US20190311095A1 - Method and system for behavior-based authentication of a user - Google Patents
Method and system for behavior-based authentication of a user Download PDFInfo
- Publication number
- US20190311095A1 US20190311095A1 US16/470,832 US201716470832A US2019311095A1 US 20190311095 A1 US20190311095 A1 US 20190311095A1 US 201716470832 A US201716470832 A US 201716470832A US 2019311095 A1 US2019311095 A1 US 2019311095A1
- Authority
- US
- United States
- Prior art keywords
- mobile
- communication system
- portable communication
- motor
- classification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G06K9/6256—
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
Definitions
- the invention relates to a method and a system for behaviour-based authentication of a user to a mobile, portable communication system.
- Fingerprint sensors have the disadvantage that the user has to perform the extra task of placing his finger on the sensor. If the user is holding the mobile, portable communication system in the incorrect hand, the fingerprint sensors often already can no longer recognise the user. Furthermore, there are numerous situations in which a fingerprint sensor does not function correctly, for example if the user has dirty or wet fingers, not to mention if the user is wearing gloves.
- the object of the invention is to enable an improved method for authentication of a user.
- the invention proposes a method and a system for behaviour-based authentication of a user to a mobile, portable communication system, which enables authentication to the mobile, portable communication system without PIN or password.
- the authentication is based on an individual intrinsic behaviour of the user, which is defined by a natural behaviour pattern of the user.
- the behaviour-based authentication allows the user to gain access to his mobile, portable communication system as a result of the user behaving as normal. The user therefore does not have to remember a password, a PIN, a specific gesture or similar authentication means.
- the invention in accordance with embodiments does not presuppose a connection to a network outside the mobile, portable communication system, for example the Internet, since all fundamental data are captured by the mobile, portable communication system and all fundamental operations are performed by the mobile, portable communication system or its processor.
- sensitive data which reflect a personal behaviour of the user, remain exclusively in an internal memory of the mobile, portable communication system.
- sensors which can capture the position of the device in space, whereby for example the display on the screen can rotate into the correct position relative to the spatial orientation of the device.
- a sensor is usually an acceleration sensor, a gyroscope or a combination thereof. It is not only possible with this sensor to capture the position in space of the mobile, portable communication system, but also a gross-motor movement of the user, whereby the sensor is used as a motion sensor.
- a gross-motor movement in this context refers to all motor skills that a human can learn with his limbs, his torso and his head. Main muscle groups are utilised. Gross-motor skills are for example walking, jogging, running, skipping, bicycle riding or car driving. The movement of the arm in order to perform an action, for example lifting a glass in order to drink or eat, can also be interpreted as a gross-motor movement, as can an arm movement in order to remove a mobile telephone from a pocket. By contrast, the grasping of a cup is considered to be a fine-motor movement, since the movement for grasping the cup is performed using the fingers and finer muscle groups are utilised. A gross-motor movement may also comprise in particular a hip movement of the user.
- a quite specific, characteristic gross-motor movement profile can thus be associated with a specific user of a mobile, portable communication system.
- the user is identifiable on the basis of this movement profile.
- the measurement data captured by the motion sensor are associated with a movement profile of this kind.
- the mobile, portable communication system is also equipped with a classification module, which is trained to recognise the movement patterns of the user.
- Training for recognition of a generic movement pattern for example comprises an evaluation of a plurality of training data sets of a user cohort, wherein the training data sets are assigned to one user each of the user cohort and comprise measurement data relating to a movement type identical for all users of the user cohort.
- a generic movement pattern common for the identical movement type of all users is identified as a result of the evaluation and is extracted for future recognition.
- Training for recognition of a user-individual movement pattern for example comprises an evaluation of movement data for an individual user, wherein the movement data comprise measurement data relating to a specific movement type.
- a user-individual movement pattern for the corresponding movement type is identified by the evaluation and is extracted for future recognition of user-individual movement patterns. This evaluation is performed with use of a generic movement pattern for the specific movement type, for which training was likewise carried out beforehand.
- the user registered in the mobile, portable communication system is the user that is to be recognised by the mobile, portable communication system.
- the current user is the user that wishes to operate the mobile, portable communication system currently, for which purpose said user must authenticate himself. If the current user can be identified by the authentication process as being the user registered in the mobile, portable communication system, the current user is granted access to the mobile, portable communication system. If the current user does not match with the user registered in the mobile, portable communication system, the mobile, portable communication system thus identifies the current user as another person, not authorised for use, and refuses access.
- the term “the user” denotes the current user of the mobile, portable communication system. If the user registered in the mobile, portable communication system is intended, this will be stated explicitly by the wording “the registered user”.
- a mobile, portable communication system can consist of an individual independent device or of a plurality of devices connected to one another mechanically and/or communicatively.
- a device can comprise for example: a smartphone, a tablet, a personal digital assistant, a pager, smartglasses, a smartwatch, navigation device, an activity tracker, or a device for recording medical data, in particular physiological data, such as a device for measuring pulse rate or a device for measuring blood pressure.
- the method for behaviour-based authentication can be performed by all mobile and portable devices and systems that are capable of processing electronic data and have at least one sensor for capturing a gross-motor movement.
- a mobile, portable communication system could consist of a smartphone and a smartwatch, wherein the smartphone has a sensor for capturing the gross-motor movement constituted by walking and the smartwatch measures the pulse and the blood pressure of the user. On the basis of a comparison of the data of the user and of the registered user, it can be identified whether or not the user is the registered user.
- Such a mobile, portable communication system in order to carry out the method for behaviour-based authentication of a user to the mobile, portable communication system, comprises at least one sensor for capturing measurement data relating to a gross-motor movement of the user (referred to hereinafter merely as “measurement data”), a gross-motor classification module, an operating system, a processor, and an internal memory.
- the sensor for capturing the measurement data is designed to capture a gross-motor movement of the user.
- the gross-motor classification module is configured for the classification of the measurement data, trained for recognition of a gross-motor movement of the user, implements a machine-learning method, and is executed by the processor of the mobile, portable communication system, the operating system being capable of controlling access to the mobile, portable communication system on the basis of the success of the authentication.
- the machine-learning method implemented by the gross-motor classification module denotes a method by means of which the gross-motor classification module is capable of adapting to the user of the mobile, portable communication system.
- the term “adapt” refers to the adjustment and, as appropriate, reconfiguration of classification parameters, on the basis of which the user can be correctly identified.
- the machine-learning method is not limited to a specific algorithm.
- the machine-learning method is an algorithm developed especially for machine learning, for example and without limitation, a density-based multi-dimensional outlier detection (local outlier detection), a random forest algorithm, a neural network, a support-vector machine, a naive Bayes classifier, or a feedback similar to the feedback of a linear or non-linear control system.
- a density-based multi-dimensional outlier detection local outlier detection
- a random forest algorithm for machine learning
- a neural network for example and without limitation, a neural network, a support-vector machine, a naive Bayes classifier, or a feedback similar to the feedback of a linear or non-linear control system.
- Portion A comprises a repeated execution of the following steps:
- an application executed by the mobile, portable communication system sends an authentication request to the operating system of the mobile, portable communication system and/or an application program configured for the authentication, which application program is implemented on the mobile, portable communication system.
- An application can comprise, for example, an application program or an app which is implemented on the mobile, portable communication system and/or which is controlled via the mobile, portable communication system.
- an application program is understood, without limitation, to mean any type of computer program which comprises machine-readable instructions for controlling a function of a computer.
- An application program of this type can be configured for example to process or to assist a useful or desired non-system-related function.
- the processor of the mobile, portable communication system accesses the memory in response to the authentication request and reads out at least one first classification result.
- the at least one first classification result is then checked for a specific, predefined checking criterion. If the at least one first classification result meets the checking criterion, a signal is sent to the operating system of the mobile, portable communication system, wherein the signal comprises the information of the success of the authentication of the user to the mobile, portable communication system. If the checking criterion is not met by the at least one classification result, the user is not granted access to the mobile, portable communication system.
- the measurement data are captured by the at least one sensor in the form of a data stream (stream).
- Measurement data are captured continuously and are processed continuously to form first classification results.
- the term “continuously” means that the data are captured as often as permitted by the clock of the processor and/or the sensor. Since the classification results are available continuously, a real-time classification result can be called up at any time from the memory of the mobile, portable communication system, without the mobile, portable communication system having to first wait until a predetermined measurement interval has elapsed and current measurement data have been processed. Furthermore, new first classification results are generated continuously, so that, in the event of an authentication request, current first classification results are available, provided the user has moved recently.
- the mobile, portable communication system comprises an application behaviour classification module.
- the application behaviour classification module is configured to classify application data of a user and to find user-specific application patterns in the application data.
- the application data can comprise for example the following data types:
- the position data of the mobile, portable communication system are captured by a method for position determination by a position sensor of the mobile, portable communication system.
- a method for position determination by a position sensor of the mobile, portable communication system can comprise for example the capture of a GPS signal or a triangulated position from WLAN connection data or connection data of another radio network which comprises radio cells, such as a mobile network.
- a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured.
- An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user.
- the mobile, portable communication system is thus able to recognise whether the user is the registered user.
- the position data can thus contribute to improving the behaviour-based authentication.
- the application usage data include an application usage behaviour of the user, wherein the application usage behaviour comprises information describing when specific applications are started and/or executed by the user on the mobile, portable communication system. For example, it is thus possible to capture when and how often the user listens to the radio, moreover which application he uses to do so and/or which radio station he listens to, and also when and how often the user reads messages or operates his camera.
- applications used frequently day-to-day can provide a user-specific application usage profile, on the basis of which the user can be identified.
- the security of the mobile, portable communication system increases, since an unauthorised user, in particular a thief, who has stolen the mobile, portable communication system, would also have to imitate the application usage behaviour of the user in order to gain access to applications which require an authentication and/or in order to gain access to the mobile, portable communication system.
- the biometric data can be captured by a sensor for capturing biometric data.
- the biometric data can be, amongst other things, the dimensions of the face, the voice frequencies of the user, the finger shape, the ear shape, the retina or iris pattern, the fingerprint of a finger, or physiological data, for example the blood pressure or the pulse of the user, in particular during specific activities, such as running.
- the biometric data in particular the dimensions of the face, the iris and/or retina pattern and the ear shape, can be captured when the user is using his mobile, portable communication system anyway and/or wishes to authenticate himself.
- This photo can be read out, and therefore the biometric data of the user captured. Should the user wish to access his system, a photo is created or one or more of the photos last stored is/are used, and the biometric data calculated from the created photo or the stored photos are used for authentication.
- the mobile, portable communication system for example comprises a pressure sensor or an optical sensor for capturing a pulse rate, by means of which the pulse and the blood pressure of the user can be determined.
- biometric data advantageously can be captured continuously, similarly to the measurement data, since the user wears the smartwatch on his wrist during regular use.
- the mobile, portable communication system comprises a sensor for capturing a fingerprint of the user.
- the sensor is positioned at points of the mobile, portable communication system at which the user holds the mobile, portable communication system using his fingertips and/or regularly touches the mobile, portable communication system in order to control functions.
- the fingerprint Due to the use of a fingerprint sensor, in particular at a point where the user's fingertips are located during regular use, the fingerprint, which is unique for every person, is advantageously used as an identification feature of the user in order to check the authenticity of the user, and thus increases the security of the method.
- biometric data of the user Due to the use of the biometric data of the user for behaviour-based authentication of the user to a mobile, portable communication system, the data used for authentication are advantageously dependent personally on the user to the greatest possible extent.
- biometric data offer a high security against forgery, whereby the security of the authentication method is increased.
- connection data of the mobile, portable communication system to other devices capable of communication can be used to demonstrate a typical connection pattern of the user.
- individual devices can be connected to the mobile, portable communication system via WLAN, Bluetooth, radio frequency identification (RFID), near field communication (NFC) or a cable.
- RFID radio frequency identification
- NFC near field communication
- a connection profile which contains information regarding the regular connections of the mobile, portable communication system to further devices can thus be created for the user.
- a user can connect the mobile, portable communication system to the private WLAN of a home or a public WLAN.
- the user connects the mobile, portable communication system to domestic appliances and/or a computer via the Internet or an Intranet, thus resulting in a user-specific connection profile.
- This usage profile can comprise for example, without limitation, a washing machine, dryer, a refrigerator or similar domestic appliances, and devices of a smart home system, for example lighting, alarm system, air-conditioning system, heating system, audio system(s), video or television system(s), and/or a PC, which the user controls at home via the Internet, an Intranet or individual radio connections.
- an authentication request is sent by a device connected to the mobile, portable communication system to the operating system of the mobile, portable communication system and/or an application program which is configured for the authentication and which is implemented on the mobile, portable communication system, in order to authenticate the user to the devices which are connected to the mobile, portable communication system.
- an unauthorised user advantageously must know the devices and, as appropriate, must have access to the devices to which the registered user normally connects the mobile, portable communication device.
- connection data for behaviour-based authentication of a user to a mobile, portable communication system
- the current user who for example is wearing a smartwatch, can advantageously authenticate himself to his mobile, portable communication system by wearing the smartwatch.
- the smartwatch thus functions as a kind of key, which releases the access to the mobile, portable communication system.
- a thief who has stolen the mobile, portable communication system would thus also have to be in possession of the smartwatch in order to gain access to the mobile, portable communication system.
- Calendar and/or time data can be captured by a clock implemented in the mobile, portable communication system or by an external clock, the signal of which is received by a sensor, in particular a radio signal by a radio sensor, of the mobile, portable communication system.
- connection data of the mobile, portable communication system are correlated with other devices and/or the position data of the mobile, portable communication system are correlated with the calendar and/or time data.
- a time-specific application behaviour of the user advantageously can be created, in particular by the communication with the previous applications. For example, it can be recognised that from Monday to Friday the user is on his way to work and at that time listens to a specific radio station and at the weekend goes for a walk and at that time plays selected music via a music application, or that the user every evening at a fixed time, for example around 8 o'clock, reads messages via his mobile, portable communication system.
- calendar and/or time data thus results in an increased security of the mobile, portable communication system, since this data contribute to an application usage profile of the user that is structured in respect of time and that is more difficult to imitate as compared to an application usage profile that is unstructured in respect of time.
- the distance between two or more communication devices of a mobile, portable communication system is determined on the basis of the signal strength of the signal of the wireless connection between the devices.
- a wireless connection signal of this kind can be, for example, a Bluetooth signal, a WLAN signal, or a radio signal.
- the distance between the devices determined from the wireless connection signal can be captured in accordance with this embodiment as part of the application data and can be used for behaviour-based authentication of the user to a mobile, portable communication system.
- the capture of the distance between two devices of a mobile, portable communication system as part of the application data and the use of the distance for behaviour-based authentication of the user to the mobile, portable communication system makes it possible to increase the security of the method for behaviour-based authentication, since a further parameter would have to be forged or imitated by an unauthorised user in order to gain access to the mobile, portable communication system.
- the distance is used to recognise a gross-motor movement pattern of the user.
- the first classification result used, which is based on the measurement data of the sensor for capturing gross-motor movement, but also the second classification result, which is given from the application data of the user.
- the mobile, portable communication system comprises a fine-motor classification module, which is designed to capture a fine-motor movement of the user, and a sensor for capturing a fine-motor movement in the form of fine-motor measurement data.
- a fine-motor movement is a movement of fine muscle groups, for example the muscles of the fingers.
- the term “fine-motor skills” denotes targeted and coordinated movement, for example by the hand and/or finger muscles, but also the muscles of the mouth, the eyes and the face.
- the fine-motor movement which is captured by a fine-motor sensor of the mobile, portable communication system, can comprise a specific movement of the fingers, for example.
- the input speed, the input clock time and/or the input accuracy of the user whilst he makes an input into the mobile, portable communication system are/is captured by the sensor for capturing a fine-motor movement.
- An input of this kind can be for example, without limitation, the typing of words or swiping of words, i.e. an input method similar to typing, in which the finger or the fingers maintains/maintain contact with the screen surface as letters are selected, on a virtual keyboard, the following of geometric figures shown on the screen, or another movement by means of which the user makes an input.
- fine-motor movements can comprise changes to the orientation, for example the angle of inclination, of the mobile, portable communication system during use.
- a sensor for capturing a fine-motor movement can be formed for example as an optical system or as a touchpad or touchscreen, but in particular, without limitation, a resistive touchscreen, a surface-capacitive touchscreen, a projected capacitive touchscreen, or an inductive touchscreen.
- the first classification result used, which is based on the measurement data of the sensor for capturing gross-motor movement, but also the third classification result, which is given from the fine-motor data of the user.
- the user is invited, following a failed authentication attempt, to make an input into the mobile, portable communication system so as to be able to capture a fine-motor movement of the user.
- the input can comprise, for example, the drawing of a specific figure on the screen or the input of a predefined word or the input of a number of words.
- the words and/or patterns can be predefined by the system or the user or can be selected randomly. For example, the corresponding words and/or patterns are displayed on the screen.
- the user Due to the authentication by means of a fine-motor movement in the case of a failed authentication by means of a gross-motor movement and/or application data, the user is advantageously provided with the possibility to authenticate himself in spite of a failed authentication via a gross-motor movement and/or his application usage behaviour, without having to use a PIN or a password.
- the classification result is used hereinafter representatively for “the first and/or second and/or third classification result”.
- the plural “classification results” then also includes a plurality of the first and/or second and/or third classification results.
- the term “measurement data” hereinafter denotes the measurement data of the sensor for capturing a gross-motor movement and/or the measurement data of the sensor for capturing a fine-motor movement. If only the measurement data of the sensor for capturing a gross-motor movement or a fine-motor movement are meant, this will be stated explicitly.
- the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module are/is formed as a classification module which is capable of processing the measurement data and the application data.
- the classification module generates an individual classification result.
- the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module are/is comprised by the same application program or by different application programs, which is/are configured to perform a behaviour-based authentication.
- the classification module or the classification modules i.e. the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module, generates/generate for example a common classification result with use of confidence values, which have been determined by the classification module or the classification modules in each case for classification-module-specific measurement data.
- the first, second and/or third classification result is the same classification result to which the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module contribute.
- a signal is sent, which comprises the information regarding the failed authentication.
- a signal of this kind in accordance with an embodiment of the invention, can be limited to the information of the failed authentication.
- the signal can contain the information regarding the reason for the failure of the authentication.
- Such a reason in accordance with further embodiments of the invention, can include, for example, the age of the current at least one classification result, the at least one classification result itself, or another reason for the failure.
- a checking criterion can include the fact that the at least one classification result is not older than a few minutes, a few hours, a day or a week.
- the checking criterion can include the fact that the at least one classification result must reach a specific threshold value.
- the user is advantageously informed that his authentication has failed and can behave purposefully such that he can gain access to the mobile, portable communication system.
- the signal indicates that the walking style of the user has not been recognised.
- the user notes the signal and starts to walk back-and-forth until the checking criterion is met.
- Such a signal can be displayed to the user for example by means of a display of the mobile, portable communication system, can be communicated acoustically via a loudspeaker of the mobile, portable communication system, or can be signalled by means of a vibration pattern, generated by a vibration mechanism of the mobile, portable communication system.
- At least one pattern in the form of a pattern function and at least one comparison data set are stored in the memory of the mobile, portable communication system, wherein the comparison data set contains values for at least one comparison parameter, wherein the following steps are performed by the relevant classification module:
- the comparison parameters are newly calculated if the comparison data set changes and are stored in the memory of the mobile, portable communication system.
- a method is advantageously provided which can be bypassed repeatedly by fixedly defined steps for the user, but is very difficult to bypass for an unauthorised user.
- An attacker attempting to access the mobile, portable communication system by means of an electronic attack in which the attacker attempts to guess the measurement data and application data of the at least one sensor, the at least one classification parameter or the at least one confidence value in order to fake a classification result to the mobile, portable communication system, would have to be familiar with or know: the at least one pattern function; which of the classification parameters are processed into confidence values; and which values these must comprise in order for access to be granted to the mobile, portable communication system.
- the measurement data and/or the application data are stored in the memory of the mobile, portable communication system when the classification result resulting from the measurement and/or application data has contributed successfully to the authentication of the user.
- the measurement and application data are stored by adding the measurement and application data to the corresponding comparison data sets.
- the comparison parameters are calculated again from the now modified comparison data set in order to be able to carry out a next authentication of the user with current comparison parameters.
- a feedback training of the classification modules is advantageously provided.
- the comparison data sets and therefore the comparison parameters thus match the behaviour of the user, whereby the method is resistant to minor behaviour changes or adapts thereto.
- Such a behaviour change can be brought about for example by an injury to the user, which influences the walking style or the writing behaviour.
- a further example of a behaviour change is the permanent change to another radio station by means of a radio application. For example, if the user no longer likes the program transmitted by the station that he previously listened to, the user will look for a new station.
- the user can also still successfully authenticate himself on the basis of the storage of the measurement and/or application data in the memory of the mobile, portable communication system and the addition of the measurement and/or application data to the corresponding comparison data set.
- the measurement and/or application data which are part of a particular comparison data set, are deleted from the memory of the mobile, portable communication system if the measurement and/or application data are older than a defined time.
- the defined time can be for example days, weeks, months or years.
- Comparison data for a new comparison data set of this kind can be captured for example by the user authenticating himself to the mobile, portable communication system in a non-behaviour-based manner, for example via a PIN or a similar method, and behaving beforehand or afterwards such that new measurement and/or application data are required and are stored in the memory of the mobile, portable communication system, whereby the captured data form a new comparison data set.
- a comparison data set and thus the comparison parameters advantageously can also change in the event of behaviour changes of the user. Since the behaviour of the user can change in particular over a longer period of time, for example of a year or more, it is advantageous for the method if the comparison parameters also change with the behaviour of the user, i.e. potentially outdated measurement and/or application data, which might no longer correctly reflect the current behaviour of the user, are carefully deleted.
- the deletion of data of a specific age thus means that the behaviour of the user in the past, which does not necessarily have to match the behaviour of the user in the present, has no influence on the behaviour-based authentication of the user to the mobile, portable communication system.
- the age of measurement and/or application data is measured for example from the time of capture and/or storage of the corresponding measurement and/or application data.
- the user must authenticate himself to the mobile, portable communication system following the initial commissioning.
- An authentication following an initial commissioning can comprise for example an input of a one-time password or an initialisation PIN, which is provided to an authorised user for example during the course of the lawful purchasing of the mobile, portable communication system and/or a SIM card used in the mobile, portable communication system.
- the authentication after an initial commissioning can also include, for example, an input or a sending of an initial authentication token into or to the mobile, portable communication system.
- the initial authentication token can be provided for example from a central authentication service, to which the user has authenticated himself as authorised user. Due to the authentication to the mobile, portable communication system following the initial commissioning, only the authorised user advantageously can thus use the system, which is still untrained.
- the mobile, portable communication system undergoes for example an automatic personalisation to the authorised user after and/or together with the aforementioned authentication of the authorised user, if this is necessary.
- measurement and/or application data are required for a behaviour-based authentication of the authorised user and are added to the comparison data set.
- the classification module is thus trained to the corresponding user, i.e. the mobile, portable communication system is personalised. If the aforementioned authentication of the authorised user fails, for example no measurement and/or application data are required, or captured measurement and/or application data are not added to the comparison data set.
- the user must personalise the mobile, portable communication system following the initial commissioning. If the mobile, portable communication system is switched on for the first time, the mobile, portable communication system sends a signal to the user.
- the signal comprises the request for personalisation of the mobile, portable communication device by the user by way of a deliberate or specified behaviour, which generates at least one comparison data set. For example, the user is requested to run with the mobile, portable communication device.
- the user advantageously can apply the method for behaviour-based authentication to the mobile, portable communication system as early as possible.
- the personalisation following the initial commissioning in this case comprises the capture of measurement and/or application data, in order to construct the corresponding comparison data set on that basis.
- the confidence values of the classification parameters are stored in the memory of the mobile, portable communication system.
- the sum of the confidence values of the classification parameters forms the classification result.
- the confidence values advantageously can be used individually for the checking operation.
- fewer confidence values are read out from the memory and checked than in the case of an authentication request with a higher checking criterion.
- a low checking criterion may then be present for example if the user wishes to change the radio station.
- a high checking criterion can be present for example if the user wishes to call up the contact data stored in the mobile, portable communication system.
- the checking criterion for each confidence value comprises a different threshold value, such that the quality of the individual classification parameters in which the confidence values are calculated is taken into consideration when checking the classification result against the checking criterion.
- the checking criterion comprises the stipulation that the at least one confidence value must reach a specific threshold value in order to achieve successful authentication of the user.
- the checking criterion consists of the stipulation that a confidence value must reach a minimum level
- the checking of the classification results against the checking results can be performed advantageously by the comparison of just one value. For this step, very few operations are therefore necessary, and therefore the processor has to perform fewer computing operations.
- the mobile, portable communication system thus experiences a reduced energy consumption.
- an embodiment of this kind is advantageous.
- the checking criterion comprises the stipulation that a plurality of stored confidence values must each reach an individual threshold value.
- the checking criterion comprises an individual threshold value for each of a plurality of confidence values
- the checking criterion can be individually adapted to the particular accuracies of the individual confidence values. This results in an increased accuracy of the authentication process as a whole.
- the second classification result which is based on the application data, is included in the checking of the classification results against the checking criterion only if, in a previous step, the first classification module recognised a gross-motor movement of the user in the measurement data.
- application usage data of a radio are thus captured only if the user is currently walking.
- a removal of the mobile, portable communication system from a pocket can be recognised, whereupon for example the execution of a messaging application is used as a part of the application usage profile.
- the classification of the first classification module which uses the measurement data, advantageously can be much more accurate, since the classification result on the basis of the application data can be used in order to refine the classification result based on the measurement data.
- the confidence values which result ultimately from the gross-motor and/or fine-motor measurement data and/or the application data, are combined to form a resultant confidence value.
- the combining of this data can comprise for example, but not necessarily, the forming of a mean value, a median or a modal value.
- the forming of the resultant confidence value makes it possible to specify the likelihood with which the current user is the user registered in the mobile, portable communication system.
- the individual confidence values of the classification parameters are weighted in each case with a weighting factor for the evaluation.
- the weighting factors are assigned to the relevant confidence value.
- the accuracy of the resultant confidence value when checking against a checking criterion advantageously can be increased.
- Individual confidence values, which result from different classification parameters can be weighted depending on the importance and/or accuracy of their determinability. Since each user behaves differently, the individual classification parameters also play varying roles in the behaviour-based authentication of the user to the mobile, portable communication system.
- a first user of a first mobile, portable communication system for example could regularly use a radio application of his mobile, portable communication system, whereas a second user of a second mobile, portable communication system might never use a radio application. Due to the possibility of weighting the individual confidence values, a higher weighting factor can be allocated to the confidence value for the use of a radio application for the first user than for the second user.
- the weighting factors of the confidence values are specified by the checking criterion.
- different confidence values advantageously can be weighted individually in dependence on the security level of the checking criterion. For example, in the case of checking criteria which require a very high authentication likelihood, all parameters can be included, whereby all confidence values are calculated in order to give a resultant confidence value. By contrast, in the case of a checking criterion which requires a low security level, only some of the confidence values or classification parameters or only an individual confidence value or classification parameter are/is used for the evaluation.
- the individual weighting factors of the respective confidence values are fixedly specified.
- the expression “fixedly specified” means that the weighting factors are defined from the outset at the time of initial commissioning of the mobile, portable communication system, and no changes to the weighting factors are provided during the intended operation of the mobile, portable communication system.
- the mobile, portable communication system does not have to check which weighting factors are to be defined for which confidence value, but instead must ultimately only read out from its memory the appropriate confidence values, which are already set against the weighting factors.
- the user himself defines the weighting factors of the individual confidence values in an initiation process.
- the defined weighting factors are then stored in a configuration file in the memory of the mobile, portable communication system.
- the registered user himself advantageously can determine the extent to which his applications or behaviour patterns contribute to the behaviour-based authentication. This increases the freedom of the registered user in the configuration of the system, since the registered user himself can decide which classification parameters are included by his behaviour pattern. For example, the registered user can define that the use of the radio application should not be included or should only be included to a very minor extent in the generation of the classification results, since he usually only uses the radio application sporadically. By contrast, the same user could allow the confidence values of the position determination to be included to a greater extent in the generation of the classification result, since he has a very structured day-to-day timetable and frequents specific locations with a high level of regularity.
- the checking criterion is defined by the executed application requesting the authentication of the user.
- checking criterion being defined by the executed application results advantageously in that the security of the authentication by means of the checking criterion can be determined by the application. For example, applications for online banking can require a much higher security level of the user to the mobile, portable communication system than a music application.
- the mobile, portable communication system is connected to a network, for example the Internet or a local network (LANS), a private network, in particular an Intranet, or a virtual private network (VPN).
- a network for example the Internet or a local network (LANS), a private network, in particular an Intranet, or a virtual private network (VPN).
- the mobile, portable communication system can communicate with an online application via an appropriate interface, which is usually configured as a browser or launcher, wherein the online application is executed on a device within the network, but outside the mobile, portable communication system.
- the online application is capable of requesting the mobile, portable communication system to authenticate itself to the application, whereupon the mobile, portable communication system sends the resultant confidence value to the online application.
- the mobile, portable communication system is advantageously capable of authenticating the user applications which are not installed on the mobile, portable communication system.
- the method therefore does not require an application to be installed on the mobile, portable communication system.
- a number of users are registered on the mobile, portable communication system, and the classification result is generated for each registered user.
- a user recognition module then decides which user is currently active, wherein the user recognition module is likewise executed by the processor of the mobile, portable communication system.
- the user is identified by the user recognition module by means of a decision tree. Due to the possibility of identifying a number of users, it is possible for service devices or service systems, which are given by an employer to a number of employees, wherein the number of employees use the particular mobile, portable communication system in alternation, to advantageously also apply the method for behaviour-based authentication.
- the user recognition module is configured such that it recognises a change in user on the basis of gross-motor and/or fine-motor measurement data.
- the user recognition module generates a fourth classification result, which specifies which of the registered users is the current user.
- the fourth classification result is then formed if the user recognition module recognises a movement that is typical for a change in user of a mobile, portable communication system.
- a typical movement can include the taking off and putting back on again of a smartwatch, the handing over of a mobile telephone, or a comparable movement.
- the user recognition module is configured to recognise a change in user on the basis of a gross-motor and/or fine-motor movement.
- the user recognition module is configured for example to recognise a gross-motor and/or fine-motor movement constituted by the taking off and/or putting on of the mobile, portable communication system.
- the user recognition module is furthermore trained to recognise user-specific movement patterns in the measurement data and/or the fine-motor measurement data, wherein the user recognition module performs the following steps repeatedly:
- the user recognition module then accesses the memory of the mobile, portable communication system in order to read out at least one of the stored fourth classification results from the memory.
- the at least one fourth classification result is evaluated in order to check whether a change of user has occurred.
- the previous first, second and/or third classification results are discarded in the case of a change of user so as to ensure that, in the event of a change in user, a non-authenticated user then uses the mobile, portable communication system. This non-authenticated user then has to authenticate himself.
- the machine-learning method implemented by the gross-motor classification module is a random forest algorithm, which classifies a movement as a movement known to the gross-motor classification module.
- the user recognition module is configured such that it recognises an at least temporary termination of the use of the mobile, portable communication system by the current user on the basis of gross-motor and/or fine-motor measurement data.
- the user recognition module is configured for example to recognise a gross-motor and/or fine-motor movement constituted by a taking off of the mobile, portable communication system. If such a termination is recognised, for example the previous first, second and/or third classification results are discarded, in order to ensure that, in the event of a possible change of user, a non-authenticated user then uses the mobile, portable communication system. This non-authenticated user then has to authenticate himself.
- the parameters for classification of the gross-motor movement advantageously contribute in a particularly efficient manner to the classification, and furthermore the random forest algorithm can be implemented particularly easily on account of the fixed number of available parameters.
- FIG. 1 shows a schematic structure of an exemplary mobile, portable communication system for carrying out the method for behaviour-based authentication of a user.
- FIG. 2 shows a schematic course of a behaviour-based authentication in a flow diagram.
- FIG. 3 shows an embodiment of the mobile, portable communication system for carrying out the method for behaviour-based authentication of a user.
- FIG. 4 shows a schematic method for handling data processed by the mobile, portable communication system.
- FIG. 5 shows a flow diagram of an exemplary method which, besides measurement data, also takes into consideration application data.
- FIG. 6 a shows steps of the behaviour-based authentication in a flow diagram.
- FIG. 6 b shows steps of a training of a classification module in a flow diagram.
- FIG. 1 shows the schematic structure of an embodiment of a mobile, portable communication system 100 , which is carried by a user 1 .
- the mobile, portable communication system in this embodiment is an individual mobile, portable communication device 102 .
- the mobile, portable communication device 102 is suitable for carrying out a method for behaviour-based authentication of the user 1 to the mobile, portable communication system 100 .
- the mobile, portable communication device 102 has a sensor 110 , which is suitable for capturing a gross-motor movement of the user 1 as measurement data 500 .
- the mobile, portable communication device 102 also has a memory 120 , in which the measurement data 500 can be stored in processed form as classification results 600 .
- the mobile, portable communication device 102 also has a processor 130 , which executes the gross-motor classification module 200 .
- the sensor 110 can capture this movement in the form of measurement data 500 .
- the sensor 110 can be configured for example as an acceleration sensor or a gyroscope or a combination thereof.
- the movement of the current user 1 for example can be walking, jogging, running or a movement of the arm, if the device which has the sensor 110 and is part of the mobile, portable communication system 100 is fastened to the arm.
- a gross-motor movement can be understood to mean movement sequences such as walking, jogging, running, skipping, climbing, balancing, bicycle riding, car driving or a movement of the arm, for example when drinking, when looking at a wristwatch, or when removing the mobile, portable communication system 100 from a pocket.
- the gross-motor classification module 200 receives the measurement data 500 from the sensor 110 and classifies the measurement data 500 as a gross-motor movement. Based on the classification, the gross-motor classification module 200 generates the classification result 600 . This classification result 600 is stored in the memory 120 of the mobile, portable communication device 102 .
- the measurement data 500 , 510 and the application data 550 contributing to the successful authentication are stored in the memory 120 of the mobile, portable communication system 100 or are added to a comparison data set stored in the memory 120 in order to be used for future authentication attempts when generating the future classification results 600 .
- FIG. 2 shows the authentication method 400 for behaviour-based authentication of a user to a mobile, portable communication system 100 in a flow diagram.
- the authentication method 400 can be divided into two portions A and B. Portion A is performed repeatedly and thus forms a loop-like execution structure.
- the sensor 110 captures the gross-motor movement of the user 1 as measurement data 500 .
- the measurement data 500 are input in step S 200 into the gross-motor classification module 200 .
- the gross-motor classification module 200 in step S 210 generates the classification result 600 .
- the generated classification result 600 is stored in the memory 120 of the mobile, portable classification system 100 .
- the sensor 110 then captures new measurement data 500 .
- the entire method according to portion A is executed repeatedly.
- the sensor 110 captures the measurement data 500 in the form of the data stream (stream), wherein the gross-motor classification module 200 receives and processes the measurement data 500 in the form of a stream.
- the classification results 600 are stored in the memory 120 of the mobile, portable communication system 100 at very short time intervals, which are specified by the clock rate of the processor and/or the sensor.
- Portion B is then executed when an application sends an authentication request 700 to the operating system and/or an application program of the mobile, portable communication system 100 , which application program is configured for behaviour-based authentication.
- the authentication request 700 includes a request to read out at least one classification result 600 from the memory 120 .
- the at least one classification result is then read out from the memory 120 , and in step S 800 is checked by the operating system or the application program configured for behaviour-based authentication against a checking criterion 800 . If the classification result 600 meets the checking criterion 800 , the operating system or the application program generates an authentication signal 710 . If the classification result 600 does not meet the checking criterion 800 , no authentication signal 710 is generated.
- a plurality of classification results 600 are read out from the memory 120 of the mobile, portable communication system 100 and are checked against the checking criterion 800 .
- the measurement data 500 , 510 and the application data 550 contributing to the successful authentication are stored in the memory 120 of the mobile, portable communication system and/or are added to a comparison data set in order to be used for future authentication attempts when generating future classification results 600 .
- FIG. 3 shows a further embodiment of the invention.
- the schematic structure of a mobile, portable communication system 100 is shown, which consists of a plurality of communication devices 102 , 104 and 106 .
- the communication devices 102 , 104 and 106 are carried by the user 1 , for example.
- the communication devices 102 , 104 and 106 are capable of communicating with one another via a communication interface in each device.
- the communication devices 102 , 104 and 106 are capable of communicating with one another via a communication interface in each device. Suitable communication can be performed for example via Bluetooth, WLAN, RFID, NFC or a cable connection.
- the mobile, portable communication system 100 can comprise one, two, three or more mobile, portable communication devices.
- the communication devices 102 , 104 and 106 are each equipped with sensors 110 and applications 112 .
- the sensors 110 can be for example sensors for capturing a gross-motor movement, for example an acceleration sensor or a gyroscope.
- the applications 112 generate application data 550 .
- the applications 112 can access sensors for capturing the position of the mobile, portable communication system 100 , sensors for capturing biometric data, in particular a camera for capturing shape features such as face shape, ear shape or palm line shape, a fingerprint sensor, or physiological sensors, which for example measure the blood pressure or the pulse of the user 1 , wherein these sensors are comprised by the mobile, portable communication system.
- sensors for capturing biometric data in particular a camera for capturing shape features such as face shape, ear shape or palm line shape, a fingerprint sensor, or physiological sensors, which for example measure the blood pressure or the pulse of the user 1 , wherein these sensors are comprised by the mobile, portable communication system.
- a sensor for capturing fine-motor movements captures a fine-motor movement of the user.
- the sensor for capturing fine-motor movements can be embodied as a screen, in particular as a touchscreen.
- the measurement data 500 , 510 and the application data 550 once they have been captured by the sensors 110 and the applications 112 , are sent from the communication devices 102 , 104 and 106 to the classification modules 200 .
- the classification modules 200 determine confidence values for the measurement data 500 , 510 and the application data 550 , on which basis the classification result 600 is generated.
- the generated classification result 600 is then stored in the memory 120 .
- the measurement data 500 , 510 and the application data 550 contributing to the successful authentication are stored in the memory 120 of the mobile, portable communication system and/or are added to a comparison data set in order to be used for future authentication attempts when generating future classification results 600 .
- FIG. 4 shows the schematic structure for determining the classification result 600 from the measurement data 500 .
- a sensor 110 captures the gross-motor movement of the user 1 in the form of measurement data 500 .
- the measurement data 500 are then sent to the gross-motor classification module 200 .
- the gross-motor classification module 200 calls up a pattern function 210 from the memory and in step S 220 compares the pattern function 210 with the measurement data 500 .
- the measurement data 500 are assigned to a first number of classification parameters 520 .
- a comparison data set 220 which contains data reflecting the gross-motor movement of the user, wherein the data of the comparison data set 220 have the structure of the measurement data 500 , is stored in the memory 120 of the mobile, portable communication system 100 .
- Comparison parameters 230 which were calculated from the data of the comparison data set 220 , are assigned to the comparison data set 220 .
- the gross-motor classification module 200 reads out the comparison parameters 230 from the memory 120 of the mobile, portable communication system and compares the comparison parameters 230 with the classification parameters 520 in step S 230 . Based on the difference, the gross-motor classification module 200 calculates at least one confidence value 540 , wherein each confidence value 540 is assigned a classification parameter 520 and therefore the number of classification parameters 520 is equal to the number of confidence values 540 .
- the confidence values 540 are then processed in step S 500 , for example by forming the mean value, the median, mode or by a more complex calculation, in order to form a classification result 600 .
- the classification result 600 is stored in the memory 120 of the mobile, portable communication system 100 . In the event of an authentication request, the classification result 600 is read out from the memory 120 of the mobile, portable communication system 100 .
- the application data 550 and the fine-motor measurement data 510 are processed similarly to the measurement data 500 .
- the fundamental structure of the various classification modules is the same or similar, since each module performs the same operations.
- the commands are adapted in the modules to the particular input data.
- the confidence values 540 are stored directly in the memory 120 of the mobile, portable communication system 100 and can be read out in the event of an authentication request 700 .
- the measurement data 500 contributing to the successful authentication are added in the memory 120 of the mobile, portable communication system, in order to be used for future authentication attempts when generating the future classification results 600 .
- FIG. 5 shows, in a flow diagram, the schematic course of a further embodiment of the invention.
- application data 550 are captured in addition to the measurement data 500 and are processed.
- the application data 550 can comprise the position data of the mobile, portable communication system, which data are captured by a method for position determination by a position sensor of the mobile, portable communication system 100 , the application usage data of the user 1 , the biometric data of the user 1 , which data are captured by a sensor for capturing biometric data, the connection data of the mobile, portable communication system 100 with other devices, or the calendar and/or time data of a clock implemented in the mobile, portable communication system 100 or an external clock, the signal of which is received by a sensor of the mobile, portable communication system 100 .
- the method loop A′ is executed similarly to the method loop A according to FIG. 2 , wherein, instead of the measurement data 500 , the application data 550 are input into the application behaviour classification module 200 .
- Method loop A and method loop A′ each generate a classification result 600 , which is stored in the memory 120 of the mobile, portable communication system 100 .
- the classification result 600 contains the processed measurement data 500 , the processed application data 550 and the processed fine-motor measurement data 510 .
- the fine-motor measurement data 510 are processed by a separate method loop A′′ (not shown here).
- Method loop A′′ is executed similarly to method loop A according to FIG. 2 , wherein, instead of the measurement data 500 , the measurement data 510 are input into the fine-motor classification module 200 .
- Method loop A and method loop A′′ each generate a classification result 600 , which is stored in the memory 120 of the mobile, portable communication system 100 .
- the at least one classification result 600 is read out and is checked against a checking criterion 800 .
- the result of the checking of the classification result 600 against the checking criterion 800 determines whether or not an authentication signal 710 is sent. An authentication signal 710 is generated and sent if the checking criterion 800 is met. If the checking criterion 800 is not met, no authentication signal 710 is generated.
- a signal which displays the failure of the authentication of the current user 1 to the mobile, portable communication system 100 is generated in the event that the checking criterion 800 is not met.
- the steps of the authentication request 700 , the reading out of the at least one classification result 600 , the checking of the at least one classification result 600 against a checking criterion 800 , and the generation of an authentication signal 710 are represented by the method loop B.
- FIG. 6 a shows a flow diagram which illustrates method loops A, A′ and A′′ according to FIG. 5 .
- step S 60 the measurement data 500 , 510 and the application data 550 are captured.
- the captured measurement data 500 , 510 and the application data 550 are input in step S 62 into the relevant classification module 200 .
- the gross-motor measurement data 500 are input into the gross-motor classification module.
- the fine-motor measurement data 510 are input into the fine-motor classification module.
- the application data 550 are input into the application behaviour classification module.
- step S 64 the classification modules 200 generate one or more classification results 600 .
- a classification result 600 is generated which comprises the evaluation of the gross-motor measurement data 500 , the fine-motor measurement data 510 and/or the application data 550 .
- the generated classification results 600 are stored in step S 66 in the memory 120 of the mobile, portable communication system 100 .
- the classification modules 200 are trained in step S 68 , wherein the training is dependent on the classification result 600 .
- FIG. 6 b shows the training according to step S 68 of FIG. 6 a in detail. Firstly, it is checked whether the user 1 was able to be authenticated by the classification result 600 to the mobile, portable communication system 100 . If this is not the case, the captured measurement data 500 , 510 and the application data are discarded, and no training takes place.
- the measurement data 500 , 510 and the application data 550 are added to one or more comparison data sets 220 and are thus stored in the memory 120 of the mobile, portable communication system.
- the memory 120 comprises separate comparison data sets 200 for the gross-motor measurement data 500 , the fine-motor measurement data 510 and/or the application data 550 .
- the memory 120 comprises a comparison data set for the measurement data 500 , 510 and the application data 550 .
- the comparison dataset or the comparison data sets 220 contains/contain measurement data 500 , 510 and/or application data 550 which are older than a specific threshold age.
- the threshold age is defined for example by the user 1 or the mobile, portable communication system.
- this threshold age can be days, weeks, months or years. For example, it is four weeks, three months or one year.
- the respective comparison parameters 230 are determined anew. These new comparison parameters 230 are stored for example in the memory of the mobile, portable communication system 100 and are available to the relevant classification module 200 at the time of the next authentication attempt. Alternatively, the comparison parameters 230 are calculated anew in the event of each authentication attempt, such that it can be ensured that current comparison parameters 230 trained to the authorised or registered user are always used for the authentication.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Computation (AREA)
- Artificial Intelligence (AREA)
- General Health & Medical Sciences (AREA)
- Social Psychology (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Medical Informatics (AREA)
- Mathematical Physics (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Evolutionary Biology (AREA)
- Bioinformatics & Computational Biology (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephone Function (AREA)
- Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)
Abstract
A method for behaviour-based authentication of a current user to a mobile, portable communication system, is implemented using at least one sensor for capturing gross-motor measurement data, a gross-motor classification module, a processor, and an internal memory. Furthermore, a user is registered in the mobile, portable communication system. The sensor is designed to recognise the gross-motor measurement data of a gross-motor movement of the current user of the mobile, portable communication system and the gross-motor classification module is trained to capture a generic gross-motor movement pattern with the help of training data sets of a user cohort. In addition, the gross-motor classification module implements a machine-learning method. The gross-motor classification module is executed by the processor of the mobile, portable communication system.
Description
- The invention relates to a method and a system for behaviour-based authentication of a user to a mobile, portable communication system.
- Mobile, portable communication systems have become a staple in human day-to-day life, to such an extent that we can no longer imagine life without them. In order to gain access to such a system, a user usually has to authenticate himself via a personal identification number (PIN), a password, or possibly a fingerprint. In view of the large number of PIN-secured devices and applications used day-to-day by users and the associated high number of PINs to be remembered, it can easily be the case that a user forgets a PIN. Passwords, which often are freely selectable, are either too short and easily remembered, which has the disadvantage that they are guessed more quickly and therefore only offer a low level of security, or passwords that offer a high level of security are by contrast often long and complex, which makes it difficult for the user to remember them. Fingerprint sensors have the disadvantage that the user has to perform the extra task of placing his finger on the sensor. If the user is holding the mobile, portable communication system in the incorrect hand, the fingerprint sensors often already can no longer recognise the user. Furthermore, there are numerous situations in which a fingerprint sensor does not function correctly, for example if the user has dirty or wet fingers, not to mention if the user is wearing gloves.
- By contrast, the object of the invention is to enable an improved method for authentication of a user.
- The problem forming the basis of the invention is solved by the features of each of the independent claims. Embodiments of the invention are described in the dependent claims.
- The invention proposes a method and a system for behaviour-based authentication of a user to a mobile, portable communication system, which enables authentication to the mobile, portable communication system without PIN or password. The authentication is based on an individual intrinsic behaviour of the user, which is defined by a natural behaviour pattern of the user. The behaviour-based authentication allows the user to gain access to his mobile, portable communication system as a result of the user behaving as normal. The user therefore does not have to remember a password, a PIN, a specific gesture or similar authentication means. Furthermore, the invention in accordance with embodiments does not presuppose a connection to a network outside the mobile, portable communication system, for example the Internet, since all fundamental data are captured by the mobile, portable communication system and all fundamental operations are performed by the mobile, portable communication system or its processor. In particular, sensitive data, which reflect a personal behaviour of the user, remain exclusively in an internal memory of the mobile, portable communication system.
- Many mobile, portable communication systems, such as smartphones, are nowadays equipped anyway with sensors, which can capture the position of the device in space, whereby for example the display on the screen can rotate into the correct position relative to the spatial orientation of the device. Such a sensor is usually an acceleration sensor, a gyroscope or a combination thereof. It is not only possible with this sensor to capture the position in space of the mobile, portable communication system, but also a gross-motor movement of the user, whereby the sensor is used as a motion sensor.
- A gross-motor movement in this context refers to all motor skills that a human can learn with his limbs, his torso and his head. Main muscle groups are utilised. Gross-motor skills are for example walking, jogging, running, skipping, bicycle riding or car driving. The movement of the arm in order to perform an action, for example lifting a glass in order to drink or eat, can also be interpreted as a gross-motor movement, as can an arm movement in order to remove a mobile telephone from a pocket. By contrast, the grasping of a cup is considered to be a fine-motor movement, since the movement for grasping the cup is performed using the fingers and finer muscle groups are utilised. A gross-motor movement may also comprise in particular a hip movement of the user.
- Every person performs these gross-motor movements in his own way. A quite specific, characteristic gross-motor movement profile can thus be associated with a specific user of a mobile, portable communication system. The user is identifiable on the basis of this movement profile. The measurement data captured by the motion sensor are associated with a movement profile of this kind. The mobile, portable communication system is also equipped with a classification module, which is trained to recognise the movement patterns of the user.
- In this context, the term “training” includes the fact that the classification module is able to recognise on the one hand a capability and on the other hand user-individual movement patterns by evaluation of training data sets. Training for recognition of a generic movement pattern for example comprises an evaluation of a plurality of training data sets of a user cohort, wherein the training data sets are assigned to one user each of the user cohort and comprise measurement data relating to a movement type identical for all users of the user cohort. A generic movement pattern common for the identical movement type of all users is identified as a result of the evaluation and is extracted for future recognition. Training for recognition of a user-individual movement pattern for example comprises an evaluation of movement data for an individual user, wherein the movement data comprise measurement data relating to a specific movement type. A user-individual movement pattern for the corresponding movement type is identified by the evaluation and is extracted for future recognition of user-individual movement patterns. This evaluation is performed with use of a generic movement pattern for the specific movement type, for which training was likewise carried out beforehand.
- For the method for behaviour-based authentication of a user to a mobile, portable communication system, a distinction is made between two types of users. On the one hand, the user registered in the mobile, portable communication system is the user that is to be recognised by the mobile, portable communication system. On the other hand, the current user is the user that wishes to operate the mobile, portable communication system currently, for which purpose said user must authenticate himself. If the current user can be identified by the authentication process as being the user registered in the mobile, portable communication system, the current user is granted access to the mobile, portable communication system. If the current user does not match with the user registered in the mobile, portable communication system, the mobile, portable communication system thus identifies the current user as another person, not authorised for use, and refuses access. Hereinafter, the term “the user” denotes the current user of the mobile, portable communication system. If the user registered in the mobile, portable communication system is intended, this will be stated explicitly by the wording “the registered user”.
- A mobile, portable communication system can consist of an individual independent device or of a plurality of devices connected to one another mechanically and/or communicatively. Such a device can comprise for example: a smartphone, a tablet, a personal digital assistant, a pager, smartglasses, a smartwatch, navigation device, an activity tracker, or a device for recording medical data, in particular physiological data, such as a device for measuring pulse rate or a device for measuring blood pressure. The method for behaviour-based authentication can be performed by all mobile and portable devices and systems that are capable of processing electronic data and have at least one sensor for capturing a gross-motor movement.
- By way of example, a mobile, portable communication system could consist of a smartphone and a smartwatch, wherein the smartphone has a sensor for capturing the gross-motor movement constituted by walking and the smartwatch measures the pulse and the blood pressure of the user. On the basis of a comparison of the data of the user and of the registered user, it can be identified whether or not the user is the registered user.
- Such a mobile, portable communication system, in order to carry out the method for behaviour-based authentication of a user to the mobile, portable communication system, comprises at least one sensor for capturing measurement data relating to a gross-motor movement of the user (referred to hereinafter merely as “measurement data”), a gross-motor classification module, an operating system, a processor, and an internal memory. The sensor for capturing the measurement data is designed to capture a gross-motor movement of the user. The gross-motor classification module is configured for the classification of the measurement data, trained for recognition of a gross-motor movement of the user, implements a machine-learning method, and is executed by the processor of the mobile, portable communication system, the operating system being capable of controlling access to the mobile, portable communication system on the basis of the success of the authentication.
- The machine-learning method implemented by the gross-motor classification module denotes a method by means of which the gross-motor classification module is capable of adapting to the user of the mobile, portable communication system. In this context, the term “adapt” refers to the adjustment and, as appropriate, reconfiguration of classification parameters, on the basis of which the user can be correctly identified. The machine-learning method is not limited to a specific algorithm. In accordance with embodiments of the invention the machine-learning method is an algorithm developed especially for machine learning, for example and without limitation, a density-based multi-dimensional outlier detection (local outlier detection), a random forest algorithm, a neural network, a support-vector machine, a naive Bayes classifier, or a feedback similar to the feedback of a linear or non-linear control system.
- The method for behaviour-based authentication of a user to a mobile, portable communication system can be divided into two operative portions. Portion A comprises a repeated execution of the following steps:
-
- capture of the measurement data by the at least one sensor of the mobile, portable communication system,
- input of the measurement data into the gross-motor classification module,
- generation of a first classification result by the gross-motor classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
- storage of the first classification result in the memory of the mobile, portable communication system, and
- training of the gross-motor classification module with the measurement data of the user in order to train the gross-motor classification module for a user-specific gross-motor movement pattern on the condition that, in accordance with the first classification result, the user is the user registered in mobile, portable communication system.
- These steps are repeated, whereby classification results are generated continuously and are stored in the memory of the mobile, portable communication system.
- In the second portion of the method an application executed by the mobile, portable communication system sends an authentication request to the operating system of the mobile, portable communication system and/or an application program configured for the authentication, which application program is implemented on the mobile, portable communication system. An application can comprise, for example, an application program or an app which is implemented on the mobile, portable communication system and/or which is controlled via the mobile, portable communication system. Here, an application program is understood, without limitation, to mean any type of computer program which comprises machine-readable instructions for controlling a function of a computer. An application program of this type can be configured for example to process or to assist a useful or desired non-system-related function.
- The processor of the mobile, portable communication system accesses the memory in response to the authentication request and reads out at least one first classification result. The at least one first classification result is then checked for a specific, predefined checking criterion. If the at least one first classification result meets the checking criterion, a signal is sent to the operating system of the mobile, portable communication system, wherein the signal comprises the information of the success of the authentication of the user to the mobile, portable communication system. If the checking criterion is not met by the at least one classification result, the user is not granted access to the mobile, portable communication system.
- In accordance with an embodiment of the invention, the measurement data are captured by the at least one sensor in the form of a data stream (stream).
- Due to the capture of the measurement data in the form of a stream, there is advantageously a maximum sensitive division of the first classification results per unit of time. Measurement data are captured continuously and are processed continuously to form first classification results. In this context, the term “continuously” means that the data are captured as often as permitted by the clock of the processor and/or the sensor. Since the classification results are available continuously, a real-time classification result can be called up at any time from the memory of the mobile, portable communication system, without the mobile, portable communication system having to first wait until a predetermined measurement interval has elapsed and current measurement data have been processed. Furthermore, new first classification results are generated continuously, so that, in the event of an authentication request, current first classification results are available, provided the user has moved recently.
- In a further embodiment of the invention the mobile, portable communication system comprises an application behaviour classification module. The application behaviour classification module is configured to classify application data of a user and to find user-specific application patterns in the application data.
- The application data can comprise for example the following data types:
-
- position data of the mobile, portable communication system
- application data of the user
- biometric data of the user
- connection data of the mobile, portable communication system
- calendar and time data.
- The position data of the mobile, portable communication system are captured by a method for position determination by a position sensor of the mobile, portable communication system. Such a method can comprise for example the capture of a GPS signal or a triangulated position from WLAN connection data or connection data of another radio network which comprises radio cells, such as a mobile network.
- By the use of the position data for behaviour-based authentication of the user to the mobile, portable communication system, a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured. An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user. The mobile, portable communication system is thus able to recognise whether the user is the registered user. The position data can thus contribute to improving the behaviour-based authentication.
- The application usage data include an application usage behaviour of the user, wherein the application usage behaviour comprises information describing when specific applications are started and/or executed by the user on the mobile, portable communication system. For example, it is thus possible to capture when and how often the user listens to the radio, moreover which application he uses to do so and/or which radio station he listens to, and also when and how often the user reads messages or operates his camera. In particular, applications used frequently day-to-day can provide a user-specific application usage profile, on the basis of which the user can be identified.
- By including the application usage data of the user in the behaviour-based authentication method, the security of the mobile, portable communication system increases, since an unauthorised user, in particular a thief, who has stolen the mobile, portable communication system, would also have to imitate the application usage behaviour of the user in order to gain access to applications which require an authentication and/or in order to gain access to the mobile, portable communication system.
- The biometric data can be captured by a sensor for capturing biometric data. The biometric data can be, amongst other things, the dimensions of the face, the voice frequencies of the user, the finger shape, the ear shape, the retina or iris pattern, the fingerprint of a finger, or physiological data, for example the blood pressure or the pulse of the user, in particular during specific activities, such as running.
- In an embodiment of the invention the biometric data, in particular the dimensions of the face, the iris and/or retina pattern and the ear shape, can be captured when the user is using his mobile, portable communication system anyway and/or wishes to authenticate himself. At the time at which the user uses his mobile, portable communication system and/or wishes to authenticate himself, it can be assumed, depending on the executed application, that the user is looking at the screen of the system. This is the case for example with a chat or messaging application. Since commercial smartphones and other systems are equipped with cameras which are also positioned on the side of the screen on the mobile, portable communication system, it is possible that a background application of the mobile, portable communication system takes a photo of the user whilst he is using the mobile, portable communication system. This photo can be read out, and therefore the biometric data of the user captured. Should the user wish to access his system, a photo is created or one or more of the photos last stored is/are used, and the biometric data calculated from the created photo or the stored photos are used for authentication.
- In a further embodiment the mobile, portable communication system for example comprises a pressure sensor or an optical sensor for capturing a pulse rate, by means of which the pulse and the blood pressure of the user can be determined.
- By use of a biometric sensor worn directly on the body, in particular a biometric sensor of a smartwatch, for example a pressure sensor or optical sensor, the biometric data advantageously can be captured continuously, similarly to the measurement data, since the user wears the smartwatch on his wrist during regular use.
- In a further embodiment the mobile, portable communication system comprises a sensor for capturing a fingerprint of the user. In advantageous embodiments the sensor is positioned at points of the mobile, portable communication system at which the user holds the mobile, portable communication system using his fingertips and/or regularly touches the mobile, portable communication system in order to control functions.
- Due to the use of a fingerprint sensor, in particular at a point where the user's fingertips are located during regular use, the fingerprint, which is unique for every person, is advantageously used as an identification feature of the user in order to check the authenticity of the user, and thus increases the security of the method.
- Due to the use of the biometric data of the user for behaviour-based authentication of the user to a mobile, portable communication system, the data used for authentication are advantageously dependent personally on the user to the greatest possible extent. In particular, biometric data offer a high security against forgery, whereby the security of the authentication method is increased.
- The connection data of the mobile, portable communication system to other devices capable of communication, for example computers, domestic appliances capable of communication, or individual, mobile, portable communication devices and systems, can be used to demonstrate a typical connection pattern of the user. For example, individual devices can be connected to the mobile, portable communication system via WLAN, Bluetooth, radio frequency identification (RFID), near field communication (NFC) or a cable. A connection profile which contains information regarding the regular connections of the mobile, portable communication system to further devices can thus be created for the user.
- For example, a user can connect the mobile, portable communication system to the private WLAN of a home or a public WLAN. In a further embodiment of the invention the user connects the mobile, portable communication system to domestic appliances and/or a computer via the Internet or an Intranet, thus resulting in a user-specific connection profile. This usage profile can comprise for example, without limitation, a washing machine, dryer, a refrigerator or similar domestic appliances, and devices of a smart home system, for example lighting, alarm system, air-conditioning system, heating system, audio system(s), video or television system(s), and/or a PC, which the user controls at home via the Internet, an Intranet or individual radio connections.
- In a further embodiment of the invention an authentication request is sent by a device connected to the mobile, portable communication system to the operating system of the mobile, portable communication system and/or an application program which is configured for the authentication and which is implemented on the mobile, portable communication system, in order to authenticate the user to the devices which are connected to the mobile, portable communication system.
- Due to the use of the connection data of the user for behaviour-based authentication of the user to a mobile, portable communication system, an unauthorised user advantageously must know the devices and, as appropriate, must have access to the devices to which the registered user normally connects the mobile, portable communication device.
- Due to the use of the connection data for behaviour-based authentication of a user to a mobile, portable communication system, the current user, who for example is wearing a smartwatch, can advantageously authenticate himself to his mobile, portable communication system by wearing the smartwatch. The smartwatch thus functions as a kind of key, which releases the access to the mobile, portable communication system. A thief who has stolen the mobile, portable communication system would thus also have to be in possession of the smartwatch in order to gain access to the mobile, portable communication system.
- Calendar and/or time data can be captured by a clock implemented in the mobile, portable communication system or by an external clock, the signal of which is received by a sensor, in particular a radio signal by a radio sensor, of the mobile, portable communication system.
- In a further embodiment of the invention the connection data of the mobile, portable communication system are correlated with other devices and/or the position data of the mobile, portable communication system are correlated with the calendar and/or time data.
- Due to the use of the calendar and/or time data for behaviour-based authentication of the user to the mobile, portable communication system, a time-specific application behaviour of the user advantageously can be created, in particular by the communication with the previous applications. For example, it can be recognised that from Monday to Friday the user is on his way to work and at that time listens to a specific radio station and at the weekend goes for a walk and at that time plays selected music via a music application, or that the user every evening at a fixed time, for example around 8 o'clock, reads messages via his mobile, portable communication system. The use of the calendar and/or time data thus results in an increased security of the mobile, portable communication system, since this data contribute to an application usage profile of the user that is structured in respect of time and that is more difficult to imitate as compared to an application usage profile that is unstructured in respect of time.
- In a further embodiment the distance between two or more communication devices of a mobile, portable communication system is determined on the basis of the signal strength of the signal of the wireless connection between the devices. A wireless connection signal of this kind can be, for example, a Bluetooth signal, a WLAN signal, or a radio signal. The distance between the devices determined from the wireless connection signal can be captured in accordance with this embodiment as part of the application data and can be used for behaviour-based authentication of the user to a mobile, portable communication system.
- The capture of the distance between two devices of a mobile, portable communication system as part of the application data and the use of the distance for behaviour-based authentication of the user to the mobile, portable communication system makes it possible to increase the security of the method for behaviour-based authentication, since a further parameter would have to be forged or imitated by an unauthorised user in order to gain access to the mobile, portable communication system.
- In accordance with embodiments of the invention the distance is used to recognise a gross-motor movement pattern of the user.
- In order to use the application data for behaviour-based authentication of the user to a mobile, portable communication system, the following steps are performed:
-
- capture of the application data,
- input of the application data into the application behaviour classification module,
- generation of a second classification result by the application behaviour classification module, detailing whether the current user is the user registered in the system,
- storage of the second classification result in the memory of the mobile, portable communication system, and
- training of the application behaviour classification module with the application data of the user in order to train the application behaviour classification module for a user-specific application behaviour pattern on the condition that, in accordance with the second classification result, the user is the user registered in the system and/or on the condition that, in accordance with the first classification result, the user is the user registered in the system.
- When checking the first classification result against the checking criterion, not only is the first classification result used, which is based on the measurement data of the sensor for capturing gross-motor movement, but also the second classification result, which is given from the application data of the user.
- In a further embodiment of the invention the mobile, portable communication system comprises a fine-motor classification module, which is designed to capture a fine-motor movement of the user, and a sensor for capturing a fine-motor movement in the form of fine-motor measurement data.
- A fine-motor movement is a movement of fine muscle groups, for example the muscles of the fingers. The term “fine-motor skills” denotes targeted and coordinated movement, for example by the hand and/or finger muscles, but also the muscles of the mouth, the eyes and the face. The fine-motor movement, which is captured by a fine-motor sensor of the mobile, portable communication system, can comprise a specific movement of the fingers, for example.
- In embodiments of the invention the input speed, the input clock time and/or the input accuracy of the user whilst he makes an input into the mobile, portable communication system are/is captured by the sensor for capturing a fine-motor movement. An input of this kind can be for example, without limitation, the typing of words or swiping of words, i.e. an input method similar to typing, in which the finger or the fingers maintains/maintain contact with the screen surface as letters are selected, on a virtual keyboard, the following of geometric figures shown on the screen, or another movement by means of which the user makes an input.
- Furthermore, fine-motor movements can comprise changes to the orientation, for example the angle of inclination, of the mobile, portable communication system during use.
- A sensor for capturing a fine-motor movement can be formed for example as an optical system or as a touchpad or touchscreen, but in particular, without limitation, a resistive touchscreen, a surface-capacitive touchscreen, a projected capacitive touchscreen, or an inductive touchscreen.
- In order to use the fine-motor measurement data for fine-motor authentication of the user to a mobile, portable communication system, the following steps are performed:
-
- capture of the fine-motor measurement data,
- input of the fine-motor measurement data into the fine-motor classification module,
- generation of a third classification result by the fine-motor classification module, detailing whether the current user is the user registered in the system,
- storage of the third classification result in the memory of the mobile, portable communication system, and
- training of the fine-motor classification module with the fine-motor measurement data of the current user in order to train the fine-motor classification module for a user-specific fine-motor behaviour pattern on the condition that, in accordance with the third classification result, the current user is the user registered in the system and/or on the condition that, in accordance with the first classification result, the current user is the user registered in the system.
- When checking the first classification result against the checking criterion, not only is the first classification result used, which is based on the measurement data of the sensor for capturing gross-motor movement, but also the third classification result, which is given from the fine-motor data of the user.
- Due to the use of a fine-motor movement of a user, the security of the method increases, since further parameters are necessary in order to authenticate the user to the mobile, portable communication system.
- In a further embodiment of the invention the user is invited, following a failed authentication attempt, to make an input into the mobile, portable communication system so as to be able to capture a fine-motor movement of the user. The input can comprise, for example, the drawing of a specific figure on the screen or the input of a predefined word or the input of a number of words. The words and/or patterns can be predefined by the system or the user or can be selected randomly. For example, the corresponding words and/or patterns are displayed on the screen.
- Due to the authentication by means of a fine-motor movement in the case of a failed authentication by means of a gross-motor movement and/or application data, the user is advantageously provided with the possibility to authenticate himself in spite of a failed authentication via a gross-motor movement and/or his application usage behaviour, without having to use a PIN or a password.
- On account of the similarity of the processing structure of the measurement data and the application data, the following explanations apply equally for the measurement data and the application data, the gross-motor, application behaviour and fine-motor classification module, and the first, second and/or third classification result. For example, “the classification result” is used hereinafter representatively for “the first and/or second and/or third classification result”. It should be noted that the plural “classification results” then also includes a plurality of the first and/or second and/or third classification results. Furthermore, the term “measurement data” hereinafter denotes the measurement data of the sensor for capturing a gross-motor movement and/or the measurement data of the sensor for capturing a fine-motor movement. If only the measurement data of the sensor for capturing a gross-motor movement or a fine-motor movement are meant, this will be stated explicitly.
- Furthermore, in accordance with a further embodiment, the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module are/is formed as a classification module which is capable of processing the measurement data and the application data. In accordance with this embodiment the classification module generates an individual classification result. For example, in accordance with a further embodiment, the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module are/is comprised by the same application program or by different application programs, which is/are configured to perform a behaviour-based authentication.
- The classification module or the classification modules, i.e. the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module, generates/generate for example a common classification result with use of confidence values, which have been determined by the classification module or the classification modules in each case for classification-module-specific measurement data. In this case, the first, second and/or third classification result is the same classification result to which the gross-motor classification module and/or the application behaviour classification module and/or the fine-motor classification module contribute.
- In a further embodiment of the invention, in the event of an unsuccessful checking of the at least one classification result against the checking criterion, a signal is sent, which comprises the information regarding the failed authentication. A signal of this kind, in accordance with an embodiment of the invention, can be limited to the information of the failed authentication. In accordance with further embodiments the signal can contain the information regarding the reason for the failure of the authentication. Such a reason, in accordance with further embodiments of the invention, can include, for example, the age of the current at least one classification result, the at least one classification result itself, or another reason for the failure. In an embodiment of the invention a checking criterion can include the fact that the at least one classification result is not older than a few minutes, a few hours, a day or a week. In a further embodiment of the invention the checking criterion can include the fact that the at least one classification result must reach a specific threshold value.
- By the sending of a signal in the event of failed authentication, the user is advantageously informed that his authentication has failed and can behave purposefully such that he can gain access to the mobile, portable communication system. For example, the signal indicates that the walking style of the user has not been recognised. The user notes the signal and starts to walk back-and-forth until the checking criterion is met. Such a signal can be displayed to the user for example by means of a display of the mobile, portable communication system, can be communicated acoustically via a loudspeaker of the mobile, portable communication system, or can be signalled by means of a vibration pattern, generated by a vibration mechanism of the mobile, portable communication system.
- In a further embodiment of the invention at least one pattern in the form of a pattern function and at least one comparison data set are stored in the memory of the mobile, portable communication system, wherein the comparison data set contains values for at least one comparison parameter, wherein the following steps are performed by the relevant classification module:
-
- a) Comparison of the captured measurement data and application data with the at least one pattern function.
- b) Assignment of the measurement data and application data to one of the patterns corresponding to the pattern function and attainment of at least one classification parameter corresponding to the pattern by the classification module, if the measurement data and/or application data can be assigned to the at least one pattern.
- c) Calculation of a confidence value for each classification parameter by a comparison of the at least one classification parameter with the relevant comparison parameter of the comparison data set.
- d) Generation of the classification result from the at least one confidence value of the at least one classification parameter.
- In a further embodiment of the invention the comparison parameters are newly calculated if the comparison data set changes and are stored in the memory of the mobile, portable communication system.
- Due to the generation of the classification result from the at least one confidence value of the at least one classification parameter, a method is advantageously provided which can be bypassed repeatedly by fixedly defined steps for the user, but is very difficult to bypass for an unauthorised user. An attacker attempting to access the mobile, portable communication system by means of an electronic attack in which the attacker attempts to guess the measurement data and application data of the at least one sensor, the at least one classification parameter or the at least one confidence value in order to fake a classification result to the mobile, portable communication system, would have to be familiar with or know: the at least one pattern function; which of the classification parameters are processed into confidence values; and which values these must comprise in order for access to be granted to the mobile, portable communication system.
- In an embodiment of the invention the measurement data and/or the application data are stored in the memory of the mobile, portable communication system when the classification result resulting from the measurement and/or application data has contributed successfully to the authentication of the user. The measurement and application data are stored by adding the measurement and application data to the corresponding comparison data sets. The comparison parameters are calculated again from the now modified comparison data set in order to be able to carry out a next authentication of the user with current comparison parameters.
- Due to the storage of the measurement data and/or application data in the memory of the mobile, portable communication system and the addition of the measurement and/or application data to the corresponding comparison data set in the event of successful authentication of the user, a feedback training of the classification modules is advantageously provided. The comparison data sets and therefore the comparison parameters thus match the behaviour of the user, whereby the method is resistant to minor behaviour changes or adapts thereto. Such a behaviour change can be brought about for example by an injury to the user, which influences the walking style or the writing behaviour. A further example of a behaviour change is the permanent change to another radio station by means of a radio application. For example, if the user no longer likes the program transmitted by the station that he previously listened to, the user will look for a new station. In the event of such behaviour changes and similar behaviour changes, the user can also still successfully authenticate himself on the basis of the storage of the measurement and/or application data in the memory of the mobile, portable communication system and the addition of the measurement and/or application data to the corresponding comparison data set.
- In a further embodiment of the invention the measurement and/or application data, which are part of a particular comparison data set, are deleted from the memory of the mobile, portable communication system if the measurement and/or application data are older than a defined time. The defined time can be for example days, weeks, months or years. If the comparison data set is completely deleted by the deletion of the measurement and/or application data, a signal is generated in accordance with a further embodiment of the invention and signals to the user that an authentication via the deleted comparison data set is no longer possible until corresponding comparison data are present again, i.e. a new comparison data set has been generated. Comparison data for a new comparison data set of this kind can be captured for example by the user authenticating himself to the mobile, portable communication system in a non-behaviour-based manner, for example via a PIN or a similar method, and behaving beforehand or afterwards such that new measurement and/or application data are required and are stored in the memory of the mobile, portable communication system, whereby the captured data form a new comparison data set.
- Due to the deletion of the measurement and/or application data when a defined age of the data is reached, a comparison data set and thus the comparison parameters advantageously can also change in the event of behaviour changes of the user. Since the behaviour of the user can change in particular over a longer period of time, for example of a year or more, it is advantageous for the method if the comparison parameters also change with the behaviour of the user, i.e. potentially outdated measurement and/or application data, which might no longer correctly reflect the current behaviour of the user, are carefully deleted. The deletion of data of a specific age thus means that the behaviour of the user in the past, which does not necessarily have to match the behaviour of the user in the present, has no influence on the behaviour-based authentication of the user to the mobile, portable communication system. The age of measurement and/or application data is measured for example from the time of capture and/or storage of the corresponding measurement and/or application data.
- In a further embodiment of the invention the user must authenticate himself to the mobile, portable communication system following the initial commissioning.
- An authentication following an initial commissioning can comprise for example an input of a one-time password or an initialisation PIN, which is provided to an authorised user for example during the course of the lawful purchasing of the mobile, portable communication system and/or a SIM card used in the mobile, portable communication system. In accordance with further embodiments the authentication after an initial commissioning can also include, for example, an input or a sending of an initial authentication token into or to the mobile, portable communication system. The initial authentication token can be provided for example from a central authentication service, to which the user has authenticated himself as authorised user. Due to the authentication to the mobile, portable communication system following the initial commissioning, only the authorised user advantageously can thus use the system, which is still untrained. In the event of an initial commissioning, the mobile, portable communication system undergoes for example an automatic personalisation to the authorised user after and/or together with the aforementioned authentication of the authorised user, if this is necessary. During the course of the authentication and/or thereafter, measurement and/or application data are required for a behaviour-based authentication of the authorised user and are added to the comparison data set. The classification module is thus trained to the corresponding user, i.e. the mobile, portable communication system is personalised. If the aforementioned authentication of the authorised user fails, for example no measurement and/or application data are required, or captured measurement and/or application data are not added to the comparison data set.
- In a further embodiment of the invention the user must personalise the mobile, portable communication system following the initial commissioning. If the mobile, portable communication system is switched on for the first time, the mobile, portable communication system sends a signal to the user. The signal comprises the request for personalisation of the mobile, portable communication device by the user by way of a deliberate or specified behaviour, which generates at least one comparison data set. For example, the user is requested to run with the mobile, portable communication device.
- As a result of the personalisation of the mobile, portable communication system following the initial commissioning on account of a corresponding signal, the user advantageously can apply the method for behaviour-based authentication to the mobile, portable communication system as early as possible. The personalisation following the initial commissioning in this case comprises the capture of measurement and/or application data, in order to construct the corresponding comparison data set on that basis.
- In a further embodiment of the invention the confidence values of the classification parameters are stored in the memory of the mobile, portable communication system.
- The sum of the confidence values of the classification parameters forms the classification result.
- Due to the storage of the confidence values as classification result, the confidence values advantageously can be used individually for the checking operation. In a further embodiment of the invention, for authentication requests with a low checking criterion, fewer confidence values are read out from the memory and checked than in the case of an authentication request with a higher checking criterion. A low checking criterion may then be present for example if the user wishes to change the radio station. A high checking criterion can be present for example if the user wishes to call up the contact data stored in the mobile, portable communication system. In a further embodiment the checking criterion for each confidence value comprises a different threshold value, such that the quality of the individual classification parameters in which the confidence values are calculated is taken into consideration when checking the classification result against the checking criterion. In a further embodiment of the invention the checking criterion comprises the stipulation that the at least one confidence value must reach a specific threshold value in order to achieve successful authentication of the user.
- Since the checking criterion consists of the stipulation that a confidence value must reach a minimum level, the checking of the classification results against the checking results can be performed advantageously by the comparison of just one value. For this step, very few operations are therefore necessary, and therefore the processor has to perform fewer computing operations. The mobile, portable communication system thus experiences a reduced energy consumption. In particular for mobile, portable communication systems which are operated by battery, an embodiment of this kind is advantageous.
- In a further embodiment of the invention the checking criterion comprises the stipulation that a plurality of stored confidence values must each reach an individual threshold value.
- Since the checking criterion comprises an individual threshold value for each of a plurality of confidence values, the checking criterion can be individually adapted to the particular accuracies of the individual confidence values. This results in an increased accuracy of the authentication process as a whole.
- In accordance with a further embodiment of the invention the second classification result, which is based on the application data, is included in the checking of the classification results against the checking criterion only if, in a previous step, the first classification module recognised a gross-motor movement of the user in the measurement data. For example, application usage data of a radio are thus captured only if the user is currently walking. In a further embodiment of the invention a removal of the mobile, portable communication system from a pocket can be recognised, whereupon for example the execution of a messaging application is used as a part of the application usage profile.
- Due to the use of the second classification result, which is based on the application data, in combination with the recognised gross-motor movement of the user, the classification of the first classification module, which uses the measurement data, advantageously can be much more accurate, since the classification result on the basis of the application data can be used in order to refine the classification result based on the measurement data.
- In a further embodiment of the invention the confidence values, which result ultimately from the gross-motor and/or fine-motor measurement data and/or the application data, are combined to form a resultant confidence value. The combining of this data can comprise for example, but not necessarily, the forming of a mean value, a median or a modal value. The forming of the resultant confidence value makes it possible to specify the likelihood with which the current user is the user registered in the mobile, portable communication system.
- Due to the forming of a resultant confidence value and the use of the resultant confidence value for behaviour-based authentication of the user to the mobile, portable communication system, only a single numerical value advantageously is necessary for the authentication, in order to authenticate the user. No details regarding the application usage or the person of the user are sent to the application requiring the authentication in order to authenticate the user. This protects in particular the data security and the anonymity of the user, since, from the resultant confidence value, it is no longer discernible which confidence values or classification parameters this confidence value is composed of in detail or what values each of these have.
- In a further embodiment of the invention the individual confidence values of the classification parameters are weighted in each case with a weighting factor for the evaluation. The weighting factors are assigned to the relevant confidence value.
- Due to the use of weighting factors for the respective confidence values when calculating the resultant confidence value, the accuracy of the resultant confidence value when checking against a checking criterion advantageously can be increased. Individual confidence values, which result from different classification parameters, can be weighted depending on the importance and/or accuracy of their determinability. Since each user behaves differently, the individual classification parameters also play varying roles in the behaviour-based authentication of the user to the mobile, portable communication system. A first user of a first mobile, portable communication system for example could regularly use a radio application of his mobile, portable communication system, whereas a second user of a second mobile, portable communication system might never use a radio application. Due to the possibility of weighting the individual confidence values, a higher weighting factor can be allocated to the confidence value for the use of a radio application for the first user than for the second user.
- In a further embodiment, the weighting factors of the confidence values are specified by the checking criterion.
- By specifying the weighting factors by the checking criterion, different confidence values advantageously can be weighted individually in dependence on the security level of the checking criterion. For example, in the case of checking criteria which require a very high authentication likelihood, all parameters can be included, whereby all confidence values are calculated in order to give a resultant confidence value. By contrast, in the case of a checking criterion which requires a low security level, only some of the confidence values or classification parameters or only an individual confidence value or classification parameter are/is used for the evaluation.
- In a further embodiment of the invention the individual weighting factors of the respective confidence values are fixedly specified. In this context, the expression “fixedly specified” means that the weighting factors are defined from the outset at the time of initial commissioning of the mobile, portable communication system, and no changes to the weighting factors are provided during the intended operation of the mobile, portable communication system.
- Due to the specifying of the weighting factors for the confidence values, there is advantageously a reduced computing effort, which results in a low battery consumption in particular for mobile portable communication systems. The mobile, portable communication system does not have to check which weighting factors are to be defined for which confidence value, but instead must ultimately only read out from its memory the appropriate confidence values, which are already set against the weighting factors.
- In a further embodiment of the invention the user himself defines the weighting factors of the individual confidence values in an initiation process. The defined weighting factors are then stored in a configuration file in the memory of the mobile, portable communication system.
- Due to the fact that the weighting factors are defined by the registered user himself, the registered user himself advantageously can determine the extent to which his applications or behaviour patterns contribute to the behaviour-based authentication. This increases the freedom of the registered user in the configuration of the system, since the registered user himself can decide which classification parameters are included by his behaviour pattern. For example, the registered user can define that the use of the radio application should not be included or should only be included to a very minor extent in the generation of the classification results, since he usually only uses the radio application sporadically. By contrast, the same user could allow the confidence values of the position determination to be included to a greater extent in the generation of the classification result, since he has a very structured day-to-day timetable and frequents specific locations with a high level of regularity.
- In a further embodiment of the invention the checking criterion is defined by the executed application requesting the authentication of the user.
- The fact of the checking criterion being defined by the executed application results advantageously in that the security of the authentication by means of the checking criterion can be determined by the application. For example, applications for online banking can require a much higher security level of the user to the mobile, portable communication system than a music application.
- In a further embodiment of the invention the mobile, portable communication system is connected to a network, for example the Internet or a local network (LANS), a private network, in particular an Intranet, or a virtual private network (VPN). Within the network, the mobile, portable communication system can communicate with an online application via an appropriate interface, which is usually configured as a browser or launcher, wherein the online application is executed on a device within the network, but outside the mobile, portable communication system. The online application is capable of requesting the mobile, portable communication system to authenticate itself to the application, whereupon the mobile, portable communication system sends the resultant confidence value to the online application.
- Due to the sending of the resultant confidence value to the online application, the mobile, portable communication system is advantageously capable of authenticating the user applications which are not installed on the mobile, portable communication system. The method therefore does not require an application to be installed on the mobile, portable communication system.
- In a further embodiment of the invention a number of users are registered on the mobile, portable communication system, and the classification result is generated for each registered user. A user recognition module then decides which user is currently active, wherein the user recognition module is likewise executed by the processor of the mobile, portable communication system.
- In a further embodiment of the invention the user is identified by the user recognition module by means of a decision tree. Due to the possibility of identifying a number of users, it is possible for service devices or service systems, which are given by an employer to a number of employees, wherein the number of employees use the particular mobile, portable communication system in alternation, to advantageously also apply the method for behaviour-based authentication.
- In a further embodiment of the invention the user recognition module is configured such that it recognises a change in user on the basis of gross-motor and/or fine-motor measurement data. The user recognition module generates a fourth classification result, which specifies which of the registered users is the current user. The fourth classification result is then formed if the user recognition module recognises a movement that is typical for a change in user of a mobile, portable communication system. A typical movement can include the taking off and putting back on again of a smartwatch, the handing over of a mobile telephone, or a comparable movement.
- The user recognition module is configured to recognise a change in user on the basis of a gross-motor and/or fine-motor movement. To this end, the user recognition module is configured for example to recognise a gross-motor and/or fine-motor movement constituted by the taking off and/or putting on of the mobile, portable communication system. The user recognition module is furthermore trained to recognise user-specific movement patterns in the measurement data and/or the fine-motor measurement data, wherein the user recognition module performs the following steps repeatedly:
-
- input of the measurement data and/or fine-motor measurement data into the user recognition module,
- generation of a fourth classification result by the user recognition module, detailing whether a change in user has occurred or whether the mobile, portable communication system has been taken off or put on,
- storage of the fourth classification result in the memory of the mobile, portable communication system.
- The user recognition module then accesses the memory of the mobile, portable communication system in order to read out at least one of the stored fourth classification results from the memory. The at least one fourth classification result is evaluated in order to check whether a change of user has occurred. The previous first, second and/or third classification results are discarded in the case of a change of user so as to ensure that, in the event of a change in user, a non-authenticated user then uses the mobile, portable communication system. This non-authenticated user then has to authenticate himself.
- In an embodiment the machine-learning method implemented by the gross-motor classification module is a random forest algorithm, which classifies a movement as a movement known to the gross-motor classification module.
- In a further embodiment of the invention the user recognition module is configured such that it recognises an at least temporary termination of the use of the mobile, portable communication system by the current user on the basis of gross-motor and/or fine-motor measurement data. To this end, the user recognition module is configured for example to recognise a gross-motor and/or fine-motor movement constituted by a taking off of the mobile, portable communication system. If such a termination is recognised, for example the previous first, second and/or third classification results are discarded, in order to ensure that, in the event of a possible change of user, a non-authenticated user then uses the mobile, portable communication system. This non-authenticated user then has to authenticate himself.
- Due to the implementation of the machine-learning method as a random forest algorithm, the parameters for classification of the gross-motor movement advantageously contribute in a particularly efficient manner to the classification, and furthermore the random forest algorithm can be implemented particularly easily on account of the fixed number of available parameters.
- The invention will be explained in greater detail hereinafter with reference to the drawings, in which:
-
FIG. 1 shows a schematic structure of an exemplary mobile, portable communication system for carrying out the method for behaviour-based authentication of a user. -
FIG. 2 shows a schematic course of a behaviour-based authentication in a flow diagram. -
FIG. 3 shows an embodiment of the mobile, portable communication system for carrying out the method for behaviour-based authentication of a user. -
FIG. 4 shows a schematic method for handling data processed by the mobile, portable communication system. -
FIG. 5 shows a flow diagram of an exemplary method which, besides measurement data, also takes into consideration application data. -
FIG. 6a shows steps of the behaviour-based authentication in a flow diagram. -
FIG. 6b shows steps of a training of a classification module in a flow diagram. - Elements in the following embodiments that correspond to one another are denoted by the same reference signs.
-
FIG. 1 shows the schematic structure of an embodiment of a mobile,portable communication system 100, which is carried by auser 1. The mobile, portable communication system in this embodiment is an individual mobile,portable communication device 102. The mobile,portable communication device 102 is suitable for carrying out a method for behaviour-based authentication of theuser 1 to the mobile,portable communication system 100. The mobile,portable communication device 102 has asensor 110, which is suitable for capturing a gross-motor movement of theuser 1 asmeasurement data 500. The mobile,portable communication device 102 also has amemory 120, in which themeasurement data 500 can be stored in processed form as classification results 600. The mobile,portable communication device 102 also has aprocessor 130, which executes the gross-motor classification module 200. - If the
user 1 performs a gross-motor movement and at the same time is carrying themobile communication device 102, thesensor 110 can capture this movement in the form ofmeasurement data 500. Thesensor 110 can be configured for example as an acceleration sensor or a gyroscope or a combination thereof. The movement of thecurrent user 1 for example can be walking, jogging, running or a movement of the arm, if the device which has thesensor 110 and is part of the mobile,portable communication system 100 is fastened to the arm. - For example, a gross-motor movement can be understood to mean movement sequences such as walking, jogging, running, skipping, climbing, balancing, bicycle riding, car driving or a movement of the arm, for example when drinking, when looking at a wristwatch, or when removing the mobile,
portable communication system 100 from a pocket. - The gross-
motor classification module 200 receives themeasurement data 500 from thesensor 110 and classifies themeasurement data 500 as a gross-motor movement. Based on the classification, the gross-motor classification module 200 generates theclassification result 600. Thisclassification result 600 is stored in thememory 120 of the mobile,portable communication device 102. - If the user is authenticated in accordance with the
classification result 600, themeasurement data 500, 510 and theapplication data 550 contributing to the successful authentication are stored in thememory 120 of the mobile,portable communication system 100 or are added to a comparison data set stored in thememory 120 in order to be used for future authentication attempts when generating the future classification results 600. -
FIG. 2 shows the authentication method 400 for behaviour-based authentication of a user to a mobile,portable communication system 100 in a flow diagram. The authentication method 400 can be divided into two portions A and B. Portion A is performed repeatedly and thus forms a loop-like execution structure. Thesensor 110 captures the gross-motor movement of theuser 1 asmeasurement data 500. Themeasurement data 500 are input in step S200 into the gross-motor classification module 200. Based on themeasurement data 500, the gross-motor classification module 200 in step S210 generates theclassification result 600. The generatedclassification result 600 is stored in thememory 120 of the mobile,portable classification system 100. Thesensor 110 then capturesnew measurement data 500. The entire method according to portion A is executed repeatedly. - In an embodiment of the invention the
sensor 110 captures themeasurement data 500 in the form of the data stream (stream), wherein the gross-motor classification module 200 receives and processes themeasurement data 500 in the form of a stream. The classification results 600 are stored in thememory 120 of the mobile,portable communication system 100 at very short time intervals, which are specified by the clock rate of the processor and/or the sensor. - Portion B is then executed when an application sends an
authentication request 700 to the operating system and/or an application program of the mobile,portable communication system 100, which application program is configured for behaviour-based authentication. Theauthentication request 700 includes a request to read out at least oneclassification result 600 from thememory 120. The at least one classification result is then read out from thememory 120, and in step S800 is checked by the operating system or the application program configured for behaviour-based authentication against a checkingcriterion 800. If theclassification result 600 meets the checkingcriterion 800, the operating system or the application program generates anauthentication signal 710. If theclassification result 600 does not meet the checkingcriterion 800, noauthentication signal 710 is generated. In an embodiment of the invention a plurality ofclassification results 600 are read out from thememory 120 of the mobile,portable communication system 100 and are checked against the checkingcriterion 800. - If the user is authenticated in accordance with the
classification result 600, whereby the sending of an authentication signal has been prompted, themeasurement data 500, 510 and theapplication data 550 contributing to the successful authentication are stored in thememory 120 of the mobile, portable communication system and/or are added to a comparison data set in order to be used for future authentication attempts when generating future classification results 600. -
FIG. 3 shows a further embodiment of the invention. The schematic structure of a mobile,portable communication system 100 is shown, which consists of a plurality ofcommunication devices communication devices user 1, for example. Thecommunication devices communication devices - In various embodiments of the invention the mobile,
portable communication system 100 can comprise one, two, three or more mobile, portable communication devices. - The
communication devices sensors 110 andapplications 112. Thesensors 110 can be for example sensors for capturing a gross-motor movement, for example an acceleration sensor or a gyroscope. Theapplications 112 generateapplication data 550. - In further embodiments of the invention the
applications 112 can access sensors for capturing the position of the mobile,portable communication system 100, sensors for capturing biometric data, in particular a camera for capturing shape features such as face shape, ear shape or palm line shape, a fingerprint sensor, or physiological sensors, which for example measure the blood pressure or the pulse of theuser 1, wherein these sensors are comprised by the mobile, portable communication system. - In a further embodiment of the invention a sensor for capturing fine-motor movements captures a fine-motor movement of the user. The sensor for capturing fine-motor movements can be embodied as a screen, in particular as a touchscreen.
- The
measurement data 500, 510 and theapplication data 550, once they have been captured by thesensors 110 and theapplications 112, are sent from thecommunication devices classification modules 200. Theclassification modules 200 determine confidence values for themeasurement data 500, 510 and theapplication data 550, on which basis theclassification result 600 is generated. The generatedclassification result 600 is then stored in thememory 120. - If the user is authenticated in accordance with the
classification result 600, themeasurement data 500, 510 and theapplication data 550 contributing to the successful authentication are stored in thememory 120 of the mobile, portable communication system and/or are added to a comparison data set in order to be used for future authentication attempts when generating future classification results 600. -
FIG. 4 shows the schematic structure for determining theclassification result 600 from themeasurement data 500. Firstly, asensor 110 captures the gross-motor movement of theuser 1 in the form ofmeasurement data 500. Themeasurement data 500 are then sent to the gross-motor classification module 200. The gross-motor classification module 200 calls up apattern function 210 from the memory and in step S220 compares thepattern function 210 with themeasurement data 500. Themeasurement data 500 are assigned to a first number ofclassification parameters 520. Acomparison data set 220, which contains data reflecting the gross-motor movement of the user, wherein the data of thecomparison data set 220 have the structure of themeasurement data 500, is stored in thememory 120 of the mobile,portable communication system 100. -
Comparison parameters 230, which were calculated from the data of thecomparison data set 220, are assigned to thecomparison data set 220. The gross-motor classification module 200 reads out thecomparison parameters 230 from thememory 120 of the mobile, portable communication system and compares thecomparison parameters 230 with theclassification parameters 520 in step S230. Based on the difference, the gross-motor classification module 200 calculates at least oneconfidence value 540, wherein eachconfidence value 540 is assigned aclassification parameter 520 and therefore the number ofclassification parameters 520 is equal to the number of confidence values 540. - The confidence values 540 are then processed in step S500, for example by forming the mean value, the median, mode or by a more complex calculation, in order to form a
classification result 600. Theclassification result 600 is stored in thememory 120 of the mobile,portable communication system 100. In the event of an authentication request, theclassification result 600 is read out from thememory 120 of the mobile,portable communication system 100. - In an embodiment of the invention the
application data 550 and the fine-motor measurement data 510 are processed similarly to themeasurement data 500. In accordance with this embodiment the fundamental structure of the various classification modules is the same or similar, since each module performs the same operations. The commands are adapted in the modules to the particular input data. - In a further embodiment of the invention the confidence values 540 are stored directly in the
memory 120 of the mobile,portable communication system 100 and can be read out in the event of anauthentication request 700. - If the user is in accordance with the
classification result 600, themeasurement data 500 contributing to the successful authentication are added in thememory 120 of the mobile, portable communication system, in order to be used for future authentication attempts when generating the future classification results 600. -
FIG. 5 shows, in a flow diagram, the schematic course of a further embodiment of the invention. In accordance with this embodiment of the invention,application data 550 are captured in addition to themeasurement data 500 and are processed. Theapplication data 550 can comprise the position data of the mobile, portable communication system, which data are captured by a method for position determination by a position sensor of the mobile,portable communication system 100, the application usage data of theuser 1, the biometric data of theuser 1, which data are captured by a sensor for capturing biometric data, the connection data of the mobile,portable communication system 100 with other devices, or the calendar and/or time data of a clock implemented in the mobile,portable communication system 100 or an external clock, the signal of which is received by a sensor of the mobile,portable communication system 100. - The method loop A′ is executed similarly to the method loop A according to
FIG. 2 , wherein, instead of themeasurement data 500, theapplication data 550 are input into the applicationbehaviour classification module 200. Method loop A and method loop A′ each generate aclassification result 600, which is stored in thememory 120 of the mobile,portable communication system 100. - In a further embodiment of the invention the
classification result 600 contains the processedmeasurement data 500, the processedapplication data 550 and the processed fine-motor measurement data 510. The fine-motor measurement data 510 are processed by a separate method loop A″ (not shown here). - Method loop A″ is executed similarly to method loop A according to
FIG. 2 , wherein, instead of themeasurement data 500, the measurement data 510 are input into the fine-motor classification module 200. Method loop A and method loop A″ each generate aclassification result 600, which is stored in thememory 120 of the mobile,portable communication system 100. - In response to an
authentication request 700, the at least oneclassification result 600 is read out and is checked against a checkingcriterion 800. The result of the checking of theclassification result 600 against the checkingcriterion 800 determines whether or not anauthentication signal 710 is sent. Anauthentication signal 710 is generated and sent if the checkingcriterion 800 is met. If the checkingcriterion 800 is not met, noauthentication signal 710 is generated. - In a further embodiment of the invention a signal which displays the failure of the authentication of the
current user 1 to the mobile,portable communication system 100 is generated in the event that the checkingcriterion 800 is not met. - The steps of the
authentication request 700, the reading out of the at least oneclassification result 600, the checking of the at least oneclassification result 600 against a checkingcriterion 800, and the generation of anauthentication signal 710 are represented by the method loop B. -
FIG. 6a shows a flow diagram which illustrates method loops A, A′ and A″ according toFIG. 5 . In step S60, themeasurement data 500, 510 and theapplication data 550 are captured. The capturedmeasurement data 500, 510 and theapplication data 550 are input in step S62 into therelevant classification module 200. The gross-motor measurement data 500 are input into the gross-motor classification module. The fine-motor measurement data 510 are input into the fine-motor classification module. Theapplication data 550 are input into the application behaviour classification module. - In step S64 the
classification modules 200 generate one or more classification results 600. For example, aclassification result 600 is generated which comprises the evaluation of the gross-motor measurement data 500, the fine-motor measurement data 510 and/or theapplication data 550. The generatedclassification results 600 are stored in step S66 in thememory 120 of the mobile,portable communication system 100. Lastly, theclassification modules 200 are trained in step S68, wherein the training is dependent on theclassification result 600. -
FIG. 6b shows the training according to step S68 ofFIG. 6a in detail. Firstly, it is checked whether theuser 1 was able to be authenticated by theclassification result 600 to the mobile,portable communication system 100. If this is not the case, the capturedmeasurement data 500, 510 and the application data are discarded, and no training takes place. - If the authentication of the
user 1 was successful, themeasurement data 500, 510 and theapplication data 550 are added to one or morecomparison data sets 220 and are thus stored in thememory 120 of the mobile, portable communication system. For example, thememory 120 comprises separatecomparison data sets 200 for the gross-motor measurement data 500, the fine-motor measurement data 510 and/or theapplication data 550. For example, thememory 120 comprises a comparison data set for themeasurement data 500, 510 and theapplication data 550. - In one embodiment it is now checked whether the comparison dataset or the
comparison data sets 220 contains/containmeasurement data 500, 510 and/orapplication data 550 which are older than a specific threshold age. The threshold age is defined for example by theuser 1 or the mobile, portable communication system. For example, this threshold age can be days, weeks, months or years. For example, it is four weeks, three months or one year. - If the
comparison data sets 220 have altered as a result of the addition ofnew measurement data 500, 510 and/orapplication data 550 and/or the deletion ofold measurement data 500, 510 and/orapplication data 550, therespective comparison parameters 230 are determined anew. Thesenew comparison parameters 230 are stored for example in the memory of the mobile,portable communication system 100 and are available to therelevant classification module 200 at the time of the next authentication attempt. Alternatively, thecomparison parameters 230 are calculated anew in the event of each authentication attempt, such that it can be ensured thatcurrent comparison parameters 230 trained to the authorised or registered user are always used for the authentication. -
- 1: user
- 100: communication system
- 102: communication device
- 104: communication device
- 106: communication device
- 110: sensor
- 112: application
- 120: memory
- 130: processor
- 200: classification module
- 210: pattern function
- 220: comparison data set
- 230: comparison parameter
- 400: authentication method
- 500: measurement data
- 510: fine-motor measurement data
- 520: classification parameter
- 540: confidence values
- 550: application data
- 600: classification result
- 700: authentication request
- 710: authentication signal
- 800: checking criterion
- 900: application
- S60: capture of the measurement data and application data
- S62: input of the measurement data and application data in the classification module
- S64: generation of the classification results
- S66: storage of the classification results
- S68: training of the classification module
- S200: input of the measurement data in the classification module
- S210: generation of the classification result
- S220: comparison of the measurement data with the pattern function
- S230: comparison of the classification parameters with the comparison parameters
- S500: calculation of the classification result
- S800: checking of the classification result
Claims (20)
1. method for behaviour-based authentication of a current user to a mobile, portable communication system, which has at least one sensor for capturing gross-motor measurement data, a gross-motor classification module, a processor and an internal memory,
wherein a user is registered in the mobile, portable communication system,
wherein the sensor is designed to capture the gross-motor measurement data of a gross-motor movement of the current user of the mobile portable communication system,
wherein the gross-motor classification module is trained to recognise a generic gross-motor movement pattern with the help of training data sets of a user cohort and implements a machine-learning method, wherein the gross-motor classification module is executed by the processor of the mobile portable communication system,
wherein the method comprises the following steps:
a) repeated execution of the following steps with use of the machine-learning method:
i. capture of the gross-motor measurement data by the at least one sensor of the mobile, portable communication system, wherein the gross-motor measurement data are the movement data of the gross-motor movement of the current user,
ii. input of the gross-motor measurement data into the gross-motor classification module,
iii. generation of a first classification result by the gross-motor classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
iv. storage of the first classification result in the memory of the mobile, portable communication system, and
v. training of the gross-motor classification module with the gross-motor measurement data of the current user in order to train the gross-motor classification module for a user-specific gross-motor movement pattern on the condition that, in accordance with the first classification result, the current user is the user registered in mobile, portable communication system,
b) access to the memory of the mobile, portable communication system in order to read out at least one of the stored first classification results from the memory,
c) evaluation of the at least one read-out first classification result in accordance with a specified checking criterion,
d) generation of an authentication signal if the checking criterion is met, wherein the authentication signal signals a successful authentication of the current user.
2. The method according to claim 1 , wherein the mobile, portable communication system comprises an untrained application behaviour classification module,
wherein the application behaviour classification module is executed by the processor of the mobile, portable communication system,
wherein the method further comprises:
a) repeated execution of the following steps with use of the machine-learning method:
i. capture of application data,
ii. input of the application data into the application behaviour classification module,
iii. generation of a second classification result by the application behaviour classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
iv. storage of the second classification result in the memory of the mobile, portable communication system,
v. training of the application behaviour classification module with the application data of the current user in order to train the application behaviour classification module to a user-specific application behaviour pattern on the condition that, in accordance with the second classification result, the current user is the user registered in the system and/or on the condition that, in accordance with the first classification result, the current user is the user registered in the system,
b) access to the memory of the mobile, portable communication system in order to read out at least one of the stored second classification results from the memory,
wherein the second classification result is also included in the evaluation of the first classification result in accordance with the checking criterion.
3. The method according to claim 2 , wherein the application data can comprise:
position data of the mobile, portable communication system, which are captured by a method for position determination by a sensor for determining the position of the mobile, portable communication system, and/or
application usage data of the current user, and/or
biometric data of the current user, which are captured by a sensor for capturing biometric data, and/or
connection data of the mobile, portable communication system to other devices and/or
calendar and/or time data of a clock implemented in the mobile, portable communication system or an external clock, the signal of which is received by a sensor of the mobile, portable communication system.
4. The method according to claim 1 , wherein the mobile, portable communication system comprises a fine-motor classification module,
wherein the fine-motor classification module is configured for classification of fine-motor measurement data and is trained for recognition of a fine-motor movement of a registered user, wherein the fine-motor classification module is executed by the processor of the mobile, portable communication system,
wherein the method further comprises:
repeated execution of the following steps with use of the machine-learning method:
capture of the fine-motor measurement data,
input of the fine-motor measurement data into the fine-motor classification module,
generation of a third classification result by the fine-motor classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
storage of the third classification result in the memory of the mobile, portable communication system,
training of the fine-motor classification module with the fine-motor measurement data of the current user in order to train the fine-motor classification module to a user-specific fine-motor movement pattern on the condition that, in accordance with the third classification result, the current user is the user registered in the system and/or on the condition that, in accordance with the first classification result, the current user is the user registered in the system,
access to the memory of the mobile, portable communication system in order to read out at least one of the stored third classification results from the memory,
wherein the third classification result is also included in the evaluation of the first classification result in accordance with the checking criterion.
5. The method according to claim 1 , wherein at least one first pattern in the form of a first pattern function and at least one first comparison data set are stored in the memory of the mobile, portable communication system,
wherein the first comparison data set comprises a plurality of the gross-motor measurement data, wherein at least one first comparison parameter is calculated from the plurality of the gross-motor measurement data of the first comparison data set,
wherein the gross-motor classification module performs the following steps when the gross-motor measurement data are input:
a) comparison of the captured gross-motor measurement data with the at least one first pattern function,
b) assignment of the gross-motor measurement data to the first pattern assigned to the first pattern function and attainment of at least one first classification parameter corresponding to the first pattern, if the gross-motor measurement data can be assigned to the at least one first pattern,
c) calculation of a confidence value for each first classification parameter by a comparison of the at least one first classification parameter with the relevant first comparison parameter of the first comparison data set, and
d) generation of the first classification result from the first confidence values of the first classification parameters,
and wherein the step of training comprises an addition of the captured gross-motor measurement data to the first comparison data set.
6. The method according to claim 2 , wherein at least one second pattern in the form of a second pattern function and at least one second comparison data set are stored in the memory of the mobile, portable communication system,
wherein the second comparison data set comprises a plurality of the application data, wherein at least one second comparison parameter is calculated from the plurality of the application data of the second comparison data set, wherein the application behaviour classification module performs the following steps when the application data are input:
a) comparison of the captured application data with the at least one second pattern function,
b) assignment of the application data to the second pattern assigned to the second pattern function and attainment of at least one second classification parameter corresponding to the second pattern, if the application data can be assigned to the at least one second pattern,
c) calculation of a confidence value for each second classification parameter by a comparison of the second classification parameter with the relevant second comparison parameter of the second comparison data set, and
d) generation of the second classification result from the second confidence values of the second classification parameters,
and wherein the step of training comprises an addition of the captured application data to the second comparison data set.
7. The method according to claim 4 , wherein at least one third pattern in the form of a third pattern function and at least one third comparison data set are stored in the memory of the mobile, portable communication system, wherein the third comparison data set comprises values for at least one third comparison parameter, wherein the fine-motor classification module performs the following steps when the fine-motor measurement data are input:
a) comparison of the captured fine-motor measurement data with the at least one third pattern function,
b) assignment of the fine-motor measurement data to the third pattern assigned to the third pattern function and attainment of at least one third classification parameter corresponding to the third pattern, if the fine-motor measurement data can be assigned to the at least one third pattern,
c) calculation of a confidence value for each third classification parameter by a comparison of the third classification parameter with the relevant third comparison parameter of the third comparison data set, and
d) generation of the third classification result from the third confidence values of the third classification parameters,
and wherein the step of training comprises an addition of the captured fine-motor measurement data to the third comparison data set.
8. The method according to claim 1 , wherein the checking criterion is met if:
at least one of the first and/or second and/or third classification results exceeds/exceed a threshold value specified by the checking criterion and/or
a maximum age of the first and/or second and/or third classification results specified by the checking criterion is not exceeded and/or
a minimum number of first and/or second and/or third classification results exceeding the threshold value is present.
9. The method according to claim 6 , wherein the gross-motor measurement data which are part of the first comparison data set and which are older than a defined time are removed from the first comparison data set and are deleted from the memory of the mobile, portable communication system, and the application data, which are part of the second comparison data set and which are older than the defined time are removed from the second comparison data set and are deleted from the memory of the mobile, portable communication system, and the fine-motor measurement data which are part of the third comparison data set and which are older than the defined time are removed from the third comparison data set and are deleted from the memory of the mobile, portable communication system.
10. The method according to claim 4 , wherein, at the time of evaluation of the first, second and/or third classification result, the second and/or third classification result is included only if, in the previous step, the gross-motor classification module recognised a gross-motor movement of the current user in the gross-motor measurement data.
11. The method according to claim 1 , wherein the current user of the mobile, portable communication system must authenticate himself to the mobile, portable communication system following an initial commissioning.
12. The method according to claim 1 , wherein the mobile, portable communication system sends a signal to the current user after the initial commissioning, which signal contains a request for personalisation of the mobile, portable communication system by generation of the at least one first and/or second and/or third comparison data set by the current user.
13. The method according to claim 1 , wherein the machine-learning method is a random forest algorithm.
14. A system for behaviour-based authentication of a current user to a mobile, portable communication system, which has at least one sensor for capturing gross-motor measurement data, a gross-motor classification module, a processor and an internal memory,
wherein a user is registered in the mobile, portable communication system,
wherein the sensor is designed to capture the gross-motor measurement data of a gross-motor movement of the current user of the mobile portable communication system,
wherein the gross-motor classification module is trained to recognise a generic gross-motor movement pattern with the help of training data sets of a user cohort and implements a machine-learning method, wherein the gross-motor classification module is executed by the processor of the mobile portable communication system,
wherein the system for behaviour-based authentication of the current user to the mobile, portable communication system performs the following method steps:
a) repeated execution of the following steps with use of the machine-learning method:
i. capture of the gross-motor measurement data by the at least one sensor of the mobile, portable communication system, wherein the gross-motor measurement data are the movement data of the gross-motor movement of the current user,
ii. input of the gross-motor measurement data into the gross-motor classification module,
iii. generation of a first classification result by the gross-motor classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
iv. storage of the first classification result in the memory of the mobile, portable communication system, and
v. training of the gross-motor classification module with the gross-motor measurement data of the current user in order to train the gross-motor classification module for a user-specific gross-motor movement pattern on the condition that, in accordance with the first classification result, the current user is the user registered in mobile, portable communication system,
b) access to the memory of the mobile, portable communication system in order to read out at least one of the stored first classification results from the memory,
c) evaluation of the at least one read-out first classification result in accordance with a specified checking criterion,
d) generation of an authentication signal if the checking criterion is met, wherein the authentication signal signals a successful authentication of the current user.
15. The system according to claim 14 , wherein the mobile, portable communication system comprises an untrained application behaviour classification module,
wherein the application behaviour classification module is executed by the processor of the mobile, portable communication system,
wherein the system for behaviour-based authentication of the current user to the mobile, portable communication system performs the following method steps:
a) repeated execution of the following steps with use of the machine-learning method:
i. capture of application data,
ii. input of the application data into the application behaviour classification module,
iii. generation of a second classification result by the application behaviour classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
iv. storage of the second classification result in the memory of the mobile, portable communication system,
v. training of the application behaviour classification module with the application data of the current user in order to train the application behaviour classification module to a user-specific application behaviour pattern on the condition that, in accordance with the second classification result, the current user is the user registered in the system and/or on the condition that, in accordance with the first classification result, the current user is the user registered in the system,
b) access to the memory of the mobile, portable communication system in order to read out at least one of the stored second classification results from the memory,
wherein the second classification result is also included in the evaluation of the first classification result in accordance with the checking criterion.
16. The system according to claim 15 , wherein the application data can comprise:
position data of the mobile, portable communication system, which are captured by a method for position determination by a sensor for determining the position of the mobile, portable communication system, and/or
application usage data of the current user, and/or
biometric data of the current user, which are captured by a sensor for capturing biometric data, and/or
connection data of the mobile, portable communication system to other devices and/or
calendar and/or time data of a clock implemented in the mobile, portable communication system or an external clock, the signal of which is received by a sensor of the mobile, portable communication system.
17. The system according to claim 14 , wherein the mobile, portable communication system comprises a fine-motor classification module,
wherein the fine-motor classification module is configured to classify fine-motor measurement data and is trained to recognise a fine-motor movement of a registered user, wherein the fine-motor classification module is executed by the processor of the mobile, portable communication system,
wherein the system for behaviour-based authentication of the current user to the mobile, portable communication system performs the following method steps:
repeated execution of the following steps with use of the machine-learning method:
capture of the fine-motor measurement data,
input of the fine-motor measurement data into the fine-motor classification module,
generation of a third classification result by the fine-motor classification module, detailing whether the current user is the user registered in the mobile, portable communication system,
storage of the third classification result in the memory of the mobile, portable communication system,
training of the fine-motor classification module with the fine-motor measurement data of the current user in order to train the fine-motor classification module to a user-specific fine-motor movement pattern on the condition that, in accordance with the third classification result, the current user is the user registered in the system and/or on the condition that, in accordance with the first classification result, the current user is the user registered in the system,
access to the memory of the mobile, portable communication system in order to read out at least one of the stored third classification results from the memory,
wherein the third classification result is also included in the evaluation of the first classification result in accordance with the checking criterion.
18. The system according to claim 14 , wherein at least one first pattern in the form of a first pattern function and at least one first comparison data set are stored in the memory of the mobile, portable communication system,
wherein the first comparison data set comprises a plurality of the gross-motor measurement data, wherein at least one first comparison parameter is calculated from the plurality of the gross-motor measurement data of the first comparison data set,
wherein the gross-motor classification module performs the following steps when the gross-motor measurement data are input:
a) comparison of the captured gross-motor measurement data with the at least one first pattern function,
b) assignment of the gross-motor measurement data to the first pattern assigned to the first pattern function and attainment of at least one first classification parameter corresponding to the first pattern, if the gross-motor measurement data can be assigned to the at least one first pattern,
c) calculation of a confidence value for each first classification parameter by a comparison of the at least one first classification parameter with the relevant first comparison parameter of the first comparison data set, and
d) generation of the first classification result from the first confidence values of the first classification parameters,
and wherein the step of training comprises an addition of the captured gross-motor measurement data to the first comparison data set.
19. The system according to claim 15 , wherein at least one second pattern in the form of a second pattern function and at least one second comparison data set are stored in the memory of the mobile, portable communication system,
wherein the second comparison data set comprises a plurality of the application data, wherein at least one second comparison parameter is calculated from the plurality of the application data of the second comparison data set,
wherein the application behaviour classification module performs the following steps when the application data are input:
a) comparison of the captured application data with the at least one second pattern function,
b) assignment of the application data to the second pattern assigned to the second pattern function and attainment of at least one second classification parameter corresponding to the second pattern, if the application data can be assigned to the at least one second pattern,
c) calculation of a confidence value for each second classification parameter by a comparison of the second classification parameter with the relevant second comparison parameter of the second comparison data set, and
d) generation of the second classification result from the second confidence values of the second classification parameters,
and wherein the step of training comprises an addition of the captured application data to the second comparison data set.
20. The system according to claim 17 , wherein at least one third pattern in the form of a third pattern function and at least one third comparison data set are stored in the memory of the mobile, portable communication system,
wherein the third comparison data set comprises values for at least one third comparison parameter,
wherein the fine-motor classification module performs the following steps when the fine-motor measurement data are input:
a) comparison of the captured fine-motor measurement data with the at least one third pattern function,
b) assignment of the fine-motor measurement data to the third pattern assigned to the third pattern function and attainment of at least one third classification parameter corresponding to the third pattern, if the fine-motor measurement data can be assigned to the at least one third pattern,
c) calculation of a confidence value for each third classification parameter by a comparison of the third classification parameter with the relevant third comparison parameter of the third comparison data set, and
d) generation of the third classification result from the third confidence values of the third classification parameters,
and wherein the step of training comprises an addition of the captured fine-motor measurement data to the third comparison data set.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102016225644.0 | 2016-12-20 | ||
DE102016225644.0A DE102016225644A1 (en) | 2016-12-20 | 2016-12-20 | Method and system for behavior-based authentication of a user |
PCT/EP2017/083042 WO2018114676A1 (en) | 2016-12-20 | 2017-12-15 | Method and system for behavior-based authentication of a user |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2017/083042 A-371-Of-International WO2018114676A1 (en) | 2016-12-20 | 2017-12-15 | Method and system for behavior-based authentication of a user |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/306,450 Continuation US12093358B2 (en) | 2016-12-20 | 2023-04-25 | Method and system for behavior-based authentication of a user |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190311095A1 true US20190311095A1 (en) | 2019-10-10 |
Family
ID=60888401
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/470,832 Abandoned US20190311095A1 (en) | 2016-12-20 | 2017-12-15 | Method and system for behavior-based authentication of a user |
US18/306,450 Active US12093358B2 (en) | 2016-12-20 | 2023-04-25 | Method and system for behavior-based authentication of a user |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/306,450 Active US12093358B2 (en) | 2016-12-20 | 2023-04-25 | Method and system for behavior-based authentication of a user |
Country Status (5)
Country | Link |
---|---|
US (2) | US20190311095A1 (en) |
EP (1) | EP3559845A1 (en) |
CN (1) | CN110268405A (en) |
DE (1) | DE102016225644A1 (en) |
WO (1) | WO2018114676A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20240028683A1 (en) * | 2020-06-11 | 2024-01-25 | Capital One Services, Llc | Methods and systems for executing a user instruction |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
SG10201909659QA (en) * | 2018-10-17 | 2020-05-28 | Tata Consultancy Services Ltd | System and method for authenticating humans based on behavioral pattern |
KR20200089971A (en) * | 2019-01-18 | 2020-07-28 | 삼성전자주식회사 | Electronic device and operating method for authenticating a user |
DE102021105256A1 (en) | 2021-03-04 | 2022-09-08 | Audi Aktiengesellschaft | Mobile communication device and method for operating a mobile communication device |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008110597A2 (en) * | 2007-03-14 | 2008-09-18 | Bundesdruckerei Gmbh | Method for authenticating an individual |
US20100100950A1 (en) * | 2008-10-20 | 2010-04-22 | Roberts Jay B | Context-based adaptive authentication for data and services access in a network |
US20120007713A1 (en) * | 2009-11-09 | 2012-01-12 | Invensense, Inc. | Handheld computer systems and techniques for character and command recognition related to human movements |
EP2458524A1 (en) * | 2010-11-25 | 2012-05-30 | Deutsche Telekom AG | Identifying a user of a mobile electronic device |
WO2012093393A1 (en) * | 2011-01-07 | 2012-07-12 | Seal Mobile Id Ltd | Method and system for unobtrusive mobile device user recognition |
WO2014142947A1 (en) * | 2013-03-15 | 2014-09-18 | Intel Corporation | Continuous authentication confidence module |
US20140333524A1 (en) * | 2013-05-13 | 2014-11-13 | Ohio University | Motion-based identity authentication of an individual with a communications device |
US20150066822A1 (en) * | 2013-09-03 | 2015-03-05 | The Arizona Board Of Regents For And On Behalf Of Arizona State University | Systems and methods for authenticating a user through an unobservable re-authentication system |
US20150339477A1 (en) * | 2014-05-21 | 2015-11-26 | Microsoft Corporation | Risk assessment modeling |
US20160027399A1 (en) * | 2013-03-15 | 2016-01-28 | Intel Corporation | Mobile computing device technology and systems and methods utilizing the same |
US9355236B1 (en) * | 2014-04-03 | 2016-05-31 | Fuji Xerox Co., Ltd. | System and method for biometric user authentication using 3D in-air hand gestures |
US20160180078A1 (en) * | 2014-12-23 | 2016-06-23 | Jasmeet Chhabra | Technologies for enhanced user authentication using advanced sensor monitoring |
US20170076518A1 (en) * | 2015-09-11 | 2017-03-16 | Comcast Cable Communications, Llc | Consensus Based Authentication and Authorization Process |
US9760702B1 (en) * | 2014-07-14 | 2017-09-12 | Jpmorgan Chase Bank, N.A. | Systems and methods for driver authentication through embedded sensing |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6687390B2 (en) * | 2001-12-04 | 2004-02-03 | Applied Neural Conputing Ltd. | System for and method of web signature recognition system based on object map |
KR100847532B1 (en) * | 2006-04-06 | 2008-07-21 | 재단법인서울대학교산학협력재단 | User terminal and authenticating apparatus used for user authentication using information of user's behavior pattern |
US8345935B2 (en) * | 2008-03-17 | 2013-01-01 | International Business Machines Corporation | Detecting behavioral deviations by measuring eye movements |
US8241912B2 (en) * | 2008-06-26 | 2012-08-14 | Wms Gaming Inc. | Gaming machine having multi-touch sensing device |
KR101242390B1 (en) * | 2011-12-29 | 2013-03-12 | 인텔 코오퍼레이션 | Method, apparatus and computer-readable recording medium for identifying user |
TWI533159B (en) * | 2013-10-18 | 2016-05-11 | 國立臺灣科技大學 | A continuous identity authentication method for computer users |
US10534900B2 (en) * | 2014-02-21 | 2020-01-14 | Samsung Electronics Co., Ltd. | Electronic device |
CN104239761B (en) * | 2014-09-15 | 2017-06-27 | 西安交通大学 | The identity for sliding behavioural characteristic based on touch screen continues authentication method |
US11669604B2 (en) * | 2019-06-10 | 2023-06-06 | Daon Technology | Methods and systems for authenticating a user |
-
2016
- 2016-12-20 DE DE102016225644.0A patent/DE102016225644A1/en active Pending
-
2017
- 2017-12-15 WO PCT/EP2017/083042 patent/WO2018114676A1/en unknown
- 2017-12-15 CN CN201780083368.0A patent/CN110268405A/en active Pending
- 2017-12-15 US US16/470,832 patent/US20190311095A1/en not_active Abandoned
- 2017-12-15 EP EP17822637.9A patent/EP3559845A1/en active Pending
-
2023
- 2023-04-25 US US18/306,450 patent/US12093358B2/en active Active
Patent Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008110597A2 (en) * | 2007-03-14 | 2008-09-18 | Bundesdruckerei Gmbh | Method for authenticating an individual |
US20100100950A1 (en) * | 2008-10-20 | 2010-04-22 | Roberts Jay B | Context-based adaptive authentication for data and services access in a network |
US20120007713A1 (en) * | 2009-11-09 | 2012-01-12 | Invensense, Inc. | Handheld computer systems and techniques for character and command recognition related to human movements |
EP2458524A1 (en) * | 2010-11-25 | 2012-05-30 | Deutsche Telekom AG | Identifying a user of a mobile electronic device |
WO2012093393A1 (en) * | 2011-01-07 | 2012-07-12 | Seal Mobile Id Ltd | Method and system for unobtrusive mobile device user recognition |
US20150373007A1 (en) * | 2013-03-15 | 2015-12-24 | Intel Corporation | Continuous Authentication Confidence Module |
WO2014142947A1 (en) * | 2013-03-15 | 2014-09-18 | Intel Corporation | Continuous authentication confidence module |
US20160027399A1 (en) * | 2013-03-15 | 2016-01-28 | Intel Corporation | Mobile computing device technology and systems and methods utilizing the same |
US20140333524A1 (en) * | 2013-05-13 | 2014-11-13 | Ohio University | Motion-based identity authentication of an individual with a communications device |
WO2014186274A2 (en) * | 2013-05-13 | 2014-11-20 | Ohio University | Motion-based identity authentication of an individual with a communications device |
US20150066822A1 (en) * | 2013-09-03 | 2015-03-05 | The Arizona Board Of Regents For And On Behalf Of Arizona State University | Systems and methods for authenticating a user through an unobservable re-authentication system |
US9355236B1 (en) * | 2014-04-03 | 2016-05-31 | Fuji Xerox Co., Ltd. | System and method for biometric user authentication using 3D in-air hand gestures |
US20150339477A1 (en) * | 2014-05-21 | 2015-11-26 | Microsoft Corporation | Risk assessment modeling |
US9760702B1 (en) * | 2014-07-14 | 2017-09-12 | Jpmorgan Chase Bank, N.A. | Systems and methods for driver authentication through embedded sensing |
US20160180078A1 (en) * | 2014-12-23 | 2016-06-23 | Jasmeet Chhabra | Technologies for enhanced user authentication using advanced sensor monitoring |
US20170076518A1 (en) * | 2015-09-11 | 2017-03-16 | Comcast Cable Communications, Llc | Consensus Based Authentication and Authorization Process |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20240028683A1 (en) * | 2020-06-11 | 2024-01-25 | Capital One Services, Llc | Methods and systems for executing a user instruction |
Also Published As
Publication number | Publication date |
---|---|
DE102016225644A1 (en) | 2018-06-21 |
EP3559845A1 (en) | 2019-10-30 |
US20230267185A1 (en) | 2023-08-24 |
US12093358B2 (en) | 2024-09-17 |
WO2018114676A1 (en) | 2018-06-28 |
CN110268405A (en) | 2019-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12093358B2 (en) | Method and system for behavior-based authentication of a user | |
US20200178077A1 (en) | System and method for implicit authentication | |
US10511600B2 (en) | Maintaining user authentications with common trusted devices | |
US20190156345A1 (en) | Adaptive biometric and environmental authentication system | |
US9961547B1 (en) | Continuous seamless mobile device authentication using a separate electronic wearable apparatus | |
US9788203B2 (en) | System and method for implicit authentication | |
US20200004939A1 (en) | Biometric authentication | |
US20160226865A1 (en) | Motion based authentication systems and methods | |
EP3482331B1 (en) | Obscuring data when gathering behavioral data | |
US20150371023A1 (en) | Usage modeling | |
US20160350761A1 (en) | Method and Apparatus for Managing Reference Templates for User Authentication Using Behaviometrics | |
US10216914B2 (en) | System, method, and apparatus for personal identification | |
US11102648B2 (en) | System, method, and apparatus for enhanced personal identification | |
JP5823651B1 (en) | Authentication system, authentication method, and authentication program | |
US11636188B2 (en) | Combining biometrics, hidden knowledge and intent to authenticate | |
Smith-Creasey et al. | Adaptive threshold scheme for touchscreen gesture continuous authentication using sensor trust | |
US20220414194A1 (en) | Method and system for user authentication | |
Tanviruzzaman et al. | Your phone knows you: Almost transparent authentication for smartphones | |
US20190158496A1 (en) | System, Method, and Apparatus for Personal Identification | |
US11632368B2 (en) | Method and system for the behaviour-based authentication of a user | |
US10810288B2 (en) | Method and system for behavior-based authentication of a user | |
JP6942957B2 (en) | Authentication system, authentication controller, authentication device and program | |
RU2817264C2 (en) | Method of protecting electronic multifunctional mobile device from unauthorized access | |
RU2817264C9 (en) | Method of protecting electronic multifunctional mobile device from unauthorized access | |
Filina et al. | Mobile authentication over hand-waving |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |