Abstract

As smart devices have become commonly used to access internet banking applications, these devices constitute appealing targets for fraudsters. Impersonation attacks are an essential concern for internet banking providers. Therefore, user authentication countermeasures based on biometrics, whether physiological or behavioral, have been developed, including those based on touch dynamics biometrics. These measures take into account the unique behavior of a person when interacting with touchscreen devices, thus hindering identification fraud because it is hard to impersonate natural user behaviors. Behavioral biometric measures also balance security and usability because they are important for human interfaces, thus requiring a measurement process that may be transparent to the user. This paper proposes an improvement to Biotouch, a supervised Machine Learning-based framework for continuous user authentication. The contributions of the proposal comprise the utilization of multiple scopes to create more resilient reasoning models and their respective datasets for the improved Biotouch framework. Another contribution highlighted is the testing of these models to evaluate the imposter False Acceptance Error (FAR). This proposal also improves the flow of data and computation within the improved framework. An evaluation of the multiple scope model proposed provides results between 90.68% and 97.05% for the harmonic mean between recall and precision (F1 Score). The percentages of unduly authenticated imposters and errors of legitimate user rejection (Equal Error Rate (EER)) are between 9.85% and 1.88% for static verification, login, user dynamics, and post-login. These results indicate the feasibility of the continuous multiple-scope authentication framework proposed as an effective layer of security for banking applications, eventually operating jointly with conventional measures such as password-based authentication.

Highlights

  • At least 5 billion people use mobile telephones [1], including 3.2 billion people who use smartphones [2], and among them, 2 billion use their smartphones to access banking applications [3].

  • Scope D was responsible for solving the search for 52% of users in scenario 1 (S1), 66% in scenario 2 (S2), and 62.23% in scenario 3 (S3); Scope A was responsible for 32% of users in S1, 16.66% in S2, and 15.38% in S3; and Scope B was responsible for 4% of users in S1, 0% in S2, and 0% in S3, indicating that Scope D is comprehensive in finding the best algorithm for the data collected and analyzed in this experiment for static verification.

  • Based on the steps defined for the framework, it was possible to find a model with an F1 of at least 90% and with an imposters’ FAR (I_FAR) of up to 10% for 80% of users in static verification (SV), of which five out of five users offered enough samples to participate in S1, indicating that the use of the proposed SV framework, if used in conjunction with conventional methods such as passwords, can offer an additional line of security with good performance.
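
The acceptance bar in the last highlight (F1 of at least 90% with an imposter FAR of up to 10%) and the EER quoted in the abstract can be computed as shown below. This is an added example, not code from the paper or the Biotouch framework; the similarity scores, the threshold sweep and all function names are assumptions constructed for illustration.

```python
# Added example, not from the paper. Scores are constructed; higher means
# "more like the account owner" (an assumption about the model's output).
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.97, 0.85, 0.93, 0.62, 0.90, 0.96]
IMPOSTER = [0.12, 0.33, 0.25, 0.71, 0.08, 0.41, 0.19, 0.55, 0.30, 0.83]

def evaluate(genuine, imposter, thr):
    """Accept a session when score >= thr; return F1, FAR and FRR."""
    tp = sum(s >= thr for s in genuine)    # owner sessions accepted
    fn = len(genuine) - tp                 # owner sessions rejected
    fp = sum(s >= thr for s in imposter)   # imposter sessions accepted
    # F1 is the harmonic mean of precision and recall, written in count form.
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return {"f1": f1, "far": fp / len(imposter), "frr": fn / len(genuine)}

def equal_error_rate(genuine, imposter):
    """Try every observed score as threshold; return (EER, threshold)
    at the point where FAR and FRR are closest to each other."""
    best = None
    for thr in sorted(set(genuine) | set(imposter)):
        m = evaluate(genuine, imposter, thr)
        gap = abs(m["far"] - m["frr"])
        if best is None or gap < best[0]:
            best = (gap, (m["far"] + m["frr"]) / 2, thr)
    return best[1], best[2]

def meets_target(m, min_f1=0.90, max_far=0.10):
    """Bar quoted in the highlights: F1 >= 90% and imposter FAR <= 10%."""
    return m["f1"] >= min_f1 and m["far"] <= max_far

if __name__ == "__main__":
    eer, eer_thr = equal_error_rate(GENUINE, IMPOSTER)
    print(f"EER = {eer:.2%} at threshold {eer_thr}")
    # A permissive threshold never rejects the owner but admits imposters.
    for thr in (0.50, eer_thr):
        m = evaluate(GENUINE, IMPOSTER, thr)
        verdict = "meets target" if meets_target(m) else "below target"
        print(f"thr={thr:.2f} F1={m['f1']:.2%} FAR={m['far']:.2%} "
              f"FRR={m['frr']:.2%} -> {verdict}")
```

On this constructed data the permissive threshold of 0.50 rejects no legitimate session yet accepts 30% of imposters, so it fails the bar even though its recall is perfect.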


Summary

Introduction

At least 5 billion people use mobile telephones [1], including 3.2 billion people who use smartphones [2], and among them, 2 billion use their smartphones to access banking applications [3]. As reported in a Kaspersky Lab report released in 2019, the number of attacks on mobile devices doubled in 2018, with more than 1165 million [4]. This migration to mobile applications motivated the evolution of authentication methods over time, aiming to ensure fraud prevention, especially in the case of critical applications such as financial ones. The first interaction of a user with a mobile device and applications is the authentication process. There are three traditional methods to authenticate a user: possession of something, knowledge of information, and biometrics, i.e., something that is part of the person’s body or behavior [5]. Biometric authentication is an interesting means of hindering fraud because of the effort required to forge something that is part of a person compared to the effort related to producing something that the person knows or owns.
