In this thesis, we presented a catalog of seven criteria. This number is not based on a voluntary decision. It just happened that after four years of intensive work, we ended up having this number of criteria. Each single criterion is not based on a one-time simple observation or thought. They are all the result of ongoing work and thus each criterion has been extended and improved a multitude of times. Therefore, we argue that in the next years, the criteria are likely to be further improved. It is also possible that based on future work, new criteria have to be defined to fill gaps that we are not yet aware of. That is, the catalog as presented in chapter 6 should not be seen as a final truth but rather a helpful toolbox that is likely to be extended with more tools.
Criterion 6 (resistance to distractions) has never been approached in a practical way within this thesis. When applying the criteria to VibraPass and EyePassShapes (see chapter 6.2), it was only tested upon theoretically. The nature of this criterion does actually encourage such an approach since a theoretical analysis does reveal most of what we need to know to judge this factor. For instance, if an authentication attempt has to be fulfilled in a single stroke and will fail otherwise, the criterion can be considered violated. On the other hand, a system like standard PIN-entry is very resistant to distractions because each digit can be input separately without a time limit. Practically, this might be a problem. While theoretically, resuming PIN-entry is no problem, it can limit the use of advanced memorability strategies and thus resuming can fail.
This raises the question how and if an authentication mechanism can be practically tested on resistance to distractions, especially in a lab study. Such a research question is both very difficult to answer and highly interesting at the same time: Can we develop a good method for testing distractions in a lab setting? We can think of a great deal of solutions for this problem but their appropriateness is yet to be proven. A very promising candidate could be an extended version of the cave-like setting as described by Dunphy et al. in [44]. They set up a fake ATM terminal in their lab and surrounded it with a projection of a public setting as shown in figure 7.1. In such a setting, active distractions could be injected to test how users react to them and if they are able to resume the authentication process after the distraction occurred. A distraction could be a passerby asking the user for help or the like. We observed similar and other distractions in our field study as described in chapter 5. One way could therefore be to model these distractions and add them to the study scenario.
Even though technically possible, distractions might be too artificial in a lab setting and are likely not to distract users at all. This is something that has to be evaluated carefully. Only to name a few, important research questions are therefore: To which degree is it possible to distract a user in an artificial setting? How immersive does such a setting have to be to work? What intensity of distraction are required to attract attention? This shows that this problem cannot be simply solved but we believe that it is worth investigating. This way, a methodology could be created to test distractions in lab settings not only for authentication tasks, but for any kind of interaction technology.
It has to be noted that distraction plays an important role also in other research areas. This is however usually approached the other way round. For instance, the lane-change task [92]
Figure 7.1: Intentional distractions in an ATM lab study. This setup has been used by Dun- phy et al. in [44] to provide a more realistic setting for ATM interaction within a controlled lab study. The screens around the ATM mock up display recordings that have been made around a real ATM.
is a methodology designed for the evaluation of in-car interfaces that tests how much (using a quantitative measurement) a secondary task distracts a user from the primary task, which is driving. What would be needed to evaluate criterion 6 would be a methodology to actively distract a user rather than measuring distraction.
We presented significant improvements to current authentication systems but we cannot claim that we created “the one authentication mechanism to replace them all”. From our experience based on this work, we argue that there is a high chance that such a system simply does not exist and that it is highly depending on the context. That is, in a different context, a different system might be the best solution.
At this point, we have to ask again whether biometrics might be the solution. From a point of view of the criteria defined in this thesis, biometric authentication in general would be a great candidate. As discussed in chapter 2.1, mainly privacy concerns still hinder its wide adaptation. Therefore, if biometrics are to replace standard authentication, this aspect has to be dealt with both in industry as well as in research. The main problem is the collection and storage of bio- metric data which users consider lost forever, once it is in possession of another entity, like a bank.
The biometric daemon [13] is a concept describing a possible solution: A pet, that lives with its users and “learns” their biometric features from them. Authentication is done by the daemon rather than its user. Once the user moves too far from it, the daemon dies. Having the biometric data always close to them, this concept might allay the users’ doubts. A very important thought of this concept is to create a biometric system in which the data does not have to be given away but
Figure 7.2: Interaction with TreasurePhone [116]. Different profiles of the phone and cor- responding data are protected until the user is in the right context. Left: By touching a room plate enhanced with an NFC tag, the user activates a location that defines a context like “work” or “home”. Right: Controlling an NFC-based lock activates a specific action that defines a context as well.
always remains with the user. We can imagine a biometric box (which could be a smartphone for example) or something key-like. The box learns the biometric data from the users while it stays with them. Starting from simple data like fingerprints to biometric information on how the users move, how they hold the box, etc. To authenticate to a system, the box or key has to be “opened” or “made ready”. To do so, biometric features of the user are exploited. In the best case, this could happen implicitly while pulling the box from the pocket. To authenticate to a system, the only property that it has to know is whether the box is open or not. After authentication, the box closes again. Since the biometric data never leaves the device, the users do not have to provide them to a third entity. This is just a quick thought but it highlights that if researchers work on the privacy problem, biometric authentication can be an important factor in our future.
Besides token-based and biometric authentication, there is a third field of authentication that has great potential, implicit authentication. The main idea is that authentication is implicitly happen- ing and not anymore something the user actively does. That is, it eliminates active authentication as a cumbersome task that users do not want to be bothered with since it is not their primary goal [133]. Oftentimes, biometric information is used to achieve this goal, but in many cases, context information can be used as well. When we developed TreasurePhone [116], we created a system in which context is used to define whether a specific profile (and with this specific data) of a smartphone can be viewed or not. Therefore, it uses actions and locations as shown in fig- ure 7.2. For instance, when a user opens an office door with the mobile device (e.g. using NFC), the phone switches to the “work” location and data related to the user’s work becomes available. Even though this is authorization rather than authentication, the system shows how context can be used to grant or deny access to a specific entity.
Especially the field of mobile personal devices can highly benefit from implicit authentication. For instance, modern mobile phones have different mechanisms to unlock the displays or keypads so that the user can interact with the device. These include for instance moving locks from one side to another or dragging windows down. Adding a biometric component to this approach, the mobile device could not only measure that the unlock mechanism was used but also how. This way, the user can be identified and authorized to use the phone or not. That is, authentication can take place implicitly in such an approach. Other approaches of implicit authentication could include shaking patterns and the like. Theoretically, the criteria of implicit authentication do not differ significantly from the ones presented in this thesis. Even though authentication is happening implicitly, the design of the system is important for its speed, security, robustness to distractions etc.1
In this chapter, we showed that there is still a large body of open research questions related to authentication. We are currently continuing our work with a focus on the just presented topics.