Free form gesture biometrics may be new key to authentication
In the quest for secure and convenient authentication methods, the doodle may prove to be more than just a way to kill time during a boring meeting. Whether you call it a squiggle, doodle or free-form gesture, the act of drawing a curvy line in lieu of typing a four-digit code is getting positive reviews from researchers, software developers and users.
Researchers at Rutgers University found that free-form shapes are more secure than standard pass codes, and it turns out they’re surprisingly easy to remember.
Jeff Maynard has some experience with this. As founder and CEO of the Texas-based Biometric Signature ID, he looks for authentication options that aren’t easily hacked or stolen during data breaches. He believes gesture biometrics fits the bill.
“When a user accesses a computer or portable device they see a screen with a drawing area on it, and they’re asked to draw a series of numbers, letters or characters,” Maynard explains.
BioSig’s software picks up the user’s drawing patterns – including length, speed, and direction – and compares that information to the user’s encrypted enrollment profile. If matched, the user can log in to the device or access services.
Some users will even tell you it’s fun. “It reminds them of an Etch A Sketch,” Maynard says.
He first discovered the fun factor working with clients in higher education. Student surveys showed a 98% satisfaction level with the software, and 45% found the process entertaining or intriguing.
The students thought it was cool enough to repeatedly log in. “It gives you instant feedback whether you are successful or not,” Maynard says. “People were looking at this as a bit of a gaming opportunity.”
Independent testing showed BioSig had a product that worked. Testing for false positives found the software to be highly accurate – three times stronger than the regulations for biometrics set by the National Institute of Standards and Technology.
Maynard says squiggle technology works best when people are drawing something that’s meaningful to them.
Instead of a simple squiggle, BioSig encourages users to draw three or four characters. “They can be shapes, like happy faces or flowers, but in most cases we recommend numbers or letters because you’re always going to be able to remember that,” Maynard says. “Remember, each character can be written in different, unique patterns.”
BioSig keeps track of how its 2 million users behave as they access their digital assets through multiple portable devices. The company collects behaviors that help authenticate the user, Maynard explains. An alert may be triggered if someone repeatedly takes a long time to log in or is trying to log in from an unfamiliar IP address.
How does BioSig know whether the person logging in is the real deal? It’s a challenge that the company is always working on, thanks in part to a grant awarded through the National Strategy for Trusted Identities in Cyberspace.
Researchers find gesture has high security, ease of use
Researchers at Rutgers University, Max-Planck Institute for Informatics and the University of Helsinki set out to determine whether user-generated, free-form shapes on a touch screen could be an alternative to the methods commonly used for authentication on mobile devices. The team found that gestures are easy to remember and can be more secure than standard pass codes.
“They work very well and they’re resistant to attacks – such as shoulder surfing attacks – that other methods are vulnerable to,” says Janne Lindqvist, assistant professor of electrical and computer engineering at Rutgers and a leader of the password project.
About half of the study’s 63 participants chose to create gestures using one finger, while the other half used multiple fingers. Either way, it took only a few tries for the users to be able to generate their chosen gesture in just two seconds.
The study showed that users tended to create signature-type patterns, which ended up being very secure. In a shoulder surfing attack trial, attackers were not able to repeat the gesture well enough to gain access.
Plus, the users had no trouble remembering the gesture several weeks later.
Researchers experimented with an Android tablet and smartphone. Lindqvist imagines this system being put to use in many ways, even physical access to buildings.
BioSig received the grant to explore and combat online identity theft. The goal is to have remote users authenticate their identity before they gain access to a digital asset, like a bank account or personal health information.
“When you’re doing something from a remote log in, you have to find different ways to determine whether that individual is really the user,” explains Maynard. “That’s why we’ve built the data mining capability.”
He points to the risk taken on by Internet vendors who accept credit cards. Because the vendor never actually sees the card, the card number could be in the hands of a thief.
“One of the ways to prevent that is to create a technology that enables an individual from any remote location to create a profile that’s stored by – let’s call it Nordstrom’s,” Maynard says. “Every time I go to Nordstrom’s, I have to authenticate my identity. I can do it with my mouse, my finger – from any device. So even though the bad guys have my credit card number, they’re not going to be able to get in to use that card.”
“If you can find one technology that will allow you access – like a single sign on into multiple applications – that’s the Holy Grail,” Maynard explains. “That’s where we are heading with gesture biometrics.”