User Authentication via Electrical Muscle Stimulation

We propose a novel modality for active biometric authentication: electrical muscle stimulation (EMS). To explore this, we engineered an interactive system, which we call ElectricAuth, that stimulates the user’s forearm muscles with a sequence of electrical impulses (i.e., EMS challenge) and measures the user’s involuntary finger movements (i.e., response to the challenge). ElectricAuth leverages EMS’s intersubject variability, where the same electrical stimulation results in different movements in different users because everybody’s physiology is unique (e.g., differences in bone and muscular structure, skin resistance and composition, etc.). All these differences add up to create individual responses to the same stimulus, which our system uses as the key feature to authenticate a user. As such, ElectricAuth allows users to login without memorizing passwords or PINs.

Furthermore, ElectricAuth generates a very large pool of challenges by exploring an underutilized property of EMS: muscles respond differently depending on their current state of contraction, which can be altered by varying the timing between two impulses. Using four muscles, six impulses and seven time gaps, ElectricAuth encodes one of 68M possible challenges in 1.2s. As such, ElectricAuth is robust against data breaches and replay attacks because it never reuses the same challenge twice in authentications. ElectricAuth rejects replay of recorded responses to any previously used challenges, and can quickly recover from leak/breach of either authentication model or stored challenge-response pairs by asking the user to register responses to a new set of challenges (like registering new one-time passwords).

We evaluated our prototype of ElectricAuth by means of four different evaluations: (1) in our user studies, we found that ElectricAuth offers accurate user verification and resists three common biometric attacks: impersonation, replay and synthesis attacks; (2) in our longitudinal study, we found that ElectricAuth’s pre-trained authentication model performed stably over 21 days against various muscle conditions (fatigue, humidity, etc.) that were absent from the training data; (3) we showed that ElectricAuth, after receiving a response, can verify the user in 3ms on laptop’s CPU and 35ms on a small embedded device; we also confirmed the use of depth camera as an alternative motion tracking modality; and, (4) we generated synthetic impersonator responses to test ElectricAuth’s robustness against impersonation attacks at scales larger than our user studies.