TC 11 Briefing Papers
Step & turn—A novel bimodal behavioral biometric-based user verification scheme for physical access control

https://doi.org/10.1016/j.cose.2022.102722

Abstract

Step & Turn is a novel bimodal behavioral biometric-based verification scheme for physical access control. In today’s rapidly evolving smart physical spaces, frictionless and smooth interactions are emerging as critical usability requirements. Such demands need to coexist with mandatory requirements like security. Step & Turn addresses the fundamental limitations of the conventional physical access control schemes, i.e., users having a specific knowledge or possessing a particular device or token, to satisfy both usability and security requirements. We design and develop a prototype of Step & Turn by exploiting two natural human behaviors: single footstep and hand-movement to authenticate the users. To evaluate Step & Turn, we design multi-class verification models using three different classifiers. The system achieves a True Acceptance Rate of 97.25% at False Acceptance Rate of 0.01% on a dataset of 1,600 samples collected from 40 participants. We also assess its usability using the System Usability Scale. The solution obtained a score of 76.72 providing evidence that users have a positive perspective towards the use of Step & Turn.

Introduction

Cyber technology transformations are not confined only to electronic or computing devices but they permeate across traditional physical spaces. The introduction of computing and communication capabilities in many physical spaces further synergized with machine intelligence is making them “smarter” (Tavčar and Horváth, 2018). In this context, this paper focuses on controlling access to smart homes and smart buildings. These emerging smart spaces require some form of physical access control (i.e., locks, doors, barriers, etc.) that must be both reliable and usable for the users (Krašovec et al., 2020). Consequently, physical access control systems are undergoing a swift technological evolution related to the underlying user verification mechanisms.

All major lock manufacturers (Schlage, Yale) offer modern locks leveraging knowledge-based schemes (e.g., PIN/Password), device-pairing (e.g., smart cards, smartphones), and physiological biometrics (e.g., face, fingerprints), illustrated in Fig. 1(a). However, existing solutions are still prone to many attacks like insider-, replay-, and spoofing attacks (Gupta, Buriro, Crispo, 2019; Ho, Leung, Mishra, Hosseini, Song, Wagner, 2016). They have also shown usability issues, e.g., they add cognitive load on users and are ergonomically inefficient for new smart ecosystems (Katsini, Belk, Fidas, Avouris, Samaras, 2016; Ometov, Petrov, Bezzateev, Andreev, Koucheryavy, Gerla, 2019). A recent report (Yubico, 2021), based on inputs from 563 individual users, reports that 55% of users prefer password-less access, 62% of them do not prefer to use a second-factor verification, and 50% of users sometimes share passwords with a colleague. Furthermore, 65% of users believe that biometrics would increase security, but 30% of them are highly concerned about their privacy when providing biometric data.

Typically, physiological biometric-based access control systems are considered more secure than the other authentication schemes (Sabater, 2019; Sharma, Gupta, Khatri, 2019). In Baidya et al. (2017), a fingerprint-based door access system reported accuracy of more than 95% by exploiting basic patterns (arch, loop, and whorl) of fingerprint ridges. In Shi et al. (2019), a face recognition system for door locks achieved an accuracy of 98.3% and implemented an interactive face liveness detection method by monitoring the eye and mouth state. In Yu et al. (2020), an iris-based access control management system is proposed to fully realize automatic management of the personnel who attempt to pass the access control system. All these systems require users’ explicit interaction for their verification. Examples include placing a finger on a fingerprint scanner, standing in front of a camera, or closely looking at the iris scanner. Hence, their unobtrusiveness is limited (Vegas et al., 2020). Moreover, end-users have expressed privacy concerns in providing biometric modalities like a fingerprint, face, and iris (Carpenter, McLeod, Hicks, Maasberg, 2018; Chan, 2016; North-Samardzic, 2019). In Rui and Yan (2018), potential attacks and a security risk assessment for popular biometric-based authentication schemes are discussed. These limitations motivate the design of physical access control systems based on a new approach using behavioral biometrics.

Step & Turn is the first bimodal scheme to exploit users’ single footstep and hand-movement behavior while they seek entry to a physical space, as illustrated in Fig. 1(b). The left- and right footstep pressure-data is sensed from 88 pressure sensors arrays embedded in the doormats, and the hand-movement is modeled as a 3-dimensional signature by acquiring the raw data from 3-axis motion sensors. We design, prototype, and evaluate user verification models by employing random forest (RF), support vector machine (SVM), and Fisher linear discriminant (FISHERC) classifiers. We also perform Step & Turn’s usability analysis to establish efficiency, effectiveness, and satisfaction. The key contributions of the paper are thus the following:

  • We propose a novel multi-class user verification scheme that exploits users’ single footstep and hand-movement for securing physical access. The combination of footstep and hand-movement does not require explicit user cooperation, and both modalities can be collected unobtrusively, which can address usability aspects.

  • We collect a new dataset for hand-movement from 40 volunteers. We design a hardware prototype using an Adafruit 9-DOF Accel/Mag/Gyro breakout board to acquire users’ hand-movement while they interact with the door handle. A smart office scenario was replicated in our lab by fixing the prototype to the door handle and placing two doormats in front of the door to give a real experience to the volunteers.

  • A chimerical dataset containing 1,600 samples (40 per participant) is generated by combining our collected hand-movement dataset and the Swansea University Speech and Image Research Group footstep data having an equal number of participants. The main reason for relying on the existing footstep dataset is that hand-movement and footstep are two independent behaviors; thus, it can be assumed that the classification decision will not be affected for designing a proof-of-concept, even if the two modalities are acquired from two different subjects. Also, the fusion of datasets collected from different subjects self-anonymizes the dataset for experimentation purposes, which may prevent dataset misuse.

  • Step & Turn achieves a TAR of 97.25% at a FAR of 0.01% using the RF classifier and obtains a score of 76.72 in the SUS survey. Moreover, a score-level fusion using F-ratio is implemented to improve Step & Turn’s verification accuracy. Step & Turn achieves a TAR improvement of approximately 10% after fusing hand-movement and footstep compared to SmartHandle, which relies only on hand-movement behavior.

Paper Structure: Section 2 discusses the prior related work that employed hand-movement and footstep behavioral biometric traits for user recognition. Section 3 describes the prototyping of the Step & Turn user verification system together with the system setup and details of the hardware used. Section 4 provides the design methodology, which includes data collection, feature extraction, feature selection, and fusion. Section 5 describes the performance metrics, user verification model construction, evaluation results under different settings, score-level fusion, and a broad-level discussion on security goals. Section 6 presents the usability analysis of the Step & Turn system. Finally, Section 7 presents the conclusions and an outline of possible future work.

Section snippets

Related work

Smart locks are gradually replacing traditional locks in smart homes and smart buildings (Xin et al., 2020). Many researchers have worked on the security and reliability of smart locks based on physiological biometric, radio-frequency identification (RFID), smart card, PIN, or password (Nehete, Chaudhari, Pachpande, Rane, 2016; Yu, 2018; Zhang, Tian, Zhang, 2018). This section reviews the prior work that exploited hand-movement and footstep behavioral biometric traits for user recognition.

Step & turn: System setup

This section provides an overview of Step & Turn setup and the software and hardware details of our proposed user verification method for physical access control.

Design methodology

In this section, we present the methodology to design the Step & Turn verification scheme using hand-movement and footstep biometrics, which includes the data collection, feature extraction, and feature selection process.

Evaluation

Step & Turn is designed for multi-user verification. Thus, we consider two different scenarios to evaluate the underlying verification models: a scenario in which a legitimate user is verified, and an impostor scenario using a zero-effort attack. Further, this section describes the performance metrics, user verification models, verification results, score-level fusion, and a discussion on security goals.
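The evaluation outlined above, as an added illustration that is not code from the paper: it measures TAR at a fixed FAR bound for each modality under zero-effort impostor attempts, then for a score-level fusion weighted by F-ratio. The F-ratio form (mu_G - mu_I) / (sigma_G + sigma_I), the weighted-sum fusion rule, and every score value are assumptions made for this example.

```python
from statistics import mean, pstdev

# Constructed similarity scores (not from the paper): per modality, a tuple of
# (genuine attempts, zero-effort impostor attempts); index k is one door entry.
SCORES = {
    "hand": ([0.9, 0.8, 0.7, 0.4, 0.9, 0.8, 0.7, 0.8],
             [0.1, 0.2, 0.3, 0.5, 0.2, 0.1, 0.3, 0.2]),
    "footstep": ([0.8, 0.9, 0.3, 0.8, 0.7, 0.9, 0.8, 0.7],
                 [0.2, 0.1, 0.2, 0.1, 0.4, 0.3, 0.2, 0.1]),
}
MAX_FAR = 0.0001  # the 0.01% operating point quoted in the paper

def f_ratio(genuine, impostor):
    """Separability of one matcher (assumed form): (mu_G - mu_I) / (sigma_G + sigma_I)."""
    return (mean(genuine) - mean(impostor)) / (pstdev(genuine) + pstdev(impostor))

def fusion_weights(scores):
    """Normalise the F-ratios to sum to 1; a non-separating matcher gets weight 0."""
    ratios = {m: max(f_ratio(g, i), 0.0) for m, (g, i) in scores.items()}
    total = sum(ratios.values())
    if total == 0:
        raise ValueError("no modality separates genuine from impostor scores")
    return {m: r / total for m, r in ratios.items()}

def fuse(scores, weights, side):
    """Weighted-sum fusion per attempt; side 0 = genuine, 1 = impostor."""
    columns = zip(*(scores[m][side] for m in scores))
    return [sum(weights[m] * s for m, s in zip(scores, col)) for col in columns]

def tar_at_far(genuine, impostor, max_far):
    """Best TAR over thresholds t (accept when score >= t) whose FAR stays <= max_far."""
    best = 0.0
    for t in sorted(set(genuine) | set(impostor)):
        far = sum(s >= t for s in impostor) / len(impostor)
        if far <= max_far:
            best = max(best, sum(s >= t for s in genuine) / len(genuine))
    return best

def evaluate(scores=SCORES, max_far=MAX_FAR):
    """Return the fusion weights and the TAR of each modality and of the fused score."""
    weights = fusion_weights(scores)
    result = {m: tar_at_far(g, i, max_far) for m, (g, i) in scores.items()}
    result["fused"] = tar_at_far(fuse(scores, weights, 0), fuse(scores, weights, 1), max_far)
    return weights, result

if __name__ == "__main__":
    weights, result = evaluate()
    print("weights:", weights)
    print("TAR at FAR <= 0.01%:", result)
```

With only eight impostor attempts the smallest non-zero FAR is 12.5%, so the 0.01% bound here reduces to zero false accepts; resolving a FAR that small takes at least 10,000 impostor comparisons. Weights and thresholds are fitted and scored on the same data in this sketch, which is optimistic compared with a held-out evaluation.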

Usability analysis

This section presents the usability analysis of the Step & Turn user verification system. Usability assessment is a strategic criterion for establishing the efficiency, effectiveness, and satisfaction of user verification methods (Blanco-Gonzalo et al., 2019).

We use the System Usability Scale (SUS) tool (Brooke, 2013) to perform usability assessments of Step & Turn system. Participants conducted the SUS survey after finishing the experiment. Participants can specify their decision on a

Conclusions and future work

Step & Turn offers a secure and usable user verification scheme for controlling access to physical space. Unlike conventional verification schemes, it does not require the active participation of the user. Step & Turn provides a multi-class classification solution for physical access control. Our proposed scheme attains a TAR of 97.25% (@FAR of 0.01%) using an RF classifier-based verification model on a chimerical dataset of 40 users. Some of the challenges and limitations in the mass

CRediT authorship contribution statement

Sandeep Gupta: Conceptualization, Methodology, Investigation, Software, Writing – original draft. Mouna Kacimi: Methodology, Validation, Writing – review & editing. Bruno Crispo: Conceptualization, Methodology, Supervision, Project administration, Writing – review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (59)

  • T. Fawcett. An introduction to ROC analysis. Pattern Recognit Lett (2006)
  • S. Furnell. The usability of security–revisited. Computer Fraud & Security (2016)
  • R.J. Urbanowicz et al. Relief-based feature selection: introduction and review. J Biomed Inform (2018)
  • A.F. Abate et al. I-am: implicitly authenticate me - person authentication on mobile devices through ear shape and arm gesture. IEEE Transactions on Systems, Man, and Cybernetics: Systems (2017)
  • S. Amini et al. Deepauth: A framework for continuous user re-authentication in mobile apps. Proceedings of the 27th ACM International Conference on Information and Knowledge Management (2018)
  • S. Anchal et al. Person identification and imposter detection using footstep generated seismic signals. IEEE Trans Instrum Meas (2020)
  • M. Andries et al. Localization of humans, objects, and robots interacting on load-sensing floors. IEEE Sens J (2016)
  • J. Baidya et al. Design and implementation of a fingerprint based lock system for shared access. Proceedings of the 7th Annual Computing and Communication Workshop and Conference (CCWC) (2017)
  • R. Blanco-Gonzalo et al. Biometric systems interaction assessment: the state of the art. IEEE Trans Hum Mach Syst (2019)
  • J. Brooke. Sus: a retrospective. J Usability Stud (2013)
  • A. Buriro et al. Risk-driven behavioral biometric-based one-shot-cum-continuous user authentication scheme. J Signal Process Syst (2021)
  • D. Carpenter et al. Privacy and biometrics: an empirical examination of employee concerns. Information Systems Frontiers (2018)
  • M.P. Centeno et al. Smartphone continuous authentication using deep learning autoencoders. Proceedings of the 15th Annual Conference on Privacy, Security and Trust (PST) (2017)
  • K.J. Chan. Privacy perceptions in biometrics operations. Proceedings of the International Conference on e-Learning, e-Business, Enterprise Information Systems, and e-Government (EEE) (2016)
  • O. Costilla-Reyes et al. Analysis of spatio-temporal representations for robust footstep recognition with deep residual neural networks. Transactions on pattern analysis and machine intelligence (2018)
  • M. Edwards et al. Footstep pressure signal analysis for human identification. Proceedings of the 7th International Conference on Biomedical Engineering and Informatics (2014)
  • S. Gupta. Next-generation user authentication schemes for IoT applications (2020)
  • S. Gupta et al. A risk-driven model to minimize the effects of human factors on smart devices. Proceedings of the International Workshop on Emerging Technologies for Authorization and Authentication (2019)
  • S. Gupta et al. Smarthandle: A novel behavioral biometric-based authentication scheme for smart lock systems. Proceedings of the 3rd International Conference on Biometric Engineering and Applications (2019)
  • S. Gupta et al. A perspective study towards biometric-based rider authentication schemes for driverless taxis. Proceedings of the International Conference On Innovation And Intelligence For Informatics, Computing, And Technologies (2019)
  • G. Ho et al. Smart locks: Lessons for securing commodity internet of things devices. Proceedings of the 11th ACM on Asia conference on computer and communications security (2016)
  • A. Huang et al. Au-id: automatic user identification and authentication through the motions captured from sequential human activities using rfid. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (2019)
  • IBIA, 2021. Behavioral biometrics....
  • ISO, 2021. Iso/iec 24713-2:2008(en). Online web resource Accessed on...
  • ISO, 2021. Biometric information protection. IEC24745:2011(en) Online web resource, Accessed on 01–05...
  • C. Katsini et al. Security and usability in knowledge-based user authentication: A review. Proceedings of the 20th Pan-Hellenic Conference on Informatics (2016)
  • A. Krašovec et al. Not quite yourself today: behaviour-based continuous authentication in iot environments. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (2020)
  • R.D. Labati et al. Toward unconstrained fingerprint recognition: a fully touchless 3-d system based on two views on the move. IEEE transactions on systems, Man, and cybernetics: systems (2015)
  • J.R. Lewis et al. Item benchmarks for the system usability scale. J Usability Stud (2018)
Sandeep Gupta received his Ph.D. degree in Information & Communication Technology from the University of Trento, Italy in 2020. He is a recipient of the prestigious Marie Sklodowska-Curie research fellowship. Since 2016, he has participated in the EU H2020 projects E-Corridor, NeCS, and CyberSec4Europe. Previously, he worked with Samsung, Accenture, and Mentor Graphics (now Siemens) in the cyber security field. His research interests include biometrics-based access control schemes, AI & machine learning, usable security & privacy for IoT, and cyber-physical systems.

Mouna Kacimi received her Ph.D. degree in computer science from the University of Bourgogne, France, in 2007. She is an assistant professor at the KRDB Research Centre for Knowledge and Data, Faculty of Computer Science, Free University of Bolzano. Before that, she spent three years as a postdoc at the Max-Planck Institute for Informatics in Saarbrucken, Germany. She has expertise in entity search, ranking models, and query processing. Her current research interests focus on information extraction and machine learning, where the goal is to develop fine-grained information extraction from unstructured text to enhance search, summarization, and predictive models.

Bruno Crispo received his Ph.D. degree in computer science from the University of Cambridge, UK, in 1999, having received the M.Sc. degree in computer science from the University of Turin, Italy, in 1993. He has been a full professor at the University of Trento since September 2005. Before that, he was an associate professor at Vrije Universiteit in Amsterdam. He has been the co-editor of the Security Protocol International Workshop proceedings since 1997. He is a member of ACM. His main interests span the field of security and privacy. In particular, his recent work focuses on security protocols, access control in very large distributed systems, distributed policy enforcement, embedded devices, smartphone security and privacy, and privacy-breaching malware detection. He has published more than 100 papers in international journals and conferences on security-related topics.