Xinyan Zhou,Xiaoyu Ji,Chen Yan,Jiangyi Deng,Wenyuan Xu

DOI: https://doi.org/10.1109/infocom.2019.8737572

2019-01-01

Abstract:With the increasing prevalence of mobile devices, face-to-face device-to-device (D2D) communication has been applied to a variety of daily scenarios such as mobile payment and short distance file transfer. In D2D communications, a critical security problem is verifying the legitimacy of devices when they share no secrets in advance. Previous research addressed the problem with device authentication and pairing schemes based on user intervention or exploiting physical properties of the radio or acoustic channels. However, a remaining challenge is to secure face-to-face D2D communication even in the middle of a crowd, within which an attacker may hide. In this paper, we present Nhuth, a nonlinearity-enhanced, location-sensitive authentication mechanism for such communication. Especially, we target at the secure authentication within a limited range such as 20 cm, which is the common case for face-to-face scenarios. Nhuth contains averification scheme based on the nonlinear distortion of speaker-microphone systems and a location-based-validation model. The verification scheme guarantees device authentication consistency by extracting acoustic nonlinearity patterns (ANP) while the validation model ensures device legitimacy by measuring the time difference of arrival (TDOA) at two microphones. We analyze the security of Nhuth theoretically and evaluate its performance experimentally. Results show that Nhuth can verify the device legitimacy in the presence of nearby attackers.

Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Yanjiao Chen,Meng Xue,Jian Zhang,Qianyun Guan,Zhiyuan Wang,Qian Zhang,Wei Wang

DOI: https://doi.org/10.1145/3494962

2021-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Voice-based authentication is prevalent on smart devices to verify the legitimacy of users, but is vulnerable to replay attacks. In this paper, we propose to leverage the distinctive chest motions during speaking to establish a secure multi-factor authentication system, named ChestLive. Compared with other biometric-based authentication systems, ChestLive does not require users to remember any complicated information (e.g., hand gestures, doodles) and the working distance is much longer (30cm). We use acoustic sensing to monitor chest motions with a built-in speaker and microphone on smartphones. To obtain fine-grained chest motion signals during speaking for reliable user authentication, we derive Channel Energy (CE) of acoustic signals to capture the chest movement, and then remove the static and non-static interference from the aggregated CE signals. Representative features are extracted from the correlation between voice signal and corresponding chest motion signal. Unlike learning-based image or speech recognition models with millions of available training samples, our system needs to deal with a limited number of samples from legitimate users during enrollment. To address this problem, we resort to meta-learning, which initializes a general model with good generalization property that can be quickly fine-tuned to identify a new user. We implement ChestLive as an application and evaluate its performance in the wild with 61 volunteers using their smartphones. Experiment results show that ChestLive achieves an authentication accuracy of 98.31% and less than 2% of false accept rate against replay attacks and impersonation attacks. We also validate that ChestLive is robust to various factors, including training set size, distance, angle, posture, phone models, and environment noises.

Libing Wu,Jingxiao Yang,Man Zhou,Yanjiao Chen,Qian Wang

DOI: https://doi.org/10.1109/tifs.2019.2944058

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Voice authentication is becoming increasingly popular, which offers potential benefits over knowledge and possession based authentication methods. Meanwhile, the unique features of lip movements during speaking have been proved to be useful for authentication. However, the unimodal biometric authentication systems based on either voice or lip movements have certain limitations. Voice authentication systems are prone to spoofing attacks and suffer from serious performance degradation in noisy environments. Lip movements authentication systems are unstable and are sensitive to the user's physical and psychological conditions. In this paper, we propose and implement LVID, a multimodal biometrics authentication system on smartphones, which resolves the defects of the original systems by combining the advantages of lip movements and voice. LVID simultaneously captures these two biometrics with the built-in audio devices on smartphones and fuses them at the data level. The reliable and effective features are then extracted from the fused data for authentication. LVID is practical as it requires neither cumbersome operations nor additional hardwares but only a speaker and a microphone that are commonly available on smartphones. Our experimental results with 104 participants show that LVID can achieve 95 accuracy for user authentication, and 93.47 of the attacks can be detected. It is also verified that LVID works well with different smartphones and is robust to different smartphone positions.

Ping Dong,Namin Hou,Yuting Tang,Yushi Cheng,Xiaoyu Ji

DOI: https://doi.org/10.1016/j.hcc.2024.100222

2024-01-01

High-Confidence Computing

Abstract:The development of wireless communication network technology has provided people with diversified and convenient services. However, with the expansion of network scale and the increase in the number of devices, malicious attacks on wireless communication are becoming increasingly prevalent, causing significant losses. Currently, wireless communication systems authenticate identities through certain data identifiers. However, this software-based data information can be forged or replicated. This article proposes the authentication of device identity using the hardware fingerprint of the terminal’s Radio Frequency (RF) components, which possesses properties of being genuine, unique, and stable, holding significant implications for wireless communication security. Through the collection and processing of raw data, extraction of various features including time-domain and frequency-domain features, and utilizing machine learning algorithms for training and constructing a legal fingerprint database, it is possible to achieve close to a 97% recognition accuracy for Fifth Generation (5G) terminals of the same model. This provides an additional and robust hardware-based security layer for 5G communication security, enhancing monitoring capability and reliability.

Li Lü,Jiadi Yu,Yingying Chen,Yan Wang

DOI: https://doi.org/10.1145/3397320

2020-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Yunfei Liu,Minglu Li

DOI: https://doi.org/10.1109/infocom.2018.8486283

2018-01-01

Abstract:To prevent users' privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, etc., to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Towards this end, we explore liveness verification of user authentication leveraging users' lip movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users' speaking lips leveraging build-in audio devices on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users' speaking lips, and find that there are unique lip movement patterns for different individuals. To characterize the lip movements, we propose a deep learning-based method to extract efficient features from Doppler profiles, and employ Support Vector Machine and Support Vector Domain Description to construct binary classifiers and spoofer detectors for user identification and spoofer detection, respectively. Afterwards, we develop a binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.21% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Linghe Kong,Minglu Li

DOI: https://doi.org/10.1109/tnet.2019.2891733

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:To prevent users’ privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, and so on, to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although the state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Toward this end, we explore liveness verification of user authentication leveraging users’ mouth movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users’ speaking mouths through acoustic sensing on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users’ speaking mouths and find that there are unique mouth movement patterns for different individuals. To characterize the mouth movements, we propose a deep learning-based method to extract efficient features from Doppler profiles and employ softmax function, support vector machine, and support vector domain description to construct multi-class identifier, binary classifiers, and spoofer detectors for mouth state identification, user identification, and spoofer detection, respectively. Afterward, we develop a balanced binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.2% accuracy in user identification and 93.1% accuracy in spoofer detection.

Namin Hou,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICCCS61882.2024.10603286

2024-01-01

Abstract:The advancement of Fifth-Generation (5G) technology has greatly enriched individuals' access to a broad array of convenient services, offering significant benefits in mobile communications, autonomous driving, smart homes, and the Internet of Things. However, with the increase in the number of network access devices, large and frequent data interactions have brought potential security risks to wireless networks, which are related to user privacy security, traffic safety, and even social security. Malicious intrusions targeting wireless communications have resulted in significant disruptions and incurred substantial losses. Presently, user identities in wireless communications rely on software-based data identifiers, which can be forged easily. This paper proposes a hardware-level device authentication mechanism that uses the intrinsic hardware characteristics of the transmitter (shown as impairments in the radio signal of the transmission link) for identity authentication. The resulting fingerprint is naturally distinctive and highly resistant to counterfeiting attempts. We use 5 devices across different models and 10 devices of the same model for experimental evaluation. Then we apply machine learning algorithms to construct a fingerprint database and device authentication, achieving an average of 82.4% precision, 89.9% recall, and 85.9% F1-score, which can help to safeguard the security of 5G communication.

Zhihao Wu,Yushi Cheng,Jiahui Yang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/SP46215.2023.10179429

2023-01-01

Abstract:Face authentication has been widely used in access control, and the latest 3D face authentication systems employ 3D liveness detection techniques to cope with the photo replay attacks, whereby an attacker uses a 2D photo to bypass the authentication. In this paper, we analyze the security of 3D liveness detection systems that utilize structured light depth cameras and discover a new attack surface against 3D face authentication systems. We propose DepthFake attacks that can spoof a 3D face authentication using only one single 2D photo. To achieve this goal, DepthFake first estimates the 3D depth information of a target victim's face from his 2D photo. Then, DepthFake projects the carefully-crafted scatter patterns embedded with the face depth information, in order to empower the 2D photo with 3D authentication properties. We overcome a collection of practical challenges, e.g., depth estimation errors from 2D photos, depth images forgery based on structured light, the alignment of the RGB image and depth images for a face, and implemented DepthFake in laboratory setups. We validated DepthFake on 3 commercial face authentication systems (i.e., Tencent Cloud, Baidu Cloud, and 3DiVi) and one commercial access control device. The results over 50 users demonstrate that DepthFake achieves an overall Depth attack success rate of 79:4% and RGB-D attack success rate of 59:4% in the real world.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feilong Tang,Yi-Chao Chen

DOI: https://doi.org/10.1145/3466772.3467032

2021-01-01

Abstract:ABSTRACTWith the increasing integration of humans and the cyber world, user authentication becomes critical to support various emerging application scenarios requiring security guarantees. Existing works utilize Channel State Information (CSI) of WiFi signals to capture single human activities for non-intrusive and device-free user authentication, but multi-user authentication remains a challenging task. In this paper, we present a multi-user authentication system, MultiAuth, which can authenticate multiple users with a single commodity WiFi device. The key idea is to profile multipath components of WiFi signals induced by multiple users, and construct individual CSI from the multipath components to solely characterize each user for user authentication. Specifically, we propose a MUltipath Time-of-Arrival measurement algorithm (MUTA) to profile multipath components of WiFi signals in high resolution. Then, after aggregating and separating the multipath components related to users, MultiAuth constructs individual CSI based on the multipath components to solely characterize each user. To identify users, MultiAuth further extracts user behavior profiles based on the individual CSI of each user through time-frequency analysis, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is accurate and reliable for multi-user authentication with 87.6% average accuracy and 8.8% average false accept rate.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Weiye Xu,Jianwei Liu,Shimin Zhang,Yuanqing Zheng,Feng Lin,Fu Xiao,Jinsong Han

DOI: https://doi.org/10.1109/infocom42981.2021.9488737

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Current facial authentication (FA) systems are mostly based on the images of human faces, thus suffering from privacy leakage and spoofing attacks. Mainstream systems utilize facial geometry features for spoofing mitigation. which are still easy to deceive with the feature manipulation, e.g., 3D-printed human faces. In this paper, we propose a novel privacy-preserving anti-spoofing FA system, named RFace, which extracts both the 3D geometry and inner biomaterial features of faces using a COTS RFID tag array. These features are difficult to obtain and forge, hence are resistant to spoofing attacks. RFace only requires users to pose their faces in front of a tag array for a few seconds, without leaking their visual facial information. We build a theoretical model to rigorously prove the feasibility of feature acquisition and the correlation between the facial features and RF signals. For practicality, we design an effective algorithm to mitigate the impact of unstable distance and angle deflection from the face to the array. Extensive experiments with 30 participants and three types of spoofing attacks show that RFace achieves an average authentication success rate of over 95.7% and an EER of 4.4%. More importantly, no spoofing attack succeeds in deceiving RFace in the experiments.

Yanzhi Ren,Chen Chen,Hongbo Liu,Jiadi Yu,Zhourong Zheng,Yingying Chen,Pengcheng Huang,Hongwei Li

DOI: https://doi.org/10.1109/tmc.2022.3232172

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:The two-factor authentication ($2$FA) has drawn increasingly attention as the mobile devices become more prevalent. For example, the user's possession of the enrolled phone could be used by the $2$FA system as the second proof to protect his/her online accounts. Existing $2$FA solutions mainly require some form of user-device interaction, which may severely affect user experience and creates extra burdens to users. In this work, we propose a secure $2$FA system utilizing the proximity of a user's enrolled phone and the login device as the second proof without requiring the user's interactions. The basic idea of our $2$FA system is to derive location signatures based on acoustic beep signals emitted alternately by both devices and sensing the echoes with microphones, and compare the extracted signatures for proximity detection. Moreover, to further enhance the security of our system, we also design a device authentication scheme which derives the acoustic fingerprint between the login device and enrolled phone to verify the identity of two devices. Given the received beep signal, our system designs a period selection scheme to identify two sound segments accurately: the chirp period is the sound segment propagating directly from the speaker to the microphone whereas the echo period is the sound segment reflected back by surrounding objects. To achieve an accurate proximity detection, we develop a new energy loss compensation extraction scheme by utilizing the extracted chirp periods to estimate the intrinsic differences of energy loss between microphones of the enrolled phone and the login device. Our proximity detection component then conducts the similarity comparison between the identified two echo periods after the energy loss compensation to effectively determine whether the enrolled phone and the login device are in proximity for $2$FA. Moreover, to provide higher security, our device fingerprint-assisted proximity detection further utilizes the overall energy loss between the login device and enrolled phone as their hardware fingerprint to authenticate the identity of two devices. Our experimental results show that our system is accurate in providing $2$FA and robust to both man-in-the-middle (MiM) and co-located attacks across different scenarios and device models.

computer science, information systems,telecommunications

Yongchao Dang,Yin Chen,Huihui Wu,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/nana.2017.38

2017-01-01

Abstract:Physical layer security is expected to address the security issue in wireless networks by taking advantage of the unique attributes of fading channels. In this paper, we propose a novel physical layer authentication scheme by measuring the locations of surrounding noise sources between communication participants. Typically, the transmitting power of surrounding noise is unknown, so a maximum likelihood (ML) method is adopted to estimate the locations of noise sources, based on the received signal strength (RSS) and angle of arrival (AoA). We analyze the security of the proposed scheme under both passive and active attacks, and show that the proposed scheme can work under highly dynamical scenarios.

Man Zhou,Qian Wang,Qi Li,Wenyu Zhou,Jingxiao Yang,Chao Shen

DOI: https://doi.org/10.1109/tmc.2024.3367781

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Face authentication usually utilizes deep learning models to verify users with high recognition accuracy. However, face authentication systems are vulnerable to various attacks that cheat the models by manipulating the digital counterparts of human faces. So far, lots of liveness detection schemes have been developed to prevent such attacks. Unfortunately, the attacker can still bypass these schemes by constructing wide-ranging sophisticated attacks. We study the security of existing face authentication services (e.g., Microsoft, Amazon, and Face++) and typical liveness detection approaches. Particularly, we develop a new type of attack, i.e., the low-cost 3D projection attack that projects manipulated face videos on a 3D face model, which can easily evade these face authentication services and liveness detection approaches. To this end, we propose FaceLip, a novel liveness detection scheme for face authentication, which utilizes unforgeable lip motion patterns built upon well-designed acoustic signals to enable a strong security guarantee. The unique lip motion patterns for each user are unforgeable because FaceLip verifies the patterns by capturing and analyzing the acoustic signals that are dynamically generated according to random challenges, which ensures that our signals for liveness detection cannot be manipulated. Specially, we develop robust algorithms for FaceLip to eliminate the impact of noisy signals in the environment and thus can accurately infer the lip motions at larger distances. We prototype FaceLip on off-the-shelf smartphones and conduct extensive experiments under different settings. Our evaluation with 44 participants validates the effectiveness and robustness of FaceLip.

Zhihao Wu,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2024.3445570

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Face authentication technology has been widely used in physical access control to critical infrastructures. The security of a face authentication system has been threatened by photo replay attacks and thus the 3D liveness detection techniques have been deployed to safeguard such systems. In this paper, we conduct a comprehensive analysis of the security aspects pertaining to 3D liveness detection systems that employ structured light depth camera, and propose a novel attack surface targeting 3D face authentication systems involving multiple modalities such as Depth, RGB and IR. We propose the DepthFake attack, a multi-modal spoofing attack against real-world 3D face authentication using only a single 2D photo. To achieve it, DepthFake first reconstruct the depth information of the victim's face from his 2D photo. Then, DepthFake actively projects a carefully-crafted scatter patterns embedded with the face depth information, in order to empower the 2D photo with 3D authentication properties. We address a range of practical challenges, including mitigating depth estimation errors, achieving depth images forgery techniques based on structured light, ensuring accurate alignment between various modalities of face images, and effectively implementing DepthFake in real world. We validated DepthFake on 5 commercial face authentication systems (i.e., Tencent Cloud, Baidu Cloud, 3DiVi, Ali Cloud and ArcSoft) and two commercial access control devices. The results over 50 users demonstrate that DepthFake achieves an overall Depth attack success rate of $79.4\%$ , RGB-D attack success rate of $59.4\%$ , IR-D attack success rate of $79.4\%$ , and RGB-IR attack success rate of $83.8\%$ in the real world.

Weiye Xu,Wenfan Song,Jianwei Liu,Yajie Liu,Xin Cui,Yuanqing Zheng,Jinsong Han,Xinhuai Wang,Kui Ren

DOI: https://doi.org/10.1145/3495243.3560515

2022-01-01

Abstract:Face authentication (FA) schemes are universally adopted. However, current FA systems are mainly camera-based and hence susceptible to face occlusion (e.g., facial masks) and vulnerable to spoofing attacks (e.g., 3D-printed masks). This paper exploits the penetrability, material sensitivity, and fine-grained sensing capability of millimeter wave (mmWave) to build an anti-spoofing FA system, named mmFace . It scans the human face by moving a commodity off-the-shelf (COTS) mmWave radar along a specific trajectory. The mmWave signals bounced off the human face carry the facial biometric features and structure features, which allows mmFace to achieve reliable liveness detection and FA. Due to the penetrability of mmWave, mmFace can still work well even if users wear masks. We explore a distance-resistant facial structure feature to suppress the impact of unstable face-to-device distance. To avoid inconvenient on-site registration, we also propose a novel virtual registration approach based on the core idea of cross-modal transformation from photos to mmWave signals. We implement mmFace with various antenna configurations and prototype two typical modes of mmFace. Extensive experiments show that mmFace can realize accurate FA as well as reliable liveness detection.

Si Chen,Muyuan Li,Zhan Qin,Bingsheng Zhang,Kui Ren

DOI: https://doi.org/10.1109/INFCOMW.2014.6849232

2014-01-01

Abstract:Short-range wireless communication technologies have been used in many security-sensitive smartphone applications and services such as contactless micro payment and device pairing. Typically, the data confidentiality of existing short-range communication systems relies on key-exchange then encryption mechanism, which is inefficient, especially for short communication sessions. In this work, we present AcousAuth, a smartphone empowered system designed for personal authentication. AcousAuth adopts the emerging friendly jamming technique from radio communication for data confidentiality and it features a seamless, faster, easier and safer user authentication process without the need for special infrastructure. Our system is intended to provide security assurances comparable to or greater than that of conventional authentication systems while offering the same user experience as inputing a password alone. AcousAuth provides a purely software-based solution to secure smartphone short-range communication without key agreement phase and it is potentially well suited for legacy mobile devices. Despite the computational restrictions and bandwidth of mobile device, our mobile application is able to maintain real-time performance.

Dan Liu,Qian Wang,Man Zhou,Peipei Jiang,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/tdsc.2022.3162718

2023-01-01

Abstract:Mobile two-factor authentication (TFA), which uses mobile devices as a second security layer of protection to online accounts, has been widely applied with the proliferation of mobile phones. Currently, many studies propose to use acoustic fingerprints as the second factor. However, these solutions ignore the variations of the extracted static acoustic fingerprints incurred by the acoustic propagation process, which we show can be leveraged to develop an enhanced man-in-the-middle (MITM) attack to compromise the security strength of these systems, while hiding the traces of the attacking devices. To address this newly-uncovered vulnerability, we propose SoundID, a secure and novel authentication system that introduces a dual challenge-response design through the acoustic signals of the enrolled phone and the login device. Specifically, the enrolled phone first evaluates its proximity to the login device by the similarity of their audio recordings, and then the login authentication server compares the calculated dynamic acoustic fingerprint with the one received from the enrolled phone. To the best of our knowledge, SoundID is the first scheme that extracts dynamic acoustic fingerprints and can effectively defend against the enhanced MITM attack. SoundID combines the benefits of unpredictable influencing factors of acoustic propagation processes and the stable frequency response of the acoustic hardware, whose high complexity prevents attackers from predicting or impersonating them. We build a prototype of SoundID with off-the-shelf smartphones to validate its robustness and effectiveness. Our results show that SoundID is user-friendly and achieves over 96.62% accuracy with an equal error rate around 4.27%.