Mobile devices store a diverse set of private user data and have gradually become a hub to control users' other personal Internet-of-Things devices. Access control on mobile devices is therefore highly important. The widely accepted solution is to protect access by asking for a password. However, password authentication is tedious, e.g., a user needs to input a password every time she wants to use the device. Moreover, existing biometrics such as face, fingerprint, and touch behaviors are vulnerable to forgery attacks. We propose a new touch-based biometric authentication system that is passive and secure against forgery attacks. In our touch-based authentication, a user's touch behaviors are a function of some random "secret". The user can subconsciously know the secret while touching the device's screen. However, an attacker cannot know the secret at the time of attack, which makes it challenging to perform forgery attacks even if the attacker has already obtained the user's touch behaviors. We evaluate our touch-based authentication system by collecting data from 25 subjects. Results are promising: the random secrets do not influence user experience and, for targeted forgery attacks, our system achieves 0.18 smaller Equal Error Rates (EERs) than previous touch-based authentication.