Observation Resistant Human Authentication Systems (ORHAS)


Passwords are susceptible to observation, i.e., someone watching a user, either directly or through a hidden camera, typing his/her password can successfully impersonate the user.


An alternative to passwords that is secure against observation yet maintains usability is an important goal. The aim of this project is to develop such alternate authentication schemes. We call such schemes Observation Resistant Human Authentication Systems.

At present, our research focus is on the following sub-projects.

Cognitive Authentication Schemes

Cognitive authentication schemes employ human cognitive abilities to authenticate. The server sends a challenge to the user who responds by mentally computing a function of the challenge and the password. We can think of the responses generated as dynamic passwords.


Our research in cognitive authentication schemes is further divided into two directions

  • Design new and usable cognitive authentication schemes
  • Security analysis of existing cognitive authentication schemes to propose new attacks that will help us build more secure schemes in the future

Continuous and Implicit Authentication

Another alternative to passwords is to use an implicit and continuous authentication system. The system is implicit because of it can authenticate users based on the actions they would carry out anyway while using their devices. The system is continuous because it runs in the background without disturbing the user. The system only asks the user to enter password if an intrusion is detected.


Our current work shows that implicit and continuous authentication is feasible on smart glasses. Our system looks at the touch gestures (taps and swipes) on the touchpad of the smart glass to see if they match the pattern of the user or an intruder.

Hybrid Authentication

One of the major shortcomings of cognitive authentication schemes is that they suffer from usability. The number of rounds required to compute a function of the challenge depend on the cardinality of the response space. The response space cannot be too large, or else the computation cannot be performed by a human. Inevitably, the number or rounds need to be increased (to avoid random guesses), impacting usability.

The aim of this project is to utilise behavioural biometric modalities which have some potential of being observation resistant and couple them with a cognitive authentication scheme. The resulting scheme is more usable, as we can partially rely on hardness of mimicking the behavioural biometric templates, thus reducing the number of rounds.

We have come up with a scheme that combines a new cognitive authentication scheme with a new gesture-based behavioural biometric scheme. The cognitive scheme can be thought of as based on a contrived learning with errors problem. The behavioural biometric scheme uses words constructed from certain letters in the English alphabet that are hard to write.

login_a     login_b

Side Channel Attacks on ORHAS

Just like other cryptosystems, ORHAS may be prone to certain side channel attacks due to variation in human behaviour while executing a protocol. If the complexity of a task performed is high, human behaviour will deviate significantly from the behaviour modelled in an abstract instance of a protocol. An example of such behaviour is the time taken by a human to compute response to a challenge in a cognitive authentication scheme. Since the challenges are randomised, it is highly likely that a human user will compute responses to some challenges faster than other challenges. This opens the door to some sort of timing attack.

We are involved in the University of Surrey and Singapore Management University’s COMMANDO-HUMANS project to explore this research area. The project explores whether human behaviour related insecurity can be detected automatically by applying human cognitive models to model and simulate humans involved in security systems. Currently, we are exploring the extent to which timing attacks can be applied to our proposed hybrid authentication scheme.


  • Hassan Jameel Asghar, Data61-CSIRO.
  • Jagmohan Chauhan, Data61-CSIRO.
  • Benjamin Zi Hao Zhao, Data61-CSIRO.
  • Jonathan Chan, Data61-CSIRO.
  • Dali Kaafar, Data61-CSIRO.
  • Toni Perkovic, University of Split.
  • Shujun Li, University of Surrey.
  • Robert Deng, Singapore Management University.




  • Jagmohan Chauhan, Benjamin Zi Hao Zhao, Hassan Jameel Asghar, Jonathan Chan, Dali Kaafar, BehavioCog: An Observation Resistant Authentication Scheme. Financial Cryptography and Data Security (FC) 2017 (to appear).
  • Jagmohan Chauhan, Hassan Jameel Asghar, Mohamed Ali Kaafar, Anirban Mahanti 2015, Gesture-based Continuous Authentication for Wearable Devices: the Google Glass Case. ACNS 2016.
  • Hassan Jameel Asghar, Ron Steinfeld, Shujun Li, Dali Kaafar, Josef Pieprzyk 2015, On the Linearization of Human Identification Protocols: Attacks based on Linear Algebra, Coding Theory and Lattices. IEEE Transactions on Information Forensics and Security, vol. 10, no, 8, pp. 1643-1655, April, 2015.
  • Hassan Jameel Asghar and Mohamed Ali Kaafar 2015, When are Identification Protocols with Sparse Challenges Safe? The Case of the Coskun and Herley Attack. Under submission