Realizing a Safe and Comfortable Society with Lifestyle Authentication
The Next-Generation Personal Authentication Course (sponsored by Mitsubishi UFJ NICOS) held at the Social ICT Research Center, Graduate School of Information Science and Technology, The University of Tokyo, is undertaking research on a new personal authentication technology that has been named "lifestyle authentication".
As the use of ICT expands, personal authentication has become indispensable for online services such as online shopping and social networking services.
Lifestyle authentication builds on each user's everyday habits, that is, his or her lifestyle. As such, it allows the user to authenticate identity without hassle.
Lifestyle authentication is a new authentication technology that was developed in the MITHRA (Multi-factor Identification/auTHentication ReseArch) Project. As we enter the age of IoT, we can now extract meaningful information from big data. Against the backdrop of such recent social change, we are conducting research on lifestyle authentication as a way to resolve existing problems in authentication technology.
Lifestyle authentication verifies a user's identity by referring to his or her life log data. Life logs are records of the user's history that are stored in smartphones and other ICT devices. Verifying identity against the everyday habits that life logs reflect is called lifestyle authentication.
For example, using the position information from a user's smartphone, authentication is performed by checking whether the user has moved outside the sphere of his or her everyday activities, such as home or office, or has otherwise deviated from regular everyday habits.
Moreover, in lifestyle authentication, the combination of authentication factors can be changed flexibly so that it is easy to use. Previously, multi-factor authentication required a variety of actions from the user, which made it less convenient. Lifestyle authentication addresses this by referring to the user's daily activity patterns, thus reducing stress in the authentication process. The authentication factors include smartphone device information, positional information, Wi-Fi information, shopping history, and data sent from sensors in wearable devices. This unique method makes it possible to leverage existing infrastructure while remaining flexible enough to accommodate new authentication methods.
Issues in existing authentication technology
Limitations of IDs and passwords
Today's authentication technology involves two issues: most websites rely on IDs and passwords, and users tend to reuse the same passwords. Various alternatives have been proposed, such as one-time passwords, IC cards, and two-step verification by SMS. However, the reality is that these methods have not been widely adopted. Some have said that this could be resolved by improving user literacy, but no efforts have been made in this area, either.
Don't focus just on information security
Today's research on information security mostly prioritizes safety and largely remains within a paradigm in which security must absolutely prevent all unauthorized use. In reality, however, society's frameworks are built on the expectation that fraud will occur. For example, with credit cards, fraudulent use is reported after the invoice is sent to the user. By offering protection after the fact, companies place importance on security to a certain extent, but they do not expect to eradicate fraud completely. Rather than trying to eliminate fraud entirely, we find it necessary to conduct research on technology that reduces it.
Technology that offers high user convenience
For almost two decades, there have been calls for authentication technology that offers high security while also offering great convenience. However, no solution has been offered to date.
Risk-based authentication is a technology that authenticates a user based only on the information provided by the server and forgoes any action by the user. It uses the IP address or operating system information of the device the user is using. When certain criteria are not met, the technology judges that the use is fraudulent and asks for a different type of authentication. Currently, risk-based authentication uses only the information provided by the device in use. However, by referring to a wider range of information, such as that provided by smartphones and wearable devices, the technology promises not only to detect irregularities but also to verify the user's identity.
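The following added example (not code from the MITHRA project or this page) sketches how the location check described earlier and the step-up decision of risk-based authentication could be combined into one score. The `Profile` fields, the weights, the 2 km radius, the threshold and all sample observations are assumptions constructed for illustration.

```python
# Added illustration: not the MITHRA project's algorithm. All names, weights
# and thresholds are assumptions; the profile and observations are constructed.
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt


@dataclass
class Profile:
    """Habits learned from a user's life log (constructed sample values)."""
    places: list                       # (lat, lon) of home, office, ...
    devices: set = field(default_factory=set)
    wifi: set = field(default_factory=set)
    radius_km: float = 2.0             # assumed size of the "everyday sphere"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def lifestyle_score(profile, obs):
    """Add points for each factor matching the profile; a missing factor adds 0."""
    score = 0
    if obs.get("device") in profile.devices:
        score += 40
    if obs.get("wifi") in profile.wifi:
        score += 20
    pos = obs.get("position")
    if pos and any(haversine_km(pos, p) <= profile.radius_km for p in profile.places):
        score += 40
    return score


def decide(profile, obs, threshold=60):
    """Accept silently when habits match, otherwise ask for another factor."""
    return "accept" if lifestyle_score(profile, obs) >= threshold else "step_up"


PROFILE = Profile(places=[(35.7138, 139.7627), (35.6650, 139.7595)],
                  devices={"phone-A"}, wifi={"home-ap", "office-ap"})
USUAL = {"device": "phone-A", "wifi": "office-ap", "position": (35.6655, 139.7600)}
AWAY = {"device": "phone-A", "position": (34.6937, 135.5023)}   # far from both places
UNKNOWN = {"device": "phone-Z", "wifi": "cafe-ap"}              # no position reported

if __name__ == "__main__":
    for name, obs in (("usual", USUAL), ("away", AWAY), ("unknown", UNKNOWN)):
        print(name, lifestyle_score(PROFILE, obs), decide(PROFILE, obs))
```

A known device alone does not reach the threshold here, so a stolen phone used far from the owner's habitual places triggers a request for another factor rather than a silent accept.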
Adapting to today's society
Just because a technology reduces incidences of fraud and offers great convenience does not mean that it will be implemented. This is because it is important to also consider the cost.
The cost of making overall structural changes, such as distributing a new device to all users or making major changes to the infrastructure, is extremely high. Today, the use of smartphones has spread at an explosive pace. Wearable devices are also penetrating the user market. It has been said that we are entering the age of IoT, wherein every single device around us is connected to a network. Moreover, active steps are being taken to leverage big data, which are built from large volumes of various information retrieved from these devices. In this regard, personal authentication technology must also evolve in light of the age of IoT and big data.
Demonstration test for lifestyle authentication
In order to determine which algorithm is optimal for each dataset and which parameters are appropriate, we must analyze actual user data. During the three and a half months from January 11, 2017 to April 26, 2017, we collaborated with 13 companies to conduct a demonstration test that linked with existing commercial services. The scale of this test was large even by international standards.
As a result, we successfully collected information from about 57,000 users, including data from devices and Wi-Fi, positional information, IP addresses, use time, exercise history, comics browsing history, and information from electronic ads.
We presented to the user what types of information we were retrieving and what we were using them for, as a way to respect the participating users' cooperation in allowing their information to be provided. Moreover, during the test, we held demonstrations at Caretta Shiodome, Tokyo Dome, and Roppongi Hills, among other locations, to offer an occasion for people to experience lifestyle authentication. We would like to hereby express our gratitude for all those participants who offered to share their data, as well as the companies and people who collaborated with us in the demonstration tests.
Realizing a safe and comfortable society with lifestyle authentication
Lifestyle authentication does not seek to rely only on ICT to achieve perfection. Rather, it seeks to ensure safety by engaging society as a whole. Right now, authentication takes place on a one-time basis. In the future, although the process may be instant, the authentication itself will be based on data collected over a long period of time. We believe this will be the standard.
There are many issues to address, such as privacy. However, exposure in one's everyday life will soon mean that the user is creating many small walls against intruders.
It is important to uphold safety and assurance while balancing them against cost and convenience. As ICT is flexible, it is important to introduce technology that offers an appropriate balance among these factors.
Going forward, we believe that lifestyle authentication will be used on even more occasions and that society as a whole will become a slightly safer place.