Consider the multitude of physical objects that people can remotely monitor and control today. From vehicles and buildings to cell phones and other “smart” devices, many of them wearable, these objects have made the world more interconnected and more accessible then ever. There is a trade-off, however, to being able to remotely unlock a car, manage financial payments, track daily steps, and access GPS capabilities on demand. These “wearables” have brought with them new security and privacy challenges, different from those of traditional user authentication approaches and even from mobile device user authentication approaches.
Similar to mobile device authentication, the current authentication process for wearable devices requires knowledge-based PIN or pattern locks. Every device needs a PIN and also requires users to physically interact with the device each time a user wants access. Because of this many users completely omit the authentication process, which leaves their devices vulnerable to attacks. Another concern is “shoulder surfing.” It’s all too easy to gain information through a wearable simply by watching the keypad or display and observing the PIN as it is entered by its owner.
In order to address these concerns, biometric-based solutions have recently been investigated, where biosignals captured by the wearable (such as heart rate or step count) are used to identify the wearer. These solutions have their own challenges, specifically in terms of accuracy and usability. For example, behavioral biometric-based approaches, such as a person’s gait and gestures, often fail to authenticate a user during periods of low physical activity. In addition, computational capabilities and energy resources are more constrained when dealing with wearable devices, and sensors may be less accurate due to a wearable’s surroundings.
Sudip Vhaduri, a graduate student in the Department of Computer Science and Engineering at the University of Notre Dame, and Christian Poellabauer, associate professor of computer science and engineering, have been pursuing this relatively new research area. In fact, they have developed a generic implicit wearable device user authentication mechanism that uses combinations of three types of less-informative coarse-grained minute-level biometrics: behavioral (step counts), physiological (heart rate) and hybrid (calorie burn and metabolic equivalent of task), all of which can be easily obtained from most wearables.
In a detailed analysis of 421 Fitbit users from a two-year long health study, Vhaduri and Poellabauer were able to authenticate subjects with average accuracy values of around 92% and 88% during sedentary and non-sedentary periods, respectively, which could further be improved using additional sensor modalities. Their work has been published in the International Workshop on the Security and Privacy for The Internet of Things (Biometric-Based Wearable User Authentication During Sedentary and Non-sedentary Periods”) and IEEE Transactions on Information Forensics and Security (“Multi-modal Biometric-based Implicit Authentication of Wearable Device Users”). It was also recently featured in Forbes.
This project, which is part of the NetHealth research effort, was conducted in in collaboration with the Wireless Institute, Advanced Diagnostics & Therapeutics Initiative, and the Interdisciplinary Center for Network Science and Applications. The NetHealth project is sponsored by the National Institutes of Health. For more information on the next steps in this research, visit the project website here.
Originally published by conductorshare.nd.edu on April 22, 2019.at