
BioTouchPass Demo: Handwritten Passwords for Touchscreen Biometrics

Ruben Tolosana, Ruben Vera-Rodriguez, Julian Fierrez and Aythami Morales
Biometrics and Data Pattern Analytics - BiDA Lab, Universidad Autonoma de Madrid

(ruben.tolosana,ruben.vera,julian.fierrez,aythami.morales)@uam.es

ABSTRACT
BioTouchPass enhances traditional authentication systems based on Personal Identification Numbers (PIN) and One-Time Passwords (OTP) through the incorporation of biometric information from handwriting as a second level of user authentication. In our proposed approach, users draw each digit of the password on the touchscreen of the device instead of typing them as usual. This way the security of the authentication system increases as impostors need more than the traditional password to get access to the system. BioTouchPass achieves results with Equal Error Rates (EERs) ca. 4.0% when the attacker knows the password, outperforming other authentication schemes based on touch biometrics, and providing a user-friendly interface easily adaptable to a variety of mobile devices and application scenarios.

CCS CONCEPTS
• Security and privacy → Privacy protections; • Human-centered computing → HCI design and evaluation methods; Touch screens; • Applied computing → Electronic commerce.

KEYWORDS
Mobile User Authentication; Passwords; Biometrics; Handwriting; PIN; OTP; Touchscreen; Touch Interaction

ACM Reference Format:
Ruben Tolosana, Ruben Vera-Rodriguez, Julian Fierrez and Aythami Morales. 2019. BioTouchPass Demo: Handwritten Passwords for Touchscreen Biometrics. In Proceedings of the 27th ACM International Conference on Multimedia (MM ’19), October 21–25, 2019, Nice, France. ACM, New York, NY, USA, 3 pages. https://doi.org/10.1145/3343031.3350578

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
MM ’19, October 21–25, 2019, Nice, France
© 2019 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-6889-6/19/10.
https://doi.org/10.1145/3343031.3350578

1 INTRODUCTION
Traditionally, the two most prevalent user authentication approaches have been PIN and OTP. While PIN-based authentication systems require users to memorize their personal passwords, OTP-based systems spare users from memorizing them, as the security system is in charge of selecting and providing the user with a different password each time one is required, e.g., sending messages to personal mobile devices or special tokens. Despite the high popularity of authentication modules based on PIN and OTP for touchscreen devices (smartphones and tablets), many studies have highlighted the weaknesses of these approaches [2, 4]. First, it is common to use passwords based on sequential digits, personal information such as birth dates, or simply words such as “password” or “qwerty” that are often easy to guess. Second, passwords that are typed on mobile devices such as tablets or smartphones are susceptible to “smudge attacks”, i.e., the deposition of finger grease traces on the touchscreen can be used by impostors to guess the password [1]. Finally, password-based authentication is also vulnerable to “shoulder surfing”. This type of attack occurs when the impostor can observe the user directly or use external recording devices to collect the user information. This attack has attracted the attention of many researchers in recent years due to the increased deployment of handheld recording devices and public surveillance infrastructures [6, 13]. Biometric recognition schemes are able to cope with these challenges by combining both a high level of security and convenience [5].

In this study, we present the design of a novel mobile authentication approach, named BioTouchPass, that incorporates handwriting biometric information into traditional authentication passwords, asking the users to draw each digit of the password on the touchscreen of the device (Figure 1). One example of use that motivates our proposed approach is internet payments with credit cards. Banks usually send a numerical password (typically between 6 and 8 digits) to the user’s mobile device. This numerical password must be typed by the user in the security platform in order to complete the payment. BioTouchPass enhances such a scenario by including a second authentication factor based on the dynamic biometric information generated while drawing the digits.

2 BIOTOUCHPASS
2.1 Acquisition
BioTouchPass has been designed in order to provide the best possible user experience in different application scenarios. It incorporates a user-friendly interface easily adaptable to a variety of mobile devices, allowing users to draw the digits while feeling comfortable. For tablet devices, users can draw all digits of the password on a single screen. However, for smartphone devices, the acquisition interface is changed depending on the length of the password. For passwords shorter than 5 digits, users can perform the complete password on a single screen. Otherwise, we propose that users perform each digit of the password one by one (Figure 1). This aspect is crucial for both usability and system performance [8, 9].

[Figure 1 diagram labels: Acquisition; Authentication (OCR, Biometric Analysis); Password; M68gY4; Access Granted; Access Denied.]
Figure 1: BioTouchPass system diagram.

Finally, when designing biometric authentication systems for practical applications, there are usually two conflicting factors: i) the amount of data requested from the user during enrolment, and ii) the security level provided by the biometric system. These parameters can be easily modified in BioTouchPass in order to provide the best user experience in each application scenario.

2.2 Authentication
BioTouchPass biometric technology is based on [8] and comprises two main stages:

• Feature Extraction, which is based on time functions [12]. Signals captured by the digitizer (i.e., X and Y spatial coordinates) are used to extract a set of 21 time functions for each digit related to kinematic, geometric and direction information. Sequential Forward Floating Search (SFFS) is used to select the best subsets of time functions for each handwritten digit to improve the system performance in terms of EER.

• Similarity Computation, based on the combination of both Dynamic Time Warping (DTW) and Recurrent Neural Networks (RNNs), which obtains state-of-the-art results. In particular, this second system is based on Bidirectional Long-Short Term Memory (BLSTM) with a Siamese architecture in order to learn a dissimilarity metric from pairs of samples [10].
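
An added example, not the authors' implementation or code from the paper: a minimal version of the DTW branch of the two stages above. It assumes a subset of five time functions (x, y, x and y velocity, speed) instead of the 21 selected with SFFS, omits the BLSTM branch, and uses constructed trajectories of the digit 7; all function names are hypothetical.

```python
import math

def time_functions(points):
    """Map (x, y) touch samples to z-normalised per-sample features:
    x, y, x/y velocity and speed (an assumed subset, not the paper's 21)."""
    n = len(points)
    rows = []
    for i, (x, y) in enumerate(points):
        lo, hi = max(i - 1, 0), min(i + 1, n - 1)
        span = float(hi - lo)  # 2 in the middle, 1 at either end
        vx = (points[hi][0] - points[lo][0]) / span
        vy = (points[hi][1] - points[lo][1]) / span
        rows.append([x, y, vx, vy, math.hypot(vx, vy)])
    cols = []
    for col in zip(*rows):  # z-normalise each time function independently
        mean = sum(col) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / n) or 1.0
        cols.append([(v - mean) / std for v in col])
    return [list(r) for r in zip(*cols)]

def dtw_distance(a, b):
    """Length-normalised DTW cost between two feature sequences."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)  # row 0 of the accumulated-cost matrix
    for fa in a:
        cur = [inf] * (len(b) + 1)
        for j, fb in enumerate(b, start=1):
            cur[j] = math.dist(fa, fb) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[-1] / (len(a) + len(b))

def match_score(enrolment, probe):
    """Mean DTW distance from a probe digit to the enrolled samples of it."""
    p = time_functions(probe)
    return sum(dtw_distance(time_functions(e), p) for e in enrolment) / len(enrolment)

def draw_seven(n_top, n_diag, slant, wobble):
    """Constructed test data: a '7' as a top bar followed by a diagonal stroke."""
    top = [(100.0 * i / n_top, wobble * math.sin(i)) for i in range(n_top)]
    diag = [(100.0 - slant * j / n_diag, -150.0 * j / n_diag)
            for j in range(n_diag + 1)]
    return top + diag

# Constructed samples: two enrolment drawings by one user, then two probes.
user_a = [draw_seven(15, 25, 40, 1.0), draw_seven(15, 26, 41, 1.2)]
genuine_probe = draw_seven(16, 25, 39, 0.9)   # same user, later session
impostor_probe = draw_seven(5, 20, 95, 0.5)   # correct digit, other dynamics

if __name__ == "__main__":
    print("genuine :", round(match_score(user_a, genuine_probe), 3))
    print("impostor:", round(match_score(user_a, impostor_probe), 3))
```

Both probes are the correct digit, so an OCR check alone would accept either; only the dynamics separate them.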

3 BIOTOUCHPASS ON REAL SCENARIOS
This section studies the robustness of BioTouchPass against attacks. Here, we make the assumption that impostors know the password of the user to attack (e.g., by shoulder surfing) and thus, the attack would have 100% success rate if BioTouchPass was not present.

The e-BioDigit database presented in [8] is considered here for the analysis. In this database users had to draw numbers from 0 to 9 one by one using a Samsung Galaxy Note 10.1 tablet. Each user had to draw a total of 8 numerical sequences from 0 to 9 in two different acquisition sessions.

The experimental protocol considered in this study has been designed keeping in mind real scenarios. Thus, genuine samples from the first session are used as enrolment samples, whereas the 4 genuine samples from the second session are left for testing. This way, we consider the inter-session variability, a key aspect in touchscreen and behavioral biometrics in general [3, 11]. Finally, impostor scores are obtained by comparing the enrolment samples with one genuine sample of each of the remaining users (simulating this way the imitation attack in which the impostor knows the password).

Table 1: BioTouchPass authentication performance in terms of EER (%) on the e-BioDigit evaluation dataset [8].

Password Length | 1 Enrolment Sample | 2 Enrolment Samples | 3 Enrolment Samples
1 | 21.7 | 18.6 | 16.3
2 | 14.0 | 11.6 | 9.5
3 | 11.6 | 9.3 | 7.4
4 | 11.6 | 7.4 | 5.9
5 | 9.3 | 7.3 | 4.7
6 | 8.5 | 4.6 | 4.6
7 | 8.5 | 4.6 | 3.8

[Figure 2 panels: (a) User A, sample 1; (b) User A, sample 2; (c) User B, sample 1; (d) User B, sample 2. Each panel shows the drawn digit with its x and y trajectories plotted against time samples.]
Figure 2: Examples of the digit 7 performed by two different users. Bottom plots are the corresponding X and Y trajectories versus the time samples.

Table 1 analyzes the performance of BioTouchPass for different numbers of enrolment samples and password lengths. First, we analyze how the length of the handwritten password affects the system performance. In general, a considerable system performance improvement (lower EER) is achieved when adding more handwritten digits to the password. For example, for the case of having just one enrolment sample per digit, a password composed of just two handwritten digits achieves a 14.0% EER, an absolute improvement of 7.7% EER compared with the case of using a password with just one digit. Now, we analyze the effect of the number of available enrolment samples on the system performance. In general, the system performance improves with the number of enrolment samples. For example, for the case of having just one enrolment sample and a password composed of just one digit, the biometric system achieves a 21.7% EER. This result is further improved when increasing the number of enrolment samples to 3, achieving a final value of 16.3% EER, an absolute improvement of 5.4% EER. These results show the discriminative power of the dynamic biometric information considered from the handwritten digits to authenticate different users. Examples of the digit 7 performed by two different users are shown in Figure 2. Finally, we expect to further improve BioTouchPass technology through the novel MobileTouchDB database presented in [7].
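
An added example, not part of the paper: computing the EER metric reported in Table 1 from genuine and impostor distance scores, and showing why fusing more digits lowers it. The Gaussian per-digit scores are constructed, averaging per-digit distances into a password score is an assumed fusion rule, and the function names are hypothetical; the output does not reproduce Table 1.

```python
import random

def eer(genuine, impostor):
    """Equal Error Rate for distance scores (lower score = better match).
    Sweeps every observed score as the accept threshold and returns the
    error rate where false accepts and false rejects are closest."""
    best_gap, best_rate = None, None
    for t in sorted(set(genuine) | set(impostor)):
        frr = sum(s > t for s in genuine) / len(genuine)     # genuine rejected
        far = sum(s <= t for s in impostor) / len(impostor)  # impostor accepted
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_rate = gap, (far + frr) / 2
    return best_rate

def password_scores(per_digit_scores, length):
    """Fuse per-digit distances into password-level scores by averaging
    consecutive groups of `length` digits (assumed fusion rule)."""
    return [sum(per_digit_scores[k:k + length]) / length
            for k in range(0, len(per_digit_scores) - length + 1, length)]

def simulate(length, trials=400, seed=7):
    """EER for a password of `length` digits on constructed scores.
    Impostor scores model the page's threat model: the attacker draws the
    correct digits, so only the handwriting dynamics differ."""
    rng = random.Random(seed)
    genuine = [rng.gauss(1.0, 0.5) for _ in range(trials * length)]
    impostor = [rng.gauss(2.0, 0.5) for _ in range(trials * length)]
    return eer(password_scores(genuine, length),
               password_scores(impostor, length))

if __name__ == "__main__":
    for n in (1, 2, 4, 7):
        print(f"password length {n}: EER = {100 * simulate(n):.1f}%")
```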

4 DEMONSTRATION
In this demonstration, visitors will have the opportunity to use BioTouchPass for user authentication on some mobile devices and experiment with different system configuration parameters such as the number of enrolment samples and the length of the password.

ACKNOWLEDGMENTS
This work has been supported by projects: BIBECA (RTI2018-101248-B-I00), Bio-Guard (Ayudas Fundación BBVA a Equipos de Investigación Científica 2017) and by UAM-CecaBank.


REFERENCES
[1] A.J. Aviv, K.L. Gibson, E. Mossop, M. Blaze, and J.M. Smith. 2010. Smudge Attacks on Smartphone Touch Screens. In Proc. of the 4th USENIX Conference on Offensive Technologies. 1–7.

[2] J. Bonneau, C. Herley, P.C.V. Oorschot, and F. Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proc. IEEE Symposium on Security and Privacy. 553–567.

[3] J. Fierrez, A. Pozo, M. Martinez-Diaz, J. Galbally, and A. Morales. 2018. Benchmarking Touchscreen Biometrics for Mobile Authentication. IEEE Transactions on Information Forensics and Security 13, 11 (2018), 2720–2733.

[4] J. Galbally, I. Coisel, and I. Sanchez. 2017. A New Multimodal Approach for Password Strength Estimation - Part I: Theory and Algorithms. IEEE Transactions on Information Forensics and Security 12 (2017), 2829–2844.

[5] W. Meng, D.S. Wong, S. Furnell, and J. Zhou. 2015. Surveying the Development of Biometric User Authentication on Mobile Phones. IEEE Communications Surveys Tutorials 17, 3 (2015), 1268–1293.

[6] D. Shukla, R. Kumar, A. Serwadda, and V.V. Phoha. 2014. Beware, Your Hands Reveal Your Secrets!. In Proc. of the 2014 ACM SIGSAC Conference on Computer and Communications Security.

[7] R. Tolosana, J. Gismero-Trujillo, R. Vera-Rodriguez, J. Fierrez, and J. Ortega-Garcia. 2019. MobileTouchDB: Mobile Touch Character Database in the Wild and Biometric Benchmark. In Proc. Conference on Computer Vision and Pattern Recognition Workshops, CVPRw.

[8] R. Tolosana, R. Vera-Rodriguez, and J. Fierrez. 2019. BioTouchPass: Handwritten Passwords for Touchscreen Biometrics. IEEE Transactions on Mobile Computing (2019).

[9] R. Tolosana, R. Vera-Rodriguez, J. Fierrez, A. Morales, and J. Ortega-Garcia. 2017. Benchmarking Desktop and Mobile Handwriting across COTS Devices: the e-BioSign Biometric Database. PLOS ONE (2017).

[10] R. Tolosana, R. Vera-Rodriguez, J. Fierrez, and J. Ortega-Garcia. 2018. Exploring Recurrent Neural Networks for On-Line Handwritten Signature Biometrics. IEEE Access 6 (2018), 5128–5138.

[11] R. Tolosana, R. Vera-Rodriguez, J. Fierrez, and J. Ortega-Garcia. 2019. Reducing the Template Aging Effect in On-Line Signature Biometrics. IET Biometrics (2019).

[12] R. Tolosana, R. Vera-Rodriguez, J. Ortega-Garcia, and J. Fierrez. 2015. Preprocessing and Feature Selection for Improved Sensor Interoperability in Online Biometric Signature Verification. IEEE Access 3 (2015), 478–489.

[13] Q. Yue, Z. Ling, X. Fu, B. Liu, W. Yu, and W. Zhao. 2014. My Google Glass Sees Your Passwords!. In Proc. Black Hat USA.