Physical Access Protection using Continuous Authentication

Roland H.C. Yap, Terence Sim, Geraldine X. Y. Kwang, Rajiv Ramnath

Temasek Laboratories, National University of Singapore, 5 Sports Drive 2, 117508, Singapore. Email: [email protected]

School of Computing, National University of Singapore, Singapore 117590. Email: {ryap, tsim}@comp.nus.edu.sg

Abstract: Traditional password-based authentication systems assume that the user who manages to sign on to the system is the actual authorized user. There is no differentiation between the authorized user and an intruder who knows how to sign on to the system. This paper describes an authentication mechanism which reduces the risk of unauthorized system usage by continuously authenticating the current user. This is achieved by using biometric sensors which can verify the user in a transparent fashion. We have developed two such prototype systems, one for Linux and the other for Windows, both of which are directly integrated with the operating system. This paper focuses on the Windows platform. The benefit of our continuous authentication system is that it gives a higher degree of assurance that the authorized user is indeed the one presently using the system, and does so in a way that is transparent to the user. Preliminary user studies on Windows demonstrate that continuous authentication can be used successfully on a user population using Windows on a variety of interactive applications which simulate a general task mix. Our studies show that the goal of transparency is achieved, as most users were neither bothered nor affected by the presence of the continuous authentication system.

I. INTRODUCTION

Traditional password-based authentication systems suffer from two drawbacks. First, they assume that the user who knows the password is the actual authorized user. Second, they assume that the same user is always the one using the system. The first problem can be addressed by adding biometrics to the authentication process. However, this does not address the second problem of an intruder forcibly hijacking the system after the initial sign-on. Using biometrics for the initial login or sign-on process only demonstrates that the intended user has been successfully authenticated at the time of the check. It does not assure that the current user is the correct one. In critical systems, we may want a high degree of assurance that a system is always in the hands of the legitimate user. Thus, a more trustworthy authentication process which can ascertain the identity of the user of the system at all times is desirable. Indeed, after the September 11 attacks, Carrillo proposed the use of continuous biometrics authentication to safeguard an aircraft cockpit against unauthorized control [1].

This paper describes a continuous authentication prototype which is integrated into the Windows XP™ operating system. Our continuous authentication system works by performing frequent checks to determine the identity of the user. In order for continuous authentication to be easily deployable, it should be transparent to the user and not affect existing applications. Our authentication mechanism works in a transparent manner by using two sets of continuous biometric inputs: video from a camera, and fingerprint images from a mouse equipped with a fingerprint scanner. We identify the user by using both face and fingerprint recognition with these two types of biometric modalities. Continuous authentication is integrated into Windows and prevents applications from being used whenever the fusion of face and fingerprint modalities fails to identify the user. This paper summarizes our results on the Windows continuous authentication prototype. We focus on some of the Windows system design issues. In order for continuous authentication to be workable, it should be acceptable to users. Our preliminary study on a population of users shows that, with continuous biometric authentication, good user acceptance is achievable even on single-processor machines, which means that multi-core machines will have even less user impact.

978-1-4244-1978-4/08/$25.00 ©2008 IEEE

II. CONTINUOUS AUTHENTICATION SYSTEM ARCHITECTURE

The overall system architecture for our Windows Continuous Biometrics prototype is shown in Figure 1. Two sources of biometric data are used, a camera and a fingerprint mouse.¹ The overall control and data flow is similar to an earlier Linux prototype [3]. We periodically sample the video input and mouse fingerprint scans to run face detection and recognition on the video image and fingerprint recognition on the fingerprint scan. The features from both modalities are then fused into a composite score [4] and compared against a threshold to determine whether the user's biometrics are recognized or not. Whenever an unauthorized user is detected, the continuous authentication system will prevent further use of the system by the user.

¹ We employ a SecuGen OptiMouse III [2] and the corresponding fingerprint detector in the SecuGen SDK.
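The sample, fuse, threshold and disable flow described above can be sketched as follows. This is an added example, not code from the paper or its prototype: the weighted-mean fusion, the decay applied when no biometric is observed, and every constant and score are assumptions standing in for the fusion method of [4], which this page does not describe.

```python
"""Toy continuous-authentication decision loop (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All constants are assumptions for illustration, not values from the paper.
W_FACE, W_FINGER = 0.4, 0.6   # fusion weights
THRESHOLD = 0.5               # combined score below this disables access
DECAY = 0.7                   # per-tick decay when no biometric is observed


@dataclass
class Sample:
    face: Optional[float]    # face match score in [0, 1]; None if no face detected
    finger: Optional[float]  # fingerprint match score; None if no finger on scanner


def fuse(sample: Sample) -> Optional[float]:
    """Weighted mean over the modalities present; None if neither was observed."""
    present = [(w, s) for w, s in ((W_FACE, sample.face), (W_FINGER, sample.finger))
               if s is not None]
    if not present:
        return None
    return sum(w * s for w, s in present) / sum(w for w, _ in present)


def monitor(samples: List[Sample]) -> List[Tuple[float, str]]:
    """Return (combined score, access state) for each sampling tick."""
    score = 1.0  # assumption: the user has just passed the initial sign-on
    out = []
    for sample in samples:
        fused = fuse(sample)
        # Fail closed: with no fresh observation, confidence decays toward zero.
        score = score * DECAY if fused is None else fused
        state = "ENABLED" if score >= THRESHOLD else "DISABLED"
        out.append((round(score, 3), state))
    return out


# Constructed session: owner present, looks away, leaves, someone else sits down.
SESSION = [
    Sample(face=0.9, finger=0.8),    # owner, both modalities observed
    Sample(face=None, finger=0.8),   # owner looks away, hand still on mouse
    Sample(face=None, finger=None),  # nobody observed
    Sample(face=None, finger=None),  # still nobody: confidence keeps decaying
    Sample(face=0.2, finger=0.1),    # a different person
]

if __name__ == "__main__":
    for tick, (score, state) in enumerate(monitor(SESSION)):
        print(tick, score, state)
```

The decay term is what makes an empty chair eventually lock the session instead of leaving the last good score in force indefinitely.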

[Figure 1: system architecture diagram. Surviving labels: "Calculate score", "Calculate Score", "Combined score", "Disable System Access", "Score".]