TING-YI CHANG ( 張庭毅 ) Phone: EXT 7381 GRADUATE INSTITUTE OF E-LEARNING, NATIONAL CHANGHUA UNIVERSITY OF EDUCATION

2 A Graphical-based Password Keystroke Dynamic Authentication System for Touch Screen Handheld Mobile Devices appear in Journal of Systems and Software

Authentication 3 The password space of 8-character text-based password on the QWERTY keyboard:  Text-based Authentication dictionary attack shoulder surfing attack

4  PIN-based Authentication No the QWERTY keyboard, used in the mobile devices. The password space of 6-digit PIN-based password : guessing attack shoulder surfing attack

5  Graphical-based Authentication Graphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings. In psychological studies, graphical passwords are easier to remember, since humans remember pictures better than words and numbers.  Images are recognized with very high accuracy (up to 98 percent) after a two hour delay, which is much higher than accuracy for words and sentences.  It has been found that error in recognition of images is only 17 percent after viewing 10,000 pictures.

6  Graphical-based Authentication  Recall-based graphical password: A user is asked to reproduce something that he or she created or selected earlier during the registration stage.  Recognition-based graphical password: A user is authenticated by challenging him/her to identify one or more images he or she chooses during the registration stage.

7  Graphical-based Authentication The password space of choosing 6 sub-photos from 36 photos: shoulder surfing attack Users choose sub-photos in the order.

8  Graphical-based Authentication Users choose 3 icons (called pass icon) from 1,000 icons. During the authentication, the system shows the icons including pass icons. The user through pass icons to form an area and then click the icon that in the area. shoulder surfing attack

9  Graphical-based Authentication PassPoints: A user’s password consists of any chosen sequence of points in the image. Because users while they are being authenticated to reselect exactly the same points (pixel coordinates) selected during registration is too strict, all pixel-based graphical password authentication schemes will set a tolerance area. For a 5-click with a10×10 tolerance area on the 640×480, the password space is:

10 Keystroke Feature Four basic keystroke time features when a user types a string ‘ABCD’

11  Keystroke time feature  Methodology Record user keystrokes process, each operation takes as feature data of user. Verify the password and analysis these feature data to judge user identity.  Advantage No additional operation and extra devices required. Preventing password guessing attack and shoulder surfing attack.

12

System Assessment  Assessment  False Rejection Rate (FRR) Type Ⅰ Error  False Acceptance Rate (FAR) Type Ⅱ Error  Equal Error Rate (EER) 13

Classifier 14  Different types of classifier  Statistical  Neural network  Fuzzy logic  Support vector machine  Nearest neighbors  Clustering algorithm

Training Sample 15  Less training samples for the classifier is better! Araújo et al.’s suggestion (2005) the number of training samples should be less than 10.  High quality samples is good for the classifier. Chang et al. (2010) used the personalized rhythm to enhance the sample quality. However, the users should additionally memorize their personalized rhythm s and thus loading.

16 Keystroke Features on Mobile Devices  Some studies uses the concept of keystroke time features in mobile devices. (text-based or PIN-based passwords)  The size or layout of keypads is different.  A user may not get used to entering his/her PIN or password via different devices.  Some touch mobile devices has no keypad! The system utility for mobile devices is worse than that for QWERTY keyboards.

Touch Screen Mobile Devices 17        

18 No matter the size of the image, it is transformed into 49mm×58mm frame and the system cuts it into 30 thumbnail photos each with an identical size of 9.5mm×9.66mm. The user chooses 3 to 6 photos through the touch panel on the mobile device and the sequence of these photos is the user’s graphical password.    Enrollment Phase

19 After observing users using touch screen handheld mobile devices, we found that users enter their data through the touch screen in characteristic fashion. The force of each person clicking or touching the touch panel is not necessarily the same when they enter their data, thus, the system captures different pressures from the touch panels on mobile devices

20 Keystroke time features and press feature when a user enters a graphical password ‘photo 1, photo 2, photo 3, photo 4 ’  

21 Note that every user in the system only needs to provide five training samples (i=1 to 5) in the enrollment phase, which is smaller than that in Araújo et al.’s suggestion (<10). These sets of the ith training sample are denoted as: 

Classifier Building Phase 22

Authentication Phase 23  An unknown user’s features are denoted as

24 Experimental results  This paper provides a graphical-based password keystroke system developed by Java language and implemented in Android-compatible devices.  The handheld mobile devices used in the experiment were a Motorola Milestone (with an ARM Cortex A8 550 MHz CPU and 256 MB memory), an HTC Desire HD (with a Qualcomm 8255 Snapdragon 1GHz CPU and 768 MB memory), and a Viewsonic Viewpad (with an Intel Atom N GHz CPU and 1 GB memory).

25

26 The one hundred users could freely choose their favorite photos to construct their graphical passwords and provide ten samples. -Five samples were collected at the same time through the same mobile phone (Motorola Milestone 3.7 inch screen) and used in the enrollment phase to build the classifier. -The other five samples were collected over a period of five weeks through two mobile devices (HTC Desire HD 4.3 inch screen and Viewsonic Viewpad 10.1inch screen). -These had different screen sizes in the enrollment phase provided for users and for the legitimate user's login test. The total number of legitimate user samples was 100×5=500. The total number of impostor samples was 10×100×5=5000, which was obtained by ten people who were given the graphical passwords of the one hundred users and told to act as an impostor five times. 

27 java.lang.Object ↳ android.view.InputEvent ↳ android.view.MotionEvent getPressure(): Returns the current pressure of this event for the given pointer index. getDownTime (): Returns the time (in ms) when the user originally pressed down to start a stream of position events. getEventTime(): Returns the time (in ms) when this specific event was generated.

28 The reader has a 95% level of confidence with the results.

29  

30 Comparison of different numbers of training samples

31 

Conclusion 32        

33 Future Work  Recall-based graphical password        

34    

Q & A Phone: EXT 7381 Thank You Ting-Yi Chang