DPhil the Future: Using Inertial Sensors to Authenticate Users
Posted: 1st June 2023
DPhil students Jack Sturgess, Sebastian Köhler and Simon Birnbach look at the role of behavioural biometrics in digital authentication.
Passwords are still the primary mechanism by which users authenticate themselves to digital services. To resist guessing and dictionary attacks, passwords must be long and random; to limit the damage when one service is breached, they must not be reused and must be changed once compromised. All of this makes them burdensome to use effectively at scale. Biometrics, such as fingerprints or face geometry, provide a promising alternative. The barriers that initially slowed adoption, such as high error rates and deployment costs, have largely fallen away in recent years as smartphone-based sensors have become readily available. But biometric authentication carries its own risk: a physical characteristic can be captured by an attacker and replayed to impersonate the user, and, unlike a password, it cannot be revoked or changed once compromised. Behavioural biometrics have started to attract interest as a way to address this.
‘Instead of measuring a physical characteristic, behavioural biometrics measure patterns of movement over time, such as gait or typing dynamics. They can therefore be collected unobtrusively, without any effort on the part of the user, and are more difficult to capture and impersonate. These systems were regarded as impractical because they need continuous measurement, but the widespread use of wearable devices (and therefore of continuously worn sensors) has opened up new opportunities for implementation.’
Smart watch study
We have previously presented some of our recent work on mobile payment authentication, in which we showed that smartwatch users can be authenticated to the payment system using only the inertial sensors in the watch. The arm and wrist movements a user makes to perform a payment, collectively called a tap gesture, are sufficiently distinctive to each user that they can be used to verify identity. Our user study (n=31) also included an active attacker component, in which each participant watched video footage of other users making payments and then attempted to impersonate them, and we showed that the system was able to identify and reject such attacks. We also showed that the tap gesture is sufficiently distinct from the other arm and wrist movements made throughout the day that we can recognise when a payment is made intentionally, as opposed to a payment that is accidental or initiated maliciously by a skimming attack, in which an attacker brushes a rogue terminal against the payment device to trigger an unwanted payment. Using inertial sensors for user authentication and intent recognition comes at no cost to the user in effort or delay and can help to reduce payment fraud.
The miniaturisation of hardware has enabled the development of smart rings. Examples on the commercial market include:
- Amazon Echo Loop, which uses a microphone and speaker to let the user interact with the Alexa virtual assistant and make phone calls through a paired smartphone.
- Blinq, which uses inertial sensors for fitness monitoring and provides a discreet panic button that triggers an application on a paired smartphone to send a help message containing geo-location information to contacts or to social media.
- Genki Wave, which uses inertial sensors to let a musician adjust the digital settings of an instrument by raising or lowering a finger.
Smart keys (battery-less NFC tokens, such as contactless payment cards and key fobs, that draw their power from the terminal's field when held close to it) are also being cast in ring format and marketed as feature-poor smart rings. Examples include:
- Tesla Ring, which can unlock and activate a vehicle.
- Mastercard K-ring, which can make payments.
‘As smart ring technology evolves and ring-based services start to require greater confidence in the identity of the user, they will require authentication capabilities.’
Ring-based study
The tiny form factor of a smart ring restricts its input capabilities, which would make password- or PIN-based authentication user-unfriendly. To address this, we investigated the use of inertial sensors for ring-based systems. We conducted a user study (n=21) in which each participant wore a smart ring with inertial sensors embedded in it and performed some basic tasks while we collected their motion data. Firstly, we presented an array of six payment terminals and had each participant make payments with the smart ring by tapping it against the terminals. As with the smartwatch experiment, we included an active attacker component and allowed participants to watch footage of, and attempt to impersonate, each other.
We found that the ring-based sensors achieved an equal error rate (EER, the operating point at which the false acceptance rate and false rejection rate are equal) of 6%, and were just as effective as the watch-based sensors at authenticating payments. Secondly, we had each participant knock on a closed door while wearing the smart ring to investigate the feasibility of using knock gestures for access control. Each participant knocked in sets of three, in sets of five, and then in a ‘secret knock’ pattern of their choosing.
‘To our surprise, we found that we were able to train a classifier that can distinguish between users based on their knocking data and that the knock gesture was suitable for use in user authentication.’
Throughout the study, each participant also wore a smartwatch on the same arm as the smart ring, and we collected inertial sensor data from it at the same time. We found that the ring data could be used to authenticate tap and knock gestures made with the watch, and vice versa, meaning that the inertial sensors on either device could serve as a second factor supporting the other. For the knocking experiment, we also attached inertial sensors to the door itself to see whether a door-based system that automatically grants access based on a knock is feasible; the results for this were less promising.
Cable authorisation
Electric vehicles (EVs) are gradually becoming more common. To recharge the battery, the user must park the vehicle next to a charging station, connect a charging cable, and make a payment to initiate the charge. A number of payment systems have been deployed by different station operators, including standard tap-and-pay terminals, smart keys, and QR codes printed on the station that link to a payment service when scanned with a smartphone. Charging an EV takes longer than refuelling a combustion-engine vehicle and has to be done more often, so user-friendliness and convenience must be considered. Zero-interaction payment schemes, such as AutoCharge and Plug & Charge, are therefore the most desirable. Once the cable is connected, the vehicle sends identifying information to the charging station over the cable (AutoCharge identifies the vehicle by a static identifier read over the cable; Plug & Charge, standardised in ISO 15118, by a certificate installed in the vehicle); the station links this information to a payment instruction, typically administered by an application on a paired smartphone, to bill the owner automatically. Either way, these schemes treat the vehicle as a token and authenticate the vehicle rather than the user. This could allow a thief to charge a stolen vehicle at the owner's expense, or an attacker to capture the identifying information from a victim's vehicle and inject it into the communication channel to charge a different vehicle at the victim's expense. To address this, the system needs some form of user authentication that does not inconvenience the user.
EV study
We replicated a charging station and a Volkswagen ID.3 (a typical EV model) in our lab by 3D-printing enclosures and fixing them in position to match the real charging ports. We obtained an authentic charging cable and affixed inertial sensors to its handle and contact sensors on top, so that we could timestamp when it was unhooked from or plugged into an enclosure. We conducted a user study (n=20) in which each participant unhooked the cable from its position in the charging station and plugged it into the EV charging port while we collected the motion data. We segmented the user's gesture from around each timestamp, so as to disregard the variable travel time between the two actions, which depends on how far from the charging station the user parked the EV, and we found that we were again able to authenticate each user using only inertial sensors. By tuning our model to favour security, we were able to add a layer of protection that rejected 82% of attacks without the user having to do anything. By tuning our model to favour usability, we were able to reduce the number of unnecessary authentication requests made by the application on the paired smartphone by 41% at no cost to security.
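The evaluation pipeline described in this section (segmenting the motion data around the contact-sensor timestamps, scoring a gesture against a user's enrolment data, and then choosing an accept threshold that favours either security or usability), together with the equal error rate reported for the ring study above, as an added worked example. This is illustrative code written for this page, not the CableAuth or RingAuth implementation: the sample rate, window length, feature set, distance-based scoring, user names and all accelerometer data are constructed assumptions.

```python
"""Segmenting inertial-sensor gestures around contact-sensor timestamps and
tuning the accept threshold of a distance-based authenticator. Illustrative code
added to this article (not CableAuth/RingAuth); all parameters and data are constructed."""
import math
import random
from typing import List, Sequence, Tuple

Sample = Tuple[float, float, float, float]   # (t_seconds, ax, ay, az) in m/s^2
SAMPLE_HZ = 100                              # assumed IMU sample rate
WINDOW_S = 1.0                               # assumed: keep 1 s either side of an event


def segment(samples: Sequence[Sample], events: Sequence[float],
            window_s: float = WINDOW_S) -> List[List[Sample]]:
    """One window per event timestamp; samples outside +/-window_s of every
    event (e.g. walking between the station and the car) are discarded."""
    return [[s for s in samples if abs(s[0] - t) <= window_s] for t in events]


def features(window: Sequence[Sample]) -> List[float]:
    """Hand-crafted features: statistics of the acceleration magnitude."""
    mags = [math.sqrt(ax * ax + ay * ay + az * az) for _, ax, ay, az in window]
    mean = sum(mags) / len(mags)
    std = math.sqrt(sum((m - mean) ** 2 for m in mags) / len(mags))
    return [mean, std, max(mags), min(mags)]


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))   # lower = closer


def template(windows: Sequence[Sequence[Sample]]) -> List[float]:
    """Enrolment: mean feature vector over a user's enrolment gestures."""
    vecs = [features(w) for w in windows]
    return [sum(col) / len(vecs) for col in zip(*vecs)]


def error_rates(genuine, impostor, threshold):
    """Accept when score <= threshold. FAR: impostors accepted; FRR: genuine rejected."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """(threshold, FAR, FRR) at every score value that appears in the data."""
    return [(t,) + error_rates(genuine, impostor, t)
            for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the EER at that point."""
    t, far, frr = min(sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (far + frr) / 2


def operating_point(genuine, impostor, max_far=None, max_frr=None):
    """Security-favouring: lowest FRR subject to FAR <= max_far.
    Usability-favouring: lowest FAR subject to FRR <= max_frr."""
    rows = sweep(genuine, impostor)
    if max_far is not None:
        return min((r for r in rows if r[1] <= max_far), key=lambda r: r[2])
    return min((r for r in rows if r[2] <= max_frr), key=lambda r: r[1])


def simulate_user(rng, peak, events, duration_s, hz=SAMPLE_HZ):
    """Constructed accelerometer stream: gravity plus noise on every axis, with a
    short tap impulse of the user's characteristic strength at each event."""
    out = []
    for i in range(int(duration_s * hz)):
        t = i / hz
        bump = sum(peak * math.exp(-((t - e) / 0.05) ** 2) for e in events)
        out.append((t, bump + rng.gauss(0, 0.2), rng.gauss(0, 0.2),
                    9.81 + rng.gauss(0, 0.2)))
    return out


def run_demo(seed=0):
    """Three constructed users, six plug-in events each: enrol on the first three
    gestures, verify on the rest, and score every user against every template."""
    rng = random.Random(seed)
    events = [2.0, 7.0, 12.0, 17.0, 22.0, 27.0]       # contact-sensor timestamps
    peaks = {"alice": 4.0, "bob": 9.0, "carol": 14.0}  # per-user tap strength
    windows = {u: segment(simulate_user(rng, p, events, 30.0), events)
               for u, p in peaks.items()}
    templates = {u: template(w[:3]) for u, w in windows.items()}
    genuine, impostor = [], []
    for u, tmpl in templates.items():
        for v, w in windows.items():
            for win in w[3:]:
                (genuine if v == u else impostor).append(distance(features(win), tmpl))
    return genuine, impostor


if __name__ == "__main__":
    g, i = run_demo()
    thr, eer = equal_error_rate(g, i)
    print(f"EER {eer:.1%} at distance threshold {thr:.2f}")
    print("security-favouring (FAR <= 5%):", operating_point(g, i, max_far=0.05))
    print("usability-favouring (FRR <= 5%):", operating_point(g, i, max_frr=0.05))
```

With distance scores, lowering the threshold trades more false rejections for fewer false acceptances. The security-favouring point caps the false acceptance rate and reports the false rejection rate the user pays for it; the usability-favouring point caps the false rejection rate, which is the setting that reduces unnecessary second-factor prompts. The EER is a one-number summary of the same curve, useful for comparing sensors, not a recommended operating point. The constructed users here differ far more than real ones would, so the demo separates them perfectly; a real study reports the EER from held-out and attacker data.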
Studies were conducted by DPhil students Jack Sturgess, Sebastian Köhler and Simon Birnbach (with oversight from Professor Ivan Martinovic).
All user studies were approved by the department’s research ethics committee. For more information, see our published papers entitled WatchAuth, RingAuth, and CableAuth.