This repository contains the full code-base – including a recorded demonstration of the application – of a simple prototype implemented as a proof of concept for the homonymous thesis submitted in fulfillment of the requirements for the degree of Master of Science in Software Design at the IT University of Copenhagen.
Strong and accurate digital user authentication is crucial as more systems move online to be accessed from personal devices. Contributing to this accuracy is also the assurance that the user interacting and performing decisions within the system is, in fact, the authenticated individual. This thesis explores the possibility of continuous authentication using biometrics, introducing a new authentication factor, "something only you can do", to reduce biometrics' vulnerabilities in situations of unaware coercion. This new factor, dependent on the biometric, can be seen as a hybrid between knowledge and secret-based authentication in the form of a user-defined movement sequence performed by a body part relating to the chosen biometric. It is assumed to increase both complexity and memorability compared to traditional user-defined passwords.
We propose a concept for such a two-factor continuous authentication system, including constant, periodic, and punctual verification of the user's identity, introducing time as an additional parameter affecting the system's overall security. Vulnerabilities of the individual and combined factors are explored – considering the probability of compromising the system through guessing and the duration any adversary can spend within such a system. This thesis contributes exploration and definitions within this space, threat modelling of the proposed system, and a simple prototype as a proof of concept.
This class diagram illustrates the overall structure of the prototype, which is organised through the model-view-controller architectural pattern. It contains 15 classes, including three designed to follow the singleton pattern (MovementClassifier, FaceClassifier, PersonsDB), three object expressions that create objects of anonymous classes (FaceMovement, BitmapUtils, ByteBufferUtils), one data class whose sole purpose is to hold data (Frame) and one enumeration class that holds some constants (LensFacing). Three additional classes, usually required to store data in the SQLite database built into Android devices, can be found in the code-base. As is customary in mobile applications, all behaviours that do not affect the user-interface thread run in parallel on background threads.