Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Yanjiao Chen,Meng Xue,Jian Zhang,Qianyun Guan,Zhiyuan Wang,Qian Zhang,Wei Wang

DOI: https://doi.org/10.1145/3494962

2021-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Voice-based authentication is prevalent on smart devices to verify the legitimacy of users, but is vulnerable to replay attacks. In this paper, we propose to leverage the distinctive chest motions during speaking to establish a secure multi-factor authentication system, named ChestLive. Compared with other biometric-based authentication systems, ChestLive does not require users to remember any complicated information (e.g., hand gestures, doodles) and the working distance is much longer (30cm). We use acoustic sensing to monitor chest motions with a built-in speaker and microphone on smartphones. To obtain fine-grained chest motion signals during speaking for reliable user authentication, we derive Channel Energy (CE) of acoustic signals to capture the chest movement, and then remove the static and non-static interference from the aggregated CE signals. Representative features are extracted from the correlation between voice signal and corresponding chest motion signal. Unlike learning-based image or speech recognition models with millions of available training samples, our system needs to deal with a limited number of samples from legitimate users during enrollment. To address this problem, we resort to meta-learning, which initializes a general model with good generalization property that can be quickly fine-tuned to identify a new user. We implement ChestLive as an application and evaluate its performance in the wild with 61 volunteers using their smartphones. Experiment results show that ChestLive achieves an authentication accuracy of 98.31% and less than 2% of false accept rate against replay attacks and impersonation attacks. We also validate that ChestLive is robust to various factors, including training set size, distance, angle, posture, phone models, and environment noises.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Yunfei Liu,Minglu Li

DOI: https://doi.org/10.1109/infocom.2018.8486283

2018-01-01

Abstract:To prevent users' privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, etc., to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Towards this end, we explore liveness verification of user authentication leveraging users' lip movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users' speaking lips leveraging build-in audio devices on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users' speaking lips, and find that there are unique lip movement patterns for different individuals. To characterize the lip movements, we propose a deep learning-based method to extract efficient features from Doppler profiles, and employ Support Vector Machine and Support Vector Domain Description to construct binary classifiers and spoofer detectors for user identification and spoofer detection, respectively. Afterwards, we develop a binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.21% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Linghe Kong,Minglu Li

DOI: https://doi.org/10.1109/tnet.2019.2891733

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:To prevent users’ privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, and so on, to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although the state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Toward this end, we explore liveness verification of user authentication leveraging users’ mouth movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users’ speaking mouths through acoustic sensing on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users’ speaking mouths and find that there are unique mouth movement patterns for different individuals. To characterize the mouth movements, we propose a deep learning-based method to extract efficient features from Doppler profiles and employ softmax function, support vector machine, and support vector domain description to construct multi-class identifier, binary classifiers, and spoofer detectors for mouth state identification, user identification, and spoofer detection, respectively. Afterward, we develop a balanced binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.2% accuracy in user identification and 93.1% accuracy in spoofer detection.

Jie Ying,Tiantian Zhu,Qiang Liu,Chunlin Xiong,Zhengqiu Weng,Tieming Chen,Lei Fu,Mingqi Lv,Han Wu,Ting Wang,Yan Chen

DOI: https://doi.org/10.1109/tmc.2023.3265071

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:The authentication technology of mobile device users has been studied for decades. To balance security, privacy, and usability, motion sensors-based user authentication methods are widely investigated in recent years. However, existing studies meet the problems such as scarcity of training samples, underutilization of data, poor de-noising ability, insufficient transferability, privacy leakage, and low accuracy. To overcome these difficulties, we propose a system, called for Transferable, Real-time, Anti-noise, and Privacy-preserving mobile user COGnition., with the following capabilities: 1) In the phase of data collection, can eliminate man-made noise (mislabeling) through differential training based on down-sampling. 2) In the model training stage, the siamese neural network with Long Short-Term Memory (LSTM) as the sub-network is used to achieve sufficient coverage of sample patterns and the transferability of the model. 3) In the phase of real-world authentication, the privacy of the user is tremendously protected through end-side model deployment and local authentication. Experimental results on a dataset composed of 1,513 users with real-world noise show that TRAP COG has high accuracy and strong transferability, which is much better than state-of-the-art studies.

computer science, information systems,telecommunications

Tiantian Zhu,Zhengqiu Weng,Qijie Song,Yuan Chen,Qiang Liu,Yan Chen,Mingqi Lv,Tieming Chen

DOI: https://doi.org/10.1109/tmc.2020.3012491

IF: 6.075

2020-01-01

IEEE Transactions on Mobile Computing

Abstract:Mobile authentication is a fundamental factor in the protection of user’s private resources. In recent years, motion sensor-based biometric authentication has been widely used for privacy-preserving. However, it faces with the problems including low data collection efficiency, insufficient authentication scenario coverage rate, weak de-noising ability, and poor robustness of models, rendering existing methods difficult to meet the security, privacy, and usability requirements jointly in the real-world scenario. To overcome these difficulties, we propose a system called EspialCog, which is able to 1) collect the sensor data embedded in mobile devices self-adaptively, unobtrusively and efficiently through the evolutionary stable participation game mechanism (ESPGM) with a high scenario coverage rate; 2) minimize noise from collected data by analyzing three types of abnormalities; and 3) authenticate the ownership of mobile devices in real-time by adopting optimized LSTM model with an enhanced stochastic gradient descent (SGD) algorithm. The simulation experiment on 6000 users shows that the efficiency and coverage rates increase dramatically by deploying our ESPGM. Moreover, we conduct experiments on a large-scale real-world noisy dataset with 1513 users and two other small pure real-world datasets. The experimental results show the high accuracy and favorable robustness of EspialCog in the noisy environment.

Chao Shen,Yuanxun Li,Yufei Chen,Xiaohong Guan,Roy A. Maxion

DOI: https://doi.org/10.1109/tifs.2017.2737969

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The increasing use of smartphones as personal computing platforms to access personal information has stressed the demand for secure and usable authentication techniques, and for constantly protecting privacy. Smartphone sensors can measure users' unique behavioral characteristics when they interact with smartphones, based on different habits, gestures, and angle preferences of touch actions. This paper investigates the reliability and applicability of using motion-sensor behavior for active and continuous smartphone authentication across various operational scenarios, and presents a systematic evaluation of the distinctiveness and permanence properties of the behavior. For each sample of sensor behavior, kinematic information sequences are extracted and analyzed, which are characterized by statistic-, frequency-, and wavelet-domain features, to provide accurate and fine-grained characterization of users' touch actions. A Markov-based decision procedure, using one-class learning techniques, is developed and applied to the feature space for performing authentication. Analyses are conducted using the sensor data of 520 200 touch actions from 102 subjects across various operational scenarios. Extensive experiments show that motion-sensor behavior exhibits sufficient discriminability and stability for active and continuous authentication, and can achieve a false-rejection rate of 5.03% and a false-acceptance rate of 3.98%. Additional experiments on usability to operation length, sensitivity to application scenario, scalability to user size, contribution to different sensors, and response to behavior change are provided to further explore the effectiveness and applicability. We also implement an authentication system into the Android system that can react to the presence of the legitimate user.

tao feng,xi zhao,nicholas desalvo,zhimin gao,xi wang,weidong shi

DOI: https://doi.org/10.1109/THS.2015.7225268

2015-01-01

Abstract:Coinciding with the surge in popularity and adoption of mobile devices and the ever-expanding capabilities of these devices, the amount of sensitive information accessed and stored has increased exponentially. Inasmuch, these advancements have, and continue to demand great efforts from researchers and the industry alike in terms of improving security therein. Existing technologies either conduct user identity verification via a login stage or request authentication every time the user accesses a sensitive app. We propose, in this paper, an IdentityTracker. This framework is dedicated to tracking the user's identity, performing app-level access control management. Continuous and implicit tracking of the user's identity is accomplished through monitoring fingerprint authentication logs as well as detecting events when the phone has left the user's hand. This approach leverages multiple onboard sensors. We conducted two user-studies acquiring smartphone users' usage statistics to investigate security and usability needs of our solution. To monitor these subtle gestures in real-world uncontrolled environments, multi-session data collection has been conducted to iteratively improve system performance. The evaluation results have demonstrated the feasibility of IdentityTracker.

Chao Shen,Yufei Chen,Xiaohong Guan

DOI: https://doi.org/10.1016/j.ins.2017.11.058

IF: 8.1

2018-01-01

Information Sciences

Abstract:The pervasiveness of mobile devices not only facilitates people’s daily life with a wide variety of services, but also brings users risks of private information leakage (e.g., photos, contact lists, bank accounts), which emphasizes the demand for reliable, feasible and user-friendly authentication mechanisms on mobile devices. In this paper, we develop an authentication mechanism using motion sensors (accelerometer and gyroscope) embedded in smartphones. Our proposed mechanism performs authentication continuously and implicitly by monitoring the user daily activities. We extract time-, frequency- and wavelet-domain features from motion-sensor data, and conduct empirical feature analysis to investigate the optimal combination of features, to acquire a fine-grained characterization of users’ movement patterns. To make a systematic performance evaluation, we have established a dataset containing 27,681 samples, including five kinds of actions and five different smartphone placements. In the evaluation procedure, four kinds of contexts are considered (nothing-aware context, action-aware context, placement-aware context and full-information-aware context), and ten one-class detectors are implemented. The best accuracy (represented as EER) for the four conditions achieves 28.22%, 2.21%, 5.50% and 3.28%, respectively, indicating our proposed approach is feasible and applicable in some real scenarios. Moreover, the performance analyses for sensor combinations and feature combinations are also conducted.

Chao Shen,Yunpeng Li,Tianwen Yu,Sheng Yuan,Xiao Yi,Xiaohong Guan

DOI: https://doi.org/10.1109/wcica.2016.7578519

2016-01-01

Abstract:Existing smartphone authentication methods (e.g., PIN) typically provide one-time identity verification, but the verified user is still subject to session hijacking or masquerading attacks. This paper presents a framework and performance analysis of a sensor-based smartphone authentication system that continuously verifies the presence of a smartphone user. When a user touches the smartphone screen, motion-sensor data are extracted and analyzed to obtain descriptive features for accurately depicting users' touch habit and rhythm. Then a one-class learning algorithm is employed in the feature space to perform the continuous authentication task. Based on touch-tapping data collected from over 50 users, we conduct a series of experiments to validate the efficacy of our proposed approach. Our experimental results show that our verification system achieves a relatively high accuracy with an equal-error rate of 11.05%. Additional experiment on usability to the observation window size is provided to further examine the effectiveness. Our authentication system can be seamlessly integrated with extant smartphone authentication mechanisms, and is non-intrusive to users and does not need extra hardware.

Mohsen Ali Alawami,Tamer AbuHamed,Mohammed AbuHamed,Hyoungshick Kim

DOI: https://doi.org/10.1016/j.pmcj.2024.101922

IF: 3.848

2024-04-05

Pervasive and Mobile Computing

Abstract:Traditional one-time authentication mechanisms cannot authenticate smartphone users' identities throughout the session – the concept of using behavioral-based biometrics captured by the built-in motion sensors and touch data is a candidate to solve this issue. Many studies proposed solutions for behavioral-based continuous authentication; however, they are still far from practicality and generality for real-world usage. To date, no commercially deployed implicit user authentication scheme exists because most of those solutions were designed to improve detection accuracy without addressing real-world deployment requirements. To bridge this gap, we tackle the limitations of existing schemes and reach toward developing a more practical implicit authentication scheme, dubbed MotionID, based on a one-class detector using behavioral data from motion sensors when users touch their smartphones. Compared with previous studies, our work addresses the following challenges: 1 Global mobile average to dynamically adjust the sampling rate for sensors on any device and mitigate the impact of using sensors' fixed sampling rate; 2 Over-all-apps to authenticate a user across all the mobile applications, not only on-specific application; 3 Single-device-evaluation to measure the performance with multiple users' (i.e., genuine users and imposters) data collected from the same device; 4 Rapid authentication to quickly identify users' identities using a few samples collected within short durations of touching (1–5 s) the device; 5 Unconditional settings to collect sensor data from real-world smartphone usage rather than a laboratory study. To show the feasibility of MotionID for those challenges, we evaluated the performance of MotionID with ten users' motion sensor data on five different smartphones under various settings. Our results show the impracticality of using a fixed sampling rate across devices that most previous studies have adopted. MotionID is able to authenticate users with an F1-score up to 98.5% for some devices under practical requirements and an F1-score up to roughly 90% when considering the drift concept and rapid authentication settings. Finally, we investigate time efficiency, power consumption, and memory usage considerations to examine the practicality of MotionID.

computer science, information systems,telecommunications

Abdulaziz Alzubaidi,Jugal Kalita

DOI: https://doi.org/10.48550/arXiv.1911.04104

2019-11-11

Cryptography and Security

Abstract:Smartphones and tablets have become ubiquitous in our daily lives. Smartphones, in particular, have become more than personal assistants. These devices have provided new avenues for consumers to play, work, and socialize whenever and wherever they want. Smartphones are small in size, so they are easy to handle and to stow and carry in users' pockets or purses. However, mobile devices are also susceptible to various problems. One of the greatest concerns is the possibility of breach in security and privacy if the device is seized by an outside party. It is possible that threats can come from friends as well as strangers. Due to the size of smart devices, they can be easily lost and may expose details of users' private lives. In addition, this might enable pervasive observation or imitation of one's movements and activities, such as sending messages to contacts, accessing private communication, shopping with a credit card, and relaying information about where one has been. This paper highlights the potential risks that occur when smartphones are stolen or seized, discusses the concept of continuous authentication, and analyzes current approaches and mechanisms of behavioral biometrics with respect to methodology, associated datasets and evaluation approaches.

Tao Feng,Nicholas DeSalvo,Lei Xu,Xi Zhao,Xi Wang,Weidong Shi

DOI: https://doi.org/10.4108/icst.mobicase.2014.257767

2014-01-01

Abstract:With the rise of Internet connected mobile devices, applications have migrated from PCs to mobile computing platforms. An important aspect, payment processing, faces new security challenges from these developments. Inasmuch, these advancements demand efforts from researchers and industry to meet increasing security needs. Threats can ensue from data loss, theft from lost, stolen, or decommissioned devices, information-stealing malware, and password peeping. We propose a secure framework for sensitive session driven applications which combines biometric-based continuous and implicit tracking of user identities, and TrustZone. This framework is accomplished through monitoring fingerprint authentication logs as well as detecting events when the phone has left the user's hands, all while in TrustZone, a platform for secure computation and storage on mobile devices. This solution leverages multiple onboard sensors as well as the ARM architecture to accomplish these feats. We conducted two user-studies acquiring smartphone users' usage statistics to investigate security and usability needs of our identity-tracking solution. To monitor these subtle gestures in real-world uncontrolled environments, multi-session data collection has been conducted to iteratively improve system performance. The evaluation results have demonstrated the feasibility of this framework as a secure session-based payment system.

Chen Wang,Yan Wang,Yingying Chen,Hongbo Liu,Jian Liu

DOI: https://doi.org/10.1016/j.comnet.2020.107118

IF: 5.493

2020-04-01

Computer Networks

Abstract:<p>Mobile devices have brought a great convenience to us these years, which allow the users to enjoy the anytime and anywhere various applications such as the online shopping, Internet banking, navigation and mobile media. While the users enjoy the convenience and flexibility of the "Go Mobile" trend, their sensitive private information (e.g., name and credit card number) on the mobile devices could be disclosed. An adversary could access the sensitive private information stored on the mobile device by unlocking the mobile devices. Moreover, the user's mobile services and applications are all exposed to security threats. For example, the adversary could utilize the user's mobile device to conduct non-permitted actions (e.g., making online transactions and installing malwares). The authentication on mobile devices plays a significant role to protect the user's sensitive information on mobile devices and prevent any non-permitted access to the mobile devices. This paper surveys the existing authentication methods on mobile devices. In particular, based on the basic authentication metrics (i.e., knowledge, ownership and biometrics) used in existing mobile authentication methods, we categorize them into four categories, including the knowledge-based authentication (e.g., passwords and lock patterns), physiological biometric-based authentication (e.g., fingerprint and iris), behavioral biometrics-based authentication (e.g., gait and hand gesture), and two/multi-factor authentication. We compare the usability and security level of the existing authentication approaches among these categories. Moreover, we review the existing attacks to these authentication approaches to reveal their vulnerabilities. The paper points out that the trend of the authentication on mobile devices would be the multi-factor authentication, which determines the user's identity using the integration (not the simple combination) of more than one authentication metrics. For example, the user's behavior biometrics (e.g., keystroke dynamics) could be extracted simultaneously when he/she inputs the knowledge-based secrets (e.g., PIN), which can provide the enhanced authentication as well as sparing the user's trouble to conduct multiple inputs for different authentication metrics.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yetong Cao,Fan Li,Qian Zhang,Song Yang,Yu Wang

DOI: https://doi.org/10.1109/tmc.2021.3133275

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Mobile devices are promising to apply two-factor authentication to improve system security. Existing solutions have certain limits of requiring extra user effort, which might seriously affect user experience and delay authentication time. In this paper, we propose PPGPass, a novel mobile two-factor authentication system, which leverages Photoplethysmography (PPG) sensors available in most wrist-worn wearables. PPGPass simultaneously performs a password/pattern/signature authentication and a physiological-based authentication. To realize both nonintrusive and secure, we design a two-stage algorithm to separate clean heartbeat signals from PPG signals contaminated by motion artifacts so that users do not have to deliberately keep their bodies still. In addition, to deal with noncancelable issues when biometrics are compromised, we design a repeatable and non-invertible method to generate cancelable feature templates as alternative credentials. We leverage the great power of Random Forest and Support Vector Data Description to detect adversaries and verify a user&#x27;s identity. To the best of our knowledge, PPGPass is the first nonintrusive and secure mobile two-factor authentication based on PPG sensors. Extensive experiments demonstrate that PPGPass can achieve the false acceptance rate of 3.11% and the false recognition rate of 3.71%, which confirms its high effectiveness, security, and usability.

computer science, information systems,telecommunications

Zhenyang Guo,Jin Cao,Xiaomeng Bai,Ang Li,Ben Niu,Hui Li

DOI: https://doi.org/10.1109/jsen.2023.3315523

IF: 4.3

2023-01-01

IEEE Sensors Journal

Abstract:Information security and user comfort are the games that smartphone manufacturers have always had to face. The explicit authentication methods, including password, fingerprint recognition, and face recognition, have become the most popular ways to unlock smartphones. However, these methods also incur some troubles in users’ daily lives and even suffer from security problems like shoulder surfing attacks and password reuse attacks. Unlike the explicit authentication methods, the implicit authentication methods employ the user’s behavior, posture, etc., to confirm who the user is. The &quot;Smart Lock (SL),&quot; as a new implicit authentication introduced by the biggest smartphone system manufacturer, Google, has effectively increased user comfort while ensuring user information security. However, we found that the SL is not secure enough, where anyone wearing a smart device can be authenticated. In this paper, based on the &quot;Trusted Devices (DEVICE)&quot; approach in SL, we design a band with sensors commonly found on smart wearables and two authentication models to improve the security of SL scenarios. We use our designed band to collect data in order to evaluate our models. The experimental results show that our designed band is universal. Our authentication model for power-constrained devices such as wearables has 97.01% accuracy and a power overhead of 0.0195mAh per time. The designed authentication model for smartphones has an accuracy of 99.67% and power consumption of 0.83mAh per time. Therefore, our scheme can meet the implicit authentication for different security requirements in different scenarios.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Chao Shen,Tianwen Yu,Sheng Yuan,Yunpeng Li,Xiaohong Guan

DOI: https://doi.org/10.3390/s16030345

IF: 3.9

2016-01-01

Sensors

Abstract:The growing trend of using smartphones as personal computing platforms to access and store private information has stressed the demand for secure and usable authentication mechanisms. This paper investigates the feasibility and applicability of using motion-sensor behavior data for user authentication on smartphones. For each sample of the passcode, sensory data from motion sensors are analyzed to extract descriptive and intensive features for accurate and fine-grained characterization of users’ passcode-input actions. One-class learning methods are applied to the feature space for performing user authentication. Analyses are conducted using data from 48 participants with 129,621 passcode samples across various operational scenarios and different types of smartphones. Extensive experiments are included to examine the efficacy of the proposed approach, which achieves a false-rejection rate of 6.85% and a false-acceptance rate of 5.01%. Additional experiments on usability with respect to passcode length, sensitivity with respect to training sample size, scalability with respect to number of users, and flexibility with respect to screen size were provided to further explore the effectiveness and practicability. The results suggest that sensory data could provide useful authentication information, and this level of performance approaches sufficiency for two-factor authentication on smartphones. Our dataset is publicly available to facilitate future research.

Akriti Verma,Valeh Moghaddam,Adnan Anwar

DOI: https://doi.org/10.48550/arXiv.2110.03149

2021-10-07

Abstract:Recent studies have shown how motion-based biometrics can be used as a form of user authentication and identification without requiring any human cooperation. This category of behavioural biometrics deals with the features we learn in our life as a result of our interaction with the environment and nature. This modality is related to change in human behaviour over time. The developments in these methods aim to amplify continuous authentication such as biometrics to protect their privacy on user devices. Various Continuous Authentication (CA) systems have been proposed in the literature. They represent a new generation of security mechanisms that continuously monitor user behaviour and use this as the basis to re-authenticate them periodically throughout a login session. However, these methods usually constitute a single classification model which is used to identify or verify a user. This work proposes an algorithm to blend behavioural biometrics with multi-factor authentication (MFA) by introducing a two-step user verification algorithm that verifies the user's identity using motion-based biometrics and complements the multi-factor authentication, thus making it more secure and flexible. This two-step user verification algorithm is also immune to adversarial attacks, based on our experimental results which show how the rate of misclassification drops while using this model with adversarial data.

Machine Learning,Signal Processing

Xi Zhao,Tao Feng,Lei Xu,Weidong Shi

DOI: https://doi.org/10.1117/12.2053162

2014-01-01

Abstract:Employing mobile sensor data to recognize user behavioral activities has been well studied in recent years. However, to adopt the data as a biometric modality has rarely been explored. Existing methods either used the data to recognize gait, which is considered as a distinguished identity feature; or segmented a specific kind of motion for user recognition, such as phone picking-up motion. Since the identity and the motion gesture jointly affect motion data, to fix the gesture (walking or phone picking-up) definitively simplifies the identity sensing problem. However, it meanwhile introduces the complexity from gesture detection or requirement on a higher sample rate from motion sensor readings, which may draw the battery fast and affect the usability of the phone. In general, it is still under investigation that motion based user authentication in a large scale satisfies the accuracy requirement as a stand-alone biometrics modality. In this paper, we propose a novel approach to use the motion sensor readings for user identity sensing. Instead of decoupling the user identity from a gesture, we reasonably assume users have their own distinguishing phone usage habits and extract the identity from fuzzy activity patterns, represented by a combination of body movements whose signals in chains span in relative low frequency spectrum and hand movements whose signals span in relative high frequency spectrum. Then Bayesian Rules are applied to analyze the dependency of different frequency components in the signals. During testing, a posterior probability of user identity given the observed chains can be computed for authentication. Tested on an accelerometer dataset with 347 users, our approach has demonstrated the promising results.

Zhuo Chang,Yan Meng,Wenyuan Liu,Haojin Zhu,Lin Wang

DOI: https://doi.org/10.1016/j.jisa.2022.103130

IF: 4.96

2022-05-01

Journal of Information Security and Applications

Abstract:The prosperity of mobile sensing technology makes smartphone-based authentication more prevalent in mobile environment. The present single-modality security authentication based on human biometrics is vulnerable to counterfeit, and the procedure of basic two-factor authentication (2FA) is cumbersome. In this work, we propose a 2FA method without additional devices and procedures, namely WiCapose. The essential technique is to use the unique correlation of the two side-channel to complete multi-modal feature extraction and fusion authentication. WiCapose can simultaneously extract the radio frequency (RF) gain feature that directly characterizes the finger movement and the inter-frame spatio-temporal difference from the rear camera that indirectly portrays the tapping behaviors, to blend the micro-scale behavior pattern feature of the user's finger and implicit biological features. Then we design and train a deep neural network to fuse both factors for mitigating the limitation of the RF factor in environmental generalization and the uniqueness of the image factor on authentication performance. Experiments involving ten participants demonstrate that our method can achieve a 98% average accuracy on authentication and effectively resist shoulder-surfing attacks and mimic attacks.

computer science, information systems