April 13, 2021
UChicago computer scientists explore a method to provide millions of secure authentications without memorizing a single password
As more of our lives take place online, digital security has become ever more important and ever more vulnerable. A new authentication method built upon electrical muscle stimulation could provide top-notch security—no password or PIN memorization required.
The SAND Lab (Security, Algorithms, Networking and Data) at the University of Chicago has created a novel technique for user authentication that takes advantage of an individual’s unique response to stimuli. By providing a variety of gentle electrical stimuli to the muscles of the forearm and measuring the resulting finger movements, users can be robustly and uniquely identified.
“We wanted to use the human body properties to act like a one-time password,” says SAND Lab co-director and Neubauer Professor of Computer Science Heather Zheng. “The natural response is like answering a question without having to actively involve the brain.”
Traditional biometric authentication methods, like fingerprints, provide security based on an individual’s unique characteristics and avoid the need for memorization. However, if compromised in a security breach, these static biometric methods cannot ever be used again. After all, getting a new set of fingerprints is not a feasible solution to a security breach.
Interactive systems, however, provide the enhanced security of biometrics but with the added advantage of adaptability. This is the premise behind ElectricAuth, the active electrical muscle stimulation biometric authentication system developed by Zheng and her collaborators.
“These tiny little triggers on your arm can generate about 64 million questions, or challenges, for a single user with a small, simple set-up,” says Zheng.
The set-up is a sleeve containing electrodes that attach to the user’s skin. These electrodes can then deliver an electrical impulse to four of the user’s forearm muscles, resulting in involuntary movements of the fingers and hand that can be measured by the device. And no, it doesn’t hurt.
“The current doesn’t go into the sensory nerve, just into the muscle,” explains Yuxin Chen, UChicago graduate student and the paper’s lead author.
Graduate student Zhuolin Yang, co-author, agrees. “I tried it about a thousand times, and it’s mostly like a massage.”
Electrical muscle stimulation has traditionally been used in physical therapy and rehabilitation.
“Currently electrical muscle stimulation usage isn’t taking advantage of the different response by each user,” says Zheng. “In fact, that characteristic is often suppressed.” The team was excited at the opportunity to turn that uniqueness into a positive as a method for authentication.
The response of a given individual to electrical muscle stimulation is dictated by a wide range of factors, such as the shape and size of a limb or the elasticity of a muscle, that interact in complex ways. Verifying the unique response of each individual was a big challenge for the team.
“Modeling the intervariability across humans is very difficult,” says Zheng. “That’s something we’ll be investigating more.” For now, ElectricAuth uses a machine learning model to analyze and record the user’s responses during registration.
When a user registers with ElectricAuth, they are fitted with a custom sleeve. This sleeve allows the electrodes to be customized in placement to target the desired muscles and be adjusted for comfort. This sleeve is then used in future sessions to quickly place the electrodes correctly. Another benefit of the sleeve is an additional layer of protection, as an attacker would need access to an individual’s personalized sleeve for impersonation.
During registration, the user records their response to the signals. In this case, the response is captured via small nodes attached to the fingers, but alternative systems, such as visual-based cameras, could be used as well. The team has already tested the system extensively.
Each signal is about one second in length and is varied in the number of pulses sent through the electrodes as well as the time between the pulses. This enables a huge set of unique stimuli that can be used as challenges.
“Rather than using just one face or ten fingers, we now have 64 million possible interpretations to use for authentication,” says Zheng.
After registration, any of the pre-recorded responses can be used as a challenge for authentication. The user’s response is evaluated by the machine learning model and, if consistent, access is granted. Once this is done, that challenge is removed. In this way, the challenges function as one-time use authentication, which provides strong security even against attackers able to watch or record a legitimate user.
The team investigated the performance of ElectricAuth during a user study with 13 participants. The three experiments of the study focused on authentication accuracy and defense against various types of attack: impersonation attack, when an impostor tries to pose as the authenticated user; replay attack, when an impostor records an authenticated user’s response for later use; and synthesis attack, when an impostor tries to use previous responses from an authenticated user to recreate the correct response to a new challenge.
In addition, an exploratory longitudinal study with two users investigated how well ElectricAuth performed over three weeks with a variety of different conditions.
“We tried things like steaming up in a bathroom and pumping up our muscles and it still worked,” says Yang.
“We worked out the muscles every day for the longitudinal study,” says Chen. “And the system still can recognize our responses registered on the first day.”
Going forward, the team is hoping to conduct a larger study and collaborate across other fields, such as biology and neuroscience, to improve the system.
“There are a lot of applications for this,” says Zheng. “Wearables are the future. And if you wear the device, why not use it to authenticate you?”
Citation: Yuxin Chen, Zhuolin Yang, Ruben Abbou, Pedro Lopes, Ben Y. Zhao and Haitao Zheng. 2021. User Authentication via Electrical Muscle Stimulation. In Proceedings of CHI Conference on Human Factors in Computing Systems 2021 (CHI'2021). Project webpage.
Partial funding from the National Science Foundation.