An official website of the United States government
Commodity ultra-high-frequency (UHF) RFID authentication systems only provide weak user authentication, as RFID tags can be easily stolen, lost, or cloned by attackers. This paper presents the design and evaluation of SmartRFID, a novel UHF RFID authentication system to promote commodity crypto-less UHF RFID tags for security-sensitive applications. SmartRFID explores extremely popular smart devices and requires a legitimate user to enroll his smart device along with his RFID tag. Besides authenticating the RFID tag as usual, SmartRFID verifies whether the user simultaneously possesses the associated smart device with both feature-based machine learning and deep learning techniques. The user is considered authentic if and only if passing the dual verifications. Comprehensive user experiments on commodity smartwatches and RFID devices confirmed the high security and usability of SmartRFID. In particular, SmartRFID achieves a true acceptance rate of above 97.5% and a false acceptance rate of less than 0.7% based on deep learning. In addition, SmartRFID can achieve an average authentication latency of less than 2.21s, which is comparable to inputting a PIN on a door keypad or smartphone.
more »
« less
WearRF-CLA: Continuous Location Authentication with Wrist Wearables and UHF RFID
Continuous location authentication (CLA) seeks to continuously and automatically verify the physical presence of legitimate users in a protected indoor area. CLA can play an important role in contexts where access to electrical or physical resources must be limited to physically present legitimate users. In this paper, we present WearRF-CLA, a novel CLA scheme built upon increasingly popular wrist wearables and UHF RFID systems. WearRF-CLA explores the observation that human daily routines in a protected indoor area comprise a sequence of human-states (e.g., walking and sitting) that follow predictable state transitions. Each legitimate WearRF-CLA user registers his/her RFID tag and also wrist wearable during system enrollment. After the user enters a protected area, WearRF-CLA continuously collects and processes the gyroscope data of the wrist wearable and the phase data of the RFID tag signals to verify three factors to determine the user's physical presence/absence without explicit user involvement: (1) the tag ID as in a traditional RFID authentication system, (2) the validity of the human-state chain, and (3) the continuous coexistence of the paired wrist wearable and RFID tag with the user. The user passes CLA if and only if all three factors can be validated. Extensive user experiments on commodity smartwatches and UHF RFID devices confirm the very high security and low authentication latency of WearRF-CLA.
more »
« less
- Award ID(s):
- 2055751
- PAR ID:
- 10400744
- Date Published:
- Journal Name:
- 2022 ACM on Asia Conference on Computer and Communications Security
- Page Range / eLocation ID:
- 508 to 520
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user’s tapping rhythm. In addition to verifying the RFID card’s identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user’s secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.more » « less
-
Traditional one-time user authentication processes might cause friction and unfavorable user experience in many widely-used applications. This is a severe problem in particular for security-sensitive facilities if an adversary could obtain unauthorized privileges after a user’s initial login. Recently, continuous user authentication (CA) has shown its great potential by enabling seamless user authentication with few active participation. We devise a low-cost system exploiting a user’s pulsatile signals from the photoplethysmography (PPG) sensor in commercial wrist-worn wearables for CA. Compared to existing approaches, our system requires zero user effort and is applicable to practical scenarios with non-clinical PPG measurements having motion artifacts (MA). We explore the uniqueness of the human cardiac system and design an MA filtering method to mitigate the impacts of daily activities. Furthermore, we identify general fiducial features and develop an adaptive classifier using the gradient boosting tree (GBT) method. As a result, our system can authenticate users continuously based on their cardiac characteristics so little training effort is required. Experiments with our wrist-worn PPG sensing platform on 20 participants under practical scenarios demonstrate that our system can achieve a high CA accuracy of over 90% and a low false detection rate of 4% in detecting random attacks.more » « less
-
Passive RFID is ubiquitous for key use-cases that include authentication, contactless payment, and location track- ing. Yet, RFID chips can be read without users’ knowledge and consent, causing security and privacy concerns that reduce trust. To improve trust, we employed physically-intuitive design prin- ciples to create On-demand RFID (ORFID). ORFID’s antenna, disconnected by default, can only be re-connected by a user pressing and holding the tag. When the user lets go, the antenna automatically disconnects. ORFID helps users visibly examine the antenna’s connection: by pressing a liquid well, users can observe themselves pushing out a dyed, conductive liquid to fill the void between the antenna’s two bisected ends; by releasing their hold, they can see the liquid recede. A controlled evaluation with 17 participants showed that users trusted ORFID significantly more than a commodity RFID tag, both with and without an RFID- blocking wallet. Users attributed this increased trust to visible state inspection and intentional activation.more » « less
-
One-time login process in conventional authentication systems does not guarantee that the identified user is the actual user throughout the session. However, it is necessary to re-verify the user identity periodically throughout a login session, which is lacking in existing one-time login systems. In this paper, we introduce a usable and reliable Wearable-Assisted Continuous Authentication (WACA), which relies on the sensor-based keystroke dynamics and the authentication data is acquired through the built-in sensors of a wearable (e.g., smartwatch) while the user is typing. The acquired data is periodically and transparently compared with the registered profile of the initially logged-in user with one-way classifiers. With this, WACA continuously ensures that the current user is the user who logged-in initially. We implemented the WACA framework and evaluated its performance on real devices with real users. The empirical evaluation of WACA reveals that WACA is feasible and its error rate is as low as 1% with 30 seconds of processing time and 2 -3% for 20 seconds. The computational overhead is minimal. Furthermore, WACA is capable of identifying insider threats with very high accuracy (99.2%).more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- https://doi.org/10.1145/3488932.3517426
