Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Jiaqi Pan,Xinyan Zhou,Yue Hou,Xiaoyu Ji,Haiming Chen

DOI: https://doi.org/10.1109/jsen.2024.3443914

IF: 4.3

2024-01-01

IEEE Sensors Journal

Abstract:With the popularity of wearable devices, verifying the user identity of wearable devices is critical for system security, especially when performing sensitive operations such as financial payments. In this paper, we propose M-PPG, which uses photoplethysmography (PPG) measurements with motor vibrations to authenticate user identities. Specifically, our observations reveal a strong correlation between PPG measurements and users, such as the user’s heartbeat characteristics and wearing habits reflected by PPG measurements are implicitly associated with users’ identities, and the motor vibration provides stable excitation signals for better security performance. M-PPG requires zero user effort with a built-in sensor and actuator in most wearable devices, i.e., PPG sensor and motor. Additionally, we reveal that indoor lighting strobe noise is an unavoidable noise in PPG-based authentication methods, and a noise reduction mechanism is designed to mitigate such phenomenon. Moreover, a multiple authentication scheme and an adaptive update scheme are proposed to keep a long-term authentication in M-PPG. The experimental results among 20 participants demonstrate that M-PPG achieves an average accuracy of 94:5% in daily situations. With a well-designed authentication mechanism, the pass rate of legitimate users can reach 99:9%, while the pass rate of attackers is only 0:6%.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1145/3372224.3418165

2020-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications, due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, QR codes have been reported suffering attacks for being sniffed just before the QR code is scanned, which lead to financial loss. In this study, we propose ScreenID, for enhancing the QR code security by identifying its authenticity, which embeds a QR code with information of unique screen fingerprint - PWM frequency. PWM frequencies are adjusted to different values by screen manufacturers, therefore can successfully differentiate screens. To improve the estimation accuracy of PWM frequency, ScreenID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that ScreenID can differentiate screens of different models, types and manufacturers and thus improve the security of QR codes.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1109/infocom42981.2021.9488859

2021-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, attacks against QR codes have been reported that attackers can capture a QR code of the victim and replay it to achieve a fraudulent transaction or intercept private information, just before the original QR code is scanned. In this study, we enhance the security of a QR code by identifying its authenticity. We propose SCREENID, which embeds a QR code with information of the screen which displays it, thereby the QR code can reveal whether it is reproduced by an adversary or not. In SCREENID, PWM frequency of screens is exploited as the unique screen fingerprint. To improve the estimation accuracy of PWM frequency, SCREENID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that SCREENID can differentiate screens of different models, types, and manufacturers, thus improve the security of QR codes.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Yunfei Liu,Minglu Li

DOI: https://doi.org/10.1109/infocom.2018.8486283

2018-01-01

Abstract:To prevent users' privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, etc., to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Towards this end, we explore liveness verification of user authentication leveraging users' lip movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users' speaking lips leveraging build-in audio devices on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users' speaking lips, and find that there are unique lip movement patterns for different individuals. To characterize the lip movements, we propose a deep learning-based method to extract efficient features from Doppler profiles, and employ Support Vector Machine and Support Vector Domain Description to construct binary classifiers and spoofer detectors for user identification and spoofer detection, respectively. Afterwards, we develop a binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.21% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Linghe Kong,Minglu Li

DOI: https://doi.org/10.1109/tnet.2019.2891733

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:To prevent users’ privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, and so on, to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although the state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Toward this end, we explore liveness verification of user authentication leveraging users’ mouth movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users’ speaking mouths through acoustic sensing on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users’ speaking mouths and find that there are unique mouth movement patterns for different individuals. To characterize the mouth movements, we propose a deep learning-based method to extract efficient features from Doppler profiles and employ softmax function, support vector machine, and support vector domain description to construct multi-class identifier, binary classifiers, and spoofer detectors for mouth state identification, user identification, and spoofer detection, respectively. Afterward, we develop a balanced binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.2% accuracy in user identification and 93.1% accuracy in spoofer detection.

Mohamed Khamis,Mariam Hassib,Emanuel von Zezschwitz,Andreas Bulling,Florian Alt

DOI: https://doi.org/10.1145/3136755.3136809

2017-11-03

Abstract:Although mobile devices provide access to a plethora of sensitive data, most users still only protect them with PINs or patterns, which are vulnerable to side-channel attacks (e.g., shoulder surfing). How-ever, prior research has shown that privacy-aware users are willing to take further steps to protect their private data. We propose GazeTouchPIN, a novel secure authentication scheme for mobile devices that combines gaze and touch input. Our multimodal approach complicates shoulder-surfing attacks by requiring attackers to ob-serve the screen as well as the user’s eyes to and the password. We evaluate the security and usability of GazeTouchPIN in two user studies (N=30). We found that while GazeTouchPIN requires longer entry times, privacy aware users would use it on-demand when feeling observed or when accessing sensitive data. The results show that successful shoulder surfing attack rate drops from 68% to 10.4%when using GazeTouchPIN.

Sourav Panda,Yuanzhen Liu,Gerhard Petrus Hancke,Umair Mujtaba Qureshi

DOI: https://doi.org/10.3390/s20113015

IF: 3.9

2020-05-26

Sensors

Abstract:This paper explores the security vulnerability of Personal Identification Number (PIN) or numeric passwords. Entry Device (PEDs) that use small strings of data (PINs, keys or passwords) as means of verifying the legitimacy of a user. Today, PEDs are commonly used by personnel in different industrial and consumer electronic applications, such as entry at security checkpoints, ATMs and customer kiosks, etc. In this paper, we propose a side-channel attack on a 4–6 digit random PIN key, and a PIN key user verification method. The intervals between two keystrokes are extracted from the acoustic emanation and used as features to train machine-learning models. The attack model has a 60% chance to recover the PIN key. The verification model has an 88% accuracy on identifying the user. Our attack methods can perform key recovery by using the acoustic side-channel at low cost. As a countermeasure, our verification method can improve the security of PIN entry devices.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yanyan Li,Junshuang Yang,Mengjun Xie,Dylan Carlson,Han Gil Jang,Jiang Bian

DOI: https://doi.org/10.1109/milcom.2015.7357627

2015-01-01

Abstract:Personal identification numbers (PIN) and unlock patterns are highly popular authentication mechanisms on smart mobile devices but they are not sufficiently secure. PIN or pattern mechanisms enhanced by additional, implicit behavioral biometric authentication can offer stronger authentication assurance while preserving usability, therefore becoming very attractive. Individual studies on PIN- and pattern-based behavioral biometric authentication on smartphones were conducted but their results cannot be directly compared. In this work, we present a comparison study on the authentication accuracy between PIN-based and pattern-based behavioral biometric authentication using both smartphone and tablet. We developed a uniform framework for both PIN-based and pattern-based schemes and used two representative methods-Histogram and DTW-for user verification. We recruited 15 users and collected behavioral biometric data for both simple and complex PINs and patterns. Our experimental results show that PIN-based and pattern-based behavioral biometric authentication schemes can achieve about the same level of accuracy but not all verification methods are equal. The Histogram method can achieve more consistent results and handle template aging better than the DTW method based on our results. Our findings are expected to shed light on the exploration and analysis of effective behavioral biometric verification methods and facilitate more comprehensive investigation on behavioral biometric authentication for mobile devices.

Maryam Mehrnezhad,Ehsan Toreini,Siamak F. Shahandashti,Feng Hao

DOI: https://doi.org/10.1007/s10207-017-0369-x

2017-04-18

Abstract:In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose <a class="link-external link-http" href="http://PINlogger.js" rel="external noopener nofollow">this http URL</a> which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user's PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, <a class="link-external link-http" href="http://PINlogger.js" rel="external noopener nofollow">this http URL</a> is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users' perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.

Cryptography and Security

Maro Choi,Shincheol Lee,Minjae Jo,Ji Sun Shin

DOI: https://doi.org/10.3390/s21062242

2021-03-23

Abstract:Authentication methods using personal identification number (PIN) and unlock patterns are widely used in smartphone user authentication. However, these authentication methods are vulnerable to shoulder-surfing attacks, and PIN authentication, in particular, is poor in terms of security because PINs are short in length with just four to six digits. A wide range of research is currently underway to examine various biometric authentication methods, for example, using the user's face, fingerprint, or iris information. However, such authentication methods provide PIN-based authentication as a type of backup authentication to prepare for when the maximum set number of authentication failures is exceeded during the authentication process such that the security of biometric authentication equates to the security of PIN-based authentication. In order to overcome this limitation, research has been conducted on keystroke dynamics-based authentication, where users are classified by analyzing their typing patterns while they are entering their PIN. As a result, a wide range of methods for improving the ability to distinguish the normal user from abnormal ones have been proposed, using the typing patterns captured during the user's PIN input. In this paper, we propose unique keypads that are assigned to and used by only normal users of smartphones to improve the user classification performance capabilities of existing keypads. The proposed keypads are formed by randomly generated numbers based on the Mersenne Twister algorithm. In an attempt to demonstrate the superior classification performance of the proposed unique keypad compared to existing keypads, all tests except for the keypad type were conducted under the same conditions in earlier work, including collection-related features and feature selection methods. Our experimental results show that when the filtering rates are 10%, 20%, 30%, 40%, and 50%, the corresponding equal error rates (EERs) for the proposed keypads are improved by 4.15%, 3.11%, 2.77%, 3.37% and 3.53% on average compared to the classification performance outcomes in earlier work.

Athanasios Papadopoulos,Toan Nguyen,Emre Durmus,Nasir Memon

DOI: https://doi.org/10.1109/TIFS.2017.2725199

2017-08-22

Abstract:We address the problem of shoulder-surfing attacks on authentication schemes by proposing IllusionPIN (IPIN), a PIN-based authentication method that operates on touchscreen devices. IPIN uses the technique of hybrid images to blend two keypads with different digit orderings in such a way, that the user who is close to the device is seeing one keypad to enter her PIN, while the attacker who is looking at the device from a bigger distance is seeing only the other keypad. The user's keypad is shuffled in every authentication attempt since the attacker may memorize the spatial arrangement of the pressed digits. To reason about the security of IllusionPIN, we developed an algorithm which is based on human visual perception and estimates the minimum distance from which an observer is unable to interpret the keypad of the user. We tested our estimations with 84 simulated shoulder-surfing attacks from 21 different people. None of the attacks was successful against our estimations. In addition, we estimated the minimum distance from which a camera is unable to capture the visual information from the keypad of the user. Based on our analysis, it seems practically almost impossible for a surveillance camera to capture the PIN of a smartphone user when IPIN is in use.

Cryptography and Security

Man Zhou,Yuting Zhou,Shuao Su,Qian Wang,Qi Li,Shengshan Hu,Chunwu Yu,Zhengxiong Li

DOI: https://doi.org/10.1109/tmc.2023.3338148

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Pattern lock is widely used for user authentication in mobile devices due to its simplicity and ease of remembering. However, it is vulnerable to various attacks, e.g. , shoulder surfing attacks. In this paper, we propose FingerPattern, a novel enhanced pattern lock authentication system by using friction sound as a second authentication factor. When the user inputs the pattern by swiping his/her fingertip on the screen, the friction sound is generated based on the user's fingerprint and is unique. Thus, FingerPattern can identify and rule out the illegality by utilizing fingerprint-dependent friction sound even if the adversary has inferred the pattern. By this method, FingerPattern secures pattern lock without the need for a change in user unlocking habits. Extensive experiments demonstrate that FingerPattern can identify legitimate users with 97.5% TAR in one attempt and defend against various attacks ( e.g. , only 16.8% FAR in five attempts even if the adversary can clearly spy on the user's unlocking process). FingerPattern can be incorporated into the existing pattern lock of mobile devices, which is cost-free. Furthermore, a user experience study shows that FingerPattern is well-received by users.

Matthew Lakier,Dimcho Karakashev,Yixin Wang,Ian Goldberg

DOI: https://doi.org/10.48550/arXiv.1908.09165

2019-08-25

Abstract:Smartphones store a significant amount of personal and private information, and are playing an increasingly important role in people's lives. It is important for authentication techniques to be more resistant against two known attacks called shoulder surfing and smudge attacks. In this work, we propose a new technique called 3D Pattern. Our 3D Pattern technique takes advantage of a new input paradigm called pre-touch, which could soon allow smartphones to sense a user's finger position at some distance from the screen. We implement the technique and evaluate it in a pilot study (n=6) by comparing it to PIN and pattern locks. Our results show that although our prototype takes about 8 seconds to authenticate, it is immune to smudge attacks and promises to be more resistant to shoulder surfing.

Cryptography and Security,Human-Computer Interaction

Matteo Cardaioli,Mauro Conti,Kiran Balagani,Paolo Gasti

DOI: https://doi.org/10.48550/arXiv.1905.08742

2019-05-22

Abstract:Personal Identification Numbers (PIN) are widely used as authentication method for systems such as Automated Teller Machines (ATMs) and Point of Sale (PoS). Input devices (PIN pads) usually give the user a feedback sound when a key is pressed. In this paper, we propose an attack based on the extraction of inter-keystroke timing from the feedback sound when users type their PINs. Our attack is able to reach an accuracy of 98% with a mean error of 0.13 +/-6.66 milliseconds. We demonstrate that inter-keystroke timing significantly improves the guessing probability of certain subsets of PINs. We believe this represents a security problem that has to be taken into account for secure PIN generation. Furthermore, we identified several attack scenarios where the adversary can exploit inter-keystroke timing and additional information about the user or the PIN, such as typing behavior. Our results show that combining the inter-keystroke timing with other information drastically reduces attempts to guess a PIN, outperforming random guessing. With our attack, we are able to guess 72% of the 4-digit PINs within 3 attempts. We believe this poses a serious security problem for systems that use PIN-based authentication.

Cryptography and Security

Zhangyu Meng,Jun Kong,Juan Li

DOI: https://doi.org/10.1016/j.cose.2021.102187

2021-04-01

Abstract:<p>Due to its invisibility feature, pressure is useful to enhance the security of authentication, especially preventing the shoulder surfing attack. However, users are more familiar with digital passwords than pressure-based passwords. In order to improve the usability of pressure-based authentication, this paper instantiates a pressure-based password (i.e., a sequence of pressures) to a decimal number. In addition, our approach features personalized pressure detection. The personalization further enhances security since an attacker must have a pressure habit that is consistent with the user. We conducted a series of user studies to compare the traditional four-digit password with our pressure-based password. The empirical result indicates that a pressure-based password is more resistant to the shoulder surfing attack than a four-digit password. However, it takes more time to input a pressure-based password on the first-time usage. The slowdown is caused by a modality change from vision to pressure. A field study that lasted for 10 days revealed that the side effect of modality change can be overcome through regular usages.</p>

computer science, information systems

Ding Wang,Qianchen Gu,Xinyi Huang,Ping Wang

DOI: https://doi.org/10.1145/3052973.3053031

2017-01-01

Abstract:Personal Identification Numbers (PINs) are ubiquitously used in embedded computing systems where user input interfaces are constrained. Yet, little attention has been paid to this important kind of authentication credentials, especially for 6-digit PINs which dominate in Asian countries and are gaining popularity worldwide. Unsurprisingly, many fundamental questions (e.g., what's the distribution that human-chosen PINs follow?) remain as intact as about fifty years ago when they first arose. In this work, we conduct a systematic investigation into the characteristics, distribution and security of both 4-digit PINs and 6-digit PINs that are chosen by English users and Chinese users. Particularly, we, for the first time, perform a comprehensive comparison of the PIN characteristics and security between these two distinct user groups. Our results show that there are great differences in PIN choices between these two groups of users, a small number of popular patterns prevail in both groups, and surprisingly, over 50% of every PIN datasets can be accounted for by just the top 5%~8% most popular PINs. What's disturbing is the observation that, as online guessing is a much more serious threat than offline guessing in the current PIN-based systems, longer PINs only attain marginally improved security: human-chosen 4-digit PINs can offer about 6.6 bits of security against online guessing and 8.4 bits of security against offline guessing, and this figure for 6-digit PINs is 7.2 bits and 13.2 bits, respectively. We, for the first time, reveal that Zipf's law is likely to exist in PINs. Despite distinct language/cultural backgrounds, both user groups choose PINs with almost the same Zipf distribution function, and such Zipf PIN-distribution from one source (about which we may know little information) can be well predicted by real-world attackers by running Markov-Chains with PINs from another known source. Our Zipf theory would have foundational implications for analyzing PIN-based protocols and for designing PIN creation policies, while our security measurements provide guidance for bank agencies and financial authorities that are planning to conduct PIN migration from 4-digits to 6-digits.

Yuchen Miao,Chaojie Gu,Zhenyu Yan,Sze Yiu Chau,Rui Tan,Qi Lin,Wen Hu,Shibo He,Jiming Chen

DOI: https://doi.org/10.1145/3596264

2023-01-01

Abstract:Secure device pairing is important to wearables. Existing solutions either degrade usability due to the need of specific actions like shaking, or they lack universality due to the need of dedicated hardware like electrocardiogram sensors. This paper proposes TouchKey, a symmetric key generation scheme that exploits the skin electric potential (SEP) induced by powerline electromagnetic radiation. The SEP is ubiquitously accessible indoors with analog-to-digital converters widely available on Internet of Things devices. Our measurements show that the SEP has high randomness and the SEPs measured at two close locations on the same human body are similar. Extensive experiments show that TouchKey achieves a high key generation rate of 345 bit/s and an average success rate of 99.29%. Under a range of adversary models including active and passive attacks, TouchKey shows a low false acceptance rate of 0.86%, which outperforms existing solutions. Besides, the overall execution time and energy usage are 0.44 s and 2.716 mJ, which make it suitable for resource-constrained devices.

Hongji Yang,Lin Chen,Kaigui Bian,Yang Tian,Fan Ye,Wei Yan,Tong Zhao,Xiaoming Li

DOI: https://doi.org/10.1109/ICC.2015.7249465

2015-01-01

Abstract:In this paper, we present TapLock as a smartphone password system that exploits the finger tap events on capacitive touch screens for increasing the password's resilience to shoulder-surfing attacks (where the password input by a user can be easily observed by a bystander over the user's shoulder). TapLock captures the size and the axis length of the finger touch area on the phone screen for creating a password, which cannot be easily observed by a shoulder surfer. Our user study shows that TapLock has several advantages over existing smartphone password systems, including its strong attack resilience, small authentication delay, and haptic input feedback that improves the usability.

Chao Shen,Tianwen Yu,Sheng Yuan,Yunpeng Li,Xiaohong Guan

DOI: https://doi.org/10.3390/s16030345

IF: 3.9

2016-01-01

Sensors

Abstract:The growing trend of using smartphones as personal computing platforms to access and store private information has stressed the demand for secure and usable authentication mechanisms. This paper investigates the feasibility and applicability of using motion-sensor behavior data for user authentication on smartphones. For each sample of the passcode, sensory data from motion sensors are analyzed to extract descriptive and intensive features for accurate and fine-grained characterization of users’ passcode-input actions. One-class learning methods are applied to the feature space for performing user authentication. Analyses are conducted using data from 48 participants with 129,621 passcode samples across various operational scenarios and different types of smartphones. Extensive experiments are included to examine the efficacy of the proposed approach, which achieves a false-rejection rate of 6.85% and a false-acceptance rate of 5.01%. Additional experiments on usability with respect to passcode length, sensitivity with respect to training sample size, scalability with respect to number of users, and flexibility with respect to screen size were provided to further explore the effectiveness and practicability. The results suggest that sensory data could provide useful authentication information, and this level of performance approaches sufficiency for two-factor authentication on smartphones. Our dataset is publicly available to facilitate future research.