
Rhythm Authentication Using Multi-Touch Technology

Nguyễn Gia Hào

Academic year: 2023


INTRODUCTION

Objective of the Study

To propose a new biometric authentication method that works better than the traditional keystroke method while providing security, higher usability and faster authentication. To compare the expected security of the proposed method with another biometric authentication based on keystroke authentication and to apply the proposed method to real computer/device authentication.

Scope of Study

In Figure 3.2 (b), the user presses two fingers on the touchpad to create the first beat. In Figure 3.2 (c), the user presses three fingers on the touchpad to create the first beat.

RELATED WORKS

Biometric Authentication

Figures 3.2 (a) – 3.2 (d) show when the user places his/her fingers on the touchpad to create the first stroke using a different number and range of fingers. In Figure 3.2 (a), the user presses just one finger on the touchpad to create one beat. In Figure 3.2 (d), the user also presses the touchpad with three fingers to create the first beat.

Therefore, the distance between the user's fingertips is different when his/her fingers touch the input device. From Table 4.4, the minimum time to successfully attack Rhythmprint was 8, and the number of users who were successfully attacked was only 1/10. The user enters a password on a keyboard for traditional keystroke authentication and creates a rhythm on the touchpad for a scaled-down version of Rhythmprint authentication.

For Rhythmprint authentication, when the user touches or taps the touchpad.

Figure 2.1 shows the different points of a fingerprint.

Keystroke Authentication

Touchscreen Authentication

If the user needs to touch the multi-touch screen device with his fingers, the user must first wear an IR Ring. The IR Ring identifies the wearer and returns the location of the hand on the screen. Second, the user repeats the process, but this time they cannot look at the screen while trying to authenticate.

The experiment shows that if the user tries to authenticate their smartphone in public (visually) 30 times, the shoulder surfing attacks for character pattern authentication or tap unlock were successful 5 times and 9 times for PIN authentication. When the user needs to unlock the phone, the user needs to draw the pattern or shape on the back of the phone for authentication.

Figure 2.5 The application screen of Antal et al. research

K-Nearest Neighbors

Where p is the point of interest for a feature, q is the data-set point for the same feature, and n is the number of features.

Two-Factor Authentication

As the user enters each stroke to create the rhythm, we collect hold time, latency, number of fingers and distance between each fingertip. The attacker must perform shoulder surfing and eavesdropping attacks in order to successfully attack the user; this is because the attacker needs to know two things: the rhythm and the number of fingers per beat. The attacker is again constantly behind the user while the user tries to authenticate himself using the minimized version of the Rhythmprint authentication and the traditional keystroke authentication.

Rhythmprint is a multi-factor authentication method because the user must know the rhythm and the number of fingers per beat (what you know) and the user must have the same hand that was used in the previous recording (what you have), because every person has a different hand geometry. Therefore, the distance between the user's fingertips is different when his/her fingers touch an input device (what you are).

Figure 2.11 The simple process of two-factor authentication on a website or application based on SMS of mobile phone

METHODOLOGY FRAMEWORK

Template Creation

It is the time measured when the user releases his fingers from the input device and when the user pushes his fingers on the input device again. Then, the keystroke extraction system creates a template for the user and stores it in the biometric database. If the attacker can only hear when the victim enters the rhythm to authenticate, the number of fingers and the distance between the fingertips protect the user's rhythm from malicious eavesdropping attacks.

In Table 2, the data for the first stroke from Figure 3.2 (a)-(d) is created as soon as the user touches the touchpad. After collecting the data, we can create the user template and store it in the database.

Figure 3.1 The template creation of Rhythmprint Touch pad/Touch screen

Authentication Process

In Figure 3 (c) and (d), the number of fingers used was the same, but the fingers are different, so the distances between the tips of the fingers are different. First, we calculate the number of strokes and the number of fingers used for each stroke. Based on the number of fingers per beat, we can directly compare the data with that stored in the database for easy filtering in the first stage.

The system rejects the login as the order of the number of fingers does not match the registered template. After filtering using the number of fingers per stroke we got the minimum records that were shown in Table 3.4, the next stage is the classification process.

Figure 3.3 The authentication process

Classification

  • Real-time classification using our Java program
  • Weka program classification

Second, the system classifies the login template using the hold times, latency times, and fingertip distances relative to the templates in the minimum records from the previous step using the K-NN algorithm. The principle of the K-NN algorithm is to compare the data of interest with the set of stored data to find out which class the data of interest should belong to. If the data of interest is closest to a particular set of stored data, the class of that closest data becomes the class of the data of interest. To find the distance matrix, the K-NN algorithm uses the Euclidean distance with the following equation.

We plan to use the Weka program to calculate an accuracy rate of the rhythm fingerprint to test whether the algorithm we designed can identify the users using our four metrics: holding time, latency, number of fingers per stroke, and distance between the fingers.
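An added Python example (not the authors' Java program or Weka setup) of the two-stage check described in the Authentication Process and Classification sections: an exact filter on the finger-count sequence, then K-NN with Euclidean distance over hold time, latency and fingertip distances. The records are constructed, and the record layout, function names and the optional `max_distance` reject threshold are assumptions.

```python
import math
from collections import Counter

# Constructed enrolment records (not data from the study). One beat is
# (hold_ms, latency_ms, finger_count, fingertip_gaps_mm); latency is the
# release-to-next-press interval, 0 after the final beat.
DB = [
    ("alice", [(120, 300, 1, ()), (110, 280, 2, (31.0,)), (130, 0, 3, (30.0, 28.0))]),
    ("alice", [(125, 310, 1, ()), (105, 290, 2, (30.5,)), (128, 0, 3, (29.5, 28.5))]),
    ("alice", [(118, 295, 1, ()), (112, 285, 2, (31.5,)), (133, 0, 3, (30.5, 27.5))]),
    ("bob",   [(200, 150, 1, ()), (190, 160, 2, (38.0,)), (210, 0, 3, (36.0, 35.0))]),
    ("bob",   [(205, 155, 1, ()), (195, 150, 2, (37.5,)), (215, 0, 3, (36.5, 34.5))]),
    ("carol", [(120, 300, 2, (29.0,)), (110, 280, 2, (30.0,)), (130, 0, 1, ())]),
]

def finger_sequence(beats):
    """Stage-1 key: number of fingers used on each beat, in order."""
    return tuple(b[2] for b in beats)

def feature_vector(beats):
    """Flatten hold time, latency and fingertip gaps into one point."""
    vec = []
    for hold, latency, _fingers, gaps in beats:
        vec += [hold, latency, *gaps]
    return vec

def euclidean(p, q):
    """sqrt(sum((p_i - q_i)^2)) over the n features."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

def classify(login, db=DB, k=3, max_distance=None):
    """Return the predicted user, or None when the login is rejected."""
    seq = finger_sequence(login)
    # Stage 1: keep only records whose finger-count sequence matches exactly.
    candidates = [(u, beats) for u, beats in db if finger_sequence(beats) == seq]
    if not candidates:
        return None
    # Stage 2: K-NN by Euclidean distance on the remaining records.
    point = feature_vector(login)
    ranked = sorted((euclidean(point, feature_vector(b)), u) for u, b in candidates)
    # Assumption (not from the page): optional reject threshold, since plain
    # K-NN always returns some enrolled user.
    if max_distance is not None and ranked[0][0] > max_distance:
        return None
    votes = Counter(u for _, u in ranked[:k])
    return votes.most_common(1)[0][0]
```

Without `max_distance`, any login that passes the finger-count filter is assigned to its nearest enrolled user, so a deployment needs a distance cut-off (and feature scaling, since milliseconds otherwise dominate millimetres) tuned against its own FAR/FRR measurements.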

Figure 3.6 The Weka program GUI

Multi-Factor Authentication

With Rhythmprint authentication, the user is less likely to suffer from shoulder surfing and tapping attacks. The attacker stands behind the user at all times while the user is trying to authenticate himself to an application on a laptop using Rhythmprint authentication and traditional keyboard authentication. The user enters the password on the keyboard using the traditional keystroke authentication method and makes the rhythm on the touchpad for Rhythmprint authentication.

In contrast, the minimum attack success time for keystroke authentication was only 1, and the number of users successfully attacked was 9/10. The mini version of Rhythmprint authentication uses multi-touch technology to collect the rhythm when the user touches a touchable device.

RESULTS OF THE EXPERIMENT

Proof of Concept

  • Real-time classification
  • Offline classification
  • Weka classification

The result of FAR and FRR in our experiment with our Java program is shown in Table 4.1. In the experiment, we selected 5 out of 10 records of each user from the database to use for testing (500 records). The result of FAR and FRR in our offline classification experiment is shown in Table 4.2.

The sequence of the number of fingers per beat was collected in the database using the following format. We use the "?" (question mark) symbol instead of the username in the test file for testing in the Weka program.

Figure 4.1 The work flow of template creation Touch pad/Touch screen

Security Challenge

This becomes apparent when the user tries to log in to a program on a laptop ten times in a public place while the attacker is standing behind him. For the experimental design, we simulated a situation where the user needs to authenticate himself to an application on a laptop while sitting in a public place with an attacker standing behind the user. Each method requires the user to attempt to authenticate themselves 10 times, with the attacker performing a shoulder surfing and eavesdropping attack each time.

Each time the user can successfully authenticate, we tested whether the attacker is able to authenticate on the victim's laptop, and then record the results. For this experiment, we don't allow the user to use the other hand to cover the hand used for authentication when pressing the touchpad or typing on the keyboard.

Figure 4.9 The shoulder surfing and eavesdropping attack situation

Minimize Version of Rhythmprint

We've implemented all the authenticators for a scaled-down version of Rhythmprint authentication and traditional keystroke authentication on laptops. For the experimental design, we again simulate a situation where a user needs to authenticate to an application on a laptop while sitting in a public place, and an attacker is standing behind the user. For each method, the user must attempt to authenticate 10 times, while the attacker must perform a shoulder attack and eavesdrop immediately after each successful attempt.

Every time the user can authenticate successfully, we tested whether the attacker can authenticate on the victim's laptop or not. We do not allow the user to use the other hand to cover the touching hand when tapping on the touchpad or typing on the keyboard.

Figure 4.11 The authentication process of the minimized version of Rhythmprint authentication

User satisfaction survey report

Asked whether they would be willing to use Rhythmprint instead of the existing authentication method if Rhythmprint were installed on their computer, 25 of 25 answered yes. Even when an attacker can see which fingers and the number of fingers were used to generate each beat, the attacker cannot impersonate the user. However, if we allow the user to use his/her own rhythm, the percentage accuracy score will be lower than the results found in chapter 4.

This is because when the user taps the touch device with a poor rhythm, he/she has to keep thinking about the number of fingers from the next beat to the last beat. Nevertheless, when the user chooses his/her own good rhythm and is familiar with it, the false acceptance and false rejection rate will be reduced.

Conclusion

Figures

Figure 4.13 The user tries to authenticate to the application on a laptop with the traditional keystroke method without covering it with the other hand
Figure 2.2 The process of fingerprint template creation
Figure 2.3 The process of fingerprint authentication
