Shocking User Authentication

Remembering lots of passwords is a pain — especially when they have strict requirements to contain upper- and lowercase characters, numbers, special characters, ancient Egyptian hieroglyphs, and cuneiform characters. But this pain is a necessary evil, right? We do not want anyone to get access to our personal information, after all.

Well, maybe. A new concept in user authentication has recently come out of the University of Chicago by the name of ElectricAuth. The basic premise is that, when given a distinctive pattern of electrical stimulations on the forearm, each individual will have a unique response that can serve as a signature to authenticate their identity.

There are three primary components in ElectricAuth: 1) a medically-compliant electrical muscle stimulation (EMS) device, 2) an inertial measurement unit (IMU), and 3) a trained machine learning model. First, a Hasomed Rehastim EMS device, with eight individually controllable channels, is fitted on the forearm. A sequence of light electrical pulses are then delivered to the wearer’s arm. The user’s response to this electrical stimulation challenge is recorded by a set of five 9-DOF IMUs, each placed on a finger tip with the help of a 3D-printed ring. Finally, two deep neural networks work together to authenticate a previously registered user.

Before using the device for the first time, each user must register their identity. This is accomplished by being given a sequence of electrical stimulation challenges, then recording the user’s unique responses. This data is used to train the neural networks.

Once trained, the networks are ready for authentication. In the first step, an unsupervised anomaly detector verifies if a response appears to have been generated by the user that the model belongs to. This step seeks to eliminate the possibility of impersonation attacks. If no anomalies are detected, then a challenge classifier is next employed. This classifier is designed to reject replay attacks by verifying that the observed response is a reaction to the challenge used in the current authentication session.

A study of thirteen participants was conducted to assess the performance of the system. In it, ElectricAuth was found to have an overall authentication accuracy of 99.78%. The findings also showed that the device can tell the difference between a legitimate user and an impersonator, and also is robust against even the most extreme of replay and synthesis attacks.

ElectricAuth has an advantage over several other existing biometric authentication procedures that use fingerprint, face, or iris imagery in that it can not be so easily spoofed by an attacker. However, at least in the current prototype form, it requires wearing a sizable EMS device on the forearm, and rings on each finger tip, in addition to the associated wiring, which is impractical for daily use. They note that the IMUs may be able to be replaced with cameras which may help with the bulk of the device, but would also place limitations on the real world use cases.

The developers note that while ElectricAuth worked well in their small study, further research is needed to ensure sufficient intersubject variability of electrical stimulus responses in larger populations.