Figure 1: Existing user authentication mechanisms, from left to right, PIN, password, pattern, fingerprint, facial, and voice.
Ming Li, Ph.D., is an Assistant Professor at the CSE Department. Her research interests include privacy and security, crowd and social sensing, Internet of things, and mobile computing. A major goal of her research is to model, incentivize, and secure the crowd and ubiquitous devices participating in collaborative computation. Commercialized systems of this kind include Google Maps, Waze, Facebook, Yelp, Amazon MTurk, etc.
Wearable devices have become deeply embedded in people's daily lives, and they read and store rich information about their owners. For example, in smart health, the key application of wearable devices today is tracking the wearer's activities or vital signs, so the devices collect sensitive data such as heartbeat, weight, and blood pressure. Wearers are unwilling to disclose the information stored in their wearables to others without permission, so user authentication is critically needed for wearable devices. The most commonly used authentication methods on mobile devices are password/PIN/pattern-based methods and biometric-based methods (shown in Figure 1). However, none of them is really suitable for wearables. Typing passwords or drawing patterns on wearable devices can be rather cumbersome because of their small input/output units. Collecting and recognizing physiological biometrics, such as fingerprints, facial characteristics, hand/finger geometry, iris, and retina, requires specialized sensing hardware and dedicated processing resources, which are always missing in wearables. Because many of these sensors are even larger than the wearables themselves, it is also impractical to build them into wearables.
Figure 2: The prototype of Beat-PIN that we develop for the smartwatch. A beat-PIN is characterized by the timing of its beats.
Figure 3: Screenshots of Beat-PIN prototype in enrollment (a) and login stage (b), (c) and (d).
Dr. Li and her team have developed a novel authentication scheme, called Beat-PIN (shown in Figure 2), for wearable devices that are equipped with touch sensors, e.g., a touch screen, a sensed surface, or a single button whose output signals can be timestamped. It is a new passcode-style authentication method. However, rather than numbers, letters, or characters, users choose different beats/rhythms when tapping on the touch sensor, e.g., the screen of a smartwatch. Thus, the rhythm of tapping serves as the secret known only to the legitimate user. We call this rhythm-based password the beat-PIN. A beat-PIN can be easily created by the user, for example, by extracting some beats from his/her favorite songs or jingles. A beat-PIN is characterized by the timing of its beats, which can be recorded by the device system clock.
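The sketch below is an added example, not the Beat-PIN team's code or published algorithm: it shows how a rhythm defined only by beat timing could be enrolled and checked. The feature choice (hold time per beat plus the gap between beats), the tolerance rule, and the names `features`, `enroll`, `verify`, `k` and `floor_ms` are assumptions made for illustration, and all timestamps are constructed.

```python
from statistics import mean, pstdev

def features(taps):
    """taps: [(down_ms, up_ms), ...] per beat -> hold times followed by gaps between beats."""
    if len(taps) < 2:
        raise ValueError("a beat-PIN needs at least two beats")
    holds = [up - down for down, up in taps]
    gaps = [taps[i + 1][0] - taps[i][1] for i in range(len(taps) - 1)]
    if min(holds) <= 0 or min(gaps) <= 0:
        raise ValueError("timestamps must be strictly increasing")
    return holds + gaps

def enroll(samples):
    """Build a template (per-feature mean and spread) from repeated entries of one beat-PIN."""
    if len({len(s) for s in samples}) != 1:
        raise ValueError("enrollment samples disagree on the number of beats")
    columns = list(zip(*(features(s) for s in samples)))
    return {"beats": len(samples[0]),
            "mean": [mean(c) for c in columns],
            "std": [pstdev(c) for c in columns]}

def verify(template, attempt, k=3.0, floor_ms=40.0):
    """Accept only if every timing lies within max(k * std, floor_ms) of the enrolled mean.
    k and floor_ms are assumed tuning values, not figures from the Beat-PIN work."""
    if len(attempt) != template["beats"]:
        return False          # wrong number of beats: reject before comparing timings
    try:
        observed = features(attempt)
    except ValueError:
        return False          # malformed or overlapping touch events
    return all(abs(x - m) <= max(k * s, floor_ms)
               for x, m, s in zip(observed, template["mean"], template["std"]))

# Constructed sample data: three enrollment entries of the same four-beat rhythm (ms).
ENROLLMENT = [
    [(0, 120), (400, 510), (650, 760), (1300, 1450)],
    [(0, 130), (410, 515), (640, 755), (1320, 1460)],
    [(0, 115), (390, 505), (660, 765), (1290, 1445)],
]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = [(0, 125), (405, 512), (655, 762), (1310, 1455)]       # same rhythm, small jitter
WRONG_RHYTHM = [(0, 120), (300, 420), (600, 720), (900, 1020)]   # right count, even spacing
WRONG_COUNT = [(0, 120), (400, 510), (650, 760)]                 # one beat missing

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("wrong rhythm", WRONG_RHYTHM),
                          ("wrong count", WRONG_COUNT)]:
        print(name, verify(TEMPLATE, attempt))
```

Only differences between timestamps are used, so the absolute clock value at login does not matter; the width of the tolerance band is what trades false rejections of the owner against acceptance of a near-miss rhythm.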
Beat-PIN can serve as an ideal authentication method for wearable devices. First, unlike regular passwords or digit-PINs, which have to be entered on a physical or virtual keyboard, and unlike fingerprint and facial recognition based authentication methods, which require superior sensors, Beat-PIN can work on any wearable device with a simple touch sensor. Second, unlike pattern-based passwords, which require a large screen to draw on, beat-PINs can be performed on a much smaller spot. Besides, it is resilient to infrared attacks and smudge attacks, because a user does not leave that kind of information on the screen when entering a beat-PIN. Moreover, it is also worth mentioning that Beat-PIN is friendly to sight-impaired users. The result of this work has been published in ACM ASIACCS'18.
More recently, Dr. Li and her team have been working on privacy- and security-aware mobile crowd sensing (MCS) (Figure 4). Mobile devices, including smartphones and tablets, are becoming extremely prevalent. Equipped with diverse sensors, from GPS to camera, and paired with the inherent mobility of their owners, mobile devices are capable of acquiring rich information about the surrounding environment. However, the wide adoption of mobile crowd sensing is largely hindered by privacy and security concerns. To support each stage of mobile crowd sensing, including sensing task allocation, sensing data collection, and result aggregation, sensing devices report their location information, sensing capabilities, task preferences, and sensing results to servers. Such information can potentially disclose users' daily routines, behavior patterns, and even identities. Besides, since data are collected from the crowd, it is possible that some malicious users report falsified information to pollute the final aggregation results. With these concerns in mind, the overall goal of this project is to address privacy and security issues at different stages of mobile crowd sensing. This project is currently supported by NSF ECCS-1711991.
Figure 4: Basic framework for MCS.