Advanced Subscriber Authentication Approaches For Third Generation Mobile
Clarke NL, Furnell SM, Reynolds PL, Rodwell PM
This paper concerns the requirements for security within 3G networks, with particular focus upon subscriber authentication techniques. Although this aspect has already been recognised and addressed in 2G networks using SIM-based Personal Identification Numbers (PINs), the proposed services of UMTS demand a more secure subscriber-based authentication system in order to protect personal information in the event of masquerade attacks, particularly due to the convergence in function with Personal Digital Assistant (PDA) type devices and a consequent expansion in the range of sensitive information that such a device might hold and access.
The paper will demonstrate the inadequacy of current subscriber authentication technologies, by considering the results of a survey of 161 mobile users, and examining their attitudes and practices in relation to PIN-based security. Given these results, even in a 2G context, the prognosis for the successful application of the same methods in 3G is not encouraging. Fortunately, however, the responses from the same users suggest a willingness to accept more advanced authentication techniques, based upon biometric technologies, provided that implementation is achieved in a non-intrusive manner.
Building upon the findings from the survey, the paper will present a conceptual architecture for non-intrusive subscriber authentication, which may be flexibly implemented at the handset and network levels. The general operation of the architecture will be outlined, along with the considerations that influence whether a network-centric, terminal-centric, or hybrid implementation would be desirable. Such an architecture would support a range of authentication techniques, which would be invoked as appropriate depending upon the context of the mobile service being utilised. For example, a voice-related service could potentially utilise speaker recognition, whereas a data/browsing-oriented session would typically require an alternative technique as its primary measure.
As an illustration of how such an architecture might operate in practice, the paper will discuss the results of a prototype implementation of keystroke dynamics on a mobile handset. This technique, as currently evaluated, offers the means to authenticate subscriber identity according to their interactions with the keypad of the mobile handset. Such a technique offers the opportunity for transparent operation, unless impostor activity is suspected. An initial experimental study has been conducted with 16 participants, and the paper will present details of the false acceptance and false rejection rates observed. It is envisaged that keystroke analysis could be one of several measures that would operate in a 3G subscriber authentication framework.
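The following sketch is an added example, not code or data from the paper: it shows how false acceptance and false rejection rates are computed for a keystroke-dynamics verifier. The classifier (mean absolute z-score of inter-key latencies against an enrolled profile), the three users, the thresholds and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed inter-key latencies (ms) for one fixed 4-digit keypad entry:
# three gaps per attempt. Hypothetical users A, B, C; not data from the study.
ENROL = {
    "A": [[200, 210, 190], [220, 190, 210], [180, 200, 200]],
    "B": [[300, 310, 280], [330, 290, 320], [270, 300, 300]],
    "C": [[240, 260, 220], [260, 250, 240], [220, 270, 200]],
}
# Later attempts by each user, replayed as genuine and as impostor claims.
PROBES = {
    "A": [[205, 195, 205], [250, 230, 225]],
    "B": [[310, 295, 290], [295, 305, 310]],
    "C": [[235, 265, 225], [215, 215, 205]],
}

def build_profile(samples):
    """Per-gap (mean, sample standard deviation) from enrolment attempts."""
    return [(mean(col), stdev(col)) for col in zip(*samples)]

def score(profile, attempt):
    """Mean absolute z-score; lower means closer to the enrolled rhythm."""
    z = [abs(x - mu) / sigma for x, (mu, sigma) in zip(attempt, profile)]
    return sum(z) / len(z)

def far_frr(threshold):
    """Return (FAR, FRR) when an attempt is accepted if score <= threshold."""
    profiles = {user: build_profile(s) for user, s in ENROL.items()}
    false_accepts = false_rejects = genuine = impostor = 0
    for claimed, profile in profiles.items():
        for actual, attempts in PROBES.items():
            for attempt in attempts:
                accepted = score(profile, attempt) <= threshold
                if actual == claimed:
                    genuine += 1
                    false_rejects += not accepted
                else:
                    impostor += 1
                    false_accepts += accepted
    return false_accepts / impostor, false_rejects / genuine

if __name__ == "__main__":
    # Assumed thresholds, chosen to show the FAR/FRR trade-off.
    for t in (0.5, 1.5, 2.8):
        far, frr = far_frr(t)
        print(f"threshold={t}: FAR={far:.1%} FRR={frr:.1%}")
```

On this constructed data, tightening the threshold removes false acceptances while leaving genuine users rejected, and loosening it does the reverse, which is why both rates are reported together.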
The content of the paper is based upon ongoing research work at the University of Plymouth, which is being conducted in collaboration with Orange Personal Communications Services.