MAUTH: Continuous User Authentication Based on Subtle Intrinsic Muscular Tremors

Continuous authentication is viewed to be increasingly important for mobile devices, which store a wide range of private data and sensitive information of users. Traditional continuous authentication methods need user inputs (e.g. typing, sliding). In this work, we present MAUTH, a zero-effect continuous authentication scheme for mobile devices. With the built-in motion sensors on commercial off-the-shelf (COTS) devices, MAUTH can continuously extract, classify and verify the unique tremor features of users on how their body intrinsically shakes during the normal use of such devices. As a result, it is extremely difficult if not impossible to reproduce the same set of tremors as individuals differ in their muscle development. We implement MAUTH as a software on Android-based smartphones, which demonstrates that MAUTH is light-weight and unobtrusive to its users. We conduct extensive real-world experiments and trace-driven simulations in controlled and uncontrolled environments on 21 volunteers. The results show that MAUTH is difficult to counterfeit and achieves a low average false positive rate (FPR) of 6.73% under real-world spoofing attacks. Moreover, MAUTH is comfortable to use and can achieve a low average false negative rate (FNR) of 2.2% during uncontrolled and continuous usage of devices, leveraging isolation-forest-based classifiers trained with only 40 training samples.