In this project, we look into an alternative authentication method to replace passwords. Web services are typically protected by passwords, which has some disadvantages. For example, it is hard to remember many complicated passwords, and passwords get stolen through leaks (see HPI Identity Leak Checker).
It is more user-friendly if our devices can recognize their owners, e.g. using physical characteristics or behavior. Thus, the devices can easily detect if a user changes, because the new person has other characteristics and a different behavior.
Devices that are able to read or scan biometric features can be quite expensive. We avoid this burden for the users by using devices that the users already have. The main device is the smartphone. Other possible devices are wearables (smartwatches, fitness bands) or IoT devices (e.g. from a smart home environment). All these devices offer a variety of sensors that can detect different patterns of user behavior.
Currently, we look into edge cases of gait recognition. While walking, we do a lot of different activities (reading or watching something on the smartphone, telephoning, etc.). Many walking classifiers have problems recognizing the correct user while that user is doing one of these activities.
Trust Level Method
The results of all behavior-based recognition are fused into one single value, the trust level. This trust level is sent to web services instead of a password. The web service decides which trust level threshold is necessary to access its service or which functions are available.
The trust level is sent in regular intervals. This enables continuous authentication. If the user changes, the device will detect it, the trust level will be low, and then the service can lock the access.
The trust level is the only information that leaves the user device. The biometric data stays on the device and never leaves it. This is a privacy feature.
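The trust level flow described above, as an added sketch that is not the project's own code. The weighted-mean fusion, the recognizer names, the weights, the per-function thresholds and the 30-second freshness window are all assumptions made for illustration; the page does not specify them.

```python
# Device side (assumed): weighted mean of per-recognizer scores in [0, 1].
# Recognizer names and weights are constructed for this example.
WEIGHTS = {"gait": 0.5, "touch": 0.3, "location": 0.2}

def fuse(scores, weights=WEIGHTS):
    """Fuse recognizer scores into one trust level; only this value leaves the device."""
    total = sum(weights.values())
    # A recognizer with no result contributes zero trust (fail closed).
    level = sum(min(max(scores.get(k, 0.0), 0.0), 1.0) * w
                for k, w in weights.items()) / total
    return round(level, 3)

# Service side (assumed): each function has its own trust level threshold.
POLICY = {"read_balance": 0.5, "transfer_money": 0.8}
MAX_AGE_S = 30  # a report older than this no longer counts

class Session:
    def __init__(self):
        self.level, self.seen = 0.0, None

    def report(self, level, now):
        """Store the latest trust level sent by the device."""
        if not 0.0 <= level <= 1.0:
            raise ValueError("trust level out of range")
        self.level, self.seen = level, now

    def allowed(self, function, now):
        """Allow only with a fresh report at or above the function's threshold."""
        threshold = POLICY.get(function)
        if threshold is None:
            return False  # unknown function: deny
        if self.seen is None or now - self.seen > MAX_AGE_S:
            return False  # device stopped reporting: lock access
        return self.level >= threshold

def demo():
    s = Session()
    # Constructed scores: the owner is walking with the phone.
    s.report(fuse({"gait": 0.9, "touch": 0.8, "location": 1.0}), now=0)
    owner = (s.allowed("read_balance", 5), s.allowed("transfer_money", 5))
    # Constructed scores: a different person picked up the device.
    s.report(fuse({"gait": 0.2, "touch": 0.4, "location": 1.0}), now=10)
    changed = (s.allowed("read_balance", 12), s.allowed("transfer_money", 12))
    stale = s.allowed("read_balance", 100)  # no report for 90 s
    return owner, changed, stale

if __name__ == "__main__":
    print(demo())
```

The service never sees the individual recognizer scores, only the fused number, and it treats a missing or stale report the same as a low trust level.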