MobiCom '20 Paper #1046 Reviews and Comments
===========================================================================
Paper #1046 Towards Usable and Secure Location-based Smartphone Authentication


Review #1046A
===========================================================================

Overall merit
-------------
2. Weak paper, limited novelty and limited evaluation

Novelty and Excitement
----------------------
1. Unremarkable ideas

Technical Quality
-----------------
1. Flawed and unlikely to be fixable in camera-ready

Writing Quality
---------------
B. Needs improvement

Reviewer expertise
------------------
2. Good

Paper summary
-------------
This paper first conducted an interview study to understand users’ perceptions and expectations on the use of trusted locations to implicitly unlock their phones. Based on the requirements identified through the study, the authors developed a location-based screen lock application for Android and conducted a real-world field study. Through analysis, the authors identified security risks associated with freely allowing users to choose locations for unlocking phones and offer design recommendations for enhancing location selection security.

Strengths
---------
+ This paper studies users’ perceptions on the location-based smartphone authentication and identifies vital design requirements such as the need to support fine-grained indoor location registration through interview study.
+ The authors implemented a lightweight indoor location-based authentication application that uses WiFi signal strength measurements collected from nearby access points to detect trusted locations to reduce 37% unlock attempts. Moreover, the authors offer design recommendations for enhancing location selection security.

Weaknesses
----------
- Although the authors explored the users’ perceptions of the location-based smartphone authentication, the technical contribution of the proposed application is not very outstanding.
- The authors do not solve the security problem in location-based smartphone authentication, and the conclusion raised by the authors seems a little contradicted with the principle of the proposed model.
- In the requirement study section, the popularity of the location-based smartphone authentication is not confirmed in the interview study, and the necessity of developing location-based smartphone unlocking is not very clear.
- How to work in outdoor locations, and the mechanism of context detector are not very clear.
- The authors empirically determined the optimal threshold for the proposed method; however, how to adjust the threshold when the environment is changed should be further studied.
- The accuracy analysis might be added to the proposed model to evaluate the security of the proposed model.

Comments for author
-------------------
- Although the authors explored the users’ perceptions on the location-based smartphone authentication and conducted a field study with 29 participants to study real-world usage behaviors with a fully working application, the technical contribution of the proposed method seems very limited. The authors should at least explain the challenges in the technical part and make a comprehensive comparison with existing works in indoor and outdoor environments, such as Google’s Smart Lock.

- The authors do not solve the security problem in location-based smartphone authentication, because no attack model is proposed in this work, and how to protect the users from privacy leak in non-private locations is not very clear. Furthermore, the authors suggest that people often register non-private locations as trusted locations and select largest (phone unlock) coverage areas using the proposed model. However, based on this assumption, it seems that an adversary would be able to easily unlock users’ phones by just going near those locations.
Besides, the critical functions of the proposed model, including fine-grained indoor location registration and adjustable location coverage sizes, seem a little redundant.

- In the requirement study section, the popularity of the location-based smartphone authentication is not confirmed in the interview study. According to the authors’ background research, few works had studied the requirement of location-based smartphone unlocking, which reflects the small number of demands of such authentication methods to some degree. Since there are many existing efficient unlocking methods in smartphone devices, analyzing the necessity of developing location-based smartphone unlocking might be more critical.

- How to work in outdoor locations, and the mechanism of context detector are not very clear. The authors propose to use GPS data for outdoor localization. However, the differences between the proposed model and Google’s Smart Lock for outdoor localization are not very clear. Moreover, the context detector which uses the accelerometer to determine when to stop and start collecting WiFi signal should be explained in detail if available. It is necessary to clarify if the proposed model could work properly when users are moving.

- The authors empirically determined the optimal threshold for the proposed method. However, since the physical barriers would have a significant impact on the performance of WiFi-based methods, how to adjust the threshold when the environment is changed should be further studied. Moreover, the reviewer suggests that the threshold of different locations might be stored separately rather than calculating a final threshold by simply averaging all thresholds in different places.

- The accuracy analysis might be added to the proposed model to evaluate the security of the proposed model. Because many users often choose the largest possible phone unlock coverage areas, it is obvious that these users would get low false rejection rates.
Besides, since users are not required to test the unlocking accuracy and false acceptance rate near the edge of the trusted location coverage area, it is likely that the false acceptance rate is very high if the users are not far from the trusted area. Thus, further accuracy evaluation might be added to evaluate the robustness and security of the proposed model.


Review #1046B
===========================================================================

Overall merit
-------------
2. Weak paper, limited novelty and limited evaluation

Novelty and Excitement
----------------------
1. Unremarkable ideas

Technical Quality
-----------------
1. Flawed and unlikely to be fixable in camera-ready

Writing Quality
---------------
B. Needs improvement

Reviewer expertise
------------------
2. Good

Paper summary
-------------
This paper conducts an interview study and a user study on location-based smartphone authentication and reports the results and findings.

Strengths
---------
+ location-based smartphone authentication may be interesting
+ good user study and detailed description on the findings

Weaknesses
----------
- lack of technique contributions
- findings are not very new or insightful

Comments for author
-------------------
Location-based smartphone authentication is an interesting problem. The authors did good work in conducting an interview study to understand users’ perceptions and expectations, developing a real app to conduct a field study to collect real-world user behaviors, and reporting the findings.

My main concern on this paper is its technique contribution. It is a user study paper and the technique part is very weak. However, as a user study paper, the number of participants may be small.

The findings from the real-world usage data are good and reasonable. However, those findings are also kind of expected, and thus less insightful or exciting.
Location-based smartphone authentication requires highly accurate indoor localization which is currently not available thus prevents such an implicit authentication from serious usage.

Some concerns on the field study results: the FAR and FRR reported seem too low. How trustworthy are the results? Indeed, one participant reported zero numbers, leading to the concern whether the results reported by the participants can be trusted or not. In Figure 4, the numbers of visiting home also look too small. It may need more explanation. In addition, in Table 5, one participant chose 6 non-private places but no private place. It seems very strange and it will be good if the authors can do more investigations on the case.


Review #1046C
===========================================================================

Overall merit
-------------
2. Weak paper, limited novelty and limited evaluation

Novelty and Excitement
----------------------
1. Unremarkable ideas

Technical Quality
-----------------
1. Flawed and unlikely to be fixable in camera-ready

Writing Quality
---------------
A. Well written paper

Reviewer expertise
------------------
3. Expert

Paper summary
-------------
The paper presents details of a study on handset unlocking settings preferences. The authors have carried out semi-structured interviews to understand the app usage, and have used an app and a volunteer-based study to assess the usage of GPS + WiFi settings in the phone to unlock the phone.

Strengths
---------
- interesting detailed interviews and qualitative data acquisition
- close look into the usage of the app and locations

Weaknesses
----------
- small-scale data for broad inferences
- data doesn't take us much beyond the known

Comments for author
-------------------
Auto unlocking has been a feature of Android for a few years and Google and other vendors have been using a number of settings and features to further enhance this.
One of the main criteria has been location, but recently features such as Bluetooth have been added, in addition to the addition of \emph{Trusted Face} and \emph{Trusted Voice}. Additionally, a number of trusted locations can be added in the new version.

The study presented in this paper looks at the use of accelerometer for activity recognition, in addition to WiFi and GPS use for detecting home/preferred location. One of the interesting findings has been the addition of potentially unsafe locations by the users.

The WiFi and battery usage studies are rather basic (based on idle experiments in section 3.4). Some of these findings have already been reported in works such as SensingKit and alike.

I was not clear if only GPS location was used, or the \emph{high-accuracy mode} was used which uses WiFi and cell tower as well to achieve higher accuracy within a few meters. Frequent WiFi sensing might not be essential in this case, as Android provides the association already via https://developer.android.com/reference/android/net/wifi/WifiManager

Perhaps tools such as Bluetooth, NFC, or simply being in charge or cradle could also be considered as simple ways of detecting a safe or trusted location, or proximity to a watch or similar equipment (e.g., streaming music to Bluetooth headsets).

In Table 6, wouldn't locations like bathroom or kitchen be part of the house (or an office environment?). It would be interesting to find out why individuals set subway entrance or a hospital as a trusted location.

While I enjoyed reading the paper and the interviews, the study carried out and the findings are not directly comparable with the level of details expected for MobiCom, and might be better suited to venues focusing on user studies on privacy/security such as USIT and SOUPS.