IMPROVING THE SECURITY OF MOBILE DEVICES THROUGH
MULTI-DIMENSIONAL AND ANALOG AUTHENTICATION
JONATHAN GURARY
Bachelor of Computer Engineering
Cleveland State University
2012
Master of Electrical Engineering
Cleveland State University
2013
submitted in partial fulfillment of the requirements for the degree
DOCTOR OF ENGINEERING
at the
CLEVELAND STATE UNIVERSITY
May 2018
We hereby approve the dissertation
of
Jonathan Gurary
Candidate for the Doctor of Engineering degree.
SIGNATURE PAGE ON FILE WITH CLEVELAND STATE UNIVERSITY
This dissertation has been approved for the Department of
ELECTRICAL AND COMPUTER ENGINEERING
and CLEVELAND STATE UNIVERSITY
College of Graduate Studies by
Thesis Committee Chairperson, Dr. Wenbing Zhao
Department/Date
For my wife, my family, my country, for the Emperor. If the road is easy, the destination is
worthless.
ACKNOWLEDGMENTS
Of course, a great thank you to my adviser, Dr. Zhao, for his tremendous help and
support. A thank you to my entire committee: Dr. Dong, Dr. Simon, Dr. Wang, and Dr.
Wu, for their time and dedication in reviewing this work. And thank you to the EECE
department here at Cleveland State, for their financial support and for an overall excellent
experience in the time I spent working towards this degree. Thank you to Dr. Zhu for getting
me started on this journey. Thank you to my collaborating authors from Oakland University
for their help. I wish you all the very best.
This work is dedicated to everyone who supported me. I’d like to thank my wife,
for being omnipresent in support and bearing with me while I finished this lengthy project.
My parents, for all their love and patience as well, even if they have no idea what I’m
doing “over there at school”. My friends, for distracting me from finishing this sooner, but
keeping me entertained in the meantime.
IMPROVING THE SECURITY OF MOBILE DEVICES THROUGH
MULTI-DIMENSIONAL AND ANALOG AUTHENTICATION
JONATHAN GURARY
ABSTRACT
Mobile devices are ubiquitous in today’s society, and the usage of these devices
for secure tasks like corporate email, banking, and stock trading grows by the day. The
first, and often only, defense against attackers who get physical access to the device is
the lock screen: the authentication task required to gain access to the device. To date
mobile devices have languished under insecure authentication scheme offerings like PINs,
Pattern Unlock, and biometrics – or slow offerings like alphanumeric passwords. This work
addresses the design and creation of five proof-of-concept authentication schemes that seek
to increase the security of mobile authentication without compromising memorability or
usability. These proof-of-concept schemes demonstrate the concept of Multi-Dimensional
Authentication, a method of using data from unrelated dimensions of information, and
the concept of Analog Authentication, a method utilizing continuous rather than discrete
information. Security analysis will show that these schemes can be designed to exceed the
security strength of alphanumeric passwords, resist shoulder-surfing in all but the worst-
case scenarios, and offer significantly fewer hotspots than existing approaches. Usability
analysis, including data collected from user studies in each of the five schemes, will show
promising results for entry times, in some cases on par with existing PIN or Pattern Unlock
approaches, and comparable qualitative ratings with existing approaches. Memorability
results will demonstrate that the psychological advantages utilized by these schemes can
lead to real-world improvements in recall, in some instances leading to near-perfect recall
after two weeks, significantly exceeding the recall rates of similarly secure alphanumeric
passwords.
TABLE OF CONTENTS
Page
ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
CHAPTER
I. OVERVIEW AND MOTIVATION . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Mobile: An Opportunity for Change . . . . . . . . . . . . . . . . . . 1
1.2 Shortcomings of the Current Paradigm . . . . . . . . . . . . . . . . . 4
1.3 Statistical Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Contributions and Outline . . . . . . . . . . . . . . . . . . . . . . . . 7
II. MULTI-DIMENSIONAL AUTHENTICATION . . . . . . . . . . . . . . . . . 10
2.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Introduction to Multi-Dimensional Authentication . . . . . . . . . . . 11
2.2.1 An Example of MAPS . . . . . . . . . . . . . . . . . . . . . 12
2.2.2 MAPS vs Traditional Authentication . . . . . . . . . . . . . . 13
2.3 Related Work: Graphical Passwords . . . . . . . . . . . . . . . . . . 15
2.4 Chess Based MAPS (CMAPS) . . . . . . . . . . . . . . . . . . . . . 21
2.4.1 Graphical Hints . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.5 Security Strength of MAPS . . . . . . . . . . . . . . . . . . . . . . . 24
2.5.1 Security Strength of MAPS . . . . . . . . . . . . . . . . . . . 24
2.5.2 Security Strength of CMAPS . . . . . . . . . . . . . . . . . . 26
2.6 Usability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.7 User Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.7.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.7.2 Apparatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.7.3 Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.7.4 Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.7.5 Memorability . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.7.6 Usability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.7.7 Hotspots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.7.8 User Choice in CMAPS Passwords . . . . . . . . . . . . . . . 43
2.7.9 Graphical Hints Generated by Participants . . . . . . . . . . . 45
2.8 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
III. SHOULDER-SURFING RESISTANCE . . . . . . . . . . . . . . . . . . . . . 48
3.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.2 Expanding MAPS to Reduce Shoulder-Surfing . . . . . . . . . . . . . 49
3.2.1 CMAPS vs Shoulder-Surfing and Smudge Attacks . . . . . . . 49
3.2.2 PassGame: Adding Shoulder-Surfing Resistance to MAPS . . 50
3.3 Related Work: Shoulder-Surfing Resistance . . . . . . . . . . . . . . 51
3.3.1 Testing Shoulder-Surfing . . . . . . . . . . . . . . . . . . . . 52
3.3.2 Hardware-based Shoulder-Surfing Resistance . . . . . . . . . 53
3.3.3 Challenge-Response . . . . . . . . . . . . . . . . . . . . . . . 54
3.4 The Design of PassGame . . . . . . . . . . . . . . . . . . . . . . . . 55
3.4.1 Random Board Generation . . . . . . . . . . . . . . . . . . . 56
3.4.2 Available Rules . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.4.3 Additional Rules . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.5 Security of PassGame . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6 PassGame User Study . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6.1 Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.6.3 Memorability Results . . . . . . . . . . . . . . . . . . . . . . 64
3.6.4 Usability Results . . . . . . . . . . . . . . . . . . . . . . . . 65
3.6.5 User Choice in PassGame . . . . . . . . . . . . . . . . . . . . 68
3.6.6 Shoulder-Surfing Study . . . . . . . . . . . . . . . . . . . . . 69
3.7 PassGame Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 71
IV. AUTHENTICATION IN VR . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.2 Expanding MAPS to Virtual Reality . . . . . . . . . . . . . . . . . . 75
4.3 VR Introduction and Related Work . . . . . . . . . . . . . . . . . . . 76
4.4 Advantages of a 3D Authentication Scheme . . . . . . . . . . . . . . 77
4.4.1 Psychological Phenomena . . . . . . . . . . . . . . . . . . . 77
4.4.2 Physical Phenomena . . . . . . . . . . . . . . . . . . . . . . 79
4.5 Implementation of 3DPass . . . . . . . . . . . . . . . . . . . . . . . . 81
4.5.1 Input Device . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.5.2 Design Considerations . . . . . . . . . . . . . . . . . . . . . 85
4.6 Security Strength of 3D Authentication . . . . . . . . . . . . . . . . . 86
4.6.1 Password Space of 3DPass . . . . . . . . . . . . . . . . . . . 87
4.7 3DPass User Study . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.7.1 Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.7.2 Memorability Results . . . . . . . . . . . . . . . . . . . . . . 94
4.7.3 Usability Results . . . . . . . . . . . . . . . . . . . . . . . . 95
4.7.4 Hotspots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.7.5 User Choice in 3D Passwords . . . . . . . . . . . . . . . . . . 99
4.8 Discussion of 3D Authentication . . . . . . . . . . . . . . . . . . . . 100
V. BEHAVIORAL PASSIVE AUTHENTICATION . . . . . . . . . . . . . . . . . 102
5.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.2 Introduction to Implicit Authentication . . . . . . . . . . . . . . . . . 102
5.3 Related Work: Implicit Authentication . . . . . . . . . . . . . . . . . 103
5.4 Implicit Biometric Authentication Scheme . . . . . . . . . . . . . . . 105
5.4.1 Future Implementation . . . . . . . . . . . . . . . . . . . . . 107
5.5 Experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.5.1 Devices Used . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.5.2 Experiment Setup . . . . . . . . . . . . . . . . . . . . . . . . 109
5.5.3 Typographical Correction . . . . . . . . . . . . . . . . . . . . 109
5.5.4 Classification and Analysis . . . . . . . . . . . . . . . . . . . 110
5.5.5 Character Independent Classification . . . . . . . . . . . . . . 111
5.5.6 Character Dependent Classification . . . . . . . . . . . . . . . 112
5.5.7 Order Dependent . . . . . . . . . . . . . . . . . . . . . . . . 114
5.5.8 Future Approaches . . . . . . . . . . . . . . . . . . . . . . . 116
5.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
VI. ANALOG AUTHENTICATION . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.2 Introduction to Analog Authentication . . . . . . . . . . . . . . . . . 120
6.3 Authentication Using Continuous Information . . . . . . . . . . . . . 121
6.4 Related Work: Analog Authentication . . . . . . . . . . . . . . . . . 123
6.5 The Design of PassHue . . . . . . . . . . . . . . . . . . . . . . . . . 124
6.5.1 Comparison of Color Values . . . . . . . . . . . . . . . . . . 128
6.6 Security Strength of PassHue . . . . . . . . . . . . . . . . . . . . . . 130
6.7 PassHue User Study . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.7.1 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . 132
6.7.2 Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.7.3 Memorability of PassHue . . . . . . . . . . . . . . . . . . . . 135
6.7.4 Usability of PassHue . . . . . . . . . . . . . . . . . . . . . . 135
6.7.5 Color Selection and Hotspots . . . . . . . . . . . . . . . . . . 140