Talking to…Rodrigo Rocha about authentication in mobile devices

Author LOQR

Rodrigo Rocha started at LOQR in October 2018 as part of the Mobile Development team. He graduated in Computer Engineering at IPP, where he completed a Bachelor's and a Master's degree in Computer Engineering. His dissertation studied topics related to behavioral biometrics on mobile devices, and in this conversation he talks a bit more about authentication on mobile devices.

Rodrigo, can you tell us more about the importance of this topic? 

Over the last few years, mobile devices have become increasingly important in our daily lives. Their development in terms of processing power, storage, communication, and mobility led to unprecedented growth in mobile applications, which now cover virtually the whole spectrum of our daily lives, from leisure activities to work.

Therefore, we now move around with a small portable device in our pockets that contains very sensitive information that ranges from our social networks to online shopping or e-banking accounts. 

Many applications, such as banking services, which until recently were run on computers, have shown a significant increase in their applicability to mobile devices, which means that they often contain sensitive private information, such as personal photos, email addresses, credit card numbers, passwords, and even companies’ confidential data. 

For this reason, authentication in mobile devices is crucial to protecting this information and a cause for concern that should be present in all users of this technology. 

Do users have this concern to protect their devices with authentication? 

When a smartphone is stolen or lost, the value lost is beyond the value of the device itself. According to a survey conducted by Motorola Mobility, 25% of its consumers stored their email passwords, bank account information, and even social security information on their mobile phones.

In an experiment conducted by the security company Symantec, 50 smartphones with no authentication mechanisms were left in five North American cities. Data was collected on whether and how they were used. Results showed that 96% of the devices were accessed by someone. Of these, in 86% of the cases the unauthorized user accessed personal information and, in 60% of the cases, this information included social networks and e-mail accounts.

Another study shows that 40% of users store information that they consider secret on their mobile device and that nearly one-third of mobile users had accessed at least once a smartphone that was not theirs, such as a lost or stolen one. When our smartphone is accessed by a non-authorized individual, the user gains potential access to all this sensitive information. 

The availability and flexibility of these technologies make life easier, but their use brings other concerns related to the security and privacy of the data stored in them.  

Nowadays, the loss of a mobile phone represents the loss of private information, so the concern to keep mobile phones protected has increased significantly, and it is currently one of the main concerns. 

Are the authentication methods on our mobile devices enough to guarantee our protection?  

The most common approach used to secure mobile devices is information-based authentication, such as the use of text-based passwords (e.g., a numeric code) or a pattern that is drawn on the screen. 

The main advantage of these methods is that they are very easy to use and require very few computational resources. However, it is also very easy for an unauthorized user to observe the owner of the device while unlocking the device, namely in public transportation, restaurants, or even in places where there is video surveillance. 

Moreover, most users tend to use passwords that are easy to memorize. These are, often, also the passwords that are easier to guess.  

It has been shown that in 9.23% of the cases in which an unauthorized user gains access to a device by "password guessing", he does so in fewer than three attempts. This happens in part because most users define their password based on important dates (such as their birthdate) or repetitions of numbers. Patterns used for unlocking the screen are sometimes also relatively easy to guess, as these often leave markings on the screen of the device. More advanced techniques, even thermal imaging cameras, are also used to accomplish this same goal.

More recently, authentication methods based on biometrics have emerged with the promise of increased security. These can be divided into two main categories: physiological and behavioral.  

Physiological biometric authentication mechanisms rely on the use of specific sensors, such as fingerprint scanners or cameras for facial recognition. Their main disadvantage is the increased cost of the device.

It has also been shown that some of these approaches can be fooled, namely by using photographs of people. Fingerprints can also be forged, although this is difficult: once the fingerprint has been obtained, it can be forged through the physical construction of a hardware sensor that replicates the fingerprint.

Behavioral biometrics, on the other hand, relies on the behaviors of the user such as specific actions, application usage, habits, among others. In this kind of authentication, the behavior of the user is monitored in search of actions or habits that are generally not attributed to the user. 

This method is related to actions, behaviors, habits that users have, such as touch gestures, writing dynamics, signature, or voice. 

How can we minimize this problem? 

Authentication methods can be divided into two categories: explicit authentication and implicit (continuous) authentication. Explicit methods require the input of some form of authentication at a specific moment (e.g., fingerprint, password). The device remains unlocked afterwards.

Implicit or continuous authentication methods, on the other hand, continuously monitor the device and the user in search of signs that the current user is not the authorized one.

To decrease the risks associated with authentication, the tech industry and the scientific community have recently been studying and looking for new forms of continuous authentication through behavioral biometrics, creating models that allow the user to be periodically validated, not just at the entry point.

Continuous authentication through behavioral biometrics allows the user's identity to be continuously verified without the user having to intervene, also reducing the security risks of unauthorized sharing and of loss or theft of the device. As with other biometric data, touch dynamics are unique to each user and therefore can be used to identify them.

Thus, the study of touch interaction with the touch screen has been one of the most studied topics in the field of continuous authentication. The use of continuous authentication has the advantage of enabling other types of authentication to be used alongside it, that is, it allows the creation of multifactor authentication that contributes to a significant increase in data security.
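The explicit/continuous split described in this answer, as an added example that is not code from the interview or from LOQR: the owner's enrolled swipes build a touch-dynamics profile, every later swipe is scored against it, and a trust score that decays on anomalous gestures decides when the device must fall back to explicit re-authentication. The feature set (swipe duration, length, mean pressure), the sample values and the thresholds are all constructed for illustration.

```python
"""Added example (not from the interview or from LOQR): continuous
authentication on touch dynamics with a decaying trust score.
Features, enrolment samples and thresholds are constructed assumptions."""
from statistics import mean, pstdev

# Each swipe is (duration_ms, length_px, mean_pressure). Constructed enrolment data.
OWNER_ENROLMENT = [
    (180, 620, 0.42), (195, 640, 0.45), (170, 600, 0.40), (205, 655, 0.44),
    (185, 630, 0.43), (190, 615, 0.41), (175, 645, 0.46), (200, 625, 0.42),
]


def build_profile(samples):
    """Per-feature (mean, std) learned from the owner's enrolment swipes."""
    return [(mean(col), pstdev(col) or 1e-6) for col in zip(*samples)]


def gesture_distance(profile, swipe):
    """Mean absolute z-score of one swipe's features against the profile."""
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(swipe, profile))


class ContinuousAuthenticator:
    """Tracks a trust score in [0, 1] while the device stays unlocked."""

    def __init__(self, profile, anomaly_z=2.5, lock_below=0.5):
        self.profile = profile
        self.anomaly_z = anomaly_z      # distance above which a swipe is unfamiliar
        self.lock_below = lock_below    # trust level that forces explicit re-auth
        self.trust = 1.0                # explicit unlock just happened

    def observe(self, swipe):
        """Feed one swipe; return True when explicit re-authentication is required."""
        if gesture_distance(self.profile, swipe) > self.anomaly_z:
            self.trust = max(0.0, self.trust - 0.25)   # unfamiliar gesture: decay fast
        else:
            self.trust = min(1.0, self.trust + 0.05)   # familiar gesture: recover slowly
        return self.trust < self.lock_below


def run_session(profile, swipes):
    """Index of the swipe at which re-authentication was demanded, or None."""
    auth = ContinuousAuthenticator(profile)
    for i, swipe in enumerate(swipes):
        if auth.observe(swipe):
            return i
    return None
```

A single odd gesture only dents the trust score, so the owner is not locked out by one clumsy swipe; a run of unfamiliar gestures after a theft is what triggers the explicit challenge.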

Rodrigo, if you had to define LOQR in one sentence, which would it be? 

LOQR is the present and the future of technology, and through innovative digital solutions it optimizes and facilitates society's life with the goal of "Empowering Digital Lives".