Long Huang,Chen Wang

DOI: https://doi.org/10.1109/tmc.2024.3474673

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Biometrics have been widely applied for user authentication. However, existing biometric authentications are vulnerable to biometric spoofing, because they can be observed and forged. In addition, they rely on verifying biometric features that rarely change. To address this issue, we propose to verify the handgrip biometric that can be unobtrusively extracted by acoustic signals when the user holds the phone. This biometric is uniquely associated with the user's hand geometry, body-fat ratio, and gripping strength, which are hard to reproduce. Furthermore, we propose two biometric encoding techniques (i.e., temporal-frequential and spatial) to convert static biometrics into dynamic biometric features to prevent data reuse. In particular, we develop a biometric authentication system to work with the challenge-response protocol. We encode the ultrasonic signal according to a random challenge sequence and extract a distinct biometric code as the response. We further develop two decoding algorithms to decode the biometric code for user authentication. Additionally, we investigate multiple new attacks and explore using a latent diffusion model to solve the acoustic noise discrepancies between the training and testing data to improve system performance. Extensive experiments show our system achieves 97% accuracy in distinguishing users and rejects 100% replay attacks with 0.6s challenge sequence.

Yanjiao Chen,Meng Xue,Jian Zhang,Qianyun Guan,Zhiyuan Wang,Qian Zhang,Wei Wang

DOI: https://doi.org/10.1145/3494962

2021-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Voice-based authentication is prevalent on smart devices to verify the legitimacy of users, but is vulnerable to replay attacks. In this paper, we propose to leverage the distinctive chest motions during speaking to establish a secure multi-factor authentication system, named ChestLive. Compared with other biometric-based authentication systems, ChestLive does not require users to remember any complicated information (e.g., hand gestures, doodles) and the working distance is much longer (30cm). We use acoustic sensing to monitor chest motions with a built-in speaker and microphone on smartphones. To obtain fine-grained chest motion signals during speaking for reliable user authentication, we derive Channel Energy (CE) of acoustic signals to capture the chest movement, and then remove the static and non-static interference from the aggregated CE signals. Representative features are extracted from the correlation between voice signal and corresponding chest motion signal. Unlike learning-based image or speech recognition models with millions of available training samples, our system needs to deal with a limited number of samples from legitimate users during enrollment. To address this problem, we resort to meta-learning, which initializes a general model with good generalization property that can be quickly fine-tuned to identify a new user. We implement ChestLive as an application and evaluate its performance in the wild with 61 volunteers using their smartphones. Experiment results show that ChestLive achieves an authentication accuracy of 98.31% and less than 2% of false accept rate against replay attacks and impersonation attacks. We also validate that ChestLive is robust to various factors, including training set size, distance, angle, posture, phone models, and environment noises.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Yunfei Liu,Minglu Li

DOI: https://doi.org/10.1109/infocom.2018.8486283

2018-01-01

Abstract:To prevent users' privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, etc., to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Towards this end, we explore liveness verification of user authentication leveraging users' lip movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users' speaking lips leveraging build-in audio devices on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users' speaking lips, and find that there are unique lip movement patterns for different individuals. To characterize the lip movements, we propose a deep learning-based method to extract efficient features from Doppler profiles, and employ Support Vector Machine and Support Vector Domain Description to construct binary classifiers and spoofer detectors for user identification and spoofer detection, respectively. Afterwards, we develop a binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.21% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Linghe Kong,Minglu Li

DOI: https://doi.org/10.1109/tnet.2019.2891733

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:To prevent users’ privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, and so on, to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although the state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Toward this end, we explore liveness verification of user authentication leveraging users’ mouth movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users’ speaking mouths through acoustic sensing on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users’ speaking mouths and find that there are unique mouth movement patterns for different individuals. To characterize the mouth movements, we propose a deep learning-based method to extract efficient features from Doppler profiles and employ softmax function, support vector machine, and support vector domain description to construct multi-class identifier, binary classifiers, and spoofer detectors for mouth state identification, user identification, and spoofer detection, respectively. Afterward, we develop a balanced binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.2% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lü,Jiadi Yu,Yingying Chen,Yan Wang

DOI: https://doi.org/10.1145/3397320

2020-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.

Zhiheng Chang,Yuchen Su,Hongbo Liu

DOI: https://doi.org/10.1109/ainit61980.2024.10581665

2024-01-01

Abstract:The proliferation of wearable and handheld smart devices has enabled a wide range of applications, such as monitoring personal health and facilitating mobile payment. In the meanwhile, it is crucial to ensure the authenticity of users. Biometric-based method offers convenience to authenticate individuals, but they still face the vulnerabilities to mimic attack. The human body vibration feedback triggered by the built-in vibration motor when user is holding the device, as a novel biometric authentication method, offers improved availability and concealment while ensuring high accuracy. However, the authentication method relying solely on a single biometric is vulnerable to impersonation and biometric leakage. To address this issue, we propose a two-factor method integrating a sequence of vibration feedback triggered by random hand gestures, representing the PIN code, and the unique biometric pattern of each corresponding feedback response to facilitate the verification of user identities. Specifically, the vibration feedback varies due to physiological factors among different people such as muscle tension and bone size across distinct gestures. We design the segmentation algorithm to obtain distinct biometric patterns and further extract relevant features utilizing two modern time-series feature extraction tools. Subsequently, the experiments are conducted involving 15 volunteers on the designed prototype, which demonstrate an average authentication accuracy of 92.50% for our proposed method.

Ruxin Wang,Long Huang,Kaitlyn Madden,Chen Wang

DOI: https://doi.org/10.1145/3643833.3656128

2024-01-01

Abstract:Because of the great convenience and being not readable to humans, Quick Response (QR) codes are increasingly being utilized to offer a variety of security applications to mobile users, such as online payments, website logins, and private data sharing. To facilitate these security applications, QR codes usually contain sensitive information, such as bank account details, credit card numbers, and personal/organizational/device data, or they are specifically designed to work with cloud servers to provide security services. However, there is currently no existing solution to verify the identity of the smartphone user who scans a QR code from a Kiosk or another phone's screen. Verifying the scanner's identity is essential to ensure that financial transactions go to the correct recipient and that sensitive data is securely shared to its intended destination. This work aims to equip QR code providers with the ability to verify human scanners' identities, facilitating authorization and auditing. When a phone is held close to scan a QR code, we utilize the front camera of the code provider (a Kiosk or phone) to simultaneously verify the scanner's hand. Instead of requiring the scanner to present a stretched palm to obtain traditional hand geometries, we find that the geometry of an individual's hand, when it grips a phone, is also identifiable. We thus design a vision-based approach to extract gripping hand biometrics. We leverage the QR code's screen to cast light onto the scanner's gripping hand, ensuring adequate illumination even in low-light conditions. We then use a hand tracking tool, MediaPipe, to detect and localize the hand and develop a transformer-based algorithm to verify four types of gripping hand biometric features extracted from the hand image, including hand contour, skeleton, color, and surface. We further capture the subtle hand joint movements for liveness validation, because the user needs to click touchscreen buttons to start QR code scanning. Extensive experiments, including a long-term study spanning over 32 months, show that the system achieves 98.3% accuracy in verifying the user and mitigating 2D and 3D replay attacks. Compared to the widely used facial recognition, this approach addresses the recent struggles of identifying faces behind masks and the public concerns about privacy erosion.

Zhenyang Guo,Hao Yan,Jin Cao,Jiawei Yang,Ben Niu,Ang Li,Hui Li

DOI: https://doi.org/10.1109/jiot.2024.3450692

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Presently, the prevalent authentication approaches in smartphones are susceptible to interference from light,0 noise, temperature, and the risk of replay attacks. In light of these vulnerabilities, and taking into account user behavior alongside smartphone interaction patterns, we have developed an innovative behavioral-based authentication system. This system harnesses the distinctiveness of individual keystroke dynamics for secure user authentication, offering resilience against noise and light fluctuations. In this unique approach, our smartphone’s speakers and microphones emit and capture high-frequency acoustic signals (AS). To the best of our knowledge, this is the first instance of employing the Doppler effect generated by the high-frequency AS in response to keystroke activity as a distinctive user feature. Our definition of ’keystroke behavior’ encompasses the motions involved in tapping screen buttons while holding the smartphone, effectively capturing unique user attributes without necessitating any special procedures or passwords. Our initial experiments have convincingly shown that the AS Doppler effect, triggered by keystroke actions, is uniquely identifiable per user during button presses. Subsequently, we utilized a Convolutional Autoencoder (CAE) to distill keystroke behaviors from the reflected signals, employing a One-Class Support Vector Machine (OCSVM) for user authentication and identification processes. We then implemented a prototype of this scheme on smartphones and rigorously tested its performance across four real-world scenarios. The outcomes are promising, demonstrating that our scheme not only withstands disturbances from noise and light but also achieves an impressive average accuracy rate of 95.08%. Regarding security, it effectively thwarts replay and record attacks, further underscoring its robustness and reliability.

Wenyuan Xu,Jing Tian,Yu Cao,Song Wang

DOI: https://doi.org/10.1109/tdsc.2017.2752164

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Challenge-response (CR) is an effective way to authenticate users even if the communication channel is insecure. Traditionally CR authentication relies on one-way hashes and shared secrets to verify the identities of users. Such a method cannot cope with an insider attack, where a user can obtained the secret (i.e., the response) from a legitimate user. To cope with it, we design a biometric-based CR authentication scheme (hereafter MoCRA), which is derived from the motions as a user operates emerging depth-sensor- based input devices, such as a Leap Motion controller. We envision that to authenticate a user, MoCRA randomly chooses a string (e.g., a few words), and the user has to write the string in the air. Using Leap Motion, MoCRA captures the user's writing movements and then extracts his / her handwriting style. After verifying that what the user writes matches what is asked for, MoCRA leverages a Support Vecter Machine (SVM) with co-occurrence matrices to model the handwriting styles and can reliably authenticate users, even if what they write is completely different every time. Evaluated on data from 24 subjects over 7 months, MoCRA managed to verify a user with an average of 1.18% (Equal Error Rate) EER and to reject impostors with 2.45% EER.

Cong Wu,Jing Chen,Kun He,Ziming Zhao,Ruiying Du,Chen Zhang

DOI: https://doi.org/10.1145/3548606.3560553

2022-01-01

Abstract:ABSTRACTBiometric authentication schemes, i.e., fingerprint and face authentication, raise serious privacy concerns. To alleviate such concerns, hand authentication has been proposed recently. However, existing hand authentication schemes use dedicated hardware, such as infrared or depth cameras, which are not available on commodity mobile devices. In this paper, we present EchoHand, a high accuracy and presentation attack resistant authentication scheme that complements camera-based 2-dimensional hand geometry recognition of one hand with active acoustic sensing of the other holding hand. EchoHand plays an inaudible acoustic signal using the speaker to actively sense the holding hand and collects the echoes using the microphone. EchoHand does not rely on any specialized hardware but uses the built-in speaker, microphone and camera. Moreover, EchoHand does not place more burdens on users than existing hand authentication methods. We conduct comprehensive experiments to evaluate the reliability and security of EchoHand. The results show that EchoHand has a low equal error rate of 2.45% with as few as 10 training data points and it defeats presentation attacks.

Jianwei Liu,Wenfan Song,Leming Shen,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tmc.2022.3193847

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:Biometric plays an important role in user authentication. However, the most widely used biometrics, such as facial feature and fingerprint, are easy to capture or record, and thus vulnerable to spoofing attacks. On the contrary, intracorporal biometrics, such as electrocardiography and electroencephalography, are hard to collect, and hence more secure for authentication. Unfortunately, adopting them is not user-friendly due to their complicated collection methods or inconvenient constraints on users. In this paper, we propose a novel biometric-based authentication system, namely MandiPass . MandiPass leverages inertial measurement units, which have been widely deployed in portable devices, to collect intracorporal biometric from the vibration of user's mandible. It provides not only one-time verification function but also continuous authentication function. Both the two functions are secure and user-friendly. We theoretically validate the feasibility of MandiPass and develop a series of deep learning techniques for effective biometric extraction. We also utilize a Gaussian matrix to defend against replay attacks. Extensive experiment results with 34 volunteers show that MandiPass can achieve low equal error rate, even under various harsh environments.

J Liu,X Zou,F Lin,J Han,X Xu,K Ren

DOI: https://doi.org/10.1109/ICDCS51616.2021.00103

2021-01-01

Abstract:Biometrics have been widely used in user authentications. However, existing outer-body biometrics (e.g., fingerprint), collecting from body surface, are vulnerable to spoofing attacks. Although inner-body biometrics, such as the electrocardiogram, are hard to be forged, their complex acquisition methods and instability lead to unsatisfactory user experience. Therefore, achieving good user-friendliness and high security simultaneously in biometric-based authentication is challenging. In this paper, we propose Hand-Key, an attack-resilient and user-friendly user authentication system to address the above challenge. Hand-Key utilizes a low-cost radio frequency identification (RFID) tag array to simultaneously collect the inner-body composition and outer-body geometric features of human hand to identify users. Users are merely required to hold their hands in a 'handshaking' pose between a reader's antenna and a tag array during authentication. To further enhance the security, we tactfully leverage the inherent randomness of the anti-collision scheme in RFID systems to make Hand-Key immune against replay attacks. We built a prototype of Hand-Key and conducted extensive experiments with 30 volunteers. The results show that Hand-Key achieves an authentication success rate of 99%+.

Zhanglei Shu,Zhangsen Wang,Guozheng Yang,Cheng Zang,Zhe Ma,Feng Lin,Kui Ren

DOI: https://doi.org/10.1109/ICPADS56603.2022.00013

2023-01-01

Abstract:Fingerprint recognition technology is the most widely used technology in the field of biometrics and is also the preferred solution for mobile devices and the financial industry. However, traditional fingerprint recognition technology requires expensive sensors on the one hand and risks leaking fingerprint images on the other hand. In this paper, we propose Fingersound, a low-cost and deployable authentication system that utilizes the sound generated by finger sliding as an identity feature. We use a microphone array to record continuous sliding sound and extract multiple features in the frequency and time domains. Then we use various algorithms including a deep neural network to perform user authentication. We also design a mobile phone application that can interact with the embedded system to manage users and record authentication history. In our experiments, 100 participants used this system and achieved an equal error rate of 5.2%. Additionally, we investigate the system’s robustness within different sliding materials, texturesand under noise disturbances. We further demonstrate the resistance of Fingersound to replay attack.

Huijie Chen,Fan Li,Wan Du,Song Yang,Matthew Conn,Yu Wang

DOI: https://doi.org/10.1145/3411809

2020-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Inputting a pattern or PIN code on the touch screen is a popular method to prevent unauthorized access to mobile devices. However, these sensitive tokens are highly susceptible to being inferred by various types of side-channel attacks, which can compromise the security of the private data stored in the device. This paper presents a second-factor authentication method, TouchPrint, which relies on the user's hand posture shape traits (dependent on the individual different posture type and unique hand geometry biometrics) when the user inputs PIN or pattern. It is robust against the behavioral variability of inputting a passcode and places no restrictions on input manner (e.g., number of the finger touching the screen, moving speed, or pressure). To capture the spatial characteristic of the user's hand posture shape when input the PIN or pattern, TouchPrint performs active acoustic sensing to scan the user's hand posture when his/her finger remains static at some reference positions on the screen (e.g., turning points for the pattern and the number buttons for the PIN code), and extracts the multipath effect feature from the echo signals reflected by the hand. Then, TouchPrint fuses with the spatial multipath feature-based identification results generated from the multiple reference positions to facilitate a reliable and secure MFA system. We build a prototype on smartphone and then evaluate the performance of TouchPrint comprehensively in a variety of scenarios. The experiment results demonstrate that TouchPrint can effectively defend against the replay attacks and imitate attacks. Moreover, TouchPrint can achieve an authentication accuracy of about 92% with only ten training samples.

Bing Zhou,Zongxing Xie,Yinuo Zhang,Jay Lohokare,Ruipeng Gao,Fan Ye

DOI: https://doi.org/10.1109/tmc.2020.3048659

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:User authentication on smartphones is the key to many applications, which must satisfy both security and convenience. We propose a novel user authentication system EchoPrint , which leverages acoustics and vision for secure and convenient user authentication, without requiring any special hardware. EchoPrint actively emits almost inaudible acoustic signals from the earpiece speaker to “illuminate” the user's face and authenticates the user by the unique features extracted from the echoes bouncing off the 3D facial contour. To combat changes in phone-holding poses thus echoes, a convolutional neural network (CNN) is trained to extract reliable acoustic features, which are further combined with visual facial features extracted from state-of-the-art face recognition deep models to feed a binary support vector machine (SVM) classifier for final authentication. Because the echo features depend on 3D facial geometries, EchoPrint is not easily spoofed by images or videos like 2D visual face recognition systems. It needs only commodity hardware, thus avoiding the extra costs of special sensors in solutions like FaceID. Experiments with 62 volunteers and non-human objects such as images, photos, and sculptures show that EchoPrint achieves 93.75 percent balanced accuracy and 93.50 percent F-score, while the average precision is 98.05 percent using acoustic features and basic facial landmarks. The precision is further improved to 99.96 percent with sophisticated visual features.

Yang Gao,Yincheng Jin,Jagmohan Chauhan,Seokmin Choi,Jiyang Li,Zhanpeng Jin

DOI: https://doi.org/10.1145/3448113

2021-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:With the rapid growth of wearable computing and increasing demand for mobile authentication scenarios, voiceprint-based authentication has become one of the prevalent technologies and has already presented tremendous potentials to the public. However, it is vulnerable to voice spoofing attacks (e.g., replay attacks and synthetic voice attacks). To address this threat, we propose a new biometric authentication approach, named EarPrint, which aims to extend voiceprint and build a hidden and secure user authentication scheme on earphones. EarPrint builds on the speaking-induced body sound transmission from the throat to the ear canal, i.e., different users will have different body sound conduction patterns on both sides of ears. As the first exploratory study, extensive experiments on 23 subjects show the EarPrint is robust against ambient noises and body motions. EarPrint achieves an Equal Error Rate (EER) of 3.64% with 75 seconds enrollment data. We also evaluate the resilience of EarPrint against replay attacks. A major contribution of EarPrint is that it leverages two-level uniqueness, including the body sound conduction from the throat to the ear canal and the body asymmetry between the left and the right ears, taking advantage of earphones' paring form-factor. Compared with other mobile and wearable biometric modalities, EarPrint is a low-cost, accurate, and secure authentication solution for earphone users.

Wei Song,Min Wang,Yuezhong Wu,Chun Tung Chou,Jiankun Hu,Wen Hu

DOI: https://doi.org/10.1145/3495243.3558257

2022-01-01

Abstract:As the human hand makes direct physical contact with smartphones, significant efforts have recently been made to study the behavioral information of hand gripping of smartphones for user authentication purposes. Most existing methods leverage hand gripping behavior (e.g., gripping gesture, gripping position, gripping strength) of smartphones as biometrics to identify users. However, behavioral-based biometric authentication approaches may suffer from two problems: authentication performance (accuracy) degradation due to high-intra class variations arising from changes in user behavior over time, and vulnerability under spoofing attacks. To address these issues, we propose Holdpass, which is a behavior-independent in-hand user authentication method using vibration Holdpass is able to adapt to the changes of hand gripping behavior of smartphones by extracting unique and stable physical features of human hands and eliminating the behavior-related prior information. Specifically, in Holdpass, we propose an adversarial neural network to achieve authentication based on unique physical features. Experiments with 10 users show that Holdpass can authenticate users with 97.39% accuracy while keeping False Accepted Rates (FAR) at a minimum of 2.1%.

Weidong Luo,Bowen Lan,Xinyi Wan,Zhihong Liu,Yong Zeng,Jianfeng Ma

DOI: https://doi.org/10.1109/icct50939.2020.9295824

2020-01-01

Abstract:PIN is widely used as an authentication method on the mobile phone in various public places. However a malicious person nearby may peek into the screen and remember the password. This kind of shoulder surfing attack is more difficult to prevent in modern society. A stronger adversary may use his camera or video surveillance system to record the entry process. In this paper, we present three approaches to solve this problem. Those approaches utilize the phone’s vibration as the covert channel to deliver challenge- response secretly from camera. The experimental results show that those approaches can effectively prevent the shoulder surfing attack, even if the password entry process is completely exposed to the adversary's camera.

Xinyue Fang,Jianwei Liu,Yike Chen,Jinsong Han

DOI: https://doi.org/10.1109/icpads63350.2024.00019

2024-01-01

Abstract:With a wide range of common and privacy-sensitive applications, smartphones are frequently accessed for substantial personal information. Therefore, user-friendliness and security are crucial for user authentication on smartphones. Recently, convenient and secure biometric-based authentication is widely employed for smartphones, where the facial authentication stands out due to its potential for advancements in both user-friendliness and security. However, existing facial authentication methods possess some defects. For example, camera-based methods require good illumination conditions and are susceptible to 2D spoofing attacks. Moreover, previous acoustic-based methods either require camera assistance, or still suffer from 3D spoofing attacks. Even worse, some acoustic-based methods use audible sound waves, causing discomfort to users. To solve these questions, in this paper we propose UltraFace, an anti-spoofing and user-friendly facial authentication system on smartphones. It extracts facial geometry features and acoustic impedance features from imperceptible ultrasound. Leveraging the principle of ultrasound propagation, UltraFace correlates spectrograms of reflected signals with facial biometrics. Utilizing a deep learning model as a feature extractor, UltraFace mines fine-grained facial geometry features and acoustic impedance features from the spectrograms for accurate user authentication. Extensive experiments show that UltraFace achieves $97.2 \%$ accuracy in user authentication and can effectively defend against spoofing attacks. Furthermore, UltraFace exhibits robustness for long-term usage.

Yanzhi Ren,Tingyuan Yang,Zhiliang Xia,Hongbo Liu,Jiadi Yu,Bo Liu,Hongwei Li

DOI: https://doi.org/10.1109/tmc.2024.3391184

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:The two-factor authentication (2FA) has become pervasive as the mobile devices become prevalent. Existing 2FA solutions usually require some form of user involvement, which could severely affect user experience and bring extra burdens to users. In this work, we propose a secure 2FA that utilizes the individual acoustic fingerprint of the speaker/microphone on enrolled device as the second proof. The main idea behind our system is to use both magnitude and phase fingerprints derived from the frequency response of the enrolled device by emitting acoustic beep signals alternately from both enrolled and login devices and receiving their direct arrivals for 2FA. Given the input microphone samplings, our system designs an arrival time detection scheme to accurately identify the beginning point of the beep signal from the received signal. To achieve a robust authentication, we develop a new distance mitigation scheme to eliminate the impact of transmission distances from the sound propagation model for extracting stable fingerprint in both magnitude and phase domain. Our device authentication component then calculates a weighted correlation value between the device profile and fingerprints extracted from run-time measurements to conduct the device authentication for 2FA. Moreover, to thwart the possible co-located attacks, our proximity detection component further makes the enrolled phone to generate an active random vibration signal by its built-in motor, and then matches the signal received by the microphone of login device with the signal received by the accelerometer of enrolled phone to verify the proximity of two devices. Our experimental results show that our proposed system is accurate and robust to various attacks across different scenarios and device models.