Biometric systems like Apple’s gimmicky new fingerprint scanner may look fancy, but if researchers have their way, similar systems for detecting whether or not your phone has been stolen will be a lot less cumbersome. The alternative to fingerprint scanning, swipe-based lock screens and numerical codes is a system called implicit identification. Its promise—seamless, always-on security that only gets better as our phones become smarter and more laden with sensors—could eliminate or at least reduce the use of lock screens on phones, and also make them secure enough to act as our mobile wallets, keys to our homes and cars, and stores of our health and other critical records.
They key to implicit identification is that it identifies who is using a phone by a host of unique signals we can’t help but give off as we use a mobile device. Researchers have tried a variety of them, and they include our location and patterns of movement (pdf), the apps we use, the frequency and nature of our touch gestures, the way that we walk (pdf), the speed and style of our typing (pdf), our call frequency, the time of day we carry out all of these activities, and even the subtle way our hands shake as we hold our phones (pdf).
Once a phone has gathered enough data about the unique combination of these traits, it simply waits for a person to deviate sufficiently from his or her typical patterns, and then asks him or her for some kind of explicit verification, like a passcode (pdf). The advantage of this approach means that security on phones can be on by default, and they can shut themselves down or even send out an alert if they’re suspected to have been stolen, even before the user realizes the phone is gone. Another advantage is that, as smartphones become ever more important for the elderly and disabled, these systems could, absent even a lock screen, provide security for individuals who have trouble dealing with typical lock screens.
Implicit security also solves perhaps the thorniest security problem of them all: If an attacker can hack into or impersonate your device, they can wreak havoc with systems that think that you and your device are one and the same. (Imagine, for example, how much damage a thief could do to your life if they got hold of an unsecured smartphone that is already logged into your email accounts.)
Sophisticated versions of these kinds of attacks have already been used to gain access to people’s bank accounts via their smartphones. As security expert Bruce Schneier points out, there is only one way to truly secure against these kinds of attacks: look at user behavior in order to authenticate that requests are coming from the human being who should be making them, rather than assuming that a “secure” device is always in the hands of the person who owns it.
This is exactly how fraud detection on credit cards in the US works, and it’s the reason that people can buy things with little more than a credit card swipe and an (illegible) signature—if a card is ever stolen, banks are evaluating every single transaction to see whether it fits the behavioral pattern for that person. That’s why, for example, credit card transactions can sometimes be refused if a person goes on vacation without notifying his or her bank first.
Implicit security is only as good as the data used to achieve it. Credit card companies know where you live, where and how often you shop, what you buy and the amounts of money you usually spend. But a smartphone can record a list of information that is growing longer by the day—the always-on sound sensor in Google’s Moto X and the always-on motion sensor in Apple’s iPhone 5S are just the latest examples of the way our phones have turned into sophisticated sensor clusters and the ultimate tools for self-surveillance. As our phones gain new ways to sense their environments—Samsung’s Galaxy S4 can even sense temperature and humidity—the ways in which they can authenticate their original user is only going to multiply.
Google already uses implicit security to help prevent unauthorized access to its services. If you’ve ever found yourself logged out of Gmail when accessing it from a new Wi-Fi network, you’ve seen it in action. That implies that Google is already using things like your location (at the least) to determine that you are who you are. As smartphones record and transmit more and more data about us, the hitch security researchers could face is one entirely different from authenticating users. As one paper on the topic notes, the problem will be ensuring that all of this data is secured from eavesdropping by the telecoms, internet companies and governments that provide the infrastructure on which our mobile devices depend.