Risk-Driven Behavioral Biometric-based One-Shot-cum-Continuous User Authentication Scheme
Journal of Signal Processing Systems (IF 1.8), Pub Date: 2021-04-07, DOI: 10.1007/s11265-021-01654-2
Attaullah Buriro, Sandeep Gupta, Artsiom Yautsiukhin, Bruno Crispo

The paper presents a risk-driven behavioral biometric-based user authentication scheme for smartphones. Our scheme delivers one-shot-cum-continuous authentication: it authenticates users not only at the start of the application sign-in process but also throughout the active user session. The scheme leverages the widely used PIN/password-based authentication technology by giving users the flexibility to enter any random 8-digit alphanumeric text instead of a pre-configured PIN/password. Internally, the scheme exploits two behavioral biometric traits, i.e., touch-timing-differences of the entered strokes and the hand-movement gesture recorded during the random text entry, to authenticate users. For the entire user session, the scheme continuously authenticates the user by computing the risk-score every time the user initiates a sensitive activity. If the risk-score is higher than the predefined threshold, the current user session terminates. Afterward, the scheme requests the user to re-authenticate. Thus, our scheme serves three main objectives. Firstly, it offers users the flexibility to enter an 8-digit random alphanumeric text as their secret, enhancing the usability of PIN/password-based schemes. Secondly, it strengthens the security of PIN/password-based schemes, as the verification decision is not binary and, as our security analysis determined, mimicking the invisible touch-timings and hand-movements simultaneously could be extremely difficult. Lastly, the scheme does not require any dedicated device (e.g., a smart token for OTP generation) for 2-factor authentication. The results obtained on 11,400 user-samples (collected over 3 days of in-the-wild testing) and user-experience responses (received from the Software Usability Scale survey) of 95 testers demonstrate our scheme as an accurate and acceptable user authentication scheme.




Updated: 2021-04-08