ABSTRACT
The use of the mobile phone over the last few years has brought fundamental changes to our daily life. Mobile
devices, namely Personal Digital Assistants (PDAs) and mobile phones, hold ever more personal information,
including address books, schedules and payment details. Losing a mobile phone is therefore not just the loss of
the gadget, but also the risk of a much greater financial loss. This paper discusses the different types of
authentication available on mobile phones, namely PIN, token and biometric authentication. We believe that
biometric authentication is the most secure of the three. In addition, the suitability of various biometric
technologies is compared and the appropriate biometrics are identified.
1.0 Introduction
The use of the mobile phone over the last few years has brought fundamental changes to our daily life. Mobile
devices, namely Personal Digital Assistants (PDAs) and mobile phones, are extremely useful for managing
appointments and contact information, reviewing documents, corresponding by electronic mail, delivering
presentations, accessing corporate data and mobile banking. Unfortunately, the PIN authentication currently used
on mobile devices is weak, and a stronger authenticator is increasingly in demand.
The main goals of IT security are based on the three components of computer security, as follows [1]:
(a) Confidentiality: the concealment of information or resources, both keeping information secret (privacy) and
obscuring identity (anonymity).
(b) Integrity: the trustworthiness of data or resources, covering both data integrity (the content of the
information) and origin integrity (the source of the data: how and from whom it was obtained), enforced by
prevention mechanisms and detection mechanisms.
(c) Availability: the ability to use the information or resource desired, which involves reliability, system design
and protection against denial of service attacks.
(Figure: the three components of computer security: confidentiality, integrity and availability.)
The definitions of, and solutions for, confidentiality, integrity and availability often overlap and can hardly be
separated completely. One important protection is a strong access control mechanism. A strong authentication
system prevents, or at least detects, unauthorized attackers performing actions outside the scope of legitimate
activity, which would otherwise affect confidentiality, integrity and availability.
Several major security issues loom over the use of such devices, including [2]:
(a) Mobile devices are often stolen or lost because of their small size;
(b) The contents of the device are unencrypted, or encrypted under a flawed protocol;
(c) Mobile devices are prone to man-in-the-middle attacks and to malware arriving over the wireless connection;
(d) User authentication is weak, disabled or left in a default configuration, and the usual mechanism, a single
static password, can be circumvented easily.
To counter the physical risk, cable locks of the kind used for desktop and laptop computers are the usual means
of securing such devices. To protect data in transit, encryption and hashing with well-studied algorithms are
used. The Advanced Encryption Standard (AES), announced by the National Institute of Standards and Technology
(NIST), has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, and is one of the most widely
used symmetric key algorithms [3]. A hash function transforms an input of arbitrary length into a shorter,
fixed-length value (the message digest) that acts as a fingerprint of the input. It is a one-way function, so it
does not encrypt or decrypt anything by itself, but it is the building block of digital signatures, which
authenticate the sender and protect the integrity of a message. The sender computes the message digest with the
hash function and signs that digest with its private key; the message and the signature are sent to the receiver.
Using the same hash function, the receiver recomputes the digest from the message it received and checks it
against the digest recovered from the signature with the sender's public key; if the two agree, the message is
unaltered and came from the holder of the private key [4]. In this way, tampering by a man-in-the-middle is
detected, provided the receiver holds an authentic copy of the sender's public key.
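The hash-then-sign exchange just described, as an added example that is not part of the original paper. It uses textbook RSA with two small, fixed Mersenne primes and no padding so that it runs on the Python standard library alone; these parameters are an assumption chosen for readability and are nowhere near secure (real deployments use RSA-PSS or ECDSA with keys of 2048 bits or more from a vetted library). The sample transfer message and the man-in-the-middle's substitution are constructed for the illustration. The block also shows why an unkeyed digest sent alongside the message gives no protection on its own: whoever edits the message can simply recompute the digest.

```python
"""Hash-then-sign with textbook RSA, next to the digest-only exchange that
does NOT protect a message. TOY ONLY: the modulus is about 92 bits and there
is no padding, so this is for illustration, not for use."""
import hashlib
from typing import Tuple

# Toy key material (assumption: fixed Mersenne primes chosen for readability).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the sender


def message_digest(message: bytes) -> int:
    """SHA-256 of the message as an integer, reduced modulo N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Sender: hash the message, then apply the private key to the digest."""
    return pow(message_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: recompute the digest of what was received and compare it with
    the digest recovered from the signature using the sender's public key."""
    return pow(signature, E, N) == message_digest(message)


def receiver_accepts_digest_only(message: bytes, digest: bytes) -> bool:
    """A receiver that only checks an unkeyed digest sent alongside the message.
    This catches accidental corruption but gives no origin integrity: anyone
    who edits the message can recompute a matching digest."""
    return hashlib.sha256(message).digest() == digest


def man_in_the_middle(message: bytes) -> Tuple[bytes, bytes]:
    """Attacker on the path rewrites the amount and recomputes the digest.
    Lacking D, it cannot produce a signature that verifies for the new content."""
    tampered = message.replace(b"100.00", b"900.00")
    return tampered, hashlib.sha256(tampered).digest()


if __name__ == "__main__":
    original = b"transfer 100.00 to account 42"      # constructed sample message
    signature = sign(original)
    print("signature verifies on original:", verify(original, signature))

    tampered, forged_digest = man_in_the_middle(original)
    print("digest-only receiver fooled:", receiver_accepts_digest_only(tampered, forged_digest))
    print("signature verifies on tampered:", verify(tampered, signature))
```

Run as a script: the original verifies, the digest-only receiver accepts the altered transfer, and the signed check rejects it. The design point is that the signature binds the digest to the private key; a digest alone binds it to nothing.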
As for the user authentication issue, biometric authentication has already been introduced and implemented on
desktops, laptops, tablets, mini notebooks, Ultra Mobile Personal Computers (UMPCs) and PDAs. The Fujitsu U810
is a mini notebook that promotes biometric authentication for better security, with an integrated AuthenTec
fingerprint scanner and an embedded TPM [5]. The Sony VAIO VGN-UX390N is an example of a UMPC with an embedded
fingerprint scanner [6]. On mobile phones, likewise, biometric authentication offers higher security than
conventional password authentication.
There are three means of authenticating a user’s identity, which can be used alone or in combination:
(a) Something the individual knows (a secret – e.g., a password, Personal Identification Number (PIN), or
cryptographic key);
(b) Something the individual possesses (a token – e.g., an ATM card or a smart card);
(c) Something the individual is (a biometric – e.g., such characteristics as a voice pattern, handwriting
dynamics, or a fingerprint).
The term biometrics, in its wide definition, describes the science of the "statistical analysis of biological
observations and phenomena". Biometrics is an emerging technology [8] that addresses the automated
identification of individuals based on their biological observations (physiological traits) and phenomena
(behavioral traits). The physiological attributes of an individual are obtained from things one is, such as
fingerprint, hand geometry, palm print, face, iris, retina and ear. The behavioral traits of an individual are
derived from things one does, such as signature, lip movement, speech, keystroke dynamics, gesture and gait.
Each of these biometric techniques has its own advantages and disadvantages in terms of user acceptance, cost
and performance [9].
Given the characteristics above, a biometric authentication system offers the following benefits:
(a) A biometric trait cannot be forgotten. Unlike a PIN, which must be remembered, a physiological or behavioral
biometric is something the user is.
(b) A biometric trait cannot be lost. Unlike a PIN written on a piece of paper, or a token kept together with
the mobile phone, the trait stays with the user.
(c) A biometric trait cannot easily be shared. A password or token can be passed around among family and
friends; a biometric trait cannot be handed over in the same way.
(d) Biometrics make impersonation harder. A live sample must be presented at the point of authentication, so the
user logging in is bound to the enrolled person rather than to a secret that anyone could have obtained. The
trade-off a practitioner should keep in mind is that, unlike a PIN, a biometric trait cannot be changed or
revoked once its template or a sample has been captured by an attacker, so stored templates must be protected at
least as carefully as passwords.
In fact, there are already mobile phones on the market that offer biometric authentication.
(a) Fingerprint
Several handsets featuring fingerprint recognition are already on the market. One example is the Pantech G100
(see Fig. 3), which only allows certain functions to be accessed after a registered fingerprint has been
recognized. LG Electronics has also introduced fingerprint recognition in its LG-KP3800 mobile phone. However,
an additional fingerprint image acquisition sensor and a DSP chip for fingerprint recognition were required,
increasing the cost and size of the phone [11].
(b) Face
The software is typically designed to work quickly (less than 1 second from capturing the image) and to tolerate
a wide range of facial orientations. It is also designed to be less demanding in its processor and memory
requirements.
Based on the comparison table above, we believe that the biometrics appropriate for mobile phone authentication
include face, fingerprint, hand geometry, hand veins, iris and retinal scan, because these technologies score
medium or high on most of the criteria. Although facial thermography has very good characteristics, we believe
it is not suitable for mobile phone authentication, as it requires high computational power and additional
hardware. Meanwhile, traits such as keystrokes, signature, voice, odor, DNA, gait and ear canal are also
unsuitable for mobile phone authentication because they score low on many aspects.
However, other factors must also be considered when choosing a biometric trait for mobile phone authentication,
such as:
(a) Additional hardware required on the mobile phone;
(b) The cost involved;
(c) The low computational power of a mobile phone;
(d) The limited storage on a mobile phone.
7.0 Conclusion
In conclusion, conventional PIN authentication on mobile phones provides low security, while biometric
authentication, which offers higher security, is becoming a trend. Beyond the fingerprint and face recognition
already available, other biometric approaches, namely hand geometry, hand veins, iris recognition and retinal
scan, could be suitable alternatives. Furthermore, a hybrid authenticator combining biometrics with digital
watermarking would be a better choice for providing greater security.
References
[1] M. Bishop, "Computer Security: Art and Science," Addison-Wesley, 2002.
[2] National Institute of Standards and Technology, "Mobile Security and Forensics,"
http://csrc.nist.gov/groups/SNS/mobile_security/index.html, accessed 10 September 2009.
[7] L. O'Gorman, "Comparing Passwords, Tokens and Biometrics for User Authentication," Proc. of the IEEE, vol. 91,
no. 12, pp. 2019-2040, Dec. 2003.
[8] D. Zhang, "Automated Biometrics: Technologies & Systems," Kluwer Academic, 2000.
[9] Y. L. Ma, F. Pollick and W. T. Hewitt, "Using B-Spline Curves for Hand Recognition," Proc. of the 17th
International Conf. on Pattern Recognition (ICPR '04), 2004.
[10] A. K. Jain, R. Bolle and S. Pankanti, "Biometrics: Personal Identification in Networked Society," Kluwer
Academic, 1999.
[11] D. S. Jeong, H.-A. Park, K. R. Park and J. Kim, "Iris Recognition in Mobile Phone Based on Adaptive Gabor
Filter," in Advances in Biometrics, Springer Berlin/Heidelberg, vol. 3832, pp. 457-463, 2005.
BIOGRAPHY
Leong Lai Fong obtained her Master of Information Technology from the University of Science Malaysia in 2007.
Currently, she is a PhD candidate at the Faculty of Computer Science and Information Technology, University of
Malaya. Her research areas include image processing, biometrics and mobile applications.
Woo Chaw Seng is a senior lecturer at the Faculty of Computer Science and Information Technology, University of
Malaya. His research interests include image processing, mobile applications and multimedia security.