Usable Mobile Multi-Factor Authentication     


Rachel Bellamy, Pau-Chen Cheng, Jacquelyn Martino, Kapil Singh, Calvin (Cal) Swart, Shari Trewin


[Screenshot: authentication interface on a phone with authentication options for 'Voice', 'Face', 'Sign' and 'QR Code']

Mobile devices are increasingly being used to perform sensitive transactions in banking, retail, healthcare, and the workplace. At the same time, they are vulnerable to loss, theft, observation and hacking. Strong authentication is needed for high-value transactions.

Mobile devices, with their rich array of sensors, can support many authentication methods beyond passwords and PIN codes, including biometrics. We are investigating usable multi-factor authentication, which has the potential to improve usability by offering multiple ways to authenticate, and to improve security by providing several proofs of identity.

Complementing this, we are developing a risk-based authorization framework that adjusts the authentication demands of a system according to the mobile context, the value-at-risk in mobile banking and other such transactions, and the operating characteristics of the device sensors. We are exploring the balance between improved security and usability that can be achieved by risk-based approaches.

In a laboratory study, we compared the usability of several mobile biometric authentication methods, measuring efficiency, user errors, user preferences, and impact on short-term memory. We are using predictive performance modeling with CogTool to assess efficiency.

We are also investigating users' perception of the risks in mobile transactions, which may not align with the perception of the organization serving the information. Methods of communicating risk, to reduce gaps between user and system perception, are being explored.

The demands of mobile environments mean that users will sometimes be in a situation where a particular method is not usable. For example, face recognition will not work in a dark room, and voice recognition may fail in noisy environments. These 'situational impairments' mirror the limitations experienced by people with disabilities, who also may be unable to use a particular authentication method. Multi-factor risk-based authentication offers a means to reduce demands on users, accommodate situational impairments, and provide a high level of security when it is needed.
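The following added example (not the project's own framework or code) illustrates how a risk-based policy could choose authentication factors from the value-at-risk, the context, and sensor operating characteristics while accommodating situational impairments. The method names, false-accept rates, effort costs, attack prior, loss threshold, and the independence of false accepts are all assumptions constructed for illustration.

```python
from itertools import combinations
from math import prod

# Constructed operating points (assumptions, not measured values):
# far = false-accept rate at the chosen threshold, effort = seconds of user time.
METHODS = {
    "pin":   {"far": 0.01, "effort": 3.0},
    "face":  {"far": 0.01, "effort": 4.0},
    "voice": {"far": 0.03, "effort": 5.0},
    "sign":  {"far": 0.05, "effort": 7.0},
}

def usable_methods(dark=False, noisy=False, unavailable=()):
    """Drop methods ruled out by the situation or by the user's abilities."""
    blocked = set(unavailable)
    if dark:
        blocked.add("face")    # camera cannot capture a usable image
    if noisy:
        blocked.add("voice")   # speaker verification degrades in noise
    return [m for m in METHODS if m not in blocked]

def expected_loss(combo, value_at_risk, attack_prior):
    """Residual risk when an impostor must pass every method in combo.
    Treats false accepts as independent, a simplifying assumption."""
    return value_at_risk * attack_prior * prod(METHODS[m]["far"] for m in combo)

def select_factors(value_at_risk, attack_prior, max_loss, **situation):
    """Return the lowest-effort usable combination whose expected loss is
    within max_loss, or None when no usable combination is strong enough
    (the caller should then deny or move the transaction to another channel)."""
    candidates = usable_methods(**situation)
    best = None
    for k in range(len(candidates) + 1):   # k = 0 means no extra prompt
        for combo in combinations(candidates, k):
            if expected_loss(combo, value_at_risk, attack_prior) > max_loss:
                continue
            effort = sum(METHODS[m]["effort"] for m in combo)
            if best is None or effort < best[0]:
                best = (effort, combo)
    return None if best is None else best[1]
```

A low-value transaction returns an empty tuple (no extra prompt), a high-value one in a dark room swaps face for voice, and a dark, noisy setting returns `None` because the remaining factors cannot meet the loss threshold.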

Parts of this work are supported by a grant from the Department of Homeland Security under contract FA8750-12-C-0265.