A user demonstrates the EMS authentication method. Image courtesy of SAND Lab.
A user demonstrates the EMS authentication method. Image courtesy of SAND Lab.

By Nora Bailey, for the Physical Sciences Division

As more of our lives take place online, digital security has become ever more important and ever more vulnerable. A new authentication method built upon electrical muscle stimulation could provide top-notch security—no password or PIN memorization required.

The SAND Lab (Security, Algorithms, Networking and Data) at the University of Chicago has created a novel technique for user authentication that takes advantage of an individual’s unique response to stimuli. By providing a variety of gentle electrical stimuli to the muscles of the forearm and measuring the resulting finger movements, users can be robustly and uniquely identified.

“We wanted to use the human body properties to act like a one-time password,” says SAND Lab co-director and Neubauer Professor of Computer Science Heather Zheng. “The natural response is like answering a question without having to actively involve the brain.”

Traditional biometric authentication methods, like fingerprints, provide security based on an individual’s unique characteristics and avoid the need for memorization. However, if compromised in a security breach, these static biometric methods cannot ever be used again. After all, getting a new set of fingerprints is not a feasible solution to a security breach.

Interactive systems, however, provide the enhanced security of biometrics but with the added advantage of adaptability. This is the premise behind ElectricAuth, the active electrical muscle stimulation biometric authentication system developed by Zheng and her collaborators.

“These tiny little triggers on your arm can generate about 64 million questions, or challenges, for a single user with a small, simple set-up,” says Zheng.

The set-up is a sleeve containing electrodes that attach to the user’s skin. These electrodes can then deliver an electrical impulse to four of the user’s forearm muscles, resulting in involuntary movements of the fingers and hand that can be measured by the device. And no, it doesn’t hurt.

“The current doesn’t go into the sensory nerve, just into the muscle,” explains Yuxin Chen, UChicago graduate student and the paper’s lead author. 

Graduate student Zhuolin Yang, co-author, agrees. “I tried it about a thousand times, and it’s mostly like a massage.”

Electrical muscle stimulation has traditionally been used in physical therapy and rehabilitation. 

“Currently electrical muscle stimulation usage isn’t taking advantage of the different response by each user,” says Zheng. “In fact, that characteristic is often suppressed.” The team was excited at the opportunity to turn that uniqueness into a positive as a method for authentication.

The response of a given individual to electrical muscle stimulation is dictated by a wide range of factors, such as the shape and size of a limb or the elasticity of a muscle, that interact in complex ways. Verifying the unique response of each individual was a big challenge for the team. 

“Modeling the intervariability across humans is very difficult,” says Zheng. “That’s something we’ll be investigating more.” For now, ElectricAuth uses a machine learning model to analyze and record the user’s responses during registration.  

When a user registers with ElectricAuth, they are fitted with a custom sleeve. This sleeve allows the electrodes to be customized in placement to target the desired muscles and be adjusted for comfort. This sleeve is then used in future sessions to quickly place the electrodes correctly. Another benefit of the sleeve is an additional layer of protection, as an attacker would need access to an individual’s personalized sleeve for impersonation.

During registration, the user records their response to the signals. In this case, the response is captured via small nodes attached to the fingers, but alternative systems, such as visual-based cameras, could be used as well. The team has already tested the system extensively. 

Each signal is about one second in length and is varied in the number of pulses sent through the electrodes as well as the time between the pulses. This enables a huge set of unique stimuli that can be used as challenges.

“Rather than using just one face or ten fingers, we now have 64 million possible interpretations to use for authentication,” says Zheng.

After registration, any of the pre-recorded responses can be used as a challenge for authentication. The user’s response is evaluated by the machine learning model and, if consistent, access is granted. Once this is done, that challenge is removed. In this way, the challenges function as one-time use authentication, which provides strong security even against attackers able to watch or record a legitimate user.

[Watch a video demo of the device.]

The team investigated the performance of ElectricAuth during a user study with 13 participants. The three experiments of the study focused on authentication accuracy and defense against various types of attack: impersonation attack, when an impostor tries to pose as the authenticated user; replay attack, when an impostor records an authenticated user’s response for later use; and synthesis attack, when an impostor tries to use previous responses from an authenticated user to recreate the correct response to a new challenge.

In addition, an exploratory longitudinal study with two users investigated how well ElectricAuth performed over three weeks with a variety of different conditions. 

“We tried things like steaming up in a bathroom and pumping up our muscles and it still worked,” says Yang.

“We worked out the muscles every day for the longitudinal study,” says Chen. “And the system still can recognize our responses registered on the first day.”

Going forward, the team is hoping to conduct a larger study and collaborate across other fields, such as biology and neuroscience, to improve the system.

“There are a lot of applications for this,” says Zheng. “Wearables are the future. And if you wear the device, why not use it to authenticate you?”

Citation: Yuxin Chen, Zhuolin Yang, Ruben Abbou, Pedro Lopes, Ben Y. Zhao and Haitao Zheng. 2021. User Authentication via Electrical Muscle Stimulation. In Proceedings of CHI Conference on Human Factors in Computing Systems 2021 (CHI'2021). Project webpage.

Partial funding from the National Science Foundation.

Related News

More UChicago CS stories from this research area.
UChicago CS News

Five UChicago CS Students Named to Siebel Scholars 2023 Class

Sep 22, 2022
UChicago CS News

UChicago CS Students Emily Wenger and Xu Zhang Receive Harper Fellowships

Sep 14, 2022
In the News

Internet Disconnect

Sep 13, 2022
UChicago CS News

Asst. Prof. Aloni Cohen Receives Award For Revealing Flaws in Deidentifying Data

Sep 09, 2022
UChicago CS News

UChicago/Argonne Computer Scientist Ian Foster Receives ACM/IEEE Ken Kennedy Award

Sep 07, 2022
UChicago CS News

First In-Person Robotics Class Lets Students See Code Come To (Artificial) Life

Sep 06, 2022
UChicago CS News

UChicago/Argonne Researchers Will Cultivate AI Model “Gardens” With $3.5M NSF Grant

Aug 30, 2022
UChicago CS News

High School Students in College Prep Program Visit UChicago CS

Aug 23, 2022
UChicago CS News

UChicago Hosts NSF Workshop on Frontiers of Quantum Advantage

Aug 15, 2022
UChicago CS News

New 2022-23 Faculty Add Expertise in Linguistics, Visualization, Economics, and Data Science Education

Aug 11, 2022
In the News

UChicago Co-Leads $10 Million NSF Institute on Foundations of Data Science

Aug 09, 2022
UChicago CS News

UChicago CS Faculty Receive Industry Grants From J.P. Morgan, Google

Jul 19, 2022
arrow-down-largearrow-left-largearrow-right-large-greyarrow-right-large-yellowarrow-right-largearrow-right-smallbutton-arrowclosedocumentfacebookfacet-arrow-down-whitefacet-arrow-downPage 1CheckedCheckedicon-apple-t5backgroundLayer 1icon-google-t5icon-office365-t5icon-outlook-t5backgroundLayer 1icon-outlookcom-t5backgroundLayer 1icon-yahoo-t5backgroundLayer 1internal-yellowinternalintranetlinkedinlinkoutpauseplaypresentationsearch-bluesearchshareslider-arrow-nextslider-arrow-prevtwittervideoyoutube