A Study on User Authentication Method Using EEG Biometric Information in the Fast Identity Online System

N/A
N/A
Protected

Academic year: 2022

Share "A Study on User Authentication Method Using EEG Biometric Information in the Fast Identity Online System"

Copied!
7
0
0

Loading.... (view fulltext now)

Full text

(1)

A Study on User Authentication Method Using EEG Biometric Information in the Fast Identity Online System

Cheol-Joo Chae (1), Han-Jin Cho (2), Hyun Mi Jung (3, *)

(1) Korea National College of Agriculture and Fisheries, Republic of Korea

(2) Far East University, Republic of Korea

(3) Korea Institute of Science and Technology Information, Republic of Korea

* Corresponding author e-mail: [email protected]

Abstract

Recently, the convergence of information technology and financial systems has brought biometrics into everyday use. Using such biometrics together with FIDO (Fast Identity Online), Samsung and Apple launched Samsung Pay and Apple Pay respectively. FIDO authentication technology has substituted for conventional authentication methods such as passwords. Among biometric technologies, fingerprint recognition has drawn worldwide attention because it minimizes user rejection and the device is relatively cheap. The amount of fingerprint information a user can provide is limited, however.

In addition, if fingerprint data are leaked by a hacker, they cannot be reused. Therefore, this study proposes a way to authenticate users using an EEG signal, one of the biometric modalities.

Convenience is increased by using a single-channel EEG device instead of conventional multi-channel EEG devices. Furthermore, this study suggests a method to use EEG signals in the FIDO system. More precisely, it explains how to utilize the EEG signals produced when a user recognizes a specific object as a means of user authentication.

Keywords: biometrics, electroencephalography, Fast Identity Online, authentication

1. Introduction

These days, cyber-attacks on network services that take advantage of loopholes in user authentication have been growing. User authentication is the process of proving one's identity to a third party. In general, a user is authenticated by his or her secret information. So far, users have proven their identity with a resident registration number, an authentication certificate, a password and the like. Under this conventional approach, however, a third party who obtains such secret information can prove the user's identity in the user's place. To overcome this problem, authentication methods using biometric information (e.g., the iris, fingerprints, etc.) have been adopted. Lately, with the development of FIDO authentication technology, biometric authentication has been used in diverse fields. In biometric information-based authentication, a user's bio-information is recognized using a smartphone camera or fingerprint sensor. Since biometric information is owned by each user only, it cannot be handed to a third party. However, because such biometric information is limited in quantity, it is often used after being transformed into a template instead of using the original. Under such biometric authentication, personal bio-information is used; it is therefore crucial to implement biometric authentication with privacy protection, reusability and anti-replay-attack technologies [1-3].

Recently, global tech giants such as Microsoft and Google began reviewing FIDO's security authentication technology. As a result, smartphone manufacturers and financial companies have planned to adopt biometric authentication technology. Furthermore, there has been active competition to take over the market ahead of rivals through the development of smartphone-based biometric authentication technology. The FIDO authentication technology was enacted by the FIDO Alliance, comprised of global technology leaders such as Google, Microsoft, Intel and Samsung. With FIDO technology, it is possible to build a platform that supports diverse user authentication methods such as biometric authentication and knowledge-based authentication. Therefore, it can provide safe and convenient authentication services to users and a non-redundant authentication system for service providers.

Therefore, this study proposes a biometric authentication method which can be used in the FIDO system. Among conventional biometric information, fingerprint-based methods are the most common. However, the amount of fingerprint information is limited, and its reusability is poor. Therefore, this study suggests an EEG signal-based approach. This paper is structured as follows: in chapter 2, biometric information-based FIDO authentication technology is analyzed; in chapter 3, an EEG signal ratio-based user authentication system is proposed; in chapter 4, the performance of the proposed system is evaluated; in chapter 5, conclusions are given.

2. FIDO authentication technology using biometric information

2.1 FIDO Authentication Technology

The FIDO authentication technology was developed to overcome the security issues that result from holding authentication means such as authentication certificates and from memorizing secret codes such as passwords. FIDO authentication provides the UAF and U2F standards. UAF authentication is a standard which uses personal biometric information and is more secure than conventional ID/password authentication systems. In contrast, U2F is a method which adds a separate authentication unit to such a conventional authentication system [4-7].

The UAF protocol is a technology which authenticates a user at the user's device in connection with online services. Under FIDO's UAF protocol, access to the FIDO server is obtained by recognizing biometric information through the user device. It also has a procedure to enter a security key provided by the user device. The UAF protocol standard consists of the UAF protocol specification, which defines the UAF messages exchanged among the web server, FIDO server and user device.

Figure 1 FIDO UAF High-Level Architecture

Figure 1 above shows the FIDO UAF high-level architecture. In FIDO UAF, a user device is comprised of a Browser App, FIDO Client, ASM (Authenticator Specific Module), FIDO Authenticator, Authentication Key and Attestation Key. FIDO UAF uses PKI authentication technology. However, it differs from conventional PKI methods in that the Attestation Certificate and Attestation Private Key reside in the user device's authentication module. When both public and private keys are sent to a web server, an authentication

interworking.

2.2 EEG Authentication Technology

An EEG signal is an electrical signal generated when signals are transmitted among cranial nerves, and it has complicated waveforms. For convenience, an EEG signal is classified by frequency band into delta, theta, alpha, beta and gamma. Since each band of an EEG signal has its own attributes and reveals different characteristics for each user, it is applicable to EEG-based user authentication methods. For the measurement of EEG signals, in general, 20 or more electrodes are attached to the scalp and ears, as shown in Figure 2. With the development of EEG sensor technology, however, devices that can easily measure with 20 or fewer electrodes have been developed.

For the measurement of EEG signals, the measuring positions are decided based on the electrode placement proposed by Jasper. According to his proposal, points at 10% or 20% of the distance between reference points are set as measuring points, which is generally called the 'International 10-20 System'. As shown in Figure 2, FP represents the frontal lobe while A1 and A2 stand for the left and right earlobes respectively. The brainwaves can then be measured in multiple channels across the head. If EEG signals are simultaneously measured at each measurement point, more accurate signals can be obtained [8-11].

Figure 2 International 10-20 EEG placement system showing Modified Combinatorial Nomenclature

With the development of EEG signal measuring devices, however, the number of electrodes needed to collect EEG signals has decreased, and devices have evolved to transmit EEG signals over mobile communication. As shown in Figure 3, EEG signal measuring devices include Emotiv's EPOC+ and Neurosky's MindWave, whose numbers of EEG measurement electrodes were simplified to 14 channels and a single channel respectively. In MindWave EEG-based user authentication, studies have reported 94% authentication accuracy on EEG signal data of 15 persons collected without external stimulation, by extracting EEG waveforms with a Fourier transform and band-pass filter and measuring cosine similarity [12-15].

Figure 3 EEG Signal Measuring Devices


3. Design of user authentication method using EEG signal in FIDO system

This study proposes a way to authenticate users using EEG in FIDO environments.

EEG-based biometric information recognition technology recognizes biometric information using the electroencephalogram, which responds according to particular situations. Such an electroencephalogram can be classified into waveforms with different frequencies and amplitudes. Delta waves (0-4 Hz) are generated during sleep, while theta waves (4-8 Hz) are produced during drowsiness or deep meditation. In addition, alpha waves (8-12 Hz) are generated in a relaxed or comfortable state, and beta waves (15-30 Hz) are produced during conscious activity or concentration. Lastly, gamma waves (30-50 Hz) are generated in an anxious or stressed state. This study proposes a way to authenticate users using the EEG signals generated when a user recognizes the string produced as a security code. A security code is a combination of English and Korean letters and numerals. EEG signals are measured while a user recognizes the security code. After separating the signals by waveform and measuring the theta-alpha ratio, user authentication is performed. Figure 4 below shows the proposed system.

Figure 4 User Authentication using EEG in the FIDO System

Users can be authenticated by creating authentication information after pattern-processing the EEG signals and transmitting it to the FIDO authenticator. To obtain the authentication information, one needs the user's fingerprints, the security code matched with the fingerprint-derived random code, and the brainwave information recorded while the security code is recognized. Compared to using biometric information only, the attack complexity therefore increases further. In addition, this has the advantage of solving the finiteness of biometric information, which is the weakness of biometric information-based authentication.

EEG information-based user authentication in the FIDO environment consists of a registration phase and an authentication phase. In the user registration phase, after confirming the user's identity, the FIDO registration protocol is combined with biometric information in place of a conventional authentication password. In the user authentication phase, the user is authenticated with the registered biometric information in combination with the FIDO authentication protocol, and the authentication is then verified.

Figure 5 below illustrates the EEG-based user registration and authentication process in the FIDO environment.


Figure 5 EEG-based User Authentication Process

• User Registration Phase

A user requests registration of user information from the FIDO server. The FIDO server requests authentication information from the user and sends the related policy. A security code is generated by the biometric device using a secure random function.

When the user recognizes the security code, EEG signals are extracted. The extracted EEG signals are then separated by band and used as authentication information after measuring a beta-theta ratio. A public/private key pair is then generated. The EEG device sends the public key and attestation to the FIDO server, which saves the user's public key acquired from the EEG device.

• User Authentication Phase

A user asks the FIDO server to check the authentication/transaction. The server generates a challenge for authentication and sends it to the user. When the user recognizes the security code, the saved private key is extracted through the EEG authentication information. The EEG device sends the digital signature to the server. The server verifies whether the digital signature from the EEG device has been forged or altered, using a private key.
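The two phases above, as an added example that is not code from the paper (Go, with Ed25519 standing in for whichever key algorithm the device would use): the server keeps only the public key the EEG device registers, and at authentication it checks the signature over its fresh challenge with that stored public key, matching what the registration phase above says the server saves. The names fidoServer, eegAuthenticator, register and authenticate, the six-character security-code alphabet and the 20% theta/alpha tolerance used for user verification are assumptions, and the attestation sent at registration is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"math"
)

// fidoServer is the server side of Figure 5: it stores only each user's public key.
type fidoServer struct{ pubKeys map[string]ed25519.PublicKey }
func newServer() *fidoServer { return &fidoServer{map[string]ed25519.PublicKey{}} }

// eegAuthenticator is the user device: its security code, the theta/alpha ratio enrolled while the
// user recognised that code, and the private key it releases only after that ratio is re-checked.
type eegAuthenticator struct{ securityCode string; enrolledRatio float64; priv ed25519.PrivateKey }

// newSecurityCode uses a secure random source, as the registration phase requires (ASCII alphabet assumed).
func newSecurityCode() string {
	const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
	b := make([]byte, 6)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read must not silently yield a weak code
	}
	for i := range b {
		b[i] = alphabet[int(b[i])%len(alphabet)]
	}
	return string(b)
}

// register: the device generates the key pair; the server keeps only the public key.
func register(s *fidoServer, user string, enrolledRatio float64) (*eegAuthenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &eegAuthenticator{newSecurityCode(), enrolledRatio, priv}, nil
}

// authenticate: a fresh challenge per request (so a captured signature cannot be replayed),
// EEG user verification gating the signature, then verification with the registered public key.
func authenticate(s *fidoServer, user string, a *eegAuthenticator, liveRatio float64) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("no registered public key for user")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if math.Abs(liveRatio-a.enrolledRatio) > 0.2*a.enrolledRatio { // 20% tolerance: assumption
		return errors.New("EEG user verification failed: private key not released")
	}
	sig := ed25519.Sign(a.priv, challenge)
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}
```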

4. Evaluation of the proposed method

This study extracted the user's raw EEG signals using Neurosky's MindWave EEG device and developed a program which divides such signals by band. For EEG extraction, raw signals measured by the EEG device were obtained using Neurosky's MindWave API. Then a program which separates them according to the data format was developed using Visual Studio 2010. For the extraction of raw EEG signals, the raw signal intensity range was set to -2048 through +2047, and samples were taken 512 times per second. Each EEG signal's features were then obtained by dividing the raw EEG signals into the following bands: delta (0.5-2.75 Hz), theta (3.5-6.75 Hz), low-alpha (7.5-9.25 Hz), high-alpha (10-11.75 Hz), low-beta (13-16.75 Hz), high-beta (18-29.75 Hz), low-gamma (31-39.75 Hz), mid-gamma (41-49.75 Hz). Figure 6 below shows the results of extracting the user's EEG signals by band.


Figure 6 Extraction of User’s EEG by Bandwidth

EEG signals before and after a user recognizes a security code were measured and modeled through learning. When a user recognizes the security code's specific string, the maximum EEG signal increases in all bands except delta and high-gamma. In the analysis of the ratios of EEG signals before and after a user recognizes an object, the theta-alpha ratio revealed the greatest change in intensity. Figure 7 below illustrates the measured changes in EEG signal ratios through the recognition of specific objects.

Figure 7 Measurement of EEG Signals Ratio changes through Recognition of Specific Objects
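An added example, not code from the paper (whose program was built in Visual Studio 2010 against the MindWave API), that splits a raw signal into the eight bands listed in section 4 and computes the theta/alpha ratio whose before/after change section 4 reports. The 512 samples per second and the -2048..2047 range come from the page; the four-second synthetic signal, the direct DFT used in place of the device's own band output, and the function names are constructed assumptions.

```go
package main

import "math"

const sampleRate = 512 // raw samples per second, as stated in section 4

// Band edges in Hz, exactly as listed in section 4 of the paper.
var bands = []struct{ name string; lo, hi float64 }{
	{"delta", 0.5, 2.75}, {"theta", 3.5, 6.75}, {"low-alpha", 7.5, 9.25},
	{"high-alpha", 10, 11.75}, {"low-beta", 13, 16.75}, {"high-beta", 18, 29.75},
	{"low-gamma", 31, 39.75}, {"mid-gamma", 41, 49.75},
}

// bandPowers evaluates the DFT directly at each bin up to 50 Hz and adds its power to the band containing it.
func bandPowers(raw []int16) map[string]float64 {
	n := float64(len(raw))
	step := sampleRate / n // bin spacing in Hz: 0.25 Hz for a 4 s window
	out := map[string]float64{}
	for i := 1; float64(i)*step <= 50; i++ {
		f := float64(i) * step
		w := 2 * math.Pi * f / sampleRate
		re, im := 0.0, 0.0
		for k, s := range raw {
			re += float64(s) * math.Cos(w*float64(k))
			im -= float64(s) * math.Sin(w*float64(k))
		}
		for _, b := range bands {
			if f >= b.lo && f <= b.hi {
				out[b.name] += (re*re + im*im) / n
				break
			}
		}
	}
	return out
}

// thetaAlphaRatio is the feature the paper reports as changing most; alpha = low-alpha + high-alpha.
func thetaAlphaRatio(p map[string]float64) float64 {
	return p["theta"] / (p["low-alpha"] + p["high-alpha"])
}

// ratioChange is the relative change in theta/alpha from before to after recognition.
func ratioChange(before, after []int16) float64 {
	r0, r1 := thetaAlphaRatio(bandPowers(before)), thetaAlphaRatio(bandPowers(after))
	return (r1 - r0) / r0
}

// syntheticRaw is a CONSTRUCTED stand-in for 4 s of MindWave raw output: a 5 Hz theta tone plus a
// 10.5 Hz high-alpha tone and a broadband chirp as noise, clipped to the paper's -2048..2047 range.
func syntheticRaw(thetaAmp, alphaAmp float64) []int16 {
	raw := make([]int16, 4*sampleRate)
	for k := range raw {
		t := float64(k) / sampleRate
		v := thetaAmp*math.Sin(2*math.Pi*5*t) + alphaAmp*math.Sin(2*math.Pi*10.5*t)
		v += 20 * math.Sin(0.37*float64(k*k))
		raw[k] = int16(math.Max(-2048, math.Min(2047, math.Round(v))))
	}
	return raw
}
```

Doubling the theta amplitude while holding alpha fixed quadruples theta power, so the ratio change comes out close to 3.0; real samples from the device would replace syntheticRaw.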

5. Conclusions and Future Work

Biometric information is attracting attention as an authentication means that can replace existing means such as passwords. Debate on a FIDO authentication technology standard began in recognition of the problems of the password authentication method.

Biometric technology has already begun to be used in fintech, where IT technology and financial systems are merged. In this paper, we proposed a user authentication method in the FIDO environment using the EEG signal, one of the biometric modalities. When the user recognizes the security code, the user is authenticated using the changed EEG signal. A signal ratio was used for authentication with the EEG signal, and the theta/alpha signal ratio changed the most. In the future, we plan to study how to authenticate users by standardizing EEG signals over time without using fingerprints.


Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B03032876).

References

[1] DOBKIN, Bruce H. Brain–computer interface technology as a tool to augment plasticity and outcomes for neurological rehabilitation. The Journal of physiology, (2007), 579.3: 637-642.

[2] WOLPAW, Jonathan R.; MCFARLAND, Dennis J.; VAUGHAN, Theresa M. Brain-computer interface research at the Wadsworth Center. IEEE Transactions on Rehabilitation Engineering, (2000), 8.2: 222-226.

[3] COSTIGAN, Neil. Behavioural Biometrics–A New Era of Security. The FinTech Book: The Financial Technology Handbook for Investors, Entrepreneurs and Visionaries, (2016), 109-111.

[4] MACHANI, Salah, et al. FIDO UAF Review Draft Spec Set. FIDO Alliance Proposed Standard, (2014), 1-202.

[5] LINDEMANN, Rolf, et al. FIDO UAF Protocol Specification v1.0. FIDO Alliance, (2014).

[6] MACHANI, Salah, et al. FIDO UAF architectural overview. FIDO Alliance, (2014).

[7] FIDO, UAF. Protocol Specification. FIDO Alliance Implementation Draft, 02 February (2017).

[8] PFURTSCHELLER, Gert, et al. Mu rhythm (de) synchronization and EEG single-trial classification of different motor imagery tasks. NeuroImage, (2006), 31.1: 153-159.

[9] DONCHIN, Emanuel; COLES, Michael GH. Is the P300 component a manifestation of context updating?. Behavioral and brain sciences, (1988), 11.3: 357-374.

[10] MAMPUSTI, Ella T., et al. Measuring academic affective states of students via brainwave signals. In: 2011 Third International Conference on Knowledge and Systems Engineering. IEEE, (2011). p. 226-231.

[11] MARTINOVIC, Ivan, et al. On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces. In: USENIX security symposium. (2012). p. 143-158.

[12] CHUANG, John, et al. I think, therefore i am: Usability and security of authentication using brainwaves. In: International Conference on Financial Cryptography and Data Security. Springer, Berlin, Heidelberg, (2013). p. 1-16.

[13] SAŁABUN, Wojciech. Processing and spectral analysis of the raw EEG signal from the MindWave. Przeglad Elektrotechniczny, (2014), 90.2: 169-174.

[14] KATONA, Jozsef, et al. Speed control of Festo Robotino mobile robot using NeuroSky MindWave EEG headset based brain-computer interface. In: Cognitive Infocommunications (CogInfoCom), 2016 7th IEEE International Conference on. IEEE, (2016). p. 000251-000256.

[15] KATONA, J., et al. Evaluation of the NeuroSky MindFlex EEG headset brain waves data. In: Applied Machine Intelligence and Informatics (SAMI), 2014 IEEE 12th International Symposium on. IEEE, (2014). p. 91-94.

[16] Kumar NM, Mallick PK. The Internet of Things: Insights into the building blocks, component interactions, and architecture layers. Procedia computer science. (2018) Jan 1;132:109-17.
