Germany’s big three telcos of Deutsche Telekom, Vodafone and Telefonica are the latest to sign up for the GSMA’s Mobile Connect standard, which provides a foundation for use of smartphones as secure tokens for a range of pay services including mobile TV accessed on the device itself. They join many major mobile operators in other countries, such as China Mobile, America Movil, Turkcell, and South Korea’s LG+.
The surprise is that it has taken so long for the standard to ripple around the world, as it has been on the table for several years and made a big splash at Mobile World Congress 2018 when the GSMA trumpeted its virtues and paraded recent adopters. But the truth is that the promise of strong security and authentication without friction is a false one, and therefore the industry, including operators, device makers and security vendors, has had to develop enhancements that are as unobtrusive as possible.
The basic idea that smartphones eliminate the need for separate secure tokens is sound and certainly does provide a convenient base for secure authentication, at least of the user, but it obviously creates a focal point of vulnerability given that handsets can be stolen. The suggestion that passwords, usernames and other authentication hurdles can be avoided is therefore bogus. At the very least, secure services tend to be associated with transmission of one-time PINs or passwords to the handset, which the user then enters, as an attempt to avoid the risk associated with smartphone loss or theft; but then that relies on the user entering some passkey to provide that second factor of security.
Such techniques are vulnerable to various forms of SMS intercept attack, for example where perpetrators convince a target’s mobile operator that the phone has been lost so that service is switched to a new SIM card that the attacker controls. This has led to some improvements, for example an authentication process developed by New York-based Boloro, certified by the GSMA under its Mobile Connect program. The key point is that it circumvents both the internet and the device OS, protecting against attacks that exploit exposure to the former and vulnerabilities in the latter. It means the authentication process can be separated entirely from the associated transaction or app, running through the mobile operator’s secure signaling layer instead of over the internet. The firm argues that not just one-time passwords sent via SMS but also biometrics can be compromised. However, this technique still relies on a password or PIN that the user remembers along with the device itself, making it a two-factor system.
Criticisms by such vendors of biometrics are valid when applied to current implementations but not particularly constructive, because clearly incorporating some unique property of the user has potential to strengthen security by providing an extra layer of defense. It is true that the biometric systems implemented on smartphones today by Apple, Microsoft, Samsung and others have been hacked many times and are much less robust than equivalents on high end systems such as those used for access control to secure buildings. One obvious criticism of systems such as Microsoft’s Windows Hello, in a practice common to most smartphones, desktops and tablets that implement them, is that they fall back to a PIN if the fingerprint, facial or iris recognition system does not work for any reason.
Therefore, this is not really a third factor, since anyone can get access if they have just the phone and know the PIN. In such cases, the biometric system is deployed more for convenience, since when it does work the user gains access to the phone’s capabilities and apps quickly without having to key in a PIN. It is certainly true that more development is needed to make such biometrics robust enough to stand on their own without a PIN backup while not consuming too much processing power or energy.
It may be that the upfront techniques, that is facial, iris or fingerprint recognition, are not optimal for smartphones, and for that reason there has been growing interest in keystroke biometrics, designed to recognize the unique behavioral patterns of users as they tap in, say, a password to verify their identity. The attraction is that this combines two factors neatly, that is something the user knows and something the user is. Also, there is no issue with dirt or variations in presentation as with those direct biometric techniques, so the challenge comes down entirely to accuracy.
That indeed has been a problem but a recently published IEEE paper outlines significant progress reducing the key metric here, known as the equal error rate (EER), well known to statisticians. This is determined by adjusting a biometric system to equalize the number of false positives and false negatives, which involves adjusting the bar above which users are recognized and below which they are not. This means balancing sensitivity, a measure of how likely the system is to identify the user correctly or register a true positive, against specificity, which determines how likely it is to correctly identify impostors, a true negative.
If sensitivity is 100% there are no false negatives (every genuine user is recognized), and if specificity is 100% there are no false positives (no impostor is accepted). In practice, the two are in opposition, so that raising one tends to lower the other, and the EER is measured after they have been equalized on the basis that normally it is desirable to have both false positives and false negatives as low as possible. The EER is then determined by dividing that equal number of both false positives and negatives by the total number of authentications attempted in a trial. The lower the EER, the more accurate the biometric system, and the same principle applies in other domains, such as medical diagnostic tests.
In the IEEE paper a technique described as differential evolution, which is a form of machine learning under a different cloak, achieves EERs as low as 0.1266% under ideal conditions. This represents huge progress in a field that like other biometric areas goes back at least 20 years but where accuracy has only reached acceptable levels recently through progress in machine learning.
The patterns used in keystroke dynamics are derived from the timing between key presses and releases by the user, and until recently accuracy levels stuck stubbornly at around 70%, which is clearly useless for practical application. But once 99.9% is exceeded it begins to become feasible. At present, though, such high levels of accuracy can only be attained when the system is presented with a large sample of user keystroke actions for the algorithms to train on, so there are some practical considerations. However, such training could occur during the user’s normal activity, so that the biometric could be invoked once a sufficient level of accuracy has been achieved. It clearly has potential to complement the GSMA’s Mobile Connect.
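As an added illustration of the two ideas above (keystroke timing features and the EER), and not code from the article or the IEEE paper it cites, the Python below derives hold and flight times from press/release events, scores attempts against an enrolled template with a simple scaled Manhattan distance (a stand-in chosen here, not the paper's differential-evolution method), and sweeps an accept threshold to locate the equal error rate. All timings and the "pass1" attempts are constructed.

```python
from statistics import mean, pstdev

def timing_features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order.
    Returns hold times (release - press) followed by flight times
    (next press - this release), the raw material of keystroke dynamics."""
    holds = [r - p for _, p, r in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights

def enroll(samples):
    """Template of (mean, std) per feature from several enrollment attempts."""
    cols = zip(*(timing_features(s) for s in samples))
    return [(mean(c), pstdev(c) or 1.0) for c in cols]

def score(template, events):
    """Scaled Manhattan distance to the template; lower = closer to the user."""
    feats = timing_features(events)
    return sum(abs(x - m) / s for x, (m, s) in zip(feats, template)) / len(feats)

def equal_error_rate(genuine, impostor):
    """Sweep the accept threshold over every observed score. FRR = share of
    genuine attempts rejected (false negatives), FAR = share of impostors
    accepted (false positives); the EER is the rate at the threshold where
    the two are closest to equal. Returns (eer, threshold)."""
    best = None
    for t in sorted(set(genuine + impostor)):
        frr = sum(g > t for g in genuine) / len(genuine)
        far = sum(i <= t for i in impostor) / len(impostor)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), (far + frr) / 2, t)
    return best[1], best[2]

def make_attempt(hold, flight, jitter):
    """Constructed attempt at typing 'pass1': base hold/flight times in ms
    plus a small deterministic per-key jitter (no real user data)."""
    events, t = [], 0
    for i, k in enumerate("pass1"):
        j = ((i * 7 + jitter) % 5) - 2          # jitter in -2..2 ms
        events.append((k, t, t + hold + j))      # (key, press, release)
        t += hold + flight                       # next press time
    return events

def demo():
    """Enroll one constructed user, then score genuine and impostor attempts.
    The impostor types with clearly different rhythm, so the sets separate."""
    template = enroll([make_attempt(100, 150, j) for j in range(5)])
    genuine = [score(template, make_attempt(100, 150, j)) for j in range(5, 9)]
    impostor = [score(template, make_attempt(60, 250, j)) for j in range(4)]
    return equal_error_rate(genuine, impostor)
```

With real users the genuine and impostor score distributions overlap, and the threshold returned by `equal_error_rate` is where the article's balance between sensitivity and specificity is struck.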