FEBRUARY 2017 | VOL. 60 | NO. 2 | COMMUNICATIONS OF THE ACM 111
of the authorized (at login time) user, physically accesses the
unattended terminal and attempts to proceed within an
already-open session. We assume that the adversary at the
keyboard has full access to the active session. The goal of
our system is to detect that the original user is no longer
present, and that the keyboard is operated by someone else.
If a different user is detected, the system consults a policy
database and takes appropriate actions, for example, locks
the session, logs out the original user, raises alarms, or
notifies system administrators.
In addition to the peripherals required to capture the pulse-response signal, the continuous authentication system consists of a software process that manages initial login and
frequency of periodic reacquisition of the biometric. This
process is also responsible for displaying user warnings and
reacting to suspected violations. We refer to it as the
continuous authentication process (CAP) and assume that neither the
legitimate user nor the adversary can disable it.
6. 2. Continuous authentication scheme
At login time, CAP measures and records the initial pulse-response biometric of the authorized user. Periodically, for
example, every few seconds, CAP reacquires the biometric by
sending and receiving a pulse signal through the keyboard.
Each newly acquired measurement is checked against the
value acquired at login. If the new measurement is sufficiently distinct from that sampled from the original user,
CAP consults its policy database and takes appropriate
actions, as discussed above. Figure 1 shows a sample CAP
The envisaged continuous authentication system can be
useful for training (e.g., corporate) users to adopt security-conscious behavior. For example, users can be motivated to
behave securely whenever they leave a secure terminal, for
example, by getting a warning every time they forget to log
out and/or allow someone else to take over a secure session.
Before considering the security of the continuous authentication system, we look back at the design goals.
Universal. The users of the system must have two hands
in order for the pulse-response biometric to be captured.
The same arguments, as in the case of PIN entry, apply here.
Unique and Permanent. In Section 7. 4, we show that our
prototype can match a pulse-response to previous samples
to the legitimate user. Although this is very hard to test pre-
cisely, assuming that the adversary is unaware of the target
user’s pulse-response measurements, the task seems very
difficult, if not impossible.
5. 3. Security of PIN entry scheme
The additional layer of security provided by the pulse-response
biometric is completely independent from security of the
PIN entry system alone. Therefore, we model the probability
Pbreak that the proposed PIN entry system can be subverted, as:
Pbreak = Pguess ⋅ Pforge
where Pguess is the probability of the adversary correctly
guessing the PIN and Pforge is the average probability that the
adversary can fool the classifier. We model this as the false
positive rate divided by the number of users. The false positive rate, that is, when an adversary is incorrectly classified
as an authorized user, is the complement of specificity. 10
In Section 7. 4, we determine specificity to be 88% and thus
Pforge = ( 1 − 0.88) on average.
If a PIN consists of n decimal digits and the adversary has
t guesses then . Together with Pforge this yields the
For example, if the adversary is allowed three guesses with
a 4-digit pin, Pbreak = 3. 6 ⋅ 10− 5, whereas a 4-digit plain-PIN
system has a subversion probability of 3 ⋅ 10− 4. Though this
improvement might not look very impressive on its own, it is
well known that most PIN attacks are performed by “
shoulder surfing” and do not involve the adversary guessing the
PIN. If we assume that the adversary already knows the PIN,
Pbreak = 12% with our system, as opposed to 100% without it.
6. CONTINUOUS AUTHENTICATION
We now present a continuous authentication scheme. Its
goal is to verify that the same user who securely logged into
a secure terminal, continues to be physically present at the
keyboard. Here, the pulse response biometric is no longer
used as an additional layer of security at login time. Rather,
the user’s pulse-response biometric is captured at login time
and subsequent measurements are used to authenticate the
user using the initial reference.
6. 1. System and adversary models
We continue using the example for continuous authentication introduced in Section 1. It entails a secure terminal
where authorized users can login and access sensitive data.
The system consists of a terminal with a special keyboard
that sends out pulse signals and captures the pulse-response
biometric. This requires the keyboard to be either made
from, or coated by, a conductive material. Alternatively, the
pulse signal transmitter could be located in a mouse that the
user operates with one hand and the keyboard captures the
pulse-response. Without loss of generality, we assume the
We assume that the adversary, with or without consent
Figure 1. Flowchart of the Continuous Authentication Process
Wait for login.