The increasing capabilities of smartphones and tablets and their importance as productivity tools for business mean that mobile security is a hot-button issue.
A mid-level smartphone with a microSD card can easily fit more than eight DVDs worth of data on it, with room to spare. And even the best mobile security scheme can fall victim to the weakest link found in all security regimes: People.
If mobile security becomes too intrusive, users are less likely to employ best practices. A survey by security vendor BullGuard in mid-2011 found that 62 per cent of participants did not even employ a password or PIN to prevent access to their phones.
How Haiku is building a better BeOS
What's your idea worth? Building a social knowledge market with Barter
AmigaOS 4 developer interview: Why it endures and what the future holds
Syllable OS: Building a better operating system
Open Source Spotlight - OpenStack: Building a more open Cloud
Microsoft researchers Oriana Riva, Chuan Qin, Karin Strauss, and Dimitrios Lymberopoulos have developed a mobile authentication system, presented at the 21st USENIX Security Symposium earlier this month, that combines multiple sources of data to determine whether a device is being accessed by an authorised user.
The scheme means that user authentication can be less intrusive, so users are more likely to have a decent security regime for their smartphone, and that the degree of access to data and applications can be tied to confidence in a user's identity (the researchers use the example of having unimpeded access to a weather app when the system has low confidence in a user's identity, while access to email would require high confidence).
The paper, Progressive authentication: deciding when to authenticate on mobile phones, argues that an "all-or-nothing approach poorly fits users’ needs". "Our key insight is to combine multiple authentication signals to determine the user’s level of authenticity, and surface authentication only when this level is too low for the content being requested," the paper states.
The researchers propose a form of progressive authentication that can draw data from multiple sources to determine a system's confidence that a user is authorised to access a device: Biometric signals, such as face and voice recognition; user behaviour, such as when and where a handset it being used (e.g. whether a phone is used in a new location or at an atypical time); and ‘possession signals’, such as checking whether the phone is being used near a known laptop or desktop PC through a wireless technology such as Bluetooth or RFID. Password/PIN authentication is still used when the system cannot determine the identity of the user based on the other forms of identification with a high enough confidence level.
The model is 'continuous', so that the authentication level is maintained unless the system receives indications that a user has lost contact with their phone, and also takes advantage of the fact that people in workplaces are increasingly employing multiple devices (e.g. a phone, a tablet and a desktop PC) to determine information about who is using the handset.
"Multiple signals are aggregated into a single framework, which determines the level of confidence in user authenticity," the paper states.
"The example considers continuity (phone placement), biometric (face and voice) and multi-device (proximity to a PC where the user is logged on/out) signals as well PIN events. Based on the confidence level, the user is allowed to access predefined data and applications in three sensitivity levels: public, which requires a very low confidence; private, which requires medium confidence; and confidential, which requires very high confidence. Note that when the user’s authenticity level is too low for accessing high security applications, the system requires a PIN, which raises the score to the confidential level. Previously achieved levels are maintained by continuity as long as signals are sufficient."
The researchers built a prototype of the system running on a Windows Phone 7 handset (the tests were conducted in conjunction with a desktop PC). The prototype employed accelerometers, light, temperature and humidity sensing, the touchscreen, login events, the microphone and Bluetooth (the paper notes that all these capabilities are available on consumer-level smartphones, although not all of them are available on Windows Phone 7; as a result they added a sensor kit and used the .NET Gadgeteer software framework to access the additional features).
The PC was fitted with a Bluetooth adapter and webcam, and activity detection (such as keyboard usage and a user logging in or out of the OS) was also employed.
A trial was conducted involving nine users conducting a series of typical office tasks, as well as a series of attack scenarios, such as a user leaving his or her phone on the desk when they left the room. The researchers assessed both the incidents of access by an unauthorised user and the 'authentication overhead' of authorised users (the number of times they had to enter their PIN to access a phone function). The system managed to successfully prevent any unauthorised access, but still reduced the number of times a user had to enter his or her PIN by 42 per cent.
The authors conclude from their trials that a version of their system could be an important factor in reducing lax security habits among smartphone users.
Their intention isn't to device a new authentication method, but to make existing authentication systems, whether knowledge-based, multi-factor or biometric, less intrusive: "Our goal is not to provide a new 'explicit' authentication mechanism, but instead to increase the usability of current mechanisms by reducing the frequency at which the user must authenticate...
"We believe our results should make this approach attractive to many mobile users who do not use security locks today. Overall, progressive authentication offers a new point in the design of mobile authentication and provides users with more options in balancing the security and convenience of their devices."
Follow Rohan on Twitter: @rohan_p