Computers & Security

Volume 78, September 2018, Pages 174-186

Tap-based user authentication for smartwatches

https://doi.org/10.1016/j.cose.2018.07.001

Abstract

This paper presents TapMeIn, an eyes-free, two-factor authentication method for smartwatches. It allows users to tap a memorable melody (tap-password) of their choice anywhere on the touchscreen to unlock their watch. A user is verified based on the tap-password as well as her physiological and behavioral characteristics when tapping. Results from preliminary experiments with 41 participants show that TapMeIn could achieve an accuracy of 98.7% with a False Positive Rate of only 0.98%. In addition, TapMeIn retains its performance in different conditions such as sitting and walking. In terms of speed, TapMeIn has an average authentication time of 2 s. A user study with the System Usability Scale (SUS) tool suggests that TapMeIn has a high usability score.

Introduction

Smartwatches are becoming increasingly popular thanks to the seamless experience they offer consumers (Gartner, 2016), with applications ranging from receiving notifications and tracking health and fitness to conducting financial transactions (Inc, Samsung). Recently, smartwatches have also been used to conveniently unlock computers (Google, Inc) and even cars (Verge, Verge). However, despite potentially holding sensitive and private information, smartwatches are not as secure as their counterparts, mobile phones, as shown in HP (2015) and MobileIron (2015). Specifically, researchers found that only five of the ten most popular smartwatch models offer a lock-screen method (either a PIN or a Pattern Lock) to protect user information if the device is stolen. Further, two of the ten devices could be paired with an attacker’s smartphone without any difficulty (HP, 2015). Moreover, protection methods are often turned off by default, and smartwatches usually do not prompt users to enable them (the Apple Watch being the exception) (MobileIron, 2015).

Even the PIN and Pattern Lock methods, where they are used at all, have many weaknesses. They are known to be vulnerable to guessing attacks (Bonneau, Preibusch, Anderson, 2012, Serwadda, Phoha, 2013), shoulder surfing (Papadopoulos, Nguyen, Durmus, Memon, 2017, Tari, Ozok, Holden, 2006, Wiedenbeck, Waters, Birget, Brodskiy, Memon, 2005), smudge attacks (Aviv et al., 2010), and video attacks, in which a whole authentication session is recorded with a camera or a device such as Google Glass or a GoPro (Yue et al., 2014). From a usability point of view, authentication with a PIN or a Pattern may suffer from the “fat-finger problem” because of the limited size of the smartwatch screen (Siek et al., 2005). Moreover, fitting biometric sensors such as fingerprint scanners or a camera for face recognition onto smartwatches may be difficult given their small form factor.

This paper introduces TapMeIn, an eyes-free, two-factor authentication method that lets a user log in by tapping a memorable melody, the tap-password, on the smartwatch touchscreen. A user is verified both on the correctness of the tap-password and on features that depend on the user’s physiological and behavioral characteristics.

TapMeIn offers several desirable features. First, in terms of security, its two-factor nature makes guessing, smudge and shoulder-surfing attacks far less relevant: even an attacker who knows and can repeat a user’s melody still has to pass the behavioral and physiological verification, which is significantly harder. As our evaluation shows, this protection extends to video attacks. Second, in terms of usability, its eyes-free design allows the user to tap anywhere on the screen, which not only sidesteps the fat-finger problem but also lets users log in discreetly and benefits users with visual impairments. In different conditions such as sitting and walking, TapMeIn achieves performance similar to that of the PIN and Pattern Lock methods.
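The two-factor argument above (an attacker who has learned the melody still fails the behavioral check) is easiest to see on a concrete verifier. The following is an added example, not code from the paper or its authors: the page does not publish TapMeIn's feature set or matcher, so the rhythm representation, the single "hold time" behavioral feature, the tolerances and all tap timings below are assumptions constructed for illustration.

```python
"""Illustrative two-factor tap-password check (added example, not the paper's code).

Factor 1 ("something you know"): the tapped rhythm must match the enrolled melody.
Factor 2 ("something you are"): one toy behavioural feature, how long the finger
rests on the screen per tap, must fit a profile built at enrolment.
The paper's real feature set is not given in the text above; this is a stand-in.
"""
from typing import List, Tuple

Tap = Tuple[int, int]  # (touch-down time, touch-up time), both in milliseconds

RHYTHM_TOLERANCE = 0.05  # assumed: max deviation per normalised inter-tap interval
HOLD_K = 2.0             # assumed: accept mean hold time within k standard deviations


def rhythm_signature(taps: List[Tap]) -> List[float]:
    """Tempo-invariant signature: gaps between successive touch-downs divided by
    the total span, so the same melody tapped a bit faster or slower still matches."""
    if len(taps) < 2:
        raise ValueError("a tap-password needs at least two taps")
    downs = [d for d, _ in taps]
    span = downs[-1] - downs[0]
    if span <= 0:
        raise ValueError("tap timestamps must increase")
    return [(b - a) / span for a, b in zip(downs, downs[1:])]


def rhythm_matches(template: List[Tap], attempt: List[Tap],
                   tol: float = RHYTHM_TOLERANCE) -> bool:
    """Factor 1: same number of taps and every normalised interval within tol."""
    if len(template) != len(attempt):
        return False
    return all(abs(t - a) <= tol
               for t, a in zip(rhythm_signature(template), rhythm_signature(attempt)))


def hold_profile(samples: List[List[Tap]]) -> Tuple[float, float]:
    """Enrolment: mean and standard deviation of per-tap hold time (up - down),
    pooled over all enrolment renditions."""
    holds = [up - down for sample in samples for down, up in sample]
    mean = sum(holds) / len(holds)
    var = sum((h - mean) ** 2 for h in holds) / len(holds)
    return mean, var ** 0.5


def behaviour_matches(profile: Tuple[float, float], attempt: List[Tap],
                      k: float = HOLD_K) -> bool:
    """Factor 2: the attempt's mean hold time lies within k standard deviations of
    the enrolled mean (a 1 ms floor on the deviation avoids a zero-width band)."""
    mean, std = profile
    holds = [up - down for down, up in attempt]
    return abs(sum(holds) / len(holds) - mean) <= k * max(std, 1.0)


def verify(template: List[Tap], profile: Tuple[float, float],
           attempt: List[Tap]) -> Tuple[bool, bool, bool]:
    """Returns (rhythm_ok, behaviour_ok, accepted); acceptance needs both factors."""
    r = rhythm_matches(template, attempt)
    b = behaviour_matches(profile, attempt)
    return r, b, r and b


def make_taps(downs: List[int], holds: List[int]) -> List[Tap]:
    return [(d, d + h) for d, h in zip(downs, holds)]


# Constructed sample data: three enrolment renditions of a seven-tap melody.
# All timings are invented for this example, not measured.
ENROL = [
    make_taps([0, 300, 450, 600, 900, 1500, 1800], [80, 78, 82, 80, 79, 81, 80]),
    make_taps([0, 310, 460, 610, 920, 1530, 1840], [84, 82, 86, 84, 83, 85, 84]),
    make_taps([0, 290, 440, 590, 880, 1470, 1760], [76, 74, 78, 76, 75, 77, 76]),
]
TEMPLATE = ENROL[0]
PROFILE = hold_profile(ENROL)

# The owner, tapping slightly faster than at enrolment.
LEGIT = make_taps([0, 280, 410, 560, 830, 1380, 1660], [81, 79, 83, 81, 80, 82, 81])
# Someone who learned the melody and reproduces its timing exactly, but whose
# taps rest on the screen much longer than the owner's.
REPLAY = make_taps([0, 300, 450, 600, 900, 1500, 1800], [150, 148, 152, 150, 149, 151, 150])
# A guess with the right number of taps but an evenly spaced rhythm.
WRONG = make_taps([0, 300, 600, 900, 1200, 1500, 1800], [81, 79, 83, 81, 80, 82, 81])

if __name__ == "__main__":
    for name, attempt in [("owner", LEGIT), ("replay", REPLAY), ("wrong rhythm", WRONG)]:
        print(name, verify(TEMPLATE, PROFILE, attempt))
```

Running the block shows the three cases the paragraph distinguishes: the owner passes both factors, the replayed melody passes the rhythm check but is rejected on the behavioural factor, and a wrong rhythm is rejected on the first factor alone. A real deployment would replace the single hold-time feature with a trained classifier over many tap features, which is where the FPR/FNR trade-off discussed later in the paper comes from.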

We envision TapMeIn being deployed as a lock/unlock method or to secure pairing between a watch and a phone. It can also be offered as an option alongside PIN or Pattern Lock, for the user to choose depending on the context of use or the surroundings. For example, users can choose TapMeIn to unlock their watch in a public place, where the risk of being observed is high, and fall back to Pattern Lock or the regular PIN method when at home or alone.

The main contributions of this paper are summarized as follows.

  • We propose TapMeIn, an eyes-free, two-factor authentication method for touchscreen smartwatches that provides resilience against guessing, smudge, shoulder-surfing and, to some degree, video attacks.

  • We introduce and evaluate a new feature set for tap-based authentication.

  • We present comprehensive evaluation results of TapMeIn through a study involving 41 participants, in different contexts (sitting and walking) and in several attack scenarios.

  • We present a comparative study of several authentication methods on smartwatches, including TapMeIn and the de-facto PIN and Pattern Lock authentication. The results show that while there is no significant difference in error rate between TapMeIn and the other two methods, TapMeIn provides much higher resilience against shoulder-surfing and video attacks. In terms of login speed, TapMeIn is slightly slower than Pattern Lock but not significantly different from 4-digit PIN authentication. PIN and Pattern Lock have been evaluated extensively on smartphones, but studies of their performance on smartwatches are sparse; we provide insights that can serve as a baseline for future research on this topic.

The rest of this paper is organized as follows: The threat model and design of TapMeIn as well as its modules are presented in Section 2. Data collection and the performance evaluation results (the first study) are detailed in Section 3 and Section 4, respectively. The second study, detailed in Section 5, presents a comparison between TapMeIn and the two methods currently available on smartwatches: PIN and Pattern Lock. Discussion and limitations are described in Section 6. Related work is presented in Section 7. Section 8 concludes this paper.


TapMeIn system design

In this section, we first present the threat model and give an overview of TapMeIn. Then details of its modules are described in subsequent subsections.

Data collection

A study was conducted to evaluate the performance of TapMeIn in terms of security and usability. Because smartwatches are often used on the move, i.e., while walking or running, the study was designed to explore the performance of TapMeIn in different conditions, specifically when users are sitting and when they are walking. We implemented TapMeIn on a Samsung Gear Live smartwatch running Android Wear OS. In the rest of this section, the study design and data collection procedure are presented. Note that all

Performance evaluation results

In this section, we report the performance evaluation results of TapMeIn on the collected data set. We use the False Positive Rate (FPR), False Negative Rate (FNR) and Equal Error Rate (EER) to report performance in the different experiments. FPR measures how often the system falsely accepts attackers, and FNR (also called the False Rejection Rate, FRR) how often it wrongly rejects legitimate users. EER, a common metric for biometric systems, is the operating point at which FPR and FNR are equal; it therefore balances usability against security.
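To make the three metrics concrete, here is an added example (not the paper's code or data) that computes FPR, FNR and EER from matcher scores by sweeping the acceptance threshold. The genuine and impostor scores are constructed for illustration; the paper's own data set and classifier outputs are not given on this page.

```python
"""FPR, FNR and EER from matcher scores (added example, not the paper's code or data).

Convention: a higher score means the attempt looks more like the enrolled user,
and an attempt is accepted when score >= threshold.  Genuine scores come from the
owner's own attempts, impostor scores from other people's attempts against the
same profile.
"""
from typing import List, Tuple


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Returns (FPR, FNR) at one threshold.
    FPR = impostor attempts accepted / all impostor attempts.
    FNR = genuine attempts rejected / all genuine attempts (also called FRR)."""
    fpr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fpr, fnr


def accuracy(genuine: List[float], impostor: List[float], threshold: float) -> float:
    """Fraction of all attempts decided correctly at this threshold."""
    fpr, fnr = error_rates(genuine, impostor, threshold)
    correct = (1 - fnr) * len(genuine) + (1 - fpr) * len(impostor)
    return correct / (len(genuine) + len(impostor))


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweeps every observed score as a candidate threshold and returns
    (threshold, EER).  With a finite sample FPR and FNR rarely cross exactly,
    so the EER is taken where |FPR - FNR| is smallest, as the mean of the two
    rates at that threshold (a common convention, assumed here)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fpr, fnr = error_rates(genuine, impostor, t)
        gap = abs(fpr - fnr)
        if best is None or gap < best[0]:
            best = (gap, t, (fpr + fnr) / 2)
    return best[1], best[2]


# Constructed scores (ten genuine, ten impostor), not data from the paper.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.90, 0.76, 0.85, 0.93, 0.60, 0.89]
IMPOSTOR = [0.20, 0.35, 0.15, 0.50, 0.42, 0.30, 0.65, 0.25, 0.10, 0.55]

if __name__ == "__main__":
    for t in (0.5, 0.65, 0.8):
        fpr, fnr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: FPR={fpr:.2f} FNR={fnr:.2f} "
              f"accuracy={accuracy(GENUINE, IMPOSTOR, t):.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE, IMPOSTOR))
```

Lowering the threshold to 0.5 drives FNR to zero but lets three of the ten impostor attempts through (FPR 0.3); raising it to 0.8 blocks every impostor but rejects two genuine attempts (FNR 0.2). The sweep finds the balance point at 0.65, where both rates are 0.1, which is the EER for this sample. When a paper reports a single accuracy figure, it is worth asking which threshold it was measured at, since accuracy alone hides this trade-off.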

Comparison to PIN and Pattern Lock authentication

In this section, a second study is presented with the goal of comparing TapMeIn with the two de-facto methods currently available on smartwatches, PIN and Pattern Lock, in terms of error rate, security and authentication time. For PIN and Pattern Lock, the error rate is defined as the number of user mistakes divided by the total number of user trials. For TapMeIn, the error rate is the FRR, which includes user mistakes as well as classifier errors.

Discussion

Although the results of our evaluation are encouraging, further investigation is needed because the data set is somewhat limited. Nevertheless, as a proof of concept, we have shown that TapMeIn has potential for smartwatch authentication, with results comparable to the state of the art in the literature. We plan to conduct a real-world study to collect a data set that is not only larger but also more realistic.

Another limitation of the work is that we did not have enough data to analyze

Smartwatches and wearables authentication

In recent years, authentication for smartwatches and wearables has been attracting attention from researchers. Bianchi et al. surveyed recent advances in wearable authentication research and predicted that the topic will develop rapidly in the next decade (Bianchi and Oakley, 2016). Smartwatches and wearables have limited input channels; their small screens make entering passwords laborious or difficult. However, wearables often have rich sensing capabilities. Moreover, with the

Conclusion

This paper introduces TapMeIn, a fast, accurate and secure two-factor authentication method for smartwatches that allows users to tap a memorable melody anywhere on the screen to authenticate. Experimental results showed that TapMeIn provides protection against shoulder-surfing and video attacks while maintaining a short authentication time and a low error rate. Comprehensive experiments were conducted to compare it with the de-facto PIN and Pattern Lock methods on smartwatches. Lastly, a user study rated

Acknowledgments

We thank all participants for their time and insightful feedback. We thank anonymous reviewers for their constructive comments.

Toan Nguyen is a researcher with interests in cybersecurity, authentication, machine learning, human computer interaction, and biometrics. He received a Ph.D. degree in Computer Science from New York University (USA, 2018). Before joining NYU, he was a Lecturer at Hanoi University of Science and Technology (HUST, Vietnam) after receiving his Bachelor and Master degrees from HUST. He published in top-ranked security venues and his research was covered by major news media.

References (41)

  • S. Wiedenbeck et al. Passpoints: design and longitudinal evaluation of a graphical password system. Int J Hum Comput Stud (2005)
  • Y. Abdelrahman et al. Stay cool! Understanding thermal attacks on mobile-based user authentication. Proceedings of the CHI conference on human factors in computing systems (2017)
  • N. Al-Naffakh et al. Unobtrusive gait recognition using smartwatches. Proceedings of the BIOSIG 2017 (2017)
  • S.A. Anand et al. Bad sounds good sounds: attacking and defending tap-based rhythmic passwords using acoustic signals. Proceedings of the international conference on cryptology and network security (2015)
  • A.J. Aviv et al. Smudge attacks on smartphone touch screens. WOOT (2010)
  • A. Bangor et al. An empirical evaluation of the system usability scale. Int J Hum Comput Inter (2008)
  • A. Bianchi et al. Wearable authentication: trends and opportunities. IT-Inf Technol (2016)
  • J. Bonneau et al. A birthday present every eleven wallets? The security of customer-chosen banking PINs. Proceedings of the international conference on financial cryptography and data security (2012)
  • L. Breiman. Random forests. Mach Learn (2001)
  • J. Brooke. SUS: a quick and dirty usability scale. Usabil Eval Ind (1996)
  • Y. Chen et al. Your song your way: rhythm-based two-factor authentication for multi-touch mobile devices. Proceedings of the IEEE conference on computer communications (INFOCOM) (2015)
  • C. Cortes et al. Support-vector networks. Mach Learn (1995)
  • Gartner, 2016. Gartner says worldwide wearable devices sales to grow 18.4 percent in 2016. Retrieved Apr 16, 2018 from...
  • E. Ghomi et al. Using rhythmic patterns as an input method. Proceedings of the SIGCHI conference on human factors in computing systems (2012)
  • Google, 2016. Google Smart Lock. Retrieved Apr 16, 2018 from...
  • M. Harbach et al. The anatomy of smartphone unlocking: a field study of Android lock screens. Proceedings of the CHI conference on human factors in computing systems (2016)
  • HP, 2015. Internet of Things security study: smartwatches. Retrieved Apr 16, 2018 from...
  • Inc, A., 2016a. Apple Pay with your Apple Watch. Retrieved Apr 16, 2018 from...
  • Inc, A., 2016b. Automatically unlock your Mac with your Apple Watch. Retrieved Apr 16, 2018 from...
  • A.H. Johnston et al. Smartwatch-based biometric gait recognition. Proceedings of the IEEE seventh international conference on biometrics theory, applications and systems (BTAS) (2015)
Nasir Memon received the M.Sc. and Ph.D. degrees in computer science from the University of Nebraska. He is currently a Professor with the Department of Computer Science and Engineering, New York University (NYU) Tandon School of Engineering, the Director of the OSIRIS Laboratory, a Founding Member of the Center for Interdisciplinary Studies in Security and Privacy, and a Collaborative Multidisciplinary Initiative of several schools within NYU. He is also the Cofounder of Digital Assembly and Vivic Networks, two early stage startups in NYU’s business incubators. He has authored over 250 articles in journals and conference proceedings and holds a dozen patents in image compression and security. His research interests include digital forensics, biometrics, data compression, network security, and usable security. He is a Distinguished Lecturer of the IEEE Signal Processing Society. He received several awards, including the Jacobs Excellence in Education Award and several best paper awards. He has been on the editorial boards of several journals and was the Editor-In-Chief of IEEE Transactions on Information Security and Forensics.