In the 1990s, the touch screen had its place in niche markets such as restaurant consoles and other businesses that lend themselves to this type of user interface. Yet it was the smartphone interface that produced the first real breakthrough in touch screen usability, since the reduced real estate forced innovative and efficient workflow designs. The next breakthrough was the inclusion of gesturing, made possible by new multi-touch sensing screens. In 2006, NYU research scientist Jeff Han[1] allowed the user interface to change lanes from “tasks defining user behavior” to “user gestures defining tasks”.
This innovative use of technology ushers in an astounding array of new input patterns. Input is no longer tethered to keypads, keyboards, smartcards or biometric devices; rather it has become four-dimensional, assimilating codes, gestures, motions and timing into a complex representation of user behavior. The time is ripe for a new security paradigm to grow from these patterns. Security will no longer be defined by users following access rules, but by devices “listening” to what the user wants (as security) and learning the user's behavior in context.
Security can be enhanced in three distinct ways: multi-modal, multi-factor, and cooperative extensions. Multi-modal enhancements increase security by introducing new inputs into an existing system, enlarging the space an attacker must search. Multi-factor enhancements add further dimensions of security: not just what a user knows, but what a user possesses and how the user behaves. Finally, cooperative extensions allow security to use external (out-of-band) knowledge about a user to augment the security context in which the user operates.
Increasing Security with Simple Math
Shortly after reading that Synaptics has introduced a multi-touch screen capable of ten-finger touch[2] for ordinary mobile phones, the idea of Nth-level security came to mind.
Why? Simple math, of course. If a keypad requires a password of 4 numeric digits, the possible combinations run from 0000 to 9999: 10 symbols taken 4 at a time, or 10^4 = 10,000. Now imagine each press of the keypad replaced by a dual-key press. There are 90 two-digit codes in which the digits differ (00…99 minus the 10 doubled digits), so the limit jumps to a staggering 90^4 = 65,610,000. One caveat a practitioner should note: two keys pressed at the same instant have no order, so unless the sensor can tell which finger landed on which key, the distinct pairs number C(10,2) = 45 and the space is 45^4 = 4,100,625. That is still more than 400 times the space of a 4-digit PIN.
Allowing both single and double key presses at each position gives 100 distinct symbols (10 singles plus 90 pairs), so a 2-position code already matches the 10,000 combinations of a 4-digit PIN: 100^2 = 10,000. Every gesture added to the symbol set multiplies the space again. Keep in mind that a larger space only raises the cost of guessing; with a lockout after a handful of attempts, the relevant figure is the probability that those few guesses succeed.
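The arithmetic above, as an added worked example (this is illustrative code written for this page, not anything from the Synaptics announcement). It computes the keyspace, entropy in bits and per-lockout guess probability for each keypad scheme; the number of extra gesture symbols is a parameter I am assuming, since the page gives no figure for it.

```python
from math import comb, log2

DIGITS = 10  # keys on a numeric keypad


def ordered_pairs(n: int = DIGITS) -> int:
    """Two-key codes where the sensor can tell which key each finger hit:
    00..99 minus the 10 doubled digits, i.e. n*n - n (90 for a keypad)."""
    return n * n - n


def unordered_pairs(n: int = DIGITS) -> int:
    """Two keys pressed simultaneously with no discernible order: C(n, 2) (45)."""
    return comb(n, 2)


def keyspace(symbols: int, length: int) -> int:
    """Distinct codes of `length` positions, each drawn from `symbols` choices."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy of a uniformly chosen code from a space of the given size."""
    return log2(space)


def guess_probability(space: int, attempts: int) -> float:
    """Chance that a uniformly random code falls within `attempts` guesses,
    e.g. the guesses an attacker gets before a lockout triggers."""
    return min(attempts, space) / space


def schemes(gestures: int = 0) -> dict:
    """Keyspace of each scheme discussed on the page. `gestures` is an assumed
    count of extra gesture symbols added to the single/double symbol set."""
    mixed = DIGITS + ordered_pairs()  # 10 singles + 90 pairs = 100 symbols
    return {
        "4-digit PIN": keyspace(DIGITS, 4),
        "4 dual-presses, ordered pairs": keyspace(ordered_pairs(), 4),
        "4 dual-presses, unordered pairs": keyspace(unordered_pairs(), 4),
        "2 positions, single or double press": keyspace(mixed, 2),
        "4 positions, single/double + gestures": keyspace(mixed + gestures, 4),
    }


if __name__ == "__main__":
    for name, space in schemes(gestures=8).items():
        print(f"{name:40s} {space:>18,d} {entropy_bits(space):6.1f} bits"
              f"  p(5 guesses)={guess_probability(space, 5):.2e}")
```

The last column is the number that matters for a keypad with a five-attempt lockout: the 4-digit PIN gives an attacker a 1-in-2000 chance per lockout cycle, the dual-press schemes push that to roughly one in a million or better.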
This type of security does not just apply to computers and mobile devices, but everyday security such as home alarm keypads and car security systems.
Increasing Security through User-Defined Behavior
These new interface elements allow us to have better security through behavior. My expertise is in the keystroke dynamics world, where a behavioral biometric is assessed from the rhythm of one's typing: specifically flight time (the interval between releasing one key and pressing the next) and dwell time (how long a key is held). This creates a fairly robust, albeit single-faceted, behavioral mapping of a user.
With multi-touch screens and gestures, the characteristics of the input itself can be incorporated: not only the timings from the keystroke dynamics realm, but the stroke patterns, angles and pressures from the handwriting recognition realm. Security becomes a far less constrained medium.
Imagine allowing users to set their access method to whatever behavior combination they decide is appropriate for them. It could be as simple as a multi-touch code on the keypad. Or perhaps it is the user drawing a custom gesture on the touch screen. On mobile phones with motion sensors, security can even be as natural as doing the Macarena (while holding the phone in one hand)! Such a phone can even detect that it is not in its normal owner's pocket by computing the owner's innate stride and gait from its gyroscopic sensors.
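To make the dwell/flight idea concrete, here is an added example of a minimal keystroke-dynamics verifier. It is illustrative code written for this page, not the author's product or any commercial algorithm: it extracts dwell and flight times from key-down/key-up timestamps, builds a template of per-feature means and standard deviations from a few enrolment samples, and scores a probe with a scaled Manhattan distance. The timestamps, the 10 ms standard-deviation floor and the 1.5 acceptance threshold are constructed values chosen for the demonstration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class KeyEvent:
    key: str
    down: float  # key-down timestamp, milliseconds
    up: float    # key-up timestamp, milliseconds


def make_sample(keys, dwells, flights, start=0.0):
    """Build a key-event sequence from dwell (hold) times and flight
    (release-to-next-press) times. Used here to construct sample data."""
    events, t = [], start
    for i, (k, d) in enumerate(zip(keys, dwells)):
        events.append(KeyEvent(k, t, t + d))
        if i < len(flights):
            t = t + d + flights[i]
    return events


def features(events):
    """Feature vector: dwell time of each key, then flight time between
    consecutive keys (flight can be negative when keys overlap)."""
    dwell = [e.up - e.down for e in events]
    flight = [b.down - a.up for a, b in zip(events, events[1:])]
    return dwell + flight


MIN_STD_MS = 10.0  # assumed floor: a handful of samples underestimates real variance


def enroll(samples):
    """Template = per-feature mean and (floored) standard deviation."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrolment samples must share one key sequence length")
    cols = list(zip(*vectors))
    means = [mean(c) for c in cols]
    stds = [max(pstdev(c), MIN_STD_MS) for c in cols]
    return means, stds


def score(template, events):
    """Scaled Manhattan distance from the template; 0.0 is a perfect rhythm match."""
    means, stds = template
    v = features(events)
    if len(v) != len(means):
        raise ValueError("probe length does not match the template")
    return sum(abs(x - m) / s for x, m, s in zip(v, means, stds)) / len(v)


def verify(template, events, threshold=1.5):
    return score(template, events) <= threshold


# Constructed data: three enrolment typings of the PIN 1-2-3-4, a genuine
# probe with the same rhythm, and an impostor who knows the PIN but not the rhythm.
PIN = ["1", "2", "3", "4"]
ENROLMENT = [
    make_sample(PIN, [100, 110, 105, 95], [150, 160, 140]),
    make_sample(PIN, [105, 100, 110, 100], [145, 155, 150]),
    make_sample(PIN, [95, 105, 100, 105], [155, 150, 145]),
]
TEMPLATE = enroll(ENROLMENT)
GENUINE = make_sample(PIN, [102, 104, 108, 98], [152, 153, 148])
IMPOSTOR = make_sample(PIN, [60, 65, 60, 70], [400, 380, 390])

if __name__ == "__main__":
    print("genuine  score", round(score(TEMPLATE, GENUINE), 3), verify(TEMPLATE, GENUINE))
    print("impostor score", round(score(TEMPLATE, IMPOSTOR), 3), verify(TEMPLATE, IMPOSTOR))
```

The point of the example is the separation of the two cases: the correct PIN alone is not enough once the rhythm is part of the credential. In practice the threshold is set from measured false-accept and false-reject rates, and the rhythm check is layered on top of the secret rather than replacing it.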
Increasing Security Using Cooperative Information
Security through user behavior is not a novel concept. Behavioral biometrics has been studied at various times throughout modern history, as far back as WW-II with the
Security improves markedly when internal measures can be augmented by external factors. In Bruce Schneier's security blog (and in his book “Beyond Fear”), there is a great anecdote about the lima bean plant's natural defense mechanism[3]. To paraphrase: when a lima bean plant is attacked by a certain bug, it emits a pheromone that attracts the bug's own predator. The unique characteristic is that once one lima bean plant emits this pheromone, all the surrounding lima bean plants are triggered to emit it too, proactively protecting the entire lima bean patch.
This “cooperative security” mechanism suggests a novel approach to access security. The same paradigm already exists in some newer IPSs (intrusion prevention systems) such as LayerX Technology[4], whereby a confirmed breach attempt on one edge device is shared with the other edge devices in that community, so that they can proactively block the same attempt across the enterprise.
With the advent of seamless Bluetooth connectivity, other devices can promote access security by sharing their access meta-information with surrounding devices. For example, in an office where a rogue user has failed several times to access John Q's mobile device, the phone may send a distress signal to other listening devices (workstations, laptops) warning them to be wary of anyone authenticating to the network as John Q. This can in turn trigger a notification to the security office to investigate more closely, even tracking which door access pads have been used with John Q's code for entry and exit. One caveat: the distress signal itself must be authenticated, otherwise it becomes a denial-of-service lever, since anyone able to broadcast a forged warning could have John Q locked out.
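The distress-signal idea above, as an added example of the correlation logic a listening device (or a central collector) would run over the access reports it receives. This is illustrative code written for this page, not LayerX's or any vendor's implementation; the three-failure threshold, the five-minute window and the sample events are all constructed for the demonstration.

```python
from collections import defaultdict, deque


class CooperativeMonitor:
    """Correlates failed access attempts per claimed identity across every
    device that reports in, and emits an advisory once a threshold is crossed."""

    def __init__(self, threshold=3, window_seconds=300):
        self.threshold = threshold
        self.window = window_seconds
        self._failures = defaultdict(deque)  # identity -> deque of (ts, device)
        self.flagged = {}                    # identity -> set of devices that saw failures

    def observe(self, ts, device, identity, success):
        """Ingest one attempt. Returns the advisory to broadcast when the
        identity crosses the failure threshold inside the window, else None."""
        if success:
            return None
        q = self._failures[identity]
        q.append((ts, device))
        while q and ts - q[0][0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            devices = sorted({d for _, d in q})
            self.flagged[identity] = set(devices)
            return {"identity": identity, "failed_on": devices,
                    "count": len(q), "action": "step_up_auth"}
        return None

    def should_step_up(self, identity):
        """Devices consult this before accepting a login as `identity`."""
        return identity in self.flagged


# Constructed sample: (unix timestamp, reporting device, claimed identity, success)
SAMPLE_EVENTS = [
    (1000, "phone-johnq", "john.q", False),
    (1010, "phone-johnq", "john.q", False),
    (1015, "laptop-alice", "alice", False),
    (1020, "phone-johnq", "john.q", False),    # third failure inside the window -> advisory
    (1030, "workstation-7", "john.q", True),   # a success elsewhere should now be challenged
    (5000, "laptop-alice", "alice", False),    # her earlier failure has aged out of the window
]


def run(events, threshold=3, window_seconds=300):
    """Feed events through a monitor; returns the monitor and the advisories it raised."""
    monitor = CooperativeMonitor(threshold, window_seconds)
    advisories = [a for a in (monitor.observe(*e) for e in events) if a]
    return monitor, advisories


if __name__ == "__main__":
    monitor, advisories = run(SAMPLE_EVENTS)
    for a in advisories:
        print("ADVISORY", a)
    print("step-up for john.q:", monitor.should_step_up("john.q"))
```

Two design points are visible in the code: failures are keyed by the claimed identity rather than by the reporting device, so attempts spread across several devices still add up, and the sliding window keeps an old, isolated failure from poisoning an identity indefinitely. What the example does not do, and a real deployment must, is sign the advisory so that only genuine reporters can trigger a step-up for someone else.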
Security in Context
Can we get better security by simply replacing passwords with gestures? Yes, for a period of time.
In the end, we must concede that all this technology leads us back to the same understanding: security is a process, not a product. There are no absolute safeguards for access control, but the methods presented here extend the space in which security can grow.
We can no longer force security onto the user in an isolated medium, or expect security from a single dimension to be sufficient.
The shift presented here is to derive security methods from the user's behavior and surroundings. As in human-to-human communication, context is imperative to comprehension.
[2] Reference: http://www.betanews.com/article/Tenfinger-multitouch-headed-to-mobile-gadgets-this-year/1248280076
[3] Reference: http://www.schneier.com/news-063.html
[4] We do not promote LayerX above any other IPS, but use it as a reference point for illustration purposes only.
