You are on page 1of 5

Proceeding of the 3rd International Conference on Informatics and Technology, 2009

USER AUTHENTICATION ON MOBILE PHONES – WHAT IS THE BEST APPROACH?

Leong Lai Fong1, Woo Chaw Seng2


Faculty of Computer Science and Information Technology
University of Malaya, 50603 Kuala Lumpur, Malaysia.
Email: laifong@perdana.um.edu.my1, cswoo@um.edu.my2

ABSTRACT

The usage of the mobile phone over the last few years has made fundamental changes in our daily life. Mobile
devices, namely Personal Digital Assistants (PDAs) and mobile phones are containing ever more personal
information, including address books, schedules as well as payment information. Losing a mobile phone isn’t just a
lost of the gadget, but also the risk of greater loss of money. This paper discusses different types of authentication
approaches on mobile phones, namely PIN, token and biometric authentication. We believe that biometric
authentication is the most secure approach among PIN, token and biometric. Besides that, the suitability of various
biometric technologies are compared and the proper biometrics are identified.

Keywords: authentication, biometric, mobile phone, security, study.

1.0 Introduction
The usage of the mobile phone over the last few years has made fundamental changes in our daily life. Mobile
devices, namely Personal Digital Assistants (PDAs) and mobile phones are extremely useful in managing
appointments and contact information, reviewing documents, corresponding via electronic mail, delivering
presentations, accessing corporate data as well as mobile banking. Unfortunately, current PIN authentication security
in mobile device is weak and stronger authenticator is in higher demand.

2.0 IT Security Objectives

The main goals in IT security are based on the three components of computer security as follows [1]:
(a) Confidentiality: The concealment of information or resources for keeping information secret (privacy) as well
as obscuring identity (anonymity).
(b) Integrity: The trustworthiness of data or resources for ensuring non-repudiation of data integrity (the content
of the information) and origin integrity (the source of the data – how and from whom it was obtained) via
prevention mechanisms and detection mechanisms.
(c) Availability: The ability to use the information or resource desired in the aspect of reliability, system design
as well as protection against denial of service attacks.

Confidentiality Integrity

Availability

Fig. 1: Objectives of IT security

The definitions and solutions of confidentiality, integrity and availability are often overlapped and hardly be separated
completely. One important security protection is to have a strong access control mechanism. A strong authentication
system is able to prevent and detect unauthorized attackers to perform actions outside the scope of legitimate
activity, impacting on confidentiality, integrity and availability.

©Informatics '09, UM 2009 RDT6 - 230


Proceeding of the 3rd International Conference on Informatics and Technology, 2009

3.0 Security Overview on Personal Devices

Several major security issues loom over the use of such devices, including [2]:
(a) Mobile devices are often stolen or missing, due to their small sizes;
(b) The contents in the mobile devices are unencrypted or encrypted under a flawed protocol;
(c) Mobile devices are proned to middle-man attack or viruses attack from wireless connection;
(d) User authentication is weak or disabled or in a common default mode, the authentication mechanism –
single static password authentication can be circumvented easily;

To overcome the security problems mentioned above, computer locks or laptop locks are general solution for better
guardian of such devices physically. In order to enhance the security in data transmission, data encryption and
hashing with complicated algorithms are practiced. The Advanced Encryption Standard (AES) announced by National
Institute of Standards and Technology (NIST), which has a fixed block size of 128 bits and a key size of 128, 192 or
256 bits, is one of the most popular algorithms used in symmetric key cryptography [3]. Hashing, the transformation
of a string of characters into a usually shorter fixed-length value or key that represents the original string, is used to
encrypt and decrypt digital signatures, and further authenticate message senders and receivers. The digital signature
is transformed with the hash function and then both the hashed value (known as a message-digest) and the signature
are sent in separate transmissions to the receiver. Using the same hash function as the sender, the receiver derives
a message-digest from the signature and compares with the message-digest it also received and returns the same
message as original [4]. In this way, middle-man attack can be avoided.

As for user authentication issue, biometric authentication has already introduced and implemented in desktop, laptop,
tablet, mini notebook, Ultra Mobile Personal Computer (UMPC) or PDA. The Fujitsu U810 is a mini notebook that
promoting biometric authentication for better security, with its integrated AuthenTec fingerprint scanner and
embedded TPM [5]. The Sony VAIO VGN-UX390N is an example of UMPC embedded with a fingerprint scanner [6].
Hence, same as mobile phones, biometric authentication offers higher security when comparing with conventional
password authentication.

4.0 Authentication Security: Types of Authenticators

There are three means of authenticating a user’s identity, which can be used alone or in combination:
(a) Something the individual knows (a secret – e.g., a password, Personal Identification Number (PIN), or
cryptographic key);
(b) Something the individual possesses (a token – e.g., an ATM card or a smart card);
(c) Something the individual is (a biometric – e.g., such characteristics as a voice pattern, handwriting
dynamics, or a fingerprint).

Table 1: Types of authenticators and attributes


Authenticator Knowledge-Based Object-Based ID-Based
Commonly Referred to as Password, Secret Token Biometric
Support Authentication by Secrecy or obscurity Possession Uniqueness and
personalization
Security Defense Closely kept Closely held Forge-resistant
Traditional Method Combination lock Metal key Driver’s license
Digital Method Computer password Key-less car entry Fingerprint
Security Drawback Less secret with each use Insecure if lost Difficult to replace

5.0 User Authentication on Mobile Phones


5.1 PIN Authentication
The traditional method of securing a mobile phone is by using PIN as password authentication. The
concept of single static passwords is widely employed globally. One major benefit of single static
password is easy to remember. However in the sense of security, single static password is insufficient
as it can be hacked. According to O’Gorman [7], authentication systems based on passwords and
tokens can be attacked by:
(a) Client attack: By guessing passwords or stealing tokens;
(b) Host attack: By accessing plain text file containing password;
(c) Eavesdropping: By “shoulder surfing” for passwords;
(d) Repudiation: By claiming that token was misplaced;
(e) Trojan horse attack: By installing bogus log-in screen to steal passwords;
(f) Denial of service: By disabling the system by deliberately supplying an incorrect password
several times

©Informatics '09, UM 2009 RDT6 - 231


Proceeding of the 3rd International Conference on Informatics and Technology, 2009

5.2 Token Authentication


The token authentication approach does not fit well on mobile phones either. This is because the token
approach fundamentally relies upon the user must remember to pick up their token along with the
handset, as to ensure the token and the mobile phone to be physically connected. Then many users will
simply leave the token with the phone (as in SIM card) for convenience. As a result, the token does not
provide the security as it intended.

5.3 Biometric Authentication

The term Biometrics, in a wide definition, describes the science of “Statistical analysis of biological
observations and phenomena”. Biometrics is an emerging technology [8] that addresses the automated
identification of individuals, based on their biological observations (physiological) and phenomena
(behavioral traits). The personal physiological attributes of an individual can be obtained from things
one is, such as finger print, hand geometry, palm print, face, iris, retina, and ear. The idiosyncratic of an
individual can be trait by things one does, such as signature, lip movement, speech, keystroke
dynamics, gesture and gait. Each of these biometric techniques has its own advantages and
disadvantages according to user acceptance, cost and performance [9].

Fig. 2: Different types of biometric ID methods

In order to determine the suitability of a physical or a behavioral trait to be used in a biometric


application, Jain et al. [10] have identified seven factors as below:
(a) Universality: Every person accessing the application should possess the trait.
(b) Uniqueness: The given trait should be sufficiently different across individuals comprising the
population.
(c) Permanence: The biometric trait of a person should be sufficiently invariant over a period of
time with respect to the matching algorithm.
(d) Measurability: The biometric trait should be possible to acquire, digitize and amenable to
processing in order to extract representative feature sets, using suitable devices that do not
cause undue inconvenience to the user.
(e) Performance: The recognition accuracy and the resources required to achieve that accuracy
should meet the constraints imposed by the biometric system.
(f) Acceptability: Individuals in the target population that will utilize the biometric system should be
willing to present their biometric trait to the system.
(g) Circumvention: The trait of a person can be imitated using artifacts (eg., fake fingers), in the
case of physical traits; and mimicry (eg., mimic signatures), in the case of behavioral traits.

6.0 Discussion - What is the best approach?

Given the characterics as above, a biometrics authentication system offers the following benefits:
(a) The biometrics trait is unforgettable. Unlike the PIN or token authentication that need to be remembered,
biometrics traits – physical or behavior biometrics represent something that the user is.
(b) The biometrics trait cannot be lost. Unlike the PIN written on a piece of paper, or the authentication token
kept closely with the mobile phones, biometrics traits cannot be lost.
(c) The biometrics cannot be shared. Unlike the password or token that can be shared among the family and
friends, biometrics cannot be shared.
(d) The biometrics prevents identity theft. The nature of biometrics ensures that the log in user is the actual user
and not any other impostor.

In fact, there are already mobile phones offering biometric authentication in the market.
(a) Fingerprint
Several mobile handsets featuring fingerprint recognition technology are already on the market. One
example is the Pantech G100 (see Fig. 3) which will only allow certain functions to be accessed after a
registered fingerprint has been recognized. Other than that, LG Electronic also had introduced fingerprint

©Informatics '09, UM 2009 RDT6 - 232


Proceeding of the 3rd International Conference on Informatics and Technology, 2009

recognition in their LG-KP3800 mobile phones. However, additional fingerprint image acquisition sensor and
DSP chip for fingerprint recognition were required, thus increasing the cost and size of the mobile phon [11].

Fig. 3: Pantech GI100 fingerprint scanning handset

(b) Face recognition


Typical of face recognition devices that are becoming available is OMRON’s OKAO Vision Face Recognition
Sensor (Fig. 4), which can be implemented in PDAs, mobile phones or other mobile devices with a camera
function. There is no requirement for additional hardware. Users register their own face image to their
handset with the handset’s camera. To use the unit, the user takes his or her own photo, and the sensor
software will automatically detect the user and unlock the unit.

The software is typically designed to work quickly (less than 1 second from taking the image) and tolerant of
a wide range of facial orientations. It is also designed to be less demanding on processor and memory
requirements.

Fig. 4: Handset using OMRON OKAI vision sensor (Omron)

Let us now examine closely the possibilities of other biometric technologies.

Table 2: Comparison of various biometric technologies


Biometrics Universality Uniqueness Permanence Collectability Performance Acceptability Circumvention
Face High Low Medium High Low High Low
Fingerprint Medium High High Medium High Medium High
Hand Medium Medium Medium High Medium Medium Medium
geometry
Keystrokes Low Low Low Medium Low Medium Medium
Hand veins Medium Medium Medium Medium Medium Medium High
Iris High High High Medium High Low High
Retinal scan High High Medium Low High Low High
Signature Low Low Low High Low High Low
Voice Medium Low Low Medium Low High Low
Facial High High Low High Medium High High
thermograph
Odor High High High Low Low Medium Low
DNA High High High Low High Low Low
Gait Medium Low Low High Low High Medium
Ear Canal Medium Medium High Medium Medium High Medium

Based on the comparison table above, we believe that biometrics that are appropriate for mobile phone
authentication include face, fingerprint, hand geometry, hand veins, iris and retinal scan. This is because these
biometrics technologies have medium or high qualification for most of the criterias. Although facial thermograph has
very good characteristic, however we believe that it is not suitable for mobile phone authentication as it requires high

©Informatics '09, UM 2009 RDT6 - 233


Proceeding of the 3rd International Conference on Informatics and Technology, 2009

computation power and additional hardware. Meanwhile, biometrics trait like keystrokes, signatures, voice, odor,
DNA, gait and ear canal are also not suitable for mobile phone authentication due to low satisfaction on many
aspects.

However, we must also consider other factors when choosing a proper biometric trait for mobile phone authentication,
such as:
(a) Additional hardware device for mobile phone;
(b) Cost involved;
(c) Low computational power in mobile phone;
(d) Limited storage in mobile phone

7.0 Conclusion
As a conclusion, the conventional PIN authentication on mobile phone provides low security, while biometric
authentication which offers higher security on mobile phone is becoming a trend. Despite the current fingerprint and
face recognition, other biometrics approaches namely hand geometry, hand veins, iris recognition and retinal scan
could be proper alternatives. Besides that, hybrid authenticator combining biometrics and digital watermarking would
be a better choice to provide greater security.

References
[1] M.Bishop, “Computer Security: Art and Science”, Addison-Wesley, 2002.

[2] National Institute of Standards and Technology: Mobile Security and Forensics, available in
http://csrc.nist.gov/groups/SNS/mobile_security/index.html, date accessed: 10 September 2009.

[3] Wikipedia: Advanced Encryption Standard, available in


http://en.wikipedia.org/wiki/Advanced_Encryption_Standard, date accessed: 10 September 2009.

[4] A.K. Jain, P.Flynn, A. Ross, “Handbook of Biometrics”, Springer, 2008.

[5] Mobile Tech Review: Fujitsu U810 Mini-Notebook, available in


http://www.mobiletechreview.com/notebooks/Fujitsu-U810.htm, date accessed: 10 September 2009.

[6] The Incredible Shrinking Lapop, online article, available in


http://articles.directorym.co.uk/The_Incredible_Shrinking_Laptop-a873284.html, date accessed: 10 September 2009.

[7] L. O’Gorman, “Comparing Passwords, Tokens and Biometrics for User Authentication,” Proc. of the IEEE, vol. 91,
no. 12, pp. 2019-2040, Dec 2003.

[8] D. Zhang, “Automated Biometrics: Technologies & Systems,” eds Kluwer Academic, 2000.

[9] Y.L. Ma, Frank Pollick, W. Terry Hewitt, “Using B-Spline Curves for Hand Recognition,” Proc. of the 17th
International Conf. on Pattern Recognition (ICPR ’04), 2004.

[10] A.K. Jain, R.Bolle and S. Pankanti, “Biometrics: Personal Identification in Networked Society,” eds. Kluwer
Academic, 1999.

[11] Dae Sik jeong, Hyun-Ae Park, Kang Ryoung Park and Jaihie Kim, “Iris Recognition in Mobile Phone Based on
Adaptive Gabor Filter, Advances in Biometrics,” Springer Berlin/Heidelberg, vol. 3832, pp. 457-463, 2005.

BIOGRAPHY

Leong Lai Fong obtained her Master of Information Techonology from University of Science Malaysia in 2007.
Currently, she is a PhD cantidate at the Faculty of Computer Science and Information Technology, University of
Malaya. Her research areas include image processing, biometrics and mobile applications.

Woo Chaw Seng is a senior lecturer at the Faculty of Computer Science and Information Technology, University of
Malaya. His reseach interests include image processing, mobile applications and multimedia security.

©Informatics '09, UM 2009 RDT6 - 234

You might also like