A Comparative Evaluation of Implicit Authentication Schemes

  • Hassan Khan
  • Aaron Atwater
  • Urs Hengartner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)


Implicit authentication (IA) schemes use behavioural biometrics to continuously and transparently authenticate mobile device users. Several IA schemes have been proposed by researchers which employ different behavioural features and provide reasonable detection accuracy. While these schemes work in principle, it is difficult to comprehend from these individual efforts which schemes work best (in terms of detection accuracy, detection delay and processing complexity) under different operating conditions (in terms of attack scenarios and availability of training and classification data). Furthermore, it is critical to evaluate these schemes on unbiased, real-world datasets to determine their efficacy in realistic operating conditions. In this paper, we evaluate six diverse IA schemes on four independently collected datasets from over 300 participants. We first evaluate these schemes in terms of: accuracy; training time and delay on real-world datasets; detection delay; processing and memory complexity for feature extraction, training and classification operations; vulnerability to mimicry attacks; and deployment issues on mobile platforms. We also leverage our real-world device usage traces to determine the proportion of time these schemes are able to afford protection to device owners. Based on our evaluations, we identify: 1) promising IA schemes with high detection accuracy, low performance overhead, and near real-time detection delays, 2) common pitfalls in contemporary IA evaluation methodology, and 3) open challenges for IA research. Finally, we provide an open source implementation of the IA schemes evaluated in this work that can be used for performance benchmarking by future IA research.


Gait Pattern Equal Error Rate Gait Recognition Detection Delay High Detection Accuracy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Android Authority: Android face unlock hacked (March 2014),
  2. 2.
    Arya, S., Mount, D.M., Netanyahu, N.S., Silverman, R., Wu, A.Y.: An optimal algorithm for approximate nearest neighbor searching fixed dimensions. Journal of the ACM (JACM) 45(6) (1998)Google Scholar
  3. 3.
    Berndt, D.J., Clifford, J.: Using dynamic time warping to find patterns in time series. In: KDD Workshop, vol. 10 (1994)Google Scholar
  4. 4.
    Bo, C., Zhang, L., Li, X.Y., Huang, Q., Wang, Y.: Silentsense: silent user identification via touch and movement behavioral biometrics. In: MobiCom. ACM (2013)Google Scholar
  5. 5.
    Chang, C.C., Lin, C.J.: Libsvm: A library for support vector machines. ACM TIST 2(3) (2011)Google Scholar
  6. 6.
    Chen, T., Kan, M.-Y.: Creating a live, public short message service corpus: The nus sms corpus. Language Resources and Evaluation 47(2), 299–335 (2013)Google Scholar
  7. 7.
    Clarke, N., Karatzouni, S., Furnell, S.: Flexible and transparent user authentication for mobile devices. In: Gritzalis, D., Lopez, J. (eds.) SEC 2009. IFIP AICT, vol. 297, pp. 1–12. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Clarke, N.L., Furnell, S.: Authenticating mobile phone users using keystroke analysis. International Journal of Information Security 6(1) (2007)Google Scholar
  9. 9.
    Crawford, H., Renaud, K., Storer, T.: A framework for continuous, transparent mobile device authentication. Elsevier Computers & Security 39 (2013)Google Scholar
  10. 10.
    De Luca, A., Hang, A., Brudy, F., Lindner, C., Hussmann, H.: Touch me once and i know it’s you!: implicit authentication based on touch screen patterns. In: CHI. ACM (2012)Google Scholar
  11. 11.
    Feng, T., Liu, Z., Kwon, K.A., Shi, W., Carbunar, B., Jiang, Y., Nguyen, N.: Continuous mobile authentication using touchscreen gestures. In: HST. IEEE (2012)Google Scholar
  12. 12.
    Feng, T., Yang, J., Yan, Z., Tapia, E.M., Shi, W.: Tips: Context-aware implicit user identification using touch screen in uncontrolled environments. In: HotMobile. ACM (2014)Google Scholar
  13. 13.
    Feng, T., Zhao, X., Carbunar, B., Shi, W.: Continuous mobile authentication using virtual key typing biometrics. In: TrustCom. IEEE (2013)Google Scholar
  14. 14.
    Frank, J., Mannor, S., Precup, D.: Activity and gait recognition with time-delay embeddings. In: AAAI (2010)Google Scholar
  15. 15.
    Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D.: Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE TIFS 8(1) (2013)Google Scholar
  16. 16.
    Friedman, N., Geiger, D., Goldszmidt, M.: Bayesian network classifiers. Machine Learning 29(2-3) (1997)Google Scholar
  17. 17.
    Gafurov, D., Helkala, K., Søndrol, T.: Biometric gait authentication using accelerometer sensor. Journal of Computers 1(7) (2006)Google Scholar
  18. 18.
    Hayashi, E., Riva, O., Strauss, K., Brush, A., Schechter, S.: Goldilocks and the two mobile devices: Going beyond all-or-nothing access to a device’s applications. In: SOUPS. ACM (2012)Google Scholar
  19. 19.
    Jain, A.K., Ross, A., Prabhakar, S.: An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology 14(1) (2004)Google Scholar
  20. 20.
    Jolliffe, I.: Principal component analysis. Wiley Online Library (2005)Google Scholar
  21. 21.
    Kalamandeen, A., Scannell, A., de Lara, E., Sheth, A., LaMarca, A.: Ensemble: Cooperative proximity-based authentication. In: MobiSys. ACM (2010)Google Scholar
  22. 22.
    Khan, H., Hengartner, U.: Towards application-centric implicit authentication on smartphones. In: HotMobile. ACM (2014)Google Scholar
  23. 23.
    Klimt, B., Yang, Y.: Introducing the enron corpus. In: CEAS (2004)Google Scholar
  24. 24.
    Li, L., Zhao, X., Xue, G.: Unobservable reauthentication for smart phones. In: NDSS (2013)Google Scholar
  25. 25.
    Lookout Blog: Sprint-lookout mobile behavior survey (March 2014),
  26. 26.
    Maiorana, E., Campisi, P., González-Carballo, N., Neri, A.: Keystroke dynamics authentication for mobile phones. In: SAC. ACM (2011)Google Scholar
  27. 27.
    Mantyjarvi, J., Lindholm, M., Vildjiounaite, E., Makela, S.M., Ailisto, H.: Identifying users of portable devices from gait pattern with accelerometers. In: ICASSP 2005. IEEE (2005)Google Scholar
  28. 28.
    Muaaz, M., Mayrhofer, R.: An analysis of different approaches to gait recognition using cell phone based accelerometers. In: MoMM. ACM (2013)Google Scholar
  29. 29.
    Riva, O., Qin, C., Strauss, K., Lymberopoulos, D.: Progressive authentication: deciding when to authenticate on mobile phones. In: USENIX Security (2012)Google Scholar
  30. 30.
    Schneier on Security: Apple iphone fingerprint reader hacked (March 2014),
  31. 31.
    Serwadda, A., Phoha, V.V.: Examining a large keystroke biometrics dataset for statistical-attack openings. ACM TISSEC 16(2) (2013)Google Scholar
  32. 32.
    Serwadda, A., Phoha, V.V.: When kids’ toys breach mobile phone security. In: CCS. ACM (2013)Google Scholar
  33. 33.
    Serwadda, A., Phoha, V.V., Wang, Z.: Which verifiers work?: A benchmark evaluation of touch-based authentication algorithms. In: BTAS. IEEE (2013)Google Scholar
  34. 34.
    Shahzad, M., Liu, A.X., Samuel, A.: Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In: MobiCom. ACM (2013)Google Scholar
  35. 35.
    Shi, E., Niu, Y., Jakobsson, M., Chow, R.: Implicit authentication through learning user behavior. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 99–113. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  36. 36.
    Shrestha, B., Saxena, N., Truong, H.T.T., Asokan, N.: Drone to the rescue: Relay-resilient authentication using ambient multi-sensing. In: Financial Cryptography and Data Security (2014)Google Scholar
  37. 37.
    Striegel, A., Liu, S., Meng, L., Poellabauer, C., Hachen, D., Lizardo, O.: Lessons learned from the netsense smartphone study. In: HotPlanet. ACM (2013)Google Scholar
  38. 38.
    Studer, A., Perrig, A.: Mobile user location-specific encryption (mule): Using your office as your password. In: Wi’Sec. ACM (2010)Google Scholar
  39. 39.
    Tey, C.M., Gupta, P., Gao, D.: I can be you: Questioning the use of keystroke dynamics as biometrics. In: NDSS (2013)Google Scholar
  40. 40.
    Threatpost: Samsung android lockscreen bypass (March 2014),
  41. 41.
    Wright, S.: Symantec honey stick project. Symantec Corporation (March 2012)Google Scholar
  42. 42.
    Zhao, X., Feng, T., Shi, W.: Continuous mobile authentication using a novel graphic touch gesture feature. In: BTAS. IEEE (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Hassan Khan
    • 1
  • Aaron Atwater
    • 1
  • Urs Hengartner
    • 1
  1. 1.Cheriton School of Computer ScienceUniversity of WaterlooWaterlooCanada

Personalised recommendations