Multimedia Tools and Applications, Volume 77, Issue 23, pp 30167–30185

Enhancing touch behavioral authentication via cost-based intelligent mechanism on smartphones

  • Weizhi Meng
  • Wenjuan Li
  • Duncan S. Wong

Abstract

Due to the popularity of smartphones, there is a great need to deploy appropriate authentication mechanisms to safeguard users’ sensitive data. Touch dynamics-based authentication has been developed to verify smartphone users and detect imposters. These schemes usually employ machine learning techniques to detect behavioral anomalies by comparing current behavioral actions with the stored normal model. However, we notice that machine learning classifiers often have unstable performance, which would greatly reduce system usability, i.e., cause a high false rejection rate. In this work, we are motivated by this challenge and design a cost-based intelligent mechanism that can choose a less costly algorithm for user authentication. In the evaluation, we conduct a user study with a total of 60 users to investigate the performance of our mechanism with a lightweight touch gesture-based scheme on smartphones. Experimental results demonstrate that our approach can help achieve a relatively higher and more stable authentication accuracy, as compared to the use of a sole classifier.

Keywords

Behavioral biometrics; Touch dynamics; User authentication; Smartphone usability; Intelligent mechanism; Machine learning

Notes

Acknowledgements

The authors would like to thank all participants for their work in the user study.

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. DTU Compute, Technical University of Denmark, Lyngby, Denmark
  2. Department of Computer Science, City University of Hong Kong, Kowloon, Hong Kong
  3. Hong Kong Applied Science and Technology Research Institute, Shatin, Hong Kong