----------------------- REVIEW 2 ---------------------
PAPER: 97
TITLE: Touchalytics: On the Applicability of Touchscreen Input as a Behavioral Biometric for Continuous Authentication
AUTHORS: (anonymous)

[Short summary of paper's technical contributions]
This paper proposes the use of touchscreen input as a biometric for authentication to touchscreen devices. The advantage of doing so is continuous authentication without explicit user effort. The paper presents a user study with 40 participants to evaluate the design.

[Strengths of the submission]
The idea seems to be interesting at first thought.

[Weaknesses of the submission]
1. The experimental results are not convincing, which can be a major concern for such a paper.
2. It seems that the only way to apply the approach is to combine it with password authentication, which voids some of the key advantages of the approach.

[Overall evaluation and importance]
The basic idea in this paper is rather simple and natural. The key question is whether touchscreen input is good enough as a biometric for authentication. As a result, experimental evaluation is the central part of the paper, and the experimental results will roughly determine whether this is a good idea or not.

Unfortunately, the evaluation in this paper is far from thorough. The experiments are in a controlled setting with only 40 participants. I feel this is far from sufficient for such a paper. Note that given the nature of the proposed approach, it is very hard to intuitively judge whether it will likely work. (In particular, Figure 1 does not really allow me to get an intuition that the approach works, since all Figure 1 says is that you can easily have 8 different input patterns, which just translates to 3 bits of entropy.) So every question will have to be answered solely from the experiments.

The experimental results are not great either. The most interesting usage scenario is the long-term authentication scenario in Section 6.2, and the false-positive and false-negative rates can often be above 10%. Given these results, it seems that in practice, the approach will almost always be combined with password-based authentication. (If not, a legitimate user who fails to pass the biometric-based authentication will have to desperately try various different ways of touching the screen.) Having to retain password-based authentication significantly hurts the value of the approach, since many of the drawbacks (described in Section 1) of password-based authentication will continue to apply. For example, smudge attacks will still apply. Also, continuously detecting intruders is no longer possible since the intruder can repeatedly input passwords when biometric-based authentication fails.

[Concrete questions for authors]