuring fingerprint recognition technology are already on the market. Oneexample is the Pantech G100 (see Fig. 3) which will only allow certain functions to be accessed after aregistered fingerprint has been recognized. Other than that, LG Electronic also had introduced fingerprint
 Proceeding of the 3rd International Conference on Informatics and Technology, 2009
 
©Informatics '09, UM 2009
 
 RDT6 -
232
 
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...