Inkblots and gestures: Getting creative about security
Because today’s cell phones contain more data than many desktop computers, improving security for mobile devices is becoming a priority.
Most of us carry cell phones and other mobile devices that can, and often do, contain more data than many desktop computers. What's more, mobile devices are a lot easier to steal or misplace. As a result, improving security for mobile devices is becoming a priority.
Researchers at the Georgia Institute of Technology – with funding from the National Science Foundation – are developing a security system that would make user identification an unintrusive, passive operation. The system – dubbed LatentGesture – is a software application that identifies users through the way they swipe and tap mobile devices. If the system detects that the user's gestures don't match the owner's, the device is locked.
According to Polo Chau, leader of the study and an assistant professor at the university's College of Computing, the software taps into sensors in the touchscreen to measure the speed of a user's swipes, as well as the pressure and location of taps, to produce a "touch signature."
"Everyone has small differences in the way they use touchscreens," Chau said. "The speed of swipes, how hard a person taps a checkbox – it's all different."
Testing in a laboratory setting showed that the system could accurately identify device owners 98 percent of the time. And the system can also be used to store multiple profiles, potentially giving different permissions to different authorized users.
Since people rarely use their mobile devices in a laboratory setting, however, there is still some work to do. Would a user's on-screen behavior be different enough to cause misidentification if he is walking with the device instead of sitting at a table?
While Chau says the team hasn't tested how people's behavior under real-world conditions will affect the system, they do plan to do so. "We also plan to integrate other sensor data into the system," said Chau, "such as ambient light and accelerometer data."
While Chau and his team refine LatentGesture, researchers at Carnegie Mellon University are developing a new password utility called GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart).
OK, so the name isn't exactly self-explanatory. But, like LatentGesture, GOTCHA uses subliminal cues from users to identify them. In the case of GOTCHA, the data is users' responses to inkblots.
With the GOTCHA system, a user creates a password and the computer then generates several random inkblots. The user is prompted to describe each inkblot with a short phrase. When the user next logs on, he or she is required to match a given inkblot with the appropriate phrase.
While the system has proven reliable in preventing brute-force password cracking by computers, it still needs a little work. Apparently, humans aren't sufficiently reliable at remembering the correct matches between inkblots and phrases. In a test 10 days after users created phrases for inkblots, only one-third of the 58 participants correctly matched all the inkblots. Two-thirds of the participants, however, made more than half of the matches correctly.
The Carnegie Mellon team has challenged security researchers to apply artificial intelligence techniques to try to attack the GOTCHA password scheme. Those wanting to take a crack at it will find the challenge at: http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge.html.