Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1145/3372224.3418165

2020-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications, due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, QR codes have been reported suffering attacks for being sniffed just before the QR code is scanned, which lead to financial loss. In this study, we propose ScreenID, for enhancing the QR code security by identifying its authenticity, which embeds a QR code with information of unique screen fingerprint - PWM frequency. PWM frequencies are adjusted to different values by screen manufacturers, therefore can successfully differentiate screens. To improve the estimation accuracy of PWM frequency, ScreenID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that ScreenID can differentiate screens of different models, types and manufacturers and thus improve the security of QR codes.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1109/infocom42981.2021.9488859

2021-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, attacks against QR codes have been reported that attackers can capture a QR code of the victim and replay it to achieve a fraudulent transaction or intercept private information, just before the original QR code is scanned. In this study, we enhance the security of a QR code by identifying its authenticity. We propose SCREENID, which embeds a QR code with information of the screen which displays it, thereby the QR code can reveal whether it is reproduced by an adversary or not. In SCREENID, PWM frequency of screens is exploited as the unique screen fingerprint. To improve the estimation accuracy of PWM frequency, SCREENID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that SCREENID can differentiate screens of different models, types, and manufacturers, thus improve the security of QR codes.

Libing Wu,Jingxiao Yang,Man Zhou,Yanjiao Chen,Qian Wang

DOI: https://doi.org/10.1109/tifs.2019.2944058

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Voice authentication is becoming increasingly popular, which offers potential benefits over knowledge and possession based authentication methods. Meanwhile, the unique features of lip movements during speaking have been proved to be useful for authentication. However, the unimodal biometric authentication systems based on either voice or lip movements have certain limitations. Voice authentication systems are prone to spoofing attacks and suffer from serious performance degradation in noisy environments. Lip movements authentication systems are unstable and are sensitive to the user's physical and psychological conditions. In this paper, we propose and implement LVID, a multimodal biometrics authentication system on smartphones, which resolves the defects of the original systems by combining the advantages of lip movements and voice. LVID simultaneously captures these two biometrics with the built-in audio devices on smartphones and fuses them at the data level. The reliable and effective features are then extracted from the fused data for authentication. LVID is practical as it requires neither cumbersome operations nor additional hardwares but only a speaker and a microphone that are commonly available on smartphones. Our experimental results with 104 participants show that LVID can achieve 95 accuracy for user authentication, and 93.47 of the attacks can be detected. It is also verified that LVID works well with different smartphones and is robust to different smartphone positions.

Li Lü,Jiadi Yu,Yingying Chen,Yan Wang

DOI: https://doi.org/10.1145/3397320

2020-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.

Xiaoyu Ji,Xinyan Zhou,Chen Yan,Jiangyi Deng,Wenyuan Xu

DOI: https://doi.org/10.1109/tmc.2020.3025023

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:With the proliferation of mobile devices, face-to-face device-to-device (D2D) communication has been applied to a variety of daily scenarios such as mobile payment and short distance file transfer. In D2D communications, a critical security problem is to verify the device legitimacy when they share no secrets in advance. Previous research proposed device authentication schemes based on pre-built database or exploiting physical properties. However, a remaining challenge is to secure face-to-face D2D communication even in the middle of a crowd, within which an attacker may hide. In this paper, we present NAuth, a nonlinearity-enhanced, location-sensitive authentication mechanism. Especially, we target at the secure authentication within a limited range such as 20 cm, which is typical for face-to-face scenarios. NAuth designs a verification scheme based on the nonlinear distortion of speaker-microphone systems and a location-based validation model. The verification scheme guarantees device authentication consistency by extracting acoustic nonlinearity patterns (ANP) while the validation model ensures device legitimacy by measuring the time difference of arrival (TDOA) at two microphones. We analyze the feasibility and security of NAuth theoretically and evaluate its performance experimentally. Results demonstrate that NAuth can verify the device legitimacy in the presence of nearby attackers.

Xinyan Zhou,Xiaoyu Ji,Chen Yan,Jiangyi Deng,Wenyuan Xu

DOI: https://doi.org/10.1109/infocom.2019.8737572

2019-01-01

Abstract:With the increasing prevalence of mobile devices, face-to-face device-to-device (D2D) communication has been applied to a variety of daily scenarios such as mobile payment and short distance file transfer. In D2D communications, a critical security problem is verifying the legitimacy of devices when they share no secrets in advance. Previous research addressed the problem with device authentication and pairing schemes based on user intervention or exploiting physical properties of the radio or acoustic channels. However, a remaining challenge is to secure face-to-face D2D communication even in the middle of a crowd, within which an attacker may hide. In this paper, we present Nhuth, a nonlinearity-enhanced, location-sensitive authentication mechanism for such communication. Especially, we target at the secure authentication within a limited range such as 20 cm, which is the common case for face-to-face scenarios. Nhuth contains averification scheme based on the nonlinear distortion of speaker-microphone systems and a location-based-validation model. The verification scheme guarantees device authentication consistency by extracting acoustic nonlinearity patterns (ANP) while the validation model ensures device legitimacy by measuring the time difference of arrival (TDOA) at two microphones. We analyze the security of Nhuth theoretically and evaluate its performance experimentally. Results show that Nhuth can verify the device legitimacy in the presence of nearby attackers.

Mengjun Xie,Yanyan Li,Kenji Yoshigoe,Remzi Seker,Jiang Bian

DOI: https://doi.org/10.1109/hase.2015.41

2015-01-01

Abstract:Frequent outbreak of password database leaks and server breaches in recent years manifests the aggravated security problems of web authentication using only password. Two-factor authentication, despite being more secure and strongly promoted, has not been widely applied to web authentication. Leveraging the unprecedented popularity of both personal mobile devices (e.g., Smartphones) and barcode scans through camera, we explore a new horizon in the design space of two-factor authentication. In this paper, we present CamAuth, a web authentication scheme that exploits pervasive mobile devices and digital cameras to counter various password attacks including man-in-the-middle and phishing attacks. In CamAuth, a mobile device is used as the second authentication factor to vouch for the identity of a use who is performing a web login from a PC. The device communicates directly with the PC through the secure visible light communication channels, which incurs no cellular cost and is immune to radio frequency attacks. CamAuth employs public-key cryptography to ensure the security of authentication process. We implemented a prototype system of CamAuth that consists of an Android application, a Chrome browser extension, and a Java-based web server. Our evaluation results indicate that CamAuth is a viable scheme for enhancing the security of web authentication.

Hongbo Jiang,Panyi Ji,Taiyuan Zhang,Hangcheng Cao,Daibo Liu

DOI: https://doi.org/10.1109/tmc.2024.3368331

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Keyless entry systems (KES) have become popular due to their high user-friendliness, while fingerprint and digital password authentication are two of the most widely used unlocking ways. However, current KES are vulnerable to security threats, such as fingerprint films that deceive fingerprint sensors and stolen passcodes. To address these issues, this paper presents ${\sf Fingerbeat}$, a two-factor authentication system to defend the security risks of the current widely deployed KES devices. ${\sf Fingerbeat}$ combines original credentials, such as fingerprints and passcodes, with unique and persistent finger-induced vibrations to create a two-factor secure authentication model, while ensuring user-friendliness. ${\sf Fingerbeat}$ leverages the fact that each person's finger structure is distinct and can be represented in distinct vibration patterns. During authentication, FIV is triggered and embodied in the mechanical vibration of the force-bearing body (i.e., KES panel), which can be captured by a low-cost accelerometer. We develop a proof-of-concept prototype of ${\sf Fingerbeat}$, extracting FIV features from mixed vibration recordings and eliminating the impacts of variable behaviors and external disturbance. Finally, we conduct extensive experiments to demonstrate its security and effectiveness.

computer science, information systems,telecommunications

Qinggang Yue,Zhen Ling,Xinwen Fu,Benyuan Liu,Kui Ren,Wei Zhao

DOI: https://doi.org/10.1145/2660267.2660288

2014-01-01

Abstract:In this paper, we introduce a novel computer vision based attack that automatically discloses inputs on a touch-enabled device while the attacker cannot see any text or popup in a video of the victim tapping on the touch screen. We carefully analyze the shadow formation around the fingertip, apply the optical flow, deformable part-based model (DPM), k-means clustering and other computer vision techniques to automatically locate the touched points. Planar homography is then applied to map the estimated touched points to a reference image of software keyboard keys. Recognition of passwords is extremely challenging given that no language model can be applied to correct estimated touched keys. Our threat model is that a webcam, smartphone or Google Glass is used for stealthy attack in scenarios such as conferences and similar gathering places. We address both cases of tapping with one finger and tapping with multiple fingers and two hands. Extensive experiments were performed to demonstrate the impact of this attack. The per-character (or per-digit) success rate is over 97% while the success rate of recognizing 4-character passcodes is more than 90%. Our work is the first to automatically and blindly recognize random passwords (or passcodes) typed on the touch screen of mobile devices with a very high success rate.

Man Zhou,Qian Wang,Xiu Lin,Yi Zhao,Peipei Jiang,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/tdsc.2022.3151889

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:PIN authentication is widely used on mobile devices due to its usability and simplicity. However, it is known to be susceptible to shoulder surfing attacks, where an adversary spies the user’s PIN by direct human observation or camera-based recording. This paper proposes PressPIN, a novel enhanced PIN authenticator on mobile devices by sensing pressures from the user’s finger. Since pressure-sensitive touch screens are unavailable on most phones, we leverage the structure-borne propagation of sounds to estimate the pressure on the screen. When the user inputs the PINs, the pressure is extracted from each number to form the $n$ -bit pressure code, where $n$ corresponds to the length of the PIN sequence. The pressure code is difficult to be inferred by snooping or videotaping, and increases the entropy of passwords. In this way, PressPIN provides a low-cost, user-friendly, and more secure solution resistant to shoulder surfing attacks. Our extensive experiments with 30 participants and three types of smartphones demonstrate that PressPIN can authenticate legitimate users with high accuracy (e.g., as high as 96.7% within two trials), and is robust to various types of attacks (e.g., only 2.5% attack success rate even when the adversary can observe the legitimate user’s PIN sequence and finger pressing clearly). Additionally, PressPIN requires no additional hardware (e.g., the pressure sensor) and can be readily integrated into existing authentication systems of mobile devices.

Xin Yang,Song Yang,Jian Liu,Chen Wang,Yingying Chen,Nitesh Saxena

DOI: https://doi.org/10.1109/tmc.2021.3057083

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:This work enables mobile user authentication via finger inputs on ubiquitous surfaces leveraging low-cost physical vibration. The system we proposed extends finger-input authentication beyond touch screens to any solid surface for IoT devices (e.g., smart access systems and IoT appliances). Unlike passcode or biometrics-based solutions, it integrates passcode, behavioral and physiological characteristics, and surface dependency together to provide a low-cost, tangible and enhanced security solution. The proposed system builds upon a touch sensing technique with vibration signals that can operate on surfaces constructed from a broad range of materials. New algorithms are developed to discriminate fine-grained finger inputs and supports three independent passcode secrets including PIN number, lock pattern, and simple gestures by extracting unique features in the frequency domain to capture both behavioral and physiological characteristics including contacting area, touching force, and etc. The system is implemented using a single pair of low-cost portable vibration motor and receiver that can be easily attached to any surface (e.g., a door panel, a stovetop or an appliance). Extensive experiments demonstrate that our system can authenticate users with high accuracy (e.g., more than 97 percent within two trials), low false positive rate (e.g., less 2 percent) and is robust to various types of attacks.

computer science, information systems,telecommunications

Jianfeng Lu,Zaorang Yang,Lina Li,Wenqiang Yuan,Li Li,Chin-Chen Chang

DOI: https://doi.org/10.1155/2017/4356038

2017-01-01

Mobile Information Systems

Abstract:QR code (quick response code) is used due to its beneficial properties, especially in the mobile payment field. However, there exists an inevitable risk in the transaction process. It is not easily perceived that the attacker tampers with or replaces the QR code that contains merchant’s beneficiary account. Thus, it is of great urgency to conduct authentication of QR code. In this study, we propose a novel mechanism based on visual cryptography scheme (VCS) and aesthetic QR code, which contains three primary schemes for different concealment levels. The main steps of these schemes are as follows. Firstly, one original QR code is split into two shadows using VC multiple rules; secondly, the two shadows are embedded into the same background image, respectively, and the embedded results are fused with the same carrier QR code, respectively, using XOR mechanism of RS and QR code error correction mechanism. Finally, the two aesthetic QR codes can be stacked precisely and the original QR code is restored according to the defined VCS. Experiments corresponding to three proposed schemes are conducted and demonstrate the feasibility and security of the mobile payment authentication, the significant improvement of the concealment for the shadows in QR code, and the diversity of mobile payment authentication.

computer science, information systems,telecommunications

Chen Song,Aosen Wang,Kui Ren,Wenyao Xu

DOI: https://doi.org/10.1109/INFOCOM.2016.7524367

2016-01-01

Abstract:As mobile technology grows rapidly, the smartphone has become indispensable for transmitting private user data, storing the sensitive corporate files, and conducting secure payment transactions. However, with mobile security research lagging, smartphones are extremely vulnerable to unauthenticated access. In this paper, we present, EyeVeri, a novel eye-movement-based authentication system for smartphone security protection. Specifically, EyeVeri tracks human eye movement through the built-in front camera and applies the signal processing and pattern matching techniques to explore volitional and non-volitional gaze patterns for access authentication. Through a comprehensive user study, EyeVeri performs well and is a promising approach for smartphone user authentication. We also discuss the evaluation results in-depth and analyze opportunities for future work.

Dan Liu,Qian Wang,Man Zhou,Peipei Jiang,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/tdsc.2022.3162718

2023-01-01

Abstract:Mobile two-factor authentication (TFA), which uses mobile devices as a second security layer of protection to online accounts, has been widely applied with the proliferation of mobile phones. Currently, many studies propose to use acoustic fingerprints as the second factor. However, these solutions ignore the variations of the extracted static acoustic fingerprints incurred by the acoustic propagation process, which we show can be leveraged to develop an enhanced man-in-the-middle (MITM) attack to compromise the security strength of these systems, while hiding the traces of the attacking devices. To address this newly-uncovered vulnerability, we propose SoundID, a secure and novel authentication system that introduces a dual challenge-response design through the acoustic signals of the enrolled phone and the login device. Specifically, the enrolled phone first evaluates its proximity to the login device by the similarity of their audio recordings, and then the login authentication server compares the calculated dynamic acoustic fingerprint with the one received from the enrolled phone. To the best of our knowledge, SoundID is the first scheme that extracts dynamic acoustic fingerprints and can effectively defend against the enhanced MITM attack. SoundID combines the benefits of unpredictable influencing factors of acoustic propagation processes and the stable frequency response of the acoustic hardware, whose high complexity prevents attackers from predicting or impersonating them. We build a prototype of SoundID with off-the-shelf smartphones to validate its robustness and effectiveness. Our results show that SoundID is user-friendly and achieves over 96.62% accuracy with an equal error rate around 4.27%.

Matthew Lakier,Dimcho Karakashev,Yixin Wang,Ian Goldberg

DOI: https://doi.org/10.48550/arXiv.1908.09165

2019-08-25

Abstract:Smartphones store a significant amount of personal and private information, and are playing an increasingly important role in people's lives. It is important for authentication techniques to be more resistant against two known attacks called shoulder surfing and smudge attacks. In this work, we propose a new technique called 3D Pattern. Our 3D Pattern technique takes advantage of a new input paradigm called pre-touch, which could soon allow smartphones to sense a user's finger position at some distance from the screen. We implement the technique and evaluate it in a pilot study (n=6) by comparing it to PIN and pattern locks. Our results show that although our prototype takes about 8 seconds to authenticate, it is immune to smudge attacks and promises to be more resistant to shoulder surfing.

Cryptography and Security,Human-Computer Interaction

Sourav Panda,Yuanzhen Liu,Gerhard Petrus Hancke,Umair Mujtaba Qureshi

DOI: https://doi.org/10.3390/s20113015

IF: 3.9

2020-05-26

Sensors

Abstract:This paper explores the security vulnerability of Personal Identification Number (PIN) or numeric passwords. Entry Device (PEDs) that use small strings of data (PINs, keys or passwords) as means of verifying the legitimacy of a user. Today, PEDs are commonly used by personnel in different industrial and consumer electronic applications, such as entry at security checkpoints, ATMs and customer kiosks, etc. In this paper, we propose a side-channel attack on a 4–6 digit random PIN key, and a PIN key user verification method. The intervals between two keystrokes are extracted from the acoustic emanation and used as features to train machine-learning models. The attack model has a 60% chance to recover the PIN key. The verification model has an 88% accuracy on identifying the user. Our attack methods can perform key recovery by using the acoustic side-channel at low cost. As a countermeasure, our verification method can improve the security of PIN entry devices.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yao Wang,Wandong Cai,Tao Gu,Wei Shao

DOI: https://doi.org/10.1109/tmc.2019.2934690

IF: 6.075

2020-11-01

IEEE Transactions on Mobile Computing

Abstract:The widespread use of smartphones has brought great convenience to our daily lives, while at the same time we have been increasingly exposed to security threats. Keystroke security is essential to user privacy protection. In this paper, we present GazeRevealer, a novel side-channel based keystroke inference framework to infer sensitive inputs on smartphone from video recordings of victim's eye patterns captured from smartphone front camera. We observe that eye movements typically follow the keystrokes typing on the number-only soft keyboard during password input. By exploiting eye movement patterns, we are able to infer the passwords being entered. We propose a novel algorithm to extract sensitive eye images from video streams, and classify these images with Support Vector Classification. We also propose a novel classification enhancement algorithm to further improve classification accuracy. Compared with prior keystroke detection approaches, GazeRevealer does not require any external auxiliary devices, and it only relies on smartphone front camera. We evaluate the performance of GazeRevealer on several smartphones under different real-life usage scenarios. The results show that GazeRevealer achieves an inference rate of 77.89 percent for single key number and an inference rate of 84.38 percent for 6-digit password in the ideal case.

computer science, information systems,telecommunications

Zhuo Chang,Yan Meng,Wenyuan Liu,Haojin Zhu,Lin Wang

DOI: https://doi.org/10.1016/j.jisa.2022.103130

IF: 4.96

2022-05-01

Journal of Information Security and Applications

Abstract:The prosperity of mobile sensing technology makes smartphone-based authentication more prevalent in mobile environment. The present single-modality security authentication based on human biometrics is vulnerable to counterfeit, and the procedure of basic two-factor authentication (2FA) is cumbersome. In this work, we propose a 2FA method without additional devices and procedures, namely WiCapose. The essential technique is to use the unique correlation of the two side-channel to complete multi-modal feature extraction and fusion authentication. WiCapose can simultaneously extract the radio frequency (RF) gain feature that directly characterizes the finger movement and the inter-frame spatio-temporal difference from the rear camera that indirectly portrays the tapping behaviors, to blend the micro-scale behavior pattern feature of the user's finger and implicit biological features. Then we design and train a deep neural network to fuse both factors for mitigating the limitation of the RF factor in environmental generalization and the uniqueness of the image factor on authentication performance. Experiments involving ten participants demonstrate that our method can achieve a 98% average accuracy on authentication and effectively resist shoulder-surfing attacks and mimic attacks.

computer science, information systems

Qinggang Yue,Zhen Ling,Benyuan Liu,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.48550/arXiv.1403.4829

2014-03-19

Abstract:In this paper, we introduce a novel computer vision based attack that discloses inputs on a touch enabled device, while the attacker cannot see any text or popups from a video of the victim tapping on the touch screen. In the attack, we use the optical flow algorithm to identify touching frames where the finger touches the screen surface. We innovatively use intersections of detected edges of the touch screen to derive the homography matrix mapping the touch screen surface in video frames to a reference image of the virtual keyboard. We analyze the shadow formation around the fingertip and use the k-means clustering algorithm to identify touched points. Homography can then map these touched points to keys of the virtual keyboard. Our work is substantially different from existing work. We target password input and are able to achieve a high success rate. We target scenarios like classrooms, conferences and similar gathering places and use a webcam or smartphone camera. In these scenes, single-lens reflex (SLR) cameras and high-end camcorders used in related work will appear suspicious. To defeat such computer vision based attacks, we design, implement and evaluate the Privacy Enhancing Keyboard (PEK) where a randomized virtual keyboard is used to input sensitive information.

Cryptography and Security