Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Yuanchao Shu,Yu Gu,Jiming Chen

DOI: https://doi.org/10.1109/MASS.2012.6502522

2012-01-01

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges can not be transferred among trusted users. In this work, we introduce a sensory-data-enhanced authentication for access control systems. By combining sensory-data obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss and stolen. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with simple sensor data and empirically demonstrate simple rotations can increase key space by more than 30, 000 times with an authentication accuracy of 95%. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

Hao Kong,Li Lu,Jiadi Yu,Yanmin Zhu,Feilong Tang,Yi-Chao Chen,Linghe Kong,Feng Lyu

DOI: https://doi.org/10.1109/infocom48880.2022.9796740

2022-01-01

Abstract:With the development of smart indoor environments, user authentication becomes an essential mechanism to support various secure accesses. Although recent studies have shown initial success on authenticating users with human activities or gestures using WiFi, they rely on predefined body gestures and perform poorly when meeting undefined body gestures. This work aims to enable WiFi-based user authentication with undefined body gestures rather than only predefined body gestures, i.e., realizing a gesture-independent user authentication. In this paper, we first explore physiological characteristics underlying body gestures, and find that statistical distributions under WiFi signals induced by body gestures can exhibit invariant individual uniqueness unrelated to specific body gestures. Inspired by this observation, we propose a user authentication system, which utilizes WiFi signals to identify individuals in a gesture-independent manner. Specifically, we design an adversarial learning-based model, which suppresses specific gesture characteristics, and extracts invariant individual uniqueness unrelated to specific body gestures, to authenticate users in a gesture-independent manner. Extensive experiments in indoor environments show that the proposed system is feasible and effective in gesture-independent user authentication.

Weiye Xu,Jianwei Liu,Shimin Zhang,Yuanqing Zheng,Feng Lin,Fu Xiao,Jinsong Han

DOI: https://doi.org/10.1109/infocom42981.2021.9488737

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Current facial authentication (FA) systems are mostly based on the images of human faces, thus suffering from privacy leakage and spoofing attacks. Mainstream systems utilize facial geometry features for spoofing mitigation. which are still easy to deceive with the feature manipulation, e.g., 3D-printed human faces. In this paper, we propose a novel privacy-preserving anti-spoofing FA system, named RFace, which extracts both the 3D geometry and inner biomaterial features of faces using a COTS RFID tag array. These features are difficult to obtain and forge, hence are resistant to spoofing attacks. RFace only requires users to pose their faces in front of a tag array for a few seconds, without leaking their visual facial information. We build a theoretical model to rigorously prove the feasibility of feature acquisition and the correlation between the facial features and RF signals. For practicality, we design an effective algorithm to mitigate the impact of unstable distance and angle deflection from the face to the array. Extensive experiments with 30 participants and three types of spoofing attacks show that RFace achieves an average authentication success rate of over 95.7% and an EER of 4.4%. More importantly, no spoofing attack succeeds in deceiving RFace in the experiments.

Jianwei Liu,Xiang Zou,Jinsong Han,Feng Lin,Kui Ren

DOI: https://doi.org/10.1109/iwqos49365.2020.9212855

2023-01-01

Abstract:Multi-factor user authentication (MFUA) becomes increasingly popular due to its superior security comparing with single-factor user authentication. However, existing MFUAs require multiple interactions between users and different authentication components when sensing the multiple factors, leading to extra overhead and bad use experiences. In this paper, we propose a secure and user-friendly MFUA system, namely BioDraw, which utilizes four categories of biometrics (impedance, geometry, composition, and behavior) of human hand plus the pattern-based password to identify and authenticate users. A user only needs to draw a pattern on a RFID tag array, while four biometrics can be simultaneously collected. Particularly, we design a gradient-based pattern recognition algorithm for pattern recognition and then a CNN-LSTM-based classifier for user recognition. Furthermore, to guarantee the systemic security, we propose a novel anti-spoofing scheme, called Binary ALOHA, which utilizes the inhabit randomness of RFID systems. We perform extensive experiments over 21 volunteers. The experiment result demonstrates that BioDraw can achieve a high authentication accuracy (with a false reject rate less than 2%) and is effective in defending against various attacks.

Yuchen Miao,Chaojie Gu,Zhenyu Yan,Sze Yiu Chau,Rui Tan,Qi Lin,Wen Hu,Shibo He,Jiming Chen

DOI: https://doi.org/10.1145/3596264

2023-01-01

Abstract:Secure device pairing is important to wearables. Existing solutions either degrade usability due to the need of specific actions like shaking, or they lack universality due to the need of dedicated hardware like electrocardiogram sensors. This paper proposes TouchKey, a symmetric key generation scheme that exploits the skin electric potential (SEP) induced by powerline electromagnetic radiation. The SEP is ubiquitously accessible indoors with analog-to-digital converters widely available on Internet of Things devices. Our measurements show that the SEP has high randomness and the SEPs measured at two close locations on the same human body are similar. Extensive experiments show that TouchKey achieves a high key generation rate of 345 bit/s and an average success rate of 99.29%. Under a range of adversary models including active and passive attacks, TouchKey shows a low false acceptance rate of 0.86%, which outperforms existing solutions. Besides, the overall execution time and energy usage are 0.44 s and 2.716 mJ, which make it suitable for resource-constrained devices.

Yao Wang,Tao Gu,Tom H. Luan,Minjie Lyu,Yue Li

DOI: https://doi.org/10.1109/jiot.2022.3196143

IF: 10.6

2022-12-10

IEEE Internet of Things Journal

Abstract:Continuous authentication is crucial for protecting user's privacy throughout their login session. Existing studies employ wireless sensing technologies to provide device-free and unobtrusive authentication; the user's behavior is continually assessed without their direct involvement until it deviates from their normal pattern. However, these works primarily concentrate on single-user authentication, which poses challenges in multiuser scenarios, such as smart homes and offices, where more than one user usually exists. In this article, we propose HeartPrint, a continuous multiuser authentication system, that employs a single commodity mmWave radar to capture the unique self-driving heartbeat motions from multiple users. Specifically, HeartPrint leverages the effect of skin surface vibrations caused by heartbeat on radio frequency (RF) transmissions. To profile individual heartbeat signals from the entangled components that are induced by multiple users, we first use a clustering method to position each user in the environment, then focus on the signal reflected from each position separately. The irrelevant body movements are eliminated from the RF signal by using a proposed signal energy comparison method for preserving fine-grained heartbeat traits. We then develop a pipeline to extract the most informative features for characterizing each user and feed them to an elaborated classifier for user authentication. We evaluate HeartPrint with 54 participants and demonstrate that it achieves an average authentication accuracy of over 95%. Additionally, we show that it is resilient against spoofing attacks, with an average attack success rate of less than 3%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingyi Ning,Lei Xie,Chuyu Wang,Yanling Bu,Fengyuan Xu,Da-Wei Zhou,Sanglu Lu,Baoliu Ye

DOI: https://doi.org/10.1109/tmc.2021.3097912

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Nowadays, authentication systems are usually required to provide continuous, contactless, and non-intrusive services. In this paper, we propose RF-Badge, a vital sign-based authentication scheme on human subjects to meet the above requirements by using RFID technology. We consider two biometric features with individual diversity to characterize the vital sign of users, including the movement effect from respiration and the reflection effect from organs, especially the heart. To derive the movement effect from respiration, we build a phase-based geometric model to restore the fine-grained badge moving trace as the feature. To derive the reflection effect from human internal organs, we extract the reflection signal from the original signal and generate the spectrum as the feature. Besides, to deal with the feature deviation in different physical conditions of users, we propose a multi-condition network (MCNet) to further guarantee the generalization of RF-Badge. We implement a prototype system and evaluate the performance in real environments. The experiment results show that our system achieves the average false positive rate (FPR) of 3.9 percent and false negative rate (FNR) of 3.3 percent for continuous authentication within four signal cycles.

Weiye Xu,Jianwei Liu,Shimin Zhang,Yuanqing Zheng,Feng Lin,Fu Xiao,Jinsong Han

DOI: https://doi.org/10.1109/tmc.2023.3289708

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:Current facial authentication (FA) systems are mostly based on the images of human faces, thus suffering from privacy leakage and spoofing attacks. Mainstream systems utilize facial geometry features for spoofing mitigation, but they are still vulnerable to feature manipulation, e.g., 3D-printed human faces. In this paper, we propose a novel privacy-preserving anti-spoofing FA system, named RFace, which extracts both the 3D geometry and inner biomaterial features of faces using a COTS RFID tag array. These features are difficult to obtain and forge, hence are resistant to spoofing attacks. Unlike images, RF signals are not perceptible to human eyes, so RFace protects user's privacy. We build a theoretical model to rigorously prove the feasibility of feature acquisition and the correlation between facial features and RF signals. To enhance the security of RFace, we specify the tag reading order for each authentication to defend against the signal replay attack. For practicality, we design an effective algorithm to mitigate the impact of unstable distance and angle deflection from the face to the array. Extensive experiments with 30 participants and three types of spoofing attacks show that RFace achieves an average authentication success rate of over 95.7$\%$ and an EER of 4.4$\%$. More importantly, no replay attack or spoofing attack succeeds in deceiving RFace in the experiments.

computer science, information systems,telecommunications

Ruxin Wang,Long Huang,Kaitlyn Madden,Chen Wang

DOI: https://doi.org/10.1145/3643833.3656128

2024-01-01

Abstract:Because of the great convenience and being not readable to humans, Quick Response (QR) codes are increasingly being utilized to offer a variety of security applications to mobile users, such as online payments, website logins, and private data sharing. To facilitate these security applications, QR codes usually contain sensitive information, such as bank account details, credit card numbers, and personal/organizational/device data, or they are specifically designed to work with cloud servers to provide security services. However, there is currently no existing solution to verify the identity of the smartphone user who scans a QR code from a Kiosk or another phone's screen. Verifying the scanner's identity is essential to ensure that financial transactions go to the correct recipient and that sensitive data is securely shared to its intended destination. This work aims to equip QR code providers with the ability to verify human scanners' identities, facilitating authorization and auditing. When a phone is held close to scan a QR code, we utilize the front camera of the code provider (a Kiosk or phone) to simultaneously verify the scanner's hand. Instead of requiring the scanner to present a stretched palm to obtain traditional hand geometries, we find that the geometry of an individual's hand, when it grips a phone, is also identifiable. We thus design a vision-based approach to extract gripping hand biometrics. We leverage the QR code's screen to cast light onto the scanner's gripping hand, ensuring adequate illumination even in low-light conditions. We then use a hand tracking tool, MediaPipe, to detect and localize the hand and develop a transformer-based algorithm to verify four types of gripping hand biometric features extracted from the hand image, including hand contour, skeleton, color, and surface. We further capture the subtle hand joint movements for liveness validation, because the user needs to click touchscreen buttons to start QR code scanning. Extensive experiments, including a long-term study spanning over 32 months, show that the system achieves 98.3% accuracy in verifying the user and mitigating 2D and 3D replay attacks. Compared to the widely used facial recognition, this approach addresses the recent struggles of identifying faces behind masks and the public concerns about privacy erosion.

Yan Zhuang,Chen Song,Feng Lin,Yiran Li,Changzhi Li,Wenyao Xu

DOI: https://doi.org/10.1109/rws.2016.7444405

2016-01-01

Abstract:Cryptographic security is of great importance. Biometrics play a vital role in modern authentication systems. Among all emerging biometrics, heart-based biometrics are promising because they are unique and hard to counterfeit. The current solutions on cardiac motion detection are either obtrusive or incapable of providing comprehensive cardiac motion information. To this end, we present Non-contact Cardiac Motion Sensing (NCMS), an end-to-end hardware and software solution, to sense and characterize the cardiac motion in a continuous, unobtrusive and user-friendly manner. We evaluate the performance of NCMS and compare the cardiac motion cycle on human subjects. Experimental results indicate the feasibility of NCMS to detect the cardiac motion and show the concept of a new modality in emerging heart-based biometrics.

ZOU Xiang,HAN Jinsong,QU Yuhang,XIAO Jian,XU Xian

DOI: https://doi.org/10.11959/j.issn.2096−109x.2021022

2021-01-01

Abstract:A biometric lock design method was proposed based on the internal features of human body, namely PBLock.It used the backscattered RF signals to collect the impedance characteristics of human fingertips through the contact between human fingers and tags.The advantage of such authentication method is that the human impedance was not easy to be stolen, and it was fully integrated with the hardware characteristics of the device (RFID tags), which greatly increased the difficulty for the attacker to copy and clone.To ensure the availability and efficiency of the system, an optimization authentication mechanism was proposed by cutting tag antenna, which effectively improved the impedance sensitivity.Moreover, the feasibility of passive drive was discussed by using the electromagnetic energy advantage of RFID system.Through a large number of experimental evaluations, the authentication accuracy of PBLock can reach 96%, and the average time cost of a single authentication is 1.4 seconds.Some attack models were presented based on practical environment.The results show that PBLock can effectively prevent counterfeiting attack, impersonation attack and replay attack, which provides an opportunity for the secure application of new biometric electronic locks.

Hongbo Jiang,Panyi Ji,Taiyuan Zhang,Hangcheng Cao,Daibo Liu

DOI: https://doi.org/10.1109/tmc.2024.3368331

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Keyless entry systems (KES) have become popular due to their high user-friendliness, while fingerprint and digital password authentication are two of the most widely used unlocking ways. However, current KES are vulnerable to security threats, such as fingerprint films that deceive fingerprint sensors and stolen passcodes. To address these issues, this paper presents ${\sf Fingerbeat}$, a two-factor authentication system to defend the security risks of the current widely deployed KES devices. ${\sf Fingerbeat}$ combines original credentials, such as fingerprints and passcodes, with unique and persistent finger-induced vibrations to create a two-factor secure authentication model, while ensuring user-friendliness. ${\sf Fingerbeat}$ leverages the fact that each person's finger structure is distinct and can be represented in distinct vibration patterns. During authentication, FIV is triggered and embodied in the mechanical vibration of the force-bearing body (i.e., KES panel), which can be captured by a low-cost accelerometer. We develop a proof-of-concept prototype of ${\sf Fingerbeat}$, extracting FIV features from mixed vibration recordings and eliminating the impacts of variable behaviors and external disturbance. Finally, we conduct extensive experiments to demonstrate its security and effectiveness.

computer science, information systems,telecommunications

Zhigang Tao,Yingtian Hu,Xiaoping Wang

DOI: https://doi.org/10.1088/1755-1315/252/3/032210

2019-01-01

Abstract:Biometrics is a highly efficient method of personal identification in civil fields. In this paper, we present a new biometrics system based on inner-knuckle-print (IKP). A new IKP image acquisition device with a finger guide is built for restricting the finger posture in a friendly way. A modified maximum curvature point method is proposed for feature extraction; it can extract the central region of the IKP line pattern robustly against illumination variation. The experimental results show that the proposed method achieves the equal error rate of 0.36%, performing better other traditional methods. In addition, it works in real-time.

Ang Li,Jiawei Li,Yan Zhang,Dianqi Han,Tao Li,Yanchao Zhang

DOI: https://doi.org/10.1109/twc.2022.3226753

IF: 10.4

2022-01-01

IEEE Transactions on Wireless Communications

Abstract:Commodity ultra-high-frequency (UHF) RFID authentication systems only provide weak user authentication, as RFID tags can be easily stolen, lost, or cloned by attackers. This paper presents the design and evaluation of SmartRFID, a novel UHF RFID authentication system to promote commodity crypto-less UHF RFID tags for security-sensitive applications. SmartRFID explores extremely popular smart devices and requires a legitimate user to enroll his smart device along with his RFID tag. Besides authenticating the RFID tag as usual, SmartRFID verifies whether the user simultaneously possesses the associated smart device with both feature-based machine learning and deep learning techniques. The user is considered authentic if and only if passing the dual verifications. Comprehensive user experiments on commodity smartwatches and RFID devices confirmed the high security and usability of SmartRFID. In particular, SmartRFID achieves a true acceptance rate of above 97.5% and a false acceptance rate of less than 0.7% based on deep learning. In addition, SmartRFID can achieve an average authentication latency of less than 2.21 s, which is comparable to inputting a PIN on a door keypad or smartphone.

telecommunications,engineering, electrical & electronic

Jiawei Li,Chuyu Wang,Ang Li,Dianqi Han,Yan Zhang,Jinhang Zuo,Rui Zhang,Lei Xie,Yanchao Zhang

DOI: https://doi.org/10.1109/infocom41043.2020.9155427

2020-01-01

Abstract:Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user’s tapping rhythm. In addition to verifying the RFID card’s identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user’s secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.

Jiawei Li,Chuyu Wang,Ang Li,Dianqi Han,Yan Zhang,Jinhang Zuo,Rui Zhang,Lei Xie,Yanchao Zhang

DOI: https://doi.org/10.1109/TNET.2022.3204204

2023-01-01

Abstract:Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user's tapping rhythm. In addition to verifying the RFID card's identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user's secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.

Cong Wu,Kun He,Jing Chen,Ziming Zhao,Ruiying Du

DOI: https://doi.org/10.1109/tdsc.2021.3116552

2022-01-01

Abstract:Fingerprint authentication has gained increasing popularity on mobile devices in recent years. However, it is vulnerable to presentation attacks, which include that an attacker spoofs with an artificial replica. Many liveness detection solutions have been proposed to defeat such presentation attacks; however, they all fail to defend against a particular type of presentation attack, namely puppet attack , in which an attacker places an unwilling victim's finger on the fingerprint sensor. In this article, we propose FinAuth , an effective and efficient software-only solution, to complement fingerprint authentication by defeating both synthetic spoofs and puppet attacks using fingertip-touch characteristics. FinAuth characterizes intrinsic fingertip-touch behaviors including the acceleration and the rotation angle of mobile devices when a legitimate user authenticates. FinAuth only utilizes common sensors equipped on mobile devices and does not introduce extra usability burdens on users. To evaluate the effectiveness of FinAuth , we carried out experiments on datasets collected from 90 subjects after the IRB approval. The results show that FinAuth can achieve the average balanced accuracy of 96.04% with 5 training data points and 99.28% with 100 training data points. Security experiments also demonstrate that FinAuth is resilient against possible attacks. In addition, we report the usability analysis results of FinAuth , including user authentication delay and overhead.