A framework for continuous, transparent mobile device authentication

• We present a framework for transparent, continuous authentication on mobile devices.
• The framework uses behavioral biometrics to uniquely identify the device owner.
• The biometrics are supplemented with an explicit authentication method for backup.
• We tested the framework via a simulation that used keystroke and voice information.
• The owner explicitly authenticated 67% less often than with explicit methods alone.

We address two distinct problems with de facto mobile device authentication, as provided by a password or sketch. Firstly, device activity is permitted on an all-or-nothing basis, depending on whether the user successfully authenticates at the beginning of a session. This ignores the fact that tasks performed on a mobile device have a range of sensitivities, depending on the nature of the data and services accessed. Secondly, users are forced to re-authenticate frequently due to the bursty nature that characterizes mobile device use. Owners react to this by disabling the mechanism, or by choosing a weak “secret”. To address both issues, we propose an extensible Transparent Authentication Framework that integrates multiple behavioral biometrics with conventional authentication to implement an effortless and continuous authentication mechanism. Our security and usability evaluation of the proposed framework showed that a legitimate device owner can perform all device tasks, while being asked to authenticate explicitly 67% less often than without a transparent authentication method. Furthermore, our evaluation showed that attackers are soon denied access to on-device tasks as their behavioral biometrics are collected. Our results support the creation of a working prototype of our framework, and provide support for further research into transparent authentication on mobile devices.