CR | Oct 28, 2016

BehavioCog: An Observation Resistant Authentication Scheme

arXiv:1610.09044v2 | 5 citations
Originality: Highly original
AI Analysis

The paper addresses the need for secure and usable authentication methods that resist observation attacks, though it is incremental in that it builds on existing cognitive and biometric techniques.

The paper tackles the problem of creating an observation-resistant authentication scheme by combining behavioral biometric gestures with cognitive challenge-response methods, resulting in a system that requires only two rounds to achieve security comparable to a 4-digit PIN, with an average completion time of less than 38 seconds.

We propose that by integrating behavioural biometric gestures---such as drawing figures on a touch screen---with challenge-response based cognitive authentication schemes, we can benefit from the properties of both. On the one hand, we can improve the usability of existing cognitive schemes by significantly reducing the number of challenge-response rounds by (partially) relying on the hardness of mimicking carefully designed behavioural biometric gestures. On the other hand, the observation resistant property of cognitive schemes provides an extra layer of protection for behavioural biometrics; an attacker is unsure if a failed impersonation is due to a biometric failure or a wrong response to the challenge. We design and develop an instantiation of such a "hybrid" scheme, and call it BehavioCog. To provide security close to a 4-digit PIN---one in 10,000 chance to impersonate---we only need two challenge-response rounds, which can be completed in less than 38 seconds on average (as estimated in our user study), with the advantage that unlike PINs or passwords, the scheme is secure under observation.
