Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Linghe Kong,Minglu Li

DOI: https://doi.org/10.1109/tnet.2019.2891733

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:To prevent users’ privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, and so on, to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although the state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Toward this end, we explore liveness verification of user authentication leveraging users’ mouth movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users’ speaking mouths through acoustic sensing on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users’ speaking mouths and find that there are unique mouth movement patterns for different individuals. To characterize the mouth movements, we propose a deep learning-based method to extract efficient features from Doppler profiles and employ softmax function, support vector machine, and support vector domain description to construct multi-class identifier, binary classifiers, and spoofer detectors for mouth state identification, user identification, and spoofer detection, respectively. Afterward, we develop a balanced binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.2% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lu,Jiadi Yu,Yingying Chen,Hongbo Liu,Yanmin Zhu,Yunfei Liu,Minglu Li

DOI: https://doi.org/10.1109/infocom.2018.8486283

2018-01-01

Abstract:To prevent users' privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, etc., to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Towards this end, we explore liveness verification of user authentication leveraging users' lip movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users' speaking lips leveraging build-in audio devices on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users' speaking lips, and find that there are unique lip movement patterns for different individuals. To characterize the lip movements, we propose a deep learning-based method to extract efficient features from Doppler profiles, and employ Support Vector Machine and Support Vector Domain Description to construct binary classifiers and spoofer detectors for user identification and spoofer detection, respectively. Afterwards, we develop a binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.21% accuracy in user identification and 93.1% accuracy in spoofer detection.

Li Lü,Jiadi Yu,Yingying Chen,Yan Wang

DOI: https://doi.org/10.1145/3397320

2020-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.

Feiyu Han,Panlong Yang,Haohua Du,Xiang-Yang Li

DOI: https://doi.org/10.1109/tmc.2023.3314837

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:Most existing voice-based user authentication systems mainly rely on microphones to capture the unique vocal characteristics of an individual, which are vulnerable to various acoustic attacks and may suffer high-security risks. In this work, we present Accuth$^+$, a novel authentication system on the wrist-worn device that takes advantage of a low-cost accelerometer to verify the user's identity and resist spoofing acoustic attacks. Accuth$^+$ captures unique sound vibrations during the human pronunciation process and extracts multi-level features to verify the user's identity. Specifically, we analyze and model the differences between the physical sound field of human beings and loudspeakers, and extract a novel sound-field-level liveness feature to defend against spoofing attacks. Accuth$^+$ is an effective complement to existing wearable authentication approaches as it only leverages a ubiquitous, low-cost, and small-size accelerometer. In real-world experiments. Accuth$^+$ achieves over 92.85% averaged identification accuracy among 15 human participants and an averaged equal error rate (EER) of 1.91% for spoofing attack detection.

computer science, information systems,telecommunications

Feiyu Han,Panlong Yang,Haohua Du,Xiang-Yang Li

DOI: https://doi.org/10.1145/3560905.3568522

2022-01-01

Abstract:Most existing voice-based user authentication systems mainly rely on microphones to capture the unique vocal characteristics of an individual, which makes these systems vulnerable to various acoustic attacks and suffer high-security risks. In this work, we present Accuth , a novel authentication system that takes advantage of a low-cost accelerometer to verify the user's identity and resist spoofing acoustic attacks. Accuth captures unique sound vibrations during the human pronunciation process and extracts multi-level features to verify the user's identity. Specifically, we analyze and model the differences between the physical sound field of human beings and loudspeakers, and extract a novel sound-field-level liveness feature to defend against spoofing attacks. Accuth is an effective complement to existing authentication approaches as it only leverages a ubiquitous, low-cost, and small-size accelerometer. In real-world experiments, Accuth achieves over 90% identification accuracy among 15 human participants and an average equal error rate (EER) of 3.02% for spoofing attack detection.

Yanzhi Ren,Tingyuan Yang,Zhiliang Xia,Hongbo Liu,Jiadi Yu,Bo Liu,Hongwei Li

DOI: https://doi.org/10.1109/tmc.2024.3391184

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:The two-factor authentication (2FA) has become pervasive as the mobile devices become prevalent. Existing 2FA solutions usually require some form of user involvement, which could severely affect user experience and bring extra burdens to users. In this work, we propose a secure 2FA that utilizes the individual acoustic fingerprint of the speaker/microphone on enrolled device as the second proof. The main idea behind our system is to use both magnitude and phase fingerprints derived from the frequency response of the enrolled device by emitting acoustic beep signals alternately from both enrolled and login devices and receiving their direct arrivals for 2FA. Given the input microphone samplings, our system designs an arrival time detection scheme to accurately identify the beginning point of the beep signal from the received signal. To achieve a robust authentication, we develop a new distance mitigation scheme to eliminate the impact of transmission distances from the sound propagation model for extracting stable fingerprint in both magnitude and phase domain. Our device authentication component then calculates a weighted correlation value between the device profile and fingerprints extracted from run-time measurements to conduct the device authentication for 2FA. Moreover, to thwart the possible co-located attacks, our proximity detection component further makes the enrolled phone to generate an active random vibration signal by its built-in motor, and then matches the signal received by the microphone of login device with the signal received by the accelerometer of enrolled phone to verify the proximity of two devices. Our experimental results show that our proposed system is accurate and robust to various attacks across different scenarios and device models.

Yilin Yang,Chen Wang,Yingying Chen,Yan Wang

DOI: https://doi.org/10.48550/arXiv.2003.09061

2020-04-10

Abstract:User identification plays a pivotal role in how we interact with our mobile devices. Many existing authentication approaches require active input from the user or specialized sensing hardware, and studies on mobile device usage show significant interest in less inconvenient procedures. In this paper, we propose EchoLock, a low effort identification scheme that validates the user by sensing hand geometry via commodity microphones and speakers. These acoustic signals produce distinct structure-borne sound reflections when contacting the user's hand, which can be used to differentiate between different people based on how they hold their mobile devices. We process these reflections to derive unique acoustic features in both the time and frequency domain, which can effectively represent physiological and behavioral traits, such as hand contours, finger sizes, holding strength, and gesture. Furthermore, learning-based algorithms are developed to robustly identify the user under various environments and conditions. We conduct extensive experiments with 20 participants using different hardware setups in key use case scenarios and study various attack models to demonstrate the performance of our proposed system. Our results show that EchoLock is capable of verifying users with over 90% accuracy, without requiring any active input from the user.

Human-Computer Interaction

Bing Zhou,Zongxing Xie,Yinuo Zhang,Jay Lohokare,Ruipeng Gao,Fan Ye

DOI: https://doi.org/10.1109/tmc.2020.3048659

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:User authentication on smartphones is the key to many applications, which must satisfy both security and convenience. We propose a novel user authentication system EchoPrint , which leverages acoustics and vision for secure and convenient user authentication, without requiring any special hardware. EchoPrint actively emits almost inaudible acoustic signals from the earpiece speaker to “illuminate” the user's face and authenticates the user by the unique features extracted from the echoes bouncing off the 3D facial contour. To combat changes in phone-holding poses thus echoes, a convolutional neural network (CNN) is trained to extract reliable acoustic features, which are further combined with visual facial features extracted from state-of-the-art face recognition deep models to feed a binary support vector machine (SVM) classifier for final authentication. Because the echo features depend on 3D facial geometries, EchoPrint is not easily spoofed by images or videos like 2D visual face recognition systems. It needs only commodity hardware, thus avoiding the extra costs of special sensors in solutions like FaceID. Experiments with 62 volunteers and non-human objects such as images, photos, and sculptures show that EchoPrint achieves 93.75 percent balanced accuracy and 93.50 percent F-score, while the average precision is 98.05 percent using acoustic features and basic facial landmarks. The precision is further improved to 99.96 percent with sophisticated visual features.

Wei Song,Min Wang,Yuezhong Wu,Chun Tung Chou,Jiankun Hu,Wen Hu

DOI: https://doi.org/10.1145/3495243.3558257

2022-01-01

Abstract:As the human hand makes direct physical contact with smartphones, significant efforts have recently been made to study the behavioral information of hand gripping of smartphones for user authentication purposes. Most existing methods leverage hand gripping behavior (e.g., gripping gesture, gripping position, gripping strength) of smartphones as biometrics to identify users. However, behavioral-based biometric authentication approaches may suffer from two problems: authentication performance (accuracy) degradation due to high-intra class variations arising from changes in user behavior over time, and vulnerability under spoofing attacks. To address these issues, we propose Holdpass, which is a behavior-independent in-hand user authentication method using vibration Holdpass is able to adapt to the changes of hand gripping behavior of smartphones by extracting unique and stable physical features of human hands and eliminating the behavior-related prior information. Specifically, in Holdpass, we propose an adversarial neural network to achieve authentication based on unique physical features. Experiments with 10 users show that Holdpass can authenticate users with 97.39% accuracy while keeping False Accepted Rates (FAR) at a minimum of 2.1%.

Cong Wu,Jing Chen,Kun He,Ziming Zhao,Ruiying Du,Chen Zhang

DOI: https://doi.org/10.1145/3548606.3560553

2022-01-01

Abstract:ABSTRACTBiometric authentication schemes, i.e., fingerprint and face authentication, raise serious privacy concerns. To alleviate such concerns, hand authentication has been proposed recently. However, existing hand authentication schemes use dedicated hardware, such as infrared or depth cameras, which are not available on commodity mobile devices. In this paper, we present EchoHand, a high accuracy and presentation attack resistant authentication scheme that complements camera-based 2-dimensional hand geometry recognition of one hand with active acoustic sensing of the other holding hand. EchoHand plays an inaudible acoustic signal using the speaker to actively sense the holding hand and collects the echoes using the microphone. EchoHand does not rely on any specialized hardware but uses the built-in speaker, microphone and camera. Moreover, EchoHand does not place more burdens on users than existing hand authentication methods. We conduct comprehensive experiments to evaluate the reliability and security of EchoHand. The results show that EchoHand has a low equal error rate of 2.45% with as few as 10 training data points and it defeats presentation attacks.

Dan Liu,Qian Wang,Man Zhou,Peipei Jiang,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/tdsc.2022.3162718

2023-01-01

Abstract:Mobile two-factor authentication (TFA), which uses mobile devices as a second security layer of protection to online accounts, has been widely applied with the proliferation of mobile phones. Currently, many studies propose to use acoustic fingerprints as the second factor. However, these solutions ignore the variations of the extracted static acoustic fingerprints incurred by the acoustic propagation process, which we show can be leveraged to develop an enhanced man-in-the-middle (MITM) attack to compromise the security strength of these systems, while hiding the traces of the attacking devices. To address this newly-uncovered vulnerability, we propose SoundID, a secure and novel authentication system that introduces a dual challenge-response design through the acoustic signals of the enrolled phone and the login device. Specifically, the enrolled phone first evaluates its proximity to the login device by the similarity of their audio recordings, and then the login authentication server compares the calculated dynamic acoustic fingerprint with the one received from the enrolled phone. To the best of our knowledge, SoundID is the first scheme that extracts dynamic acoustic fingerprints and can effectively defend against the enhanced MITM attack. SoundID combines the benefits of unpredictable influencing factors of acoustic propagation processes and the stable frequency response of the acoustic hardware, whose high complexity prevents attackers from predicting or impersonating them. We build a prototype of SoundID with off-the-shelf smartphones to validate its robustness and effectiveness. Our results show that SoundID is user-friendly and achieves over 96.62% accuracy with an equal error rate around 4.27%.

Zhaopeng Xu,Tong Liu,Ruobing Jiang,Pengfei Hu,Zhongwen Guo,Chao Liu

DOI: https://doi.org/10.1145/3643510

2024-01-01

Abstract:User authentication on smartphones needs to balance both security and convenience. Many image-based face authentication methods are vulnerable to spoofing and are plagued by privacy breaches, so models based on acoustic sensing have emerged to achieve reliable user authentication. However, they can only achieve reasonable performance under specific conditions (i.e., a fixed range), and they can not resist 3D printing attacks. To address these limitations, we present a novel user authentication system, referred to as AFace. The system mainly consists of two parts: an iso-depth model and a range-adaptive (RA) algorithm. The iso-depth model establishes a connection between acoustic echoes and facial structures, while taking into account the influence of biological materials on echo energy, making it resistant to 3D printing attacks (as it's difficult to replicate material information in 3D printing). RA algorithm can adaptively compensate for the distance between the user and the smartphone, enabling flexible authentication modes. Results from experiments with 40 volunteers demonstrate that AFace achieves an average accuracy of 96.9% and an F1 score of 96.9%, and no image/video-based attack is observed to succeed in spoofing.

Chao Shen,Yunpeng Li,Tianwen Yu,Sheng Yuan,Xiao Yi,Xiaohong Guan

DOI: https://doi.org/10.1109/wcica.2016.7578519

2016-01-01

Abstract:Existing smartphone authentication methods (e.g., PIN) typically provide one-time identity verification, but the verified user is still subject to session hijacking or masquerading attacks. This paper presents a framework and performance analysis of a sensor-based smartphone authentication system that continuously verifies the presence of a smartphone user. When a user touches the smartphone screen, motion-sensor data are extracted and analyzed to obtain descriptive features for accurately depicting users' touch habit and rhythm. Then a one-class learning algorithm is employed in the feature space to perform the continuous authentication task. Based on touch-tapping data collected from over 50 users, we conduct a series of experiments to validate the efficacy of our proposed approach. Our experimental results show that our verification system achieves a relatively high accuracy with an equal-error rate of 11.05%. Additional experiment on usability to the observation window size is provided to further examine the effectiveness. Our authentication system can be seamlessly integrated with extant smartphone authentication mechanisms, and is non-intrusive to users and does not need extra hardware.

S. Abhishek Anand,Jian Liu,Chen Wang,Maliheh Shirvanian,Nitesh Saxena,Yingying Chen

DOI: https://doi.org/10.1145/3433210.3437518

2021-01-01

Abstract:Recent advances in speaker verification and speech processing technology have seen voice authentication being adopted on a wide scale in commercial applications like online banking and customer care support and on devices such as smartphones and IoT voice assistant systems. However, it has been shown that the current voice authentication systems can be ineffective against voice synthesis attacks that mimic a user's voice to high precision. In this work, we suggest a paradigm shift from the traditional voice authentication systems operating in the audio domain but susceptible to speech synthesis attacks (in the same audio domain). We leverage a motion sensor's capability to pick up phonatory vibrations, that can help to uniquely identify a user via voice signatures in the vibration domain. The user's speech is played/echoed back by a device's speaker for a short duration (hence our method is termed EchoVib) and the resulting non-linear phonatory vibrations are picked up by the motion sensor for speaker recognition. The uniqueness of the device's speaker and its accelerometer results in a device-specific fingerprint in response to the echoed speech. The use of the vibration domain and its non-linear relationship with audio allows EchoVib to resist the state-of-the-art voice synthesis attacks, shown to be successful in the audio domain. We develop an instance of EchoVib using the onboard loudspeaker and the accelerometer embedded in smartphones, as the authenticator, based on machine learning techniques. Our evaluation shows that even with the low-quality loudspeaker and the low-sampling rate of accelerometer recordings, EchoVib can identify users with an accuracy of over 90%. We also analyze our system against state-of-art-voice synthesis attacks and show that it can distinguish between the morphed and the original speaker's voice samples, correctly rejecting the morphed samples with a success rate of 85% for voice conversion and voice modeling attacks. We believe that using the vibration domain to detect synthesized speech attacks is effective due to the hardness of preserving the unique phonatory vibration signatures and is difficult to mimic due to the non-linear mapping of the unique speaker and accelerometer response in the vibration domain to the voice in the audio domain.

Ling Kuang,Fanzi Zeng,Hongbo Jiang,Daibo Liu,Jie Li,Hui Zheng,Qibo Zhang,Geyong Min

DOI: https://doi.org/10.1109/jiot.2024.3407780

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Password, fingerprint and face recognition are the most popular authentication schemes on smartphones. However, these user authentication schemes are threatened by shoulder surfing attacks and spoof attacks. In response to these challenges, eye movements have been utilized to secure user authentication since their concealment and dynamics can reduce the risk of suffering those attacks. However, existing approaches based on eye movements often rely on additional hardware (such as high-resolution eye trackers) or involve a time-consuming authentication process, limiting their practicality for smartphones. This paper presents DEyeAuth, a novel dual-authentication system that overcomes these limitations by integrating eyelid patterns with eye gestures for secure and convenient user authentication on smartphones. DEyeAuth first leverages the unique characteristics of eyelid patterns extracted from the upper eyelid margins or creases to distinguish different users and then utilizes four eye gestures (i.e., looking up, down, left, and right) whose dynamism and randomness can counter threats from image and video spoofing to enhance system security. To the best of our knowledge, we are among the first to discover and prove that the upper eyelid margins and creases can be used as potential biometrics for user authentication. We have implemented the prototype of DEyeAuth on Android platforms and comprehensively evaluated its performance by recruiting 50 volunteers. The experimental results indicate that DEyeAuth achieves a high authentication accuracy of 99.38% with a relatively short authentication time of 6.2 seconds, and is effective in resisting image presentation, video replaying, and mimic attacks.

Long Huang,Chen Wang

DOI: https://doi.org/10.1109/sp46214.2022.9833564

2022-01-01

Abstract:Biometrics have been widely applied as personally identifiable data for user authentication. However, existing biometric authentications are vulnerable to biometric spoofing. One reason is that they are easily observable and vulnerable to physical forgeries. Examples are the apparent surface patterns of human bodies, such as fingerprints and faces. A more significant issue is that existing authentication methods are entirely built upon biometric features, which almost never change and could be obtained or learned by an adversary such as human voices. To address this inherent security issue of biometric authentications, we propose a novel acoustically extracted hand-grip biometric, which is associated with every user’s hand geometry, body-fat ratio, and gripping strength; It is implicit and available whenever they grip a handheld device. Furthermore, we integrate a coding technique in the biometric acquisition process, which encodes static biometrics into dynamic biometric features to prevent data reuse. Additionally, this low-cost method can be deployed on any handheld device that has a speaker and a microphone. In particular, we develop a challenge-response biometric authentication system, which consists of a pair of biometric encoder and decoder. We encode the ultrasonic signal according to a challenge sequence and extract a distinct biometric code as the response for each session. We then decode the biometric code to verify the user by a convolutional neural network-based algorithm, which not only examines the coding correctness but also verifies the biometric features presented by each biometric digit. Furthermore, we investigate diverse acoustic attacks to our system, by respectively assuming an adversary could present the correct code, generate similar biometric features or successfully forge both. Extensive experiments on mobile devices show that our system achieves 97% accuracy to distinguish users and rejects 100% replay and synthesis attacks with 6-digit codes.

Long Huang,Chen Wang

DOI: https://doi.org/10.1109/tmc.2024.3474673

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Biometrics have been widely applied for user authentication. However, existing biometric authentications are vulnerable to biometric spoofing, because they can be observed and forged. In addition, they rely on verifying biometric features that rarely change. To address this issue, we propose to verify the handgrip biometric that can be unobtrusively extracted by acoustic signals when the user holds the phone. This biometric is uniquely associated with the user's hand geometry, body-fat ratio, and gripping strength, which are hard to reproduce. Furthermore, we propose two biometric encoding techniques (i.e., temporal-frequential and spatial) to convert static biometrics into dynamic biometric features to prevent data reuse. In particular, we develop a biometric authentication system to work with the challenge-response protocol. We encode the ultrasonic signal according to a random challenge sequence and extract a distinct biometric code as the response. We further develop two decoding algorithms to decode the biometric code for user authentication. Additionally, we investigate multiple new attacks and explore using a latent diffusion model to solve the acoustic noise discrepancies between the training and testing data to improve system performance. Extensive experiments show our system achieves 97% accuracy in distinguishing users and rejects 100% replay attacks with 0.6s challenge sequence.

Haipeng Dai,Wei Wang,Alex X. Liu,Kang Ling,Jiajun Sun

DOI: https://doi.org/10.1109/sahcn.2019.8824958

2019-01-01

Abstract:Voice has been used as biometrics for human authentication because different people have different voice characteristics due to different vocal tract shapes and intonations. However, traditional voice based human authentication is subject to four types of attacks: impersonation, voice conversion, synthesis and voice replay. In this paper, we propose SpeakPrint, an ultrasound based human speech authentication scheme for smartphones which is resistant for these attacks. Compared with traditional speech authentication system which focuses on what a user speaks, SpeakPrint captures how a user speaks by recording mouth and vocal movement through ultrasound signal at the same time. Our key insight is that for the valid user, features extracted from voice signal should be consistent with his mouth and vocal movement recorded from ultrasound signal, while an imitator or an audio player can't produce the same signals in ultrasound domain. SpeakPrint extracts MFCC feature in normal voice frequency and MMSI features from ultrasound signal. An SVM classifier is trained to detect these attacks by comparing above feature differences. We implemented SpeakPrint on Samsung S5 and conducted experiments on 40 users. Experimental results show that SpeakPrint can detect replay attacks with 100% accuracy and replay attack with lip synching for 99.12% for passphrases longer than five words. This technology can be used in multi-factor authentication systems, where multiple authentication mechanisms are used to achieve defense in depth.

Yanzhi Ren,Tingyuan Yang,Zhiliang Xia,Hongbo Liu,Yingying Chen,Nan Jiang,Zhaohui Yuan,Hongwei Li

DOI: https://doi.org/10.1109/infocom53939.2023.10229054

2023-01-01

Abstract:The two-factor authentication (2FA) has become pervasive as the mobile devices become prevalent. Existing 2FA solutions usually require some form of user involvement, which could severely affect user experience and bring extra burdens to users. In this work, we propose a secure 2FA that utilizes the individual acoustic fingerprint of the speaker/microphone on enrolled device as the second proof. The main idea behind our system is to use both magnitude and phase fingerprints derived from the frequency response of the enrolled device by emitting acoustic beep signals alternately from both enrolled and login devices and receiving their direct arrivals for 2FA. Given the input microphone samplings, our system designs an arrival time detection scheme to accurately identify the beginning point of the beep signal from the received signal. To achieve a robust authentication, we develop a new distance mitigation scheme to eliminate the impact of transmission distances from the sound propagation model for extracting stable fingerprint in both magnitude and phase domain. Our device authentication component then calculates a weighted correlation value between the device profile and fingerprints extracted from run-time measurements to conduct the device authentication for 2FA. Our experimental results show that our proposed system is accurate and robust to both random impersonation and Man-in-the-middle (MiM) attack across different scenarios and device models.