110 COMMUNICATIONS OF THE ACM | FEBRUARY 2017 | VOL. 60 | NO. 2
addressed via some form of active authentication, for example, a challenge-response mechanism. In a face recognition system a user might be asked to turn his head or look
at a particular point during the authentication process.
Although this reduces the chance of a photo passing for the
real person, the user is forced to take active part in the process,
which can be disruptive and annoying if authentication
happens on a continuous basis. Also, a good 3D model of a
human head can still fool such measures.
Fingerprint scanners often include some protection
against replay. This might be accomplished by detecting
other characteristics normally associated with a live finger,
for example, temperature, or presence of sweat or skin oils.
Such counter-measures make it more difficult to use skintight gloves or “cold dead fingers” to fool the biometric system. Still, replay remains a major challenge, especially for
low-end fingerprint readers.
In the context of the pulse-response biometric, unlike
fingerprints or face recognition, it is difficult (yet not
impossible) to separate the biometric from the individual
to whom it belongs. If the adversary manages to capture a
user’s pulse-response on some compromised hardware,
replaying it successfully would require specialized hardware that mimics the exact conductivity of the original user.
We believe that this is feasible: the adversary can devise a
contraption that consists of flat adhesive-covered electrodes attached to each finger-tip (five for each hand going
into one terminal) with a single wire connecting the two
terminals. The pulse response of the electrode-wire-elec-trode has to exactly replicate that of the target user. Having
attached electrodes to each finger-tip, the adversary can
type on the keyboard and the system could thus be effectively fooled. However, the effort required is significantly
harder than in cases of facial recognition (where a photo
suffices) or fingerprints, which are routinely left—and can
be lifted from—numerous innocuous locations.
Finally, the real power of the pulse-response biometric is evident when used for continuous authentication
(see Section 6). Here, the person physically uses a secure
terminal and constantly touches the keyboard as part of
routine work. Authentication happens on a continuous
basis and it is not feasible to use the terminal while at the
same time providing false input signals to the authentication system. Of course, the adversary could use thick
gloves, thereby escaping detection, but the authentication system will see input from the keyboard without the
expected pulse-response measurement to accompany it,
and will lock the session.
5. COMBINING PIN ENTRY WITH BIOMETRIC CAPTURE
This section describes the envisaged use of pulse-response
to unobtrusively enhance the security of PIN entry systems.
5. 1. System and adversary models
We use a running example of a metal PIN key-pad with an adja-
cent metal pad for the user’s other hand. The keypad has the
usual digit (0– 9) buttons as well as an “enter” button. It also
has an embedded sensor that captures the pulse-signal trans-
mitted by the adjacent metal pad. This setup corresponds to a
bank ATM or a similar setting.
The adversary’s goal is to impersonate an authorized user
and withdraw cash. We assume that the adversary cannot
fool the pulse-response classifier with probability higher
than that found in our experiments described later in this
We also assume that the ATM is equipped with a modified
authentication module which, besides verifying the PIN,
captures the pulse-response biometric and determines the
likelihood of the measured response corresponding to the
user identified by the inserted ATM card and the just-entered
PIN. We assume that the ATM has access to a database of
valid users, either locally or over a network. Alternatively, the
user’s ATM card can contain data needed to perform pulse-response verification. If stored on the card, this data must be
encrypted and authenticated using a key known to the ATM;
otherwise, the adversary (who can be assumed to be in possession of the card) could replace it with data matching its
5. 2. PIN entry scheme
The ATM has to determine whether data sampled from the
user while entering the PIN is consistent with that stored in
the database. This requires a classifier that yields the likelihood of a sample coming from a known distribution. The
likelihood is used to determine whether the newly measured
samples are close enough to the samples in the database to
produce a match. Using our prototype, we can make such
decisions with high confidence; see Section 7. 4.
Before discussing security of the pulse-response PIN entry
system, we check whether it meets the design goals.
Universal. A person using the modified PIN entry system
must use both hands, one placed on the metal pad and one
to enter the pin. This requires the user to actually have two
hands. In contrast, a normal PIN entry system can be operated with one hand. Thus, universality of our system is somewhat lower. This is a limitation of the biometric, although a
remedy could be to store a flag on the user’s ATM card indicating that disability, thus exempting this person from the
pulse-response check. This would allow our approach to
gracefully degrade to a generic PIN entry system.
Unique and Permanent. In Section 7. 4, we show that our
prototype can determine, with high probability, whether a subject matches a specific pulse-response. Thus, it is extremely
unlikely for two people to exhibit exactly the same pulse-response. We also show that an individual’s pulse-response
remains fairly consistent over time.
Unobtrusive. The proposed scheme is very unobtrusive,
since from the user’s perspective, the only thing that changes
from current operation is the added requirement to place the
free hand on a metal pad. There can even be two such pads
accommodating both left- and right-handed people. Also,
the ATM screen could display system usage instructions,
even pictorially to accommodate people who cannot read.
Similarly, audio instructions could be given for the sake of
those who are vision-impaired.
Difficult to circumvent. Given that pulse-response is unique,
the only other way to circumvent it is to provide the sensor
(built into the PIN pad) with a signal that would correspond