
DPhil the Future: Wearable Authentication in Mobile Payments using a Smartwatch


DPhil student Jack Sturgess, researchers Simon Eberz and Ivo Sluganovic, and Professor Ivan Martinovic look at the technological developments in smartwatches.

The popularity of cashless payment systems continues to grow. Early payment cards used magnetic stripes to facilitate transactions; then NFC (near-field communication) technology unlocked contactless payments. This quickly became entwined with the rise of the smartphone: mobile payment systems (also known as tap-and-pay systems), such as Google Pay, enabled the user to store payment cards digitally in a virtual wallet so that the user can make payments over NFC using the smartphone's NFC module. Some systems, such as WeChat Pay and Yoyo, also explored the visual channel and enabled payments to be made via QR code.

In recent years, smartwatches have evolved rapidly. Modern smartwatches typically have an NFC module and, by sharing the virtual wallet of a paired smartphone, they too can enable the user to make payments over NFC. However, unlike smartphones, they lack fingerprint readers and cameras for facial recognition. In order for the system to remain contactless (ie without requiring the wearer to enter a PIN on a point-of-sale terminal), new means of authentication are needed. This is especially pressing in Europe where, in 2020, the EU overhauled its banking regulations with the Updated Payment Services Directive (PSD2), mandating the use of multi-factor authentication in payment transactions.  

For a better user experience, users prefer not to be pestered for the sake of security and favour so-called implicit factors for authentication, ie those that require no additional effort from the user because they are inherent in the task being performed, such as keystroke dynamics when typing or gait when walking.  

The development of smartwatches has been driven with continuous health monitoring in mind, such as step-counters, sleep-trackers, and heart rate monitors. This means that, by design, smartwatches support high-resolution, always-on sensing using inertial sensors, such as accelerometers and gyroscopes, that measure wrist motion.

In our recent work, entitled WatchAuth, we made use of these sensors to provide an implicit authentication factor when making payments. We showed that the tap gesture, performed as the user taps a smartwatch on a terminal to make a payment, can be used as a biometric to authenticate that user. When the smartwatch initiates an NFC connection with the terminal, we take the last few seconds of inertial sensor data (which is collected continuously) to represent the tap gesture, and we found that this data contains features that are sufficiently unique to each user that it can be used as an authentication factor.  

We constructed a user study by placing some common terminals at different (and broadly representative) angles. We had participants wear a smartwatch and make payments on these terminals to collect their inertial sensor data. We then trained random forest classifiers on this data in a leave-one-out manner to create a terminal-agnostic authentication model (which can work on any terminal, regardless of its position).  

Payment systems are becoming optimised towards convenience, eg Apple Pay Express Mode allows payments to be made with Apple Pay at busy transport barriers without the user needing to authenticate at all, just by hovering the device over the terminal. In the near future smartphones will be able to accept NFC payments as well as making them, meaning that there will be many new potential terminals on the street. These optimisations cause uncertainty for payment providers as to whether a user intended to make a given payment or if it was the result of an accidental swipe or a skimming attack (where an attacker presses a terminal against a card or device to trigger a payment).

As a solution, we showed that the tap gesture can also be used for intent recognition. That is, we showed that the series of movements required to fulfil a mobile payment, as measured by the inertial sensors on the smartwatch, is sufficiently unusual and deliberate that it can be identified. This means that, whenever an NFC payment is initiated, the smartwatch can check the last few seconds of inertial sensor data to see if a tap gesture was performed and, if not, reject the payment.

To prove this, we had our participants wear smartwatches outside the lab to collect a large dataset of activity data. We identified three activities where the user might be the victim of a skimming attack, namely when commuting on a bus or train, when walking along a busy street, or when in a shop. We then trained random forest classifiers to distinguish between the features of this data and those of a tap gesture.  

Our intent recognition model can be used together with our authentication model, such that a single tap gesture can simultaneously and implicitly both authenticate the user and recognise intent-to-pay. The authentication model requires a training phase, where it gets to know the user. The intent recognition model, on the other hand, does not require any training, meaning it could even be deployed as a standalone module to provide a layer of security for an anonymous user.  
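The pipeline described in the two passages above (windowing the continuously collected inertial data when NFC fires, extracting features, a per-user authentication model that needs enrolment, and a population-level intent model that does not) as an added, self-contained example. This is not the WatchAuth authors' code: the 50 Hz sample rate, the 2 s window, the feature set, the nearest-centroid models (standing in for the random forests the paper trained) and all sensor data are constructed here for illustration.

```python
# Added illustration of a WatchAuth-style check; not the authors' code. Assumed
# (not in the article): 50 Hz sampling, a 2 s window, this feature set, and
# nearest-centroid models standing in for the random forests the paper trained.
from collections import namedtuple
import math
import random

SAMPLE_RATE_HZ = 50                     # assumed sensor rate
WINDOW_SECONDS = 2                      # the "last few seconds" before the NFC event
WINDOW_SAMPLES = SAMPLE_RATE_HZ * WINDOW_SECONDS

Sample = namedtuple("Sample", "accel gyro")   # accel (ax, ay, az) m/s^2; gyro (gx, gy, gz) rad/s

def tap_window(stream):
    """On NFC initiation, keep only the most recent samples of the continuous stream."""
    return stream[-WINDOW_SAMPLES:]

def features(window):
    """Per-axis mean and std of both sensors, plus total wrist rotation (rad)."""
    feats = []
    for attr in ("accel", "gyro"):
        for axis in range(3):
            vals = [getattr(s, attr)[axis] for s in window]
            mean = sum(vals) / len(vals)
            feats += [mean, math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))]
    # integrate gyroscope magnitude over the window: how far the wrist turned
    feats.append(sum(math.sqrt(sum(g * g for g in s.gyro)) for s in window) / SAMPLE_RATE_HZ)
    return feats

def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class IntentModel:
    """Population-level tap-vs-other model; needs no per-user training."""
    def fit(self, tap_windows, other_windows):
        self.tap_c = centroid([features(w) for w in tap_windows])
        self.other_c = centroid([features(w) for w in other_windows])
    def is_tap(self, window):
        f = features(window)
        return dist(f, self.tap_c) < dist(f, self.other_c)

class AuthModel:
    """Per-user template: enrol on the wearer's own taps, then verify new taps."""
    def enrol(self, user_taps):
        fs = [features(w) for w in user_taps]
        self.c = centroid(fs)
        # accept within 1.5x the largest enrolment distance (assumed rule)
        self.threshold = 1.5 * max(dist(f, self.c) for f in fs)
    def verify(self, window):
        return dist(features(window), self.c) <= self.threshold

def check_payment(stream, intent, auth):
    """Decision when NFC fires: intent check first, then the biometric check."""
    window = tap_window(stream)
    if not intent.is_tap(window):
        return "reject: no tap gesture"
    if not auth.verify(window):
        return "reject: biometric mismatch"
    return "approve"

def noisy(rng, vec, sigma):
    return tuple(v + rng.gauss(0, sigma) for v in vec)

def synth_tap(rng, rotation, tilt):
    """Constructed tap: forearm rotates (gx) while the wrist tilts to the terminal."""
    window = []
    for i in range(WINDOW_SAMPLES):
        env = math.sin(math.pi * i / WINDOW_SAMPLES)      # gesture peaks mid-window
        window.append(Sample(noisy(rng, (tilt * env, 0.0, 9.81 - tilt * env), 0.1),
                             noisy(rng, (rotation * env, 0.0, 0.3 * rotation * env), 0.05)))
    return window

def synth_activity(rng, kind):
    """Constructed non-payment motion for the three skimming scenarios above."""
    window = []
    for i in range(WINDOW_SAMPLES):
        t = i / SAMPLE_RATE_HZ
        if kind == "walk":      # arm swing rotates about gy, not the forearm axis
            a, g = (0.0, 2.0 * math.sin(2 * math.pi * t), 9.81), (0.0, 1.5 * math.sin(2 * math.pi * t), 0.0)
        elif kind == "bus":     # hand at rest, only sensor jitter
            a, g = (0.0, 0.0, 9.81), (0.0, 0.0, 0.0)
        else:                   # "shop": slow reach with little rotation
            a, g = (t / WINDOW_SECONDS, 0.0, 9.81), (0.0, 0.0, 0.3 * math.sin(math.pi * t / WINDOW_SECONDS))
        window.append(Sample(noisy(rng, a, 0.1), noisy(rng, g, 0.05)))
    return window

def demo(seed=7):
    """Fit both models on constructed data, then decide three simulated NFC events."""
    rng = random.Random(seed)
    population = {"alice": (2.0, 3.0), "bob": (1.6, 2.5), "carol": (2.4, 3.6)}
    taps = {u: [synth_tap(rng, *p) for _ in range(10)] for u, p in population.items()}
    others = [synth_activity(rng, k) for k in ("walk", "bus", "shop") for _ in range(10)]
    intent, auth = IntentModel(), AuthModel()
    intent.fit([w for ws in taps.values() for w in ws], others)
    auth.enrol(taps["alice"])                        # alice is the enrolled wearer
    walk = synth_activity(rng, "walk")               # what precedes each event in the stream
    return {"alice_tap": check_payment(walk + synth_tap(rng, *population["alice"]), intent, auth),
            "bob_tap": check_payment(walk + synth_tap(rng, *population["bob"]), intent, auth),
            "walking": check_payment(walk + synth_activity(rng, "walk"), intent, auth)}
```

Running `demo()` returns the decision for each event: the enrolled wearer's tap is approved, another person's tap passes the intent check but fails the biometric check, and a stream that ends in ordinary walking (the skimming case) is rejected before any biometric comparison is made. The intent model is fitted once on taps from several constructed users and never sees the wearer's identity, which is what lets it stand alone for an anonymous user, as the paragraph above describes.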

We found that wrist rotation is a key discriminator between tap gestures and other movements. If a terminal is placed in a comfortable position it improves results for authentication, but slightly worsens results for intent recognition and vice versa. Awkwardly placed terminals elicit movements that are only associated with tap gestures, helping to differentiate them.  

More details can be found in our paper, ‘WatchAuth: User Authentication and Intent Recognition in Mobile Payments using a Smartwatch’.