In the third research result of the month we report on the recent results in gesture-based authentication of users on mobile devices. We interview Assistant Professor Teemu Roos regarding the recent accepted scientific article in the top-tier ACM MobiSys 2014 conference.

Research result of the month: Free-Form Gestures for Mobile Authentication

In the third research result of the month we report on the recent advances in gesture-based authentication of users on mobile devices.

The research article titled “User-Generated Free-Form Gestures for Authentication: Security and Memorability” by Michael Sherman, Gradeigh Clark, Yulong Yang, Shridatt Sugrim, Arttu Modig, Janne Lindqvist, Antti Oulasvirta and Teemu Roos has been accepted for presentation and publication in the top-tier ACM MobiSys 2014 conference in June. They propose to use the information capacity of continuous full-body movements for estimating the mutual information in repeated sets of gestures. Mutual information is used to estimate the memorability and security of the gestures.

The aim is to develop gestures that have a certain level of variability, or surprise, while being repeatable. The research indicates that free-form gestures are a robust method for mobile authentication. This result paves way for the next generation mobile authentication solutions, such as smartphone lock screens.

We interview Assistant Professor Teemu Roos regarding the new result.

Tell a bit about the background of the work?

This is actually a nice paper in the sense that the long list of authors is genuinely a sign of intense collaboration between three units: Max Planck Institute (MPI) in Saarbrücken, Rutgers University and HIIT.

All three of the PIs, Antti (MPI), Janne (Rutgers), and I had actually been at UC Berkeley in 2007-2008. During that time, Antti learned to know both Janne and I.

About the beginning of the gesture application, Janne says: "I had been thinking about how text entry methods affect password security [4] and contacted Antti about it. Antti suggested that we could also look at gesture security, since Antti had already worked on non-security related work on gestures. Ultimately, both projects aligned quite well together."

The gesture work that Janne mentions is what Arttu and I have been working on with Antti for a couple years, that is, information capacity of full-body movement -- some people at the department may have seen our demo for example at the alumni event in March (see infocapacity.hiit.fi).

What got you started in this research topic?

Studying human movement from an information-theoretic point of view was originally proposed to me by Antti.

The reason why I got interested is that the research problem is simply stated and yet solving is a very complex matter. The problem is to measure the capacity of movement as an information channel. For instance, you can type on a keyboard, point using a mouse, or speak, etc., all of which are kinds of movements. You can even play an instrument, sing, or dance. The basic question is how much information, bits per second, can you express. It's a simple, well-defined, but extremely multifaceted, question. We are far from a complete solution but the results we have obtained seem to provide some interesting insight. And there are several very promising applications, such as the topic of the MobiSys paper, that we are just beginning to explore.

Figure 1: Measuring information capacity of a ballet dancer in a motion capture laboratory.

Can you outline the key scientific insights in the article?

Well, the MobiSys paper studies a new type of authentication system that is not based on a symbolic password like the one that you would normally use to log into a computer. It's a bit like the system used on Android phones where the password is a sequence of points on a 3x3 grid. However, in our system the password is not based on a small grid but it's essentially continuous, and you can also use more than one finger at a time. The continuous nature of gesture passwords implies some fundamental changes in the way such passwords are handled.

Figure 2: An example of a free-form gesture. Note that the gesture trace is displayed on the screen only after it has been performed.

The main contribution of the paper is to analyze the security of such gesture passwords from an information-theoretic point of view. This is a natural extension of different types of password entropy measures used to evaluate the security of symbolic passwords, see e.g. [1], and the work we had already done with Arttu and Antti provided a perfect tool for the analysis of continuous gestures.

What are the future directions of this research?

As I already mentioned, the information capacity work has several interesting applications. I am quite enthusiastic about applications in medical diagnosis and rehabilitation. I believe the capacity metric could be used to identify early signs of conditions affecting movement, or to evaluate the progress of rehabilitation for people suffering from such conditions. Another related idea is to use the metric for measuring athletic performance in professional sports. And why not amateur sports as well? We already have a Kinect implementation that we use in the demo I mentioned, so I guess we just need an app, or whatever, for people to start measuring their performance. Sounds like a cool student project, doesn't it?

An important point to make here, by the way, is that the metric not only gives a total score for a given performance but the score can also be decomposed in terms of different parts of the body, or temporally in terms of different phases of the movement.

Figure 3: An example of a decomposition in terms of body parts from the Kinect demo. Green means high information throughput, red means low.

Measuring the capacity of different user-interfaces such as keyboards and pointing devices using information theory has been done already since the 1950s [2]. This is of course something that we could do too, and in fact we have some preliminary studies in the CHI paper with Arttu and Antti [3].

Do you have advice for our PhD students?

First of all, I'd like to say to all students that doing a PhD is actually one of the coolest things you can do: talk about expanding your consciousness! Ask any of our PhD students and they will tell you about the deepest mysteries of science and how they are solving them. Of course it's not for everyone but after completing a Master's degree it's when things get really fascinating. You can pretty much choose the topics you want to study. Just try to make sure your interests coincide with those of your supervisor. Personal chemistry can also be a factor in how things work out but it's harder to predict in advance.

How to get a paper to MobiSys?

Same as any good conference or journal: have a great team, pick a good topic that suggests itself and isn't just what you and everyone else have always done, and then it's 90% perspiration.

Link to the article:

M. Sherman, G. Clark, Y. Yang, S. Sugrim, A. Modig, J. Lindqvist, A. Oulasvirta, and T. Roos, (2014). User-generated free-form gestures for authentication: security and memorability, to appear in Proc. 12th International Conference on Mobile Systems, Applications, and Services (MobiSys-2014). http://www.cs.helsinki.fi/u/ttonteri/pub/mobisys2014.pdf.

References

[1] J. Bonneau. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proc. of SP ’2012.

[2] P. Fitts. The information capacity of the human motor system in controlling the amplitude of movement. Journal of Experimental Psychology 47, 6 (1954), 381.

[3] A. Oulasvirta, T. Roos, A. Modig, and L. Leppänen. Information capacity of full-body movements, in Proc. 2013 ACM SIGCHI Conference on Human Factors in Computing Systems (CHI-2013), ACM.

[4] Y. Yang, J. Lindqvist, and A. Oulasvirta. Text Entry Method Affects Password Security, arxiv.org/abs/1403.1910.