Mobile Device Authentication – A Look at Behavior-based Authentication

finjanmobileBlog, Mobile Security

Behavior-based Authentication

Though they’re growing to become as much a part of everyday life as the clothes we put on every morning, mobile devices are still looked upon as a useful appendage, rather than a vulnerable repository for our priceless personal data, financial information, photographs, and contacts.

A 2014 study in the Symposium on Usable Privacy and Security (SOUPS) revealed that 57% of smartphone owners don’t even bother to lock their devices when they leave them unattended. This opens opportunities for thieves, passers-by, or malicious intruders to gain access to precious devices and the even more valuable information on them – and highlights the need for strong mechanisms to prevent unauthorized access.

Passwords and lock screens have traditionally served this purpose – but with so many users neglecting to make use of these methods, there’s a necessity for reliable methods of access control that can by-pass user reluctance – by being convenient enough for device owners to deploy them without having to think about it.

Behavior-based, implicit or active authentication methods are viewed as one solution to this problem.

Behavior-based Authentication – Basic Principles

Much of the ineffectiveness of passwords, lock screen patterns and other conventional methods of user authentication and access control is that mobile device owners perceive them as an inconvenience – just one more thing to remember or action to perform before they can get down to the serious business of texting, browsing, or shopping.

Another aspect of the problem is that smartphone screens and other Mobile Internet Devices (MIDs) don’t really lend themselves to typing – hence the popularity of AutoComplete functions and emoji. And that’s partly why virtual or soft keyboards were invented – but the form factor remains awkward, and mistakes are still often made.

But what if those very same typographical errors you habitually make on the keyboard could be remembered by your machine (together with other characteristics like the pressure you exert on each key as you hit it), and used to determine that it’s actually you, typing?

That’s the guiding principle behind behavior-based authentication: Establishing a unique profile of your physical/biometric interactions with your mobile device, together with your habitual patterns of activity and other identifying factors, to enable your smartphone or tablet to determine in real time whether or not it’s you that’s actually using the device.

Behavioral Markers

Several aspects of the way we interact with our mobile devices have unique characteristics that can be monitored and used as personal identifiers.

Researchers Lex Fridman, Steven Webery, Rachel Greenstadty, and Moshe Kamz, working out of the Massachusetts Institute of Technology (MIT), Drexel University and the New Jersey Institute of Technology ran an extensive study involving 200 subjects using their personal mobile devices over a period of 30 days in an environment which closely simulates the enclosed atmosphere of a commercial enterprise – where any unauthorized user of a device would most likely be an insider.

Authentication algorithms were devised for the test subjects on the basis of four behavioral biometric markers:

  1. Stylometry
  2. The use of mobile applications
  3. Web browsing activity
  4. Geographical location


Stylometry is the characteristic associated with the input of text on a mobile device. It ranges in scope from the keystrokes you use when typing on a keypad or virtual keyboard to your use of syntax and linguistic style. All of these are unique personal markers and may be used separately or in combination to allow a device to create a distinctive user profile.

As the errors you habitually make when typing are as much a part of your persona as the pressure you exert on the keys, there’s a lot of information which may be gleaned from your text input practices to provide an accurate picture of you as a user.

Handwriting and gesture recognition algorithms would be included in this category, so your individual tendency to pinch, zoom or swipe may also be added to the mix.

Application Usage

The mobile apps you habitually use, the time you spend using them, and the types of tasks or activities you perform with each one, all contribute to your application usage profile.

Identifying markers may be gathered from your per-application user settings (including themes, screen fonts, AutoSave, etc.), as well as the documents and images you store on your device. System information such as how long a particular app typically resides in your memory cache may also be taken into consideration.

Browsing Habits

In a similar fashion, this characteristic considers the websites you visit (using your browser, or dedicated platforms like social media apps), how long you spend there, and what you typically do. Cookies, subscriptions, and online purchases can add time and site-specific information to the pool of data used in creating this kind of profile, together with supplementary information from carriers and service providers, such as IP addresses.


Your physical location on the globe is another behavioral marker, as it’s affected by your habitual patterns of movement during the day.

A profile may be established using geo-location readings from GPS when you’re outdoors, or WiFi when you’re indoors. Information may also be contributed through indirect means such as the triangulation of your position from nearby cellphone towers, or the general location information provided by your network carrier.

Multi-modal Systems

With several behavioral markers to choose from, it’s possible to create a recognition system which uses inputs from two or more streams – and that’s what multi-modal authentication schemes are intended to do.

The problem with creating an effective multi-modal system is that each of the behavioral markers used has to be sampled (ideally) for a different time period to achieve reliable recognition accuracy. And extended sampling for some biometrics (most notably, GPS tracking and touch-sensitive monitoring using device gyroscopes and accelerometers) results in significant battery drain.

Implicit Authentication

Markus Jakobsson, Elaine Shi, Philippe Golle, and Richard Chow of the Palo Alto Research Center have developed a behavioral algorithm which they claim addresses the time and battery drain issues of multi-modal sampling.

Their proposed system uses an approach they call “implicit authentication“, which continuously monitors user activity for behavioral markers, and only issues an authentication challenge if the activity it observes over a given time seems to indicate that someone other than the profiled owner is currently using the device.

The overhead on data handling and activity monitoring is reduced by supplementing the recognition data stream with inputs from so-called “low fidelity” sources like carrier data, system architecture, and information from the cloud.

Behavior-based Authentication – Scope and Applications

Behavior based authentication isn’t just a bunch of nebulous academic research. The core technologies already exist, and some mobile apps are already available which use stylometric authentication for lock screen access and the launching and management of applications and files. Registered patents exist for behavior-based authentication platforms for touch screen devices.

Implicit authentication based on behavior also has potential as a secondary element in multi-factor authentication systems, when used in conjunction with passwords or other conventional methods.

Share this Post