Today at the IFIP Information Security and Privacy 2014 conference, Nathan Clarke talked about active authentication. The goal of active authentication is to continuously estimate the confidence that the owner of a smart phone is actually using it at this very moment. This is an interesting idea, that I’d like to discuss a little bit in this blog post.

Active authentication is meant to replace the current point-of-entry authentication method, where the user is asked to explicitly unlock a device after a certain timeout (and assuming that before the timeout the device is under the control of the user). Permission to use a specific app depends on the current confidence level (a value between 0 and 1). Financial applications can be set to require a high confidence, whereas checking the weather or playing children games can be set to require a low confidence level. If the confidence level is higher than required, the app can be used straight away. If not, the user does have to explicitly authenticate (and the confidence level is set accordingly). Note that in that case the confidence level can be set to a value lower than 1 if the method chosen to authenticate is weak.

Active authentication has several benefits. With active authentication, users are expected to perform fewer explicit authentication actions. Second, usage of the smart phone by an attacker (when caught unlocked) is detected within a short period of time, and access to sensitive apps is blocked automatically.
Thirdly, when sharing your smart phone with others (friends, children), the risk that they accidentally access sensitive apps is reduced. (This all depends on the confidence level required to access the apps, of course.)

A different way to understand the difference between point-of-entry from active authentication is the following. Suppose you plot the level of confidence that the owner is controlling the smart phone over time (along the x-axis). Then point-of-entry authentication starts at confidence level 0, which jumps straight to 1 when the user enters the correct PIN (or, in the case of the iPhone, unlocks with his fingerprint), and drops straight back to 0 after the time out. Active authentication starts with confidence level 0, then slowly increases the confidence based on continuously measuring certain biometrics, may jump to 1 if an explicit authentication is performed, and decays gradually when the device is not in used. If a non-owner uses the device, the confidence level quickly lowers to 0. Given this explanation, I would actually prefer to call the first method discrete authentication and the second method continuous authentication.

Nathan’s research group has investigated how to compute the confidence level in practice. They use several biometric templates for this. Examples of biometric templates used to determine the current user of the smart phone are linguistic profiles, keystroke dynamics, and behavioural profiles. Each of these templates may individually perform bad to distinguish the real owner from a different user, for certain groups of users. But Nathan’s research shows that when combining templates and using so-called multi-modal biometrics, this risk is significantly reduced.

Interestingly, in a discussion after the session, Bart de Decker rightfully pointed out that you can combine this approach with context-based authentication. Context (like current location, or time of day) is also a good source to determine the authenticity of the current user (e.g. if your smart phone is used at your home, it is more likely that you yourself are using it). Moreover, you can restrict access to apps to certain contect (only allowing certain apps to be used at work, or if you are alone).