A Key to Your Heart: Biometric Authentication Based on ECG Signals

In recent years, there has been a shift of interest towards the field of biometric authentication, which proves the identity of the user using their biological characteristics. We explore a novel biometric based on the electrical activity of the human heart in the form of electrocardiogram (ECG) signals. In order to explore the stability of ECG as a biometric, we collect data from 55 participants over two sessions with a period of 4 months in between. We also use a consumer-grade ECG monitor that is more affordable and usable than a medical-grade counterpart. Using a standard approach to evaluate our classifier, we obtain error rates of 2.4% for data collected within one session and 9.7% for data collected across two sessions. The experimental results suggest that ECG signals collected using a consumer-grade monitor can be successfully used for user authentication.Comment: Appears in the "Who Are You?! Adventures in Authentication" workshop (WAY 2019) co-located with the Symposium on Usable Privacy and Security (SOUPS

PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos

This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work [4]. In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper