top of page

Muscle Memory Authenticator: Proposal 

Problem Statement

Traditional authentication methods (such as password information) tend to be burdensome or inefficient for many users, causing them to be used in an insecure manner. EMG technology can provide secure platform for biometric authentication, alleviating the insecurities associated with traditional methods. Not exclusive to current digital platforms, passwords have been in use since ancient times to get access into secret societies and as an authentication tool. This method of authentication is based on the assumption that only certain unique individuals will have access to that information, that is the password. The issue with this approach to authentication is that (1) passwords don’t bind to an individual’s identity, allowing any (possibly unintended) users access to resource. (2) Passwords can be easily forgotten, burdening users with the necessity of remembering the phrase, or encouraging the insecure practice of reusing the same passwords. Biometric authentication systems alleviate most of the issues associated with passwords. Through some uniqueness in our character, or physicality (such as fingerprints, retinal patterns, facial structures), biometric authentication systems bind some uniqueness of individual character to the individual’s identity. We propose a novel platform of biometric authentication using noninvasive, commodity hardware in the Myo by Thalmic Labs [1] to capture electromyographic (EMG) muscle signals to be used towards authentication of the wearer. Our key insight lies in the leverage of muscle memory which seems to be unique per individual. Such repeatable patterns of movement, ideally unique across all possible users, could be mapped from the EMG wave patterns to a signature specific which only a single user has the ability to possibly generate. This technology may be used to (1) supplement password entry (allowing for a two-step authentication system) which reduces the importance of complicated passwords, or (2) define a standalone method of authentication, solely composed of mappings to the uniqueness of an individual’s EMG signals. This approach to biometric authentication does not fall to the current state of the art biometric authentication systems. Retinal scans, being limited to well lit environments, and fingerprints susceptible to forgery. A seemingly similar service is provided by Coursera in their typing pattern based authentication. Users’ typing patterns are used to gauge whether or not the same individual is present in all submissions through a particular course. This design tends to fail open with users with typing styles unrefined enough to be duplicated by some other similarly unrefined users. Users whom do not carry a measurable enough pattern may not be effectively authenticated. Our proposed approach should account for such lack of refinement through other very subtle movements and features of typing which are not exposed through a keyboard-only interface. Another motivation for these kind of system, is for Alzheimer’s patients who suffer from memory loss and thus face higher difficulty in remembering passwords that are mostly used for authentication. For these patients it will be a boon if such systems exists that they just need to wear and type some arbitrary or predefined words and based on the EMG signals generated get authentication to various websites and forums. We think that our Muscle memory authenticator will significantly influence the way generally old people (who are more prone to not remembering passwords) use forums and websites which require authentication effortlessly.

Needfindings

Surveys, interviews and observations are the three need-finding techniques that will be used to gather information in this project. Interviews provide valuable, critical insight into user-interaction and experience. Participants will be selected for an interview through stratified sampling taken from the beta-tester population. That is, the beta-testers of the device will be categorized based off of university status- professor, upperclassman student, freshman, etc. with individuals randomly selected from each group to provide feedback. Through one-on-one interviews, we hope to garner implicit insight of the users’ experience with the device and application- particularly that of which may not have been pertinent from observations or surveying. Convenience sampling will be used to recruit participants as well as social media advertisement. The drawbacks of this sampling method are potential limitations in student disciplines and grade-distribution. Utilizing social media may also limit user diversity as only certain populations may be able to access certain pages such as a specific individual’s Facebook feed or the ”UR Class of 2020” group chat. 

Interviews

Interviews

A better way to obtain insights about ease of password entry is to talk to users.  It would be very simple since nearly everyone with devices use passwords.  We can ask questions similar to the survey questions.  When anecdotes of having difficulty with passwords are shared, we can probe these in more depth.  We can seek representatives from various groups thought to have difficulty with password entry such as people with physical disabilities and the elderly.

 

 

 

The following is the general schema of the interviewing process:

​

1.Introduction-Do you think security is important for authentication mechanism ? Are you satisfied with the authentication mechanisms that are currently available(like passwords PINs) ?    How has your general experience been with passwords? Do you ever have trouble/worry about password authentication?
 2. Kickoff- What are the types of passwords that you use? What password methods do you think are the strongest? Weakest? 
 3. Build Rapport- How was your experience with the Myo device? How do you think it compared with your usual password methods?
 4. Main Experiment- What did you like most about the device? What was most effective? What was the least effective? Do you think you personally would use this device in the future? Or would you recommend to someone and/or a person of a specific audience?
 5. Reflection- What kind of wearables would you feel comfortable with? If any, state why?
 6. Wrap-Up- What would your most ideal experience be if you were using muscles as a method of password authentication? Any general comments/feedback?

Interview Questions

Surveys

Surveys will also be used to assist with user feedback in this project because of their ability to quickly capture users’ explicit opinions in a short time span. The survey will be created via Google Forms and will be distributed to all persons that will interact with the device. The quantitative data collected will be of utmost use in examining users’ opinions regarding the application interface, ease of use, etc. to both implement future design decisions as well as areas of improvement. Users will be asked to fill out the survey immediately after product assessment and interaction. Below are the a list of the survey questions that will be asked:

Survey Questions

The following is a link to the Google Survey form that was sent out: 

​

https://goo.gl/forms/fP6oR5M9TzBhYAit2

​

Observations

It is necessary to exercise some caution here as we will be observing people enter their passwords, a private act. We would take care not to look at the keyboard so that people feel comfortable. It is also important to be aware of the Hawthorne effect. Subjects may change their behavior when they are being observed. For example, they could take more care in entering the password. We want to see how comfortable users are when they authenticate. We also want to see how physically disabled people interact with authentication methods. How “hard” do they work to enter the password? Could that action be abbreviated? Do they have to reach for the keyboard? Do they exhibit any annoyance? Otherwise, there isn’t much observation to be done because it is inherently a private act too easily influenced by observers’ presence and it would be unethical and unfeasible to do so without subjects’ knowledge.

Prototyping 

For this project, we will be using the prototype technique of storyboarding to incrementally develop our system. Storyboarding is able to best accomplish our interests with regards to design because a large portion of our project isn’t necessarily the interface itself, but rather the tasks it is going to accomplish. The storyboard outline will focus on the setting and sequence of the actions and tasks. Because an additional device (Myo) is used aside from our application, it is important to consider where one might use the application taking into account how portable and convenient the Myo device is for the user. This information will also assist in understanding the primary target audience of our application or what motivates a user to use such an application. Because of lack of time needed to create a storyboard, we will continuously create multiple storyboards (apart from the initial prototype) as we garner user feedback and opinions. In reference to prototype breadth and depth, the prototype sequence will focus much more on functionality of the design rather than the features. This is because the application does not have a wide-variety of features. Instead, it focuses strictly on how one’s muscles can serve as a unique identifier. Hence, it is much more significant to concentrate on the extent to which the application can identify a user and how protective the identifier is in contrast to other small features that may be offered in the application. Below is a low fidelity initial storyboard of our application:

 

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

 

 

Based off the prototype, we found that it is important to focus on the relationship between the Myo and the application that is, instead of centering strictly on the target audience of our own device, it of utmost importance to also consider the target audience of the Myo device and adjust our own device accordingly. Moreover, with regards to creating the initial authentication process, it is important to consider what gestures we would like the user to do as well as account for users that make have disabilities that would affect authentication. It was brought to our attention that though the storyboard prototype was effective with respect to user interaction, it would be wise to a storyboard of each interface-builder to focus on the actual design of the advice. From this feedback, another prototype will be created at the next meeting.

Implementation

Our designs for EMG-based authentication in this project, will be encompassed behind a Google Chrome-based browser extension. Although the intended scope for a biometric authentication system should be expanded to further applications, such as a mobile authentication service, this sets a feasible goal for the given time frame of the project.

Back-End

Two primary methods of pattern recognition will be utilized to effectively identify users based off EMG signals. First, methods of non-parametric sampling [2] to achieve effective texture synthesis will be experimented with due to the similarity of EMG signals and 1 dimensional textures. Second, audio recognition techniques can be utilized due to EMG signals’ similar behavior. In particular, Shazam’s methodology of audio fingerprinting [3] proves to be applicable to this data space.

Texture Synthesis Methods

In Efros and Leung’s paper discussing Texture Synthesis and Non-parametric Sampling, textures (EMG signals for our study) are modeled as Markov Random Fields (MRFs). Effectively, a particular data point in the texture (or our EMG series) is dependent on a finite set of neighboring points. During texture synthesis, a new point is generated by finding an existing point in the series which maximizes the similarity of neighboring points. This is done using a sliding window technique, where only points within the window are considered to be neighboring. The sliding window is moved across the image in texture synthesis, and a distance is calculated between the set of neighboring points of the current point of interest, and the neighboring points around the center of the sliding window. This distance (or dissimilarity) is minimized so that a suitable point is selected for synthesis. In our approach we shift the set of neighboring points to those which precede the point of interest in the EMG series. In a similar manner we measure the dissimilarity between an authentication attempt and points which comprise of a users EMG patterns. After selecting a point which minimizes dissimilarity, we can require it to be below a particular threshold value to indicate the positive identification of a user. If no point can be found to produce a dissimilarity below the threshold, the user will pass authentication.

Audio Fingerprinting 

The second method we propose for pattern matching is based off Shazam’s approach to matching audio signals to particular tracks. They use a combinatorial hashing procedure to create signatures for audio tracks. This has the added benefit of effectively shrinking the search space down quite considerably – rather than searching for patterns over a continuous audio signals, a discrete set of points, orders of magnitude smaller than the audio files, is used to match tracks. Only peaks in their audio signals are considered. It is information at these peaks which is used in calculating the signature of an audio file. Similarly, smaller signatures are created for audio captured by a microphone. Our approach utilizing this methodology needs requires some slight modification due a crucial difference in our expected data sets. Audio files and playback will generally have much less temporal variation than the EMG signals we expect to record. As such, the intervals between peaks within the data series will need to be adjusted to a much lower resolution (instead of seconds, we may record in 5s of seconds).

Front-End

As mentioned before, the front end will be built as a Google Chrome extension. Using the JavaScript APIs, we will implement an interface tied to a user’s Google account. The extension will manage launching data collection scripts and further invoking the previously discussed back-end analysis procedures. As a first step, the interface will supplement the login interface to act as a two-step authentication system. A following goal will be to allow for users to achieve an “always logged in” system which authenticates users in real-time, and blocking out unidentified users when unusual activity is recognized.

Evaluation

User Evaluation

Get a mixture of people for the study,some who are proficient in typing ,some who are average and some who are not very experienced with typing.Also we can check our prototype with Alzheimer’s patients.Running experiments on participants is essential to understand the level of proficiency in typing they have (something like typeracer can be used), this will help us to set baselines for each participants. Counter balancing technique will be used, we will divide the participants into two groups based on the baseline we got, one group will use the generic password authentication technique of a website first (say Facebook) and then our prototype and the other group will use our prototype first and then the website which requires passwords. At the end they will need to fill up a survey and answer some questions in an casual interview that will give us some feedback and insight on how our prototype works. For the low fidelity prototype testing we hope to have at least 16-20 participants to test the uniqueness of the EMG pattern.As for the final working product we should have near about 30 participants to get appropriate feedback on our product.Recruiting students as participants from various departments of the university will ensure that we have the right balance of people (as computer science students tend to be more proficient with typing on a keyboard than others ). Incentives can be provided to attract participation.

Evaluation

Parameters of Evaluation

Certain metrics that can be used to measure that the proposed solution is better than what exits today are:

 

1) Computation cost of storing an encrypted password and then matching it with a decrypted version for authentication versus storing the signature EMG for a person.

 

2) Ease of authentication. This can be measured from the feedback of the users, like whether they have to stress themselves to get authenticated or not. (like trying hard to remember passwords).

​

3) Is it helpful to Alzheimer’s patients who can’t remember passwords.

 

4) Security of our method. It is speculated that it will be difficult to imitate the EMG waves generated by a person in consciousness. Fingerprints can be used of a person, who is not conscious or dead. There are other methods of duplicating fingerprints by using some imprint gloves. For retina scan and facial recognition good source of light is required.

Fallback Solution

It may so happen that in our trials we find that EMG waves generated from people are not unique. Two-step mechanism will attempt to extract some sort of signature from the trials, supplementing a PIN, both to be used together for authentication. Even in the case of following a two-step authentication system (the biometric supplemented by a pin), the user would be less burdened with requiring to remember a password for authentication. The two-step approach still shifts a portion of the authentication away from the memory of the user, and more towards some identifying information of the user. Further, the two-step biometric & pin mechanism would add more security than a single-step password mechanism.

Alternative Solutions

If we cannot have access to Myo hardware, we can use other electromyograph circuits such as the MyoWare Muscle Sensor (https://www.sparkfun.com/products/13723). It is also possible to build our own EMG circuits (http://www.instructables.com/id/DIYElectromyography/). Jeff has plenty of microcontrollers that can be “donated” to this project. These commodity sensors would allow much more flexibility with regard to which measurements can be recorded. The armband approach would be limited to readings over the arms or calves, while individual sensors could record data from any of a subject’s exterior muscles. Although much cheaper and more flexible, the commodity of these products comes with a significantly larger margin of effort required to assemble a working system. The Myo Armband not only provides the hardware existing on the device, but also a set of libraries and documentation, contributing to a smoother development environment for our study.ii If it turns out that the software cannot reliably use EMG signals to authenticate users, we can use EMG signals as a second factor in authentication. We also could use EMG signals as a form of password entry. We also could try using the accelerometer signals instead of the EMG signals. If electromyography is still too immature for our purposes, we can explore other novel authentication techniques. We could look at ways to authenticate with EEG signals or eye gaze tracking.

References

1] Myo, by thalmic labs, 2013. https://www.myo.com/.

[2] Alexei A Efros and Thomas K Leung. Texture synthesis by non-parametric sampling. In Computer Vision, 1999. The Proceedings of the Seventh IEEE International Conference on, volume 2, pages 1033–1038. IEEE, 1999. [3] Avery Wang et al. An industrial strength audio search algorithm. In Ismir, volume 2003, pages 7–13. Washington, DC, 2003.

bottom of page