By Ivan Martinovic, Kasper Rasmussen, Marc Roeschlin, and Gene Tsudik
We propose a new biometric based on the human body’s
response to an electric square pulse signal, called pulse-response. We explore how this biometric can be used to
enhance security in the context of two example applications: (1) an additional authentication mechanism in PIN
entry systems, and (2) a means of continuous authentication on a secure terminal. The pulse-response biometric
is effective because each human body exhibits a unique
response to a signal pulse applied at the palm of one hand,
and measured at the palm of the other. Using a prototype
setup, we show that users can be correctly identified, with
high probability, in a matter of seconds. This identification
mechanism integrates well with other established methods
and offers a reliable additional layer of security, either on
a continuous basis or at login time. We build a proof-of-concept prototype and perform experiments to assess the
feasibility of pulse-response as a practical biometric. The
results are very encouraging, achieving accuracies of 100%
over a static data set, and 88% over a data set with samples
taken over several weeks.
Many modern access control systems augment the traditional two-factor authentication procedure (something you
know and something you have) with a third factor: “something you are,” that is, some form of biometric authentication. This additional layer of security comes in many flavors:
from fingerprint readers on laptops used to facilitate easy
login with a single finger swipe, to iris scanners used as auxiliary authentication for accessing secure facilities. In the latter case, the authorized user typically presents a smart card,
then types in a PIN, and finally performs an iris (or fingerprint) scan.
In this paper, we propose a new biometric based on the
human body’s response to a square pulse signal. We consider
two motivating scenarios:
The first is the traditional access control setting described
above where the biometric is used as an additional layer of
security when a user enters a PIN, for example, into a bank
ATM. The pulse-response biometric facilitates unification of
PIN entry and biometric capture. We use PIN entry as a running example for this scenario throughout the paper. This
is because PIN pads are often made of metal, which makes
capturing the pulse-response biometric straightforward: a user
would place one hand on a metal pad adjacent to the keypad,
while using the other hand to enter a PIN. This conductive
pad would transmit the pulse and a sensor in the PIN pad
would capture the measurement.
The second scenario corresponds to continuous authentication, for example, verifying that the user, who securely
logged in earlier, is the same person currently present at the
keyboard. For this scenario, we need a mechanism that periodically samples one or more biometrics. However, for obvious
usability reasons, ideally this would be done unobtrusively.
The pulse-response biometric is particularly well-suited for
this setting. Assuming that it can be made from—or coated
by—a conductive material, the keyboard would generate the
pulse signal and measure response, while the user (remaining oblivious) is typing. The main idea is that the user’s
pulse-response is captured at login time and the identity of
the person currently at the keyboard can be verified transparently, at the desired frequency.
To assess the efficacy and feasibility of the pulse-response
biometric, we built a prototype platform that enables gathering pulse-response data. Its main purpose is to assess whether
we can identify users from a population of test subjects. The
same platform can test the distinguishing ability and stability of this biometric over time. We also explored two systems
that apply the pulse-response biometric to the two sample
scenarios discussed above: one to unobtrusively capture the
biometric as an additional layer of security when entering a
PIN, and the other to implement continuous authentication.
This section provides background on biometrics, summarizes the terminology and introduces our design goals.
2.1. Biometrics
The meaning of biometric varies depending on context.
Throughout this paper we use it to denote a measurable
biological (anatomical and physiological) or behavioral
characteristic that can be used for automated recognition of
Usually, biometric measurements are divided into two
categories: physiological and behavioral [3]. The former relies
on the physiology of a person, such as fingerprints, facial
features, or DNA. Behavioral biometrics are based on user
behavior, such as keystroke timings, speech patterns, handwriting characteristics, gait, and many others.
Physiological biometrics can help identify an individual
among a large pool of candidates. However, there are some
caveats. In general, physiological biometrics are considered
moderately difficult to circumvent. For example, although
A full version of this paper was presented at the Network
and Distributed System Security (NDSS) Symposium 2014.