2023 IEEE 43rd International Conference on Distributed Computing Systems (ICDCS)
P 2Auth: Two-factor Authentication Leveraging PIN
and Keystroke-induced PPG measurements
Yuchen Su, Guoqing Jiang, Yicong Du, Yuefeng Chen, Hongbo Liu, Yanzhi Ren
University of Electronic Science and Technology of China
2023 IEEE 43rd International Conference on Distributed Computing Systems (ICDCS) | 979-8-3503-3986-4/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICDCS57875.2023.00074
Chengdu, China
Corresponding author:Hongbo Liu
Huan Dai
Suzhou University of Science and Technology
Suzhou, China
Abstract—Personal Identification Number (PIN), as one of the
primary means of protecting digital properties and privacy on
mobile devices, has been suffering from shoulder surfing attacks
and weak password guessing for the long term. Recent years
witness the growing interest in two-factor authentication that
takes advantage of two different ways for mutual verification,
thereby strengthening user authentication’s accuracy and reli-
ability. Especially with the popularity of smartwatches, more
physiological signals are readily available to facilitate two-factor
authentication. This paper presents a lightweight and unob-
trusive two-factor authentication scheme, P 2 Auth, integrating
the PIN and unique keystroke-related Photoplethysmography
(PPG) measurement on wearables. Specifically, we propose the
transformation of the multivariate PPG signal induced by the
keystrokes to extract reliable biometric features. We develop
short-time energy-based methods to identify the input cases,
thus enabling support the authentication for both one-handed
and two-handed input cases. Furthermore, we also consider the
situation where there is no fixed PIN and design a new enhanced
privacy scheme by combining the PPG measurements of different
keystrokes to improve authentication security. The experiments
involving 15 volunteers demonstrate that our prototype system
can achieve an average authentication accuracy of over 95% for
one-handed cases and over 90% for two-handed cases.
Index Terms—Two-factor authentication, Photoplethysmogra-
phy (PPG) measurements, PIN-induced keystrokes, wearable
device
I. I NTRODUCTION
Authentication, as a crucial way to protect the digital
properties and privacy, is becoming increasingly important for
ubiquitous smartphones. Once the authentication mechanism
is breached, it can lead to privacy leakage and even seri-
ous economic loss. Comparing to conventional authentication
methods (e.g., PIN and biometrics) that are vulnerable to either
inference attacks or replay attacks, two-factor authentication,
emerging in recent years, combines multiple authentication
factors to ensure system security. In the meanwhile, the rise
of smart wearable devices has enabled a wealth of sensory
information to facilitate two-factor authentication. As one
of the most popular wearable devices, smartwatches are the
natural companions for smartphones to facilitate two-factor
user authentication and enable various authentication tech-
2575-8411/23/$31.00 ©2023 IEEE
DOI 10.1109/ICDCS57875.2023.00074
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
Email:hongbo.liu@uestc.edu.cn.
Yan Wang Shuai Li Yingying Chen
Temple University University of Oulu Rutgers University
Philadelphia, USA Oulu, Finland New Brunswick, USA
8VHU
33*6LJQDO
濄 濅    
濇 3,1
濊
$WWDFNHU
33*6LJQDO
J
Fig. 1: Basic idea of P 2 Auth
nologies, including: motion-based, voice-based, and biometric-
based. The motion-based approaches require the user to set a
specific gesture [1] [2], so the authentication process requires
additional effort and the gestures can be easily observed and
imitated by attackers. The voice-based approaches use audio
devices (i.e., microphones and speakers) to aid authentication
[3]. However, these approaches are susceptible to ambient
noise and replay attacks [4]. The biometric-based approaches
use the unique physiological information to facilitate au-
thentication, while many of them require the deployment of
additional sensors and thus have extra costs [5]. In contrast,
PPG is much more widely used due to its simplicity and
inexpensiveness. Recently, Shang et al. [6] exploit PPG for
authentication, but it asks the user to make a large action in
authentication and also has a relatively large computational
overhead.
To overcome the limitations of the aforementioned ap-
proaches, we propose a new two-factor authentication system,
P 2 Auth, leveraging the PIN and PPG measurements during
keystrokes on wearables to protect private data, as shown
in Figure 1. Through our empirical study, we find that the
keystroke-induced PPG measurements are specific to each per-
son due to the differences in human tissue structure, wearing
and keystroke habits. This inspires us to combine the PIN
with the keystroke-induced PPG measurements for two-factor
authentication, which does not require additional involvement
beyond the PIN input process and can be better accepted by
726

33*
VHQVRU
/(' 3'
(SLGHUPLV
'HUPLV
5DGLDO
DO %ORRG 9HVVHOV
DUWHU\\
8OQDU
DUWHU\
Fig. 2: Illustration of PPG sensor working principle.
users. We also find that the PPG measurements reveal the
unique gestures for the same user [7]. Therefore, it inspires us
that the authentication system can be designed to eliminate the
necessity of setting fixed PINs on smartphones. To enhance the
system’s security, we also deploy waveform fusion for privacy
enhancement.
Although the idea looks intuitive, several challenges should
be addressed before realizing the proposed system. The
keystrokes for PIN input on smartphones only involve subtle
thumb movements, resulting in slight changes in the PPG
measurements on smartwatches. Thus it is essential to ex-
tract more effective features to facilitate the authentication
process. Furthermore, the computation resources on wearable
devices are relatively limited, which contradicts to the real-
time requirement of authentication process, so our authenti-
cation system should be lightweight while maintaining high
reliability. Meanwhile, it is challenging to accurately detect
the keystroke event and locate the start and end points of
the corresponding PPG measurements. In addition, the noisy
PPG measurements have a significantly negative impact on
authentication accuracy. Therefore, it is crucial to extract
robust features that remain consistent over time from the noisy
PPG measurements.
To address these challenges, we use a ROCKET-based
approach to extract PPG features, which achieve both high
robustness and low computational overhead. In addition, the
keystroke time is accurately determined by fine-grained cali-
bration using extreme point search. Also, the motion artifacts
and baseline drift are effectively removed to enable the identifi-
cation of PIN input cases. In summary, we make the following
main contributions:
• We propose P 2 Auth, a lightweight two-factor authen-
tication system that uses both the PIN and keystrokes-
induced PPG measurements to verify the legitimacy of
the users’ identities. Our method can achieve accurate,
real-time and robust user authentication on commercial
devices. More importantly, no additional user involve-
ment is required.
• We develop a short-time energy based method that ef-
fectively identifies the cases of user input, support both
one-handed and two-handed input. Furthermore, we also
explore the authentication of users without a fixed PIN.
• To improve the protection of user biometrics, we devise
727
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
a waveform fusion approach for security enhancement.
Without extra overhead, we increase the security of the
system while preserving the habit of entering PINs.
• We build a prototype system and conduct extensive exper-
iments with commercial PPG sensors. The experimental
results show that the authentication accuracy of P 2 Auth
can reach as high as 98% in a one-handed case and over
83% for other cases with a rejection rate of 98% under
the attacks.
II. R ELATED WORK
With the continuous development of smart devices and
mobile communication, mobile authentication serves as the
first line of defense for the security of the transmitted data.
To safeguard against illegal access to sensitive private infor-
mation on mobile devices, the devices initially conduct user
authentication with one factor due to its low cost and user-
friendliness [8] [9]. In general, there are three authentication
factors: 1) knowledge factor (e.g., passwords); 2) ownership
factor (e.g., tokens and smartphones); and 3) biometric factor
(e.g., voices, facial features [10], and fingerprints). Despite
the ease of use, one-factor authentication usually suffers from
various attacks and only provides weak authentication capa-
bilities [11]. In the case of knowledge-based authentication,
for example, utilizing a password makes it easy to determine
the legitimacy of a user’s identity, while the password can be
compromised by launching brute force attacks [12] or applying
social engineering techniques [13]. Therefore, some additional
requirements for password complexity must be satisfied, but
it is shown that increasing the length of passwords from 4 to
6 digits still does not directly result in a significant security
improvement [14].
To provide more secure mobile authentication than using a
single factor, two- or multi-factor authentication is proposed
to deny unauthorized access by integrating more than one
authentication factor. For example, Safe et al. [15] conduct
two-factor authentication by utilizing a gaze tracker to input a
graphic secret and asking the user to show the face and gaze
at a secret icon moving across the screen. Also, Kim et al.
[16] propose an enhanced multimodal authentication method
by combining multiple biometric traits (e.g., face, teeth, and
voice) captured from a mobile device equipped with a camera
and a microphone. However, the above two- or multi-factor
authentication methods require the mobile devices to carry
additional output devices, thus restricting their adoption in
daily use.
As emerging sensing capabilities are integrated into mobile
devices, many researchers start to collect multiple factors for
mobile authentication without incurring additional costs or
efforts. EchoPrint [17] leverages acoustic sensing and visual
features on commodity mobiles for two-factor authentica-
tion. Moreover, Typing-Proof [18] enables user authentication
without the involvement of significant costs by combining
two factors: the password and the proximity of a mobile
phone to a computer. Despite their low costs and ease of
use, the performance of these approaches can be degraded
 (a) PPG sensor 1
Fig. 3: PPG measurements for different keystrokes of a volunteer.
by the effects of ambient noise. Shang et al. [6] apply a
relatively stable authentication source, photoplethysmography
(PPG) signals, to authenticate users on smartwatches, while
their scheme requires users to make an expressive hand gesture
in authentication, which usually greatly impacts the user’s
experience. Different from the existing work, we leverage
the changes of PPG measurements caused by keystrokes for
mobile authentication. Without extra user involvement, our
method can be deployed on commercial devices at a low cost.
III. F EASIBILITY S TUDY
A. Key insights
PPG sensors have been increasingly deployed in wearable
devices for heart rate monitoring over the past decade. As
shown in Figure 2, a PPG sensor usually consists of a couple
of LEDs and a photodetector (PD). The light emitted by the
LEDs is partly absorbed and reflected by the tissue, while
photodetectors are used to measure the intensity of reflected
light, capturing the changes in blood volume in the tissues. The
periodical changes of blood volume in vessels are caused by
heartbeat, and the heartbeat cycle can therefore be obtained
by analyzing the period of the change in the reflected light
intensity from the PPG measurements. In general, the wrist and
finger movements introduce some motion artifacts into PPG
measurements while measuring heartbeat rate [19]. However,
in recent years, some researchers attempt to take advantage of
such artifacts to recognize the hand gestures [7]. Inspired by
related work, we further observe that the PPG measurements
are different across different users when they are performing
the same hand gestures.
Most of the users unlock the smartphones by typing PINs
with their thumbs, and the keystroke-induced thumb move-
ments cause a series of complicated wrist muscle movements
and different degrees of vascular deformation , resulting in
changes in PPG. Similarly, the signal changes caused by
728
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
(b) PPG sensor 2
keystrokes vary significantly for different users. The differ-
ences in physiology and keystroke habits can be sensitively
captured by PPG sensors so that users can be differentiated.
For a specific individual, different keystrokes bring about dif-
ferent pulse patterns, resulting in different PPG measurements.
Such patterns can be used to distinguish different actions of the
same user. Inspired by these observations, it comes to us that
the combination of PIN and keystroke-induced PPG changes
allows for the senseless two-factor authentication.
B. Preliminary Study
To verify the soundness and feasibility of the above insights,
we conduct preliminary experiments by asking the volunteers
to imitate entering PINs on smartphones. Specifically, each
user is asked to wear a wristband with two PPG sensors fixed
on the inner side of the wrist, entering a four-digit PIN every
three seconds. Our system will record the period of keystroke
and keystroke-induced PPG samples. We conducted an 8-week
long experiment involving 5 volunteers and collected over
2000 samples in total.
Through the analysis on the collected PPG samples, the
following insights are drawn:
• The same keystroke-induced PPG measurements from
different users are always highly different, confirming that
they can serve for distinguishing the users’ identities.
• The PPG patterns of the same user are different when
tapping different keys as shown in Figure 3, where ar-
ranged according to the layout of the PIN pad. Sensors 1
and 2 are attached at both sides of the wrist, respectively.
• Keystroke involves blood volume changes in the mi-
crovascular bed of tissue and therefore could produce
more pronounced peaks or troughs in the PPG measure-
ments relative to the heartbeat and other noise.
• Additionally, the PPG measurements maintain a consis-
tent pattern over time, enabling to extract robust biometric
features and avoid frequenct updating.
 WW'ĂƚĂŶĚ PIN. However, the noise and baseline drift introduce nonnegli-
<ĞLJƐƚƌŽŬĞdŝŵĞ gible interference. Hence, the authentication for different input
cases remains challenging.
D. Attack Model
EŽŝƐĞZĞŵŽǀĂů
We consider two typical attacks for our proposed authenti-
&ŝŶĞͲŐƌĂŝŶĞĚ<ĞLJƐƚƌŽŬĞdŝŵĞĂůŝďƌĂƚŝŽŶ cation system.
Random attack (RA). The attacker is unaware of the vic-
W/E/ŶƉƵƚĂƐĞ/ĚĞŶƚŝĨŝĐĂƚŝŽŶ
tim’s information, so it can only enter random PINs to pass
ůĂƐƐŝĨŝĐĂƚŝŽŶ the user authentication. Except for taking advantage of the
W/E proposed authentication algorithm deployed on the proposed
ĂƚĂďĂƐĞ
system, any prior knowledge is not required for the attackers.
This attack places the fewest demands on the attacker’s abili-
KŶĞ,ĂŶĚ dǁŽ,ĂŶĚƐ W/EsĞƌŝĨŝĐĂƚŝŽŶ ties, making it more difficult to compromise the authentication
tĂǀĞĨŽƌŵ system.
WƌŝǀĂĐLJKK^d
^ĞŐŵĞŶƚĂƚŝŽŶ KŶĞͲŚĂŶĚĞĚ dǁŽͲŚĂŶĚĞĚΘ Emulating attack (EA). The attacker not only understands
EŽW/E the authentication algorithm but also has knowledge of the
ZK<dͲďĂƐĞĚ WƌŝǀĂĐLJ ^ŝŶŐůĞtĂǀĞĨŽƌŵ
&ĞĂƚƵƌĞdžƚƌĂĐƚŝŽŶ KK^d ŚĞĐŬ
victim’s keystroke habits and even the legitimate PIN (e.g.,
by shoulder surfing). By inputting the PIN in a similar way
ƵƚŚĞŶƚŝĐĂƚŝŽŶ &ƵůůtĂǀĞĨŽƌŵ ƵƚŚĞŶƚŝĐĂƚŝŽŶ
DŽĚĞůdƌĂŝŶŝŶŐ ŚĞĐŬ ZĞƐƵůƚƐ/ŶƚĞŐƌĂƚŝŽŶ to a victim, the attackers try to authenticate themselves on
the victim’s wearable devices. This attack poses more security
ƵƚŚĞŶƚŝĐĂƚŝŽŶ risks to the authentication system than the random attack does.
^ŝŶŐůĞ &Ƶůů
tĂǀĞĨŽƌŵDŽĚĞů tĂǀĞĨŽƌŵDŽĚĞů ZĞƐƵůƚƐ
ZĞƐƵůƚƐ Moreover, we assume that the attacker has no access to the
storage of the victim’s wearable devices or the authentication
server, implying that the attacker is unaware of the keystroke-
Fig. 4: Workflow of P 2 Auth. induced PPG measurements.
Our experiments confirm that it is potential to verify the
IV. S YSTEM DESIGN
users’ identities with the keystroke-induced PPG measure-
ments and thereby facilitate two-factor authentication together A. Basic idea
with the PINs. The basic idea of our two-factor authentication system is to
leverage both the PIN and the keystroke-induced PPG pattern
C. Challenges on smartwatches to authenticate the user’s identity on mobile
In order to build a lightweight and unobtrusive two-factor devices. Towards this end, the proposed system needs to go
authentication system based on keystroke-related PPG sam- through three major phases, including preprocessing, enroll-
ples, several major challenges should be addressed beforehand: ment and authentication, and the corresponding workflow is
Accurate keystroke detection. Due to the small range of shown in Figure 4.
keystroke motion and the resulting subtle PPG variations, Preprocessing phase. For both the enrollment and authenti-
it is challenging to detect the keystroke events from the cation phases, the system performs the PPG Samples Prepro-
heartbeat waveform and extract the PPG samples representing cessing containing three modules. First, the Noise Removal
the keystroke motion. To address this challenge, an accurate module filters out the noise in the PPG samples by applying
keystroke detection approach is required to eliminate the a median filter. To accurately extract the PPG samples repre-
impact of the embedded heartbeat component. senting the keystroke action, the Fine-grained Keystroke Time
Robust features extraction. Due to the low sampling rate Calibration module calibrates the time for a true keystroke
of PPG sensors on most commercial wearable devices, PPG moment. Given the calibrated samples, the PIN Input Case
signals are always mixed with ambient noise and motion Identification module differentiates the input cases to support
artifacts. Therefore, it is crucial to extract robust features that the different keystroke habits of users.
keep consistent over time from the noisy PPG samples. Enrollment phase. In this phase, our system asks the user
Lightweight and secure authentication. Considering that to enter a PIN to register while wearing the smartwatch. In
wearable devices are with limited resources, our authentication the one-handed case, the Privacy Boost module takes authen-
system needs to be less computationally expensive. In addition, tication security one step further and is optional for users. In
biometric information leakage poses a significant security risk, the two-handed case, the Waveform Segmentation intercepts
so a new security mechanism should be designed to protect single keystroke induced PPG measurements based on the
PPG patterns from potential attackers. calibrated time. To extract unique features of the keystroke
Reliable usage scenarios recognition. To facilitate generic process, ROCKET-based Feature Extraction performs a feature
use, the proposed authentication system should be able to transformation on the PPG samples. Next, the system performs
support one-handed and two-handed use, even without a fixed Authentication Model Training to train binary classifiers for

729

Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.

(a) Signal after filtering (b) Signal and keystroke times af-
ter calibration
(c) Signal after de-trending (d) Short-time energy of de-
trending signals
Fig. 5: Data preprocessing.
each user. Among the classifiers, the full waveform model
achieves one-handed authentication, and the single waveform
model achieves two-handed and no PIN authentication.
Authentication phase. In this phase, our system takes PIN
and PPG samples for two-factor authentication. PIN Verifi-
cation module first verifies the PIN entered. Then, for the
one-handed case, the system uses the full waveform model to
verify the legitimacy of the PPG samples. For the two-handed
cases, the system selects the single waveform model based on
the input, and then Authentication Results Integration module
combines the results of the single keystroke authentication.
We next introduce each module of our proposed system in
details as follows.
B. Workflow of P 2 Auth
1) Data preprocessing:
1.1) Noise Removal: Given that PPG samples from low-
cost sensors are susceptible to interference from noise, we
apply a median filter to the raw signals, as shown in Figure
5a. This is because median filtering is a non-linear filtering
method that performs well at preserving detailed information
about the signals while filtering out the noise.
1.2) Fine-grained Keystroke Time Calibration: During
the authentication process, P 2 Auth needs to segment the
entire PPG measurement to obtain the signal change caused
by a single keystroke, so it is necessary to obtain the exact
moment of each keystroke.
In the data acquisition, the user’s smartphone records the
start time of the authentication process and the corresponding
moment of each keystroke. However, due to the dynamically
changing communication delay between the smartphone and
the PPG acquisition device, the moments recorded by the
system are still coarse-grained, as shown by the red line in
Figure 5a. Therefore, it is still necessary for the system to
further calibrate the time at a fine-grained level.
730
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
濄
濅
6HQVRU 濉 濊
濋 6HQVRU
濃
6HQVRU
6HQVRU
(a) One-handed keystroke (b) Two-handed keystroke
Fig. 6: Two input cases for user authentication.
Our preliminary study finds that keystrokes always produce
larger peaks and troughs than heartbeats do. Therefore, if
a keystroke exists near the recorded point, it should be the
extreme point that deviates the most from the mean among
all points in the window. Based on the above observation, we
can achieve fine-grained temporal calibration by searching for
suitable extreme points within the window.
To this end, we apply a SG filter to remove locally unimpor-
tant details while retaining the wave’s shape. This is because
there are many local fluctuations near the recorded point in
the PPG measurements, which interfere with the selection of
extreme points. Meanwhile, filtering preserves the detailed
features in PPG measurements, helping with identity infor-
mation extraction and user authentication. Given the filtered
PPG measurements, we apply a peak searching algorithm
to find the candidate set (denoted by S) of extreme points.
Specifically, we formulate the following objective function for
fined-grained calibration of keystroke time::
 
 w 
 1 2

argmax ys − ys+i , (1)
s∈S  w+1 
i=− w
2
where s ∈ S is the extreme point within the window, ys is
the filtered PPG samples, w is the size of the window. At
100Hz sampling rate, the window size is set to 30. Figure 5b
shows the keystroke action point after calibration, where the
deviation from the mean value within the window reaches the
maximum.
1.3) PIN Input Case Identification: To make the system
more user-friendly, P 2 Auth identifies different input cases to
support both one-handed and two-handed typing habits, as
shown in Figure 6. In this step, we first remove motion artifacts
and baseline drift and then analyze the short-time energy of
the filtered signal to achieve input case identification.
The non-linear baseline drift in the original samples can
cause irregular energy variations that interfere with the subse-
quent energy-based analysis. To address this issue, we apply
the smoothness prior approach [20] to remove the trend of
the signal itself. The approach only requires adjustment of
the regularization parameter λ to adjust the baseline drift
estimation. Assuming Y ∈ Rn is the original pulse wave
ˆ ∈ Rn can be expressed as
signal, its detrended signal Ydet
 follows:
ˆ = Y − H θˆλ = [I − (I + λ2 D2T D2 )−1 ]Y,
Ydet
⎡ ⎤
1 −2 1 0 · · · 0 0 0
⎢0 1 −2 1 · · · 0 0 0⎥
⎢ ⎥
D2 = ⎢ . .. .. .. . . . .. .. ⎥ ,
⎣ .. . . . . .. . .⎦
0 0 0 0 · · · 1 −2 1
where H ∈ Rn×m is the observation matrix, I is unit
matrix, θˆλ is the regression parameter, D2 ∈ R(n−2)×n is the
regularization matrix and we use the second order differential
matrix. Figure 5c shows the Ydet ˆ of the original PPG after
removing the baseline trend.
The key to input case identification is to determine whether
there is a keystroke near the calibrated time. After removing
the baseline drift, the PPG measurements near the keystroke
position has a higher energy. Therefore, we use a threshold-
based approach to determine the presence of a keystroke.
Specifically, if the total energy exceeds the threshold in the
time window near the calibrated time, a keystroke event
is considered to be present. Figure 5d shows the result of
calculating the short-term energy. If four keystrokes are suc-
cessfully detected then the one-handed model will be used
for authentication, otherwise the two-handed model will be
adopted. After adjustment, we set the decision threshold to 12
of the mean value of all short-time energy. Set the window
size to 20.
2) Enrollment Phase.
After preprocessing, we register the user data to obtain
the authentication models. First, P 2 Auth processes the PPG
samples separately to support various user habits for different
input cases such as one-handed keystrokes and two-handed
keystrokes. After that, the system uses a rocket-based method
to extract features from the samples. Finally, we build the
binary classifiers for user authentication.
In this study, we consider the legitimate user identification
as a binary classification problem. We divide the identities
of people in the data-set into legitimate users, attackers, and
third parties. Third parties’ data is stored on the smartphone
for model training. Therefore, this paper uses the data in the
following ways:
• Training set: Training data includes part of legitimate
user’s data and a small part randomly extracted from third
parties’ data. In the enrollment phase, the dataset is binary
classified to obtain a user-specific authentication model.
• Test set: The test data includes data from both legitimate
users and attackers. Legitimate user data is used to test
the authentication accuracy of the system, and attacker
data is used to test the rejection rate of random attacks
and emulating attacks.
Here, we describe the enrollment process separately accord-
ing to the different input cases.
2.1) One-handed case: In the case of one-handed input,
the user performs the full four keystrokes. Therefore, the whole
PPG samples can be used for identity authentication instead
of wave segmentation.
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
The PPG sample Pu with user identity u denotes the data
to be classified and y denotes its class (y ∈ {−1, 1}). We
(2)
use {(Pu,s , yu,s ), u = 1, . . . , U, s = 1, . . . , S} to denote a
set of PPG samples associated with the user identity u. U is
the total number of legitimate users and S is the number of
(3)
individual user experiments. The subsequent issue is to extract
user features to identify user identity.
2.2) One-handed Case with Privacy Boost: To reduce the
risk of data leakage in the authentication processing, we pro-
pose a waveform fusion mechanism as an option for boosting
privacy. As a unique physiological information, keystroke-
induced PPG measurement can be used for authentication.
However, once PPG measurements are leaked, the protection
of the system will also be lost. For example, a single theft of
data entered by a user with one hand results in four keystrokes
that can no longer be used. Therefore, we wish to enhance
the security of the system by fusing several different single
keystroke waveforms. We fuse the different waveforms using
an additive method, expressed as follows:

K
S= h
Pu,s , (4)
h=1
where K is the number of individual keystrokes included in
h
the full waveform. Pu,s is the pulse wave of a single keystroke.
Since the fusion of individual waveforms inevitably loses some
useful information and thus reduces the accuracy of authenti-
cation, we make it an optional part of the privacy boost. Our
experiments can show that sacrificing the convenience during
the authentication to significant improvements in security and
privacy protection is acceptable.
2.3) ROCKET-based Feature Extraction: The most criti-
cal part of the enrollment phase is to extract effective features
that represent the user and are resistant to attacks. We try
several feature extraction and classification models for time
series, and find that miniRocket [21] performs well on our
dataset. The miniRocket model uses convolutional kernels to
transform the input time series, achieving high accuracy at
very low computational cost on the UCR archive of benchmark
[22]. In addition, we also try related classification methods
based on manual extraction of features, but this is not as
effective as the above feature extraction models.
In the miniRocket model, the convolution is first calculated
by sampling the input sequence on an exponential scale using
a kernel dilation. The transformation of the original sequence
using the convolution kernel is expressed as follows:

m−1
X ∗Wd = xi− m2 ·d+(j·d) ·wj , ∀i ∈ {0, 1, ..., n−1}, (5)
j=0
where X = [x0 , x1 , ..., xn−1 ] represents the input PPG mea-
surement, d denotes kernel dilation, usually to the exponential
power of 2, and W = [w0 , w1 , ..., wm−1 ] denotes the convo-
lution kernel. Specifically, the number of kernels defaults to
84 and the weights are limited to two values.
The convolutional transform converts the original PPG
measurements into a feature vector and utilizes the proportion
731

(a) Prototype device (b) Device placement
Fig. 7: Experiment Setup.
of positive values (P P V ) to enable a classifier to weight the
prevalence of a given pattern in a time series. P P V is an im-
portant feature that can achieve higher classification accuracy
than many hand-constructed features, which is expressed as
follows:
1 
N
P P V (Z) = sgn(zi ),
N i=1
where Z = X ∗ Wd − b and sgn(·) denotes the sign function.
2.4) Authentication Model Training: After the above
transformations are completed, each sample to be classified
can be transformed into a feature vector of length 10K. We
classify the extracted feature vectors using a ridge regression
classifier with cross-validation, with a linear classifier of the
form:
f (Pu,s ) = w · Pu,s + b, (7)
where w denotes the vector of parameters to be solved for, b
is the constant offset. The regular risk minimization problem
can be expressed as:

m
min L(yi , f (xi )) + λw2 ,
w In the two-handed case, for safety reasons, only cases where
i=1
where L(·) denotes the loss function, and w2 is the 2-norm
of the parameter to avoid overfitting; λ is the coefficient of
the norm. In the end, the authentication result is determined
as:
1 success,
F (Pu,s ) = (9)
−1 f ailure.
2.5) Waveform segmentation: Given that we have ob-
tained precise keystroke moments during the pre-processing
phase, we can intercept in a window near the moment to
obtain PPG samples for individual keystrokes. While there
are some small differences in keystroke speed between users,
it is generally concentrated within a relatively short time
window. The averaging time interval between two keystrokes
is calculated to be 1.1 s. We set the window size to 90 to avoid
overlapping the pulse waveform of adjacent keystrokes.
2.6) Two-handed case and no PIN: After waveform seg-
mentation is completed, the system obtains PPG measurements
for individual keystrokes. Similar to the one-handed case,
the system uses miniROCKET to perform feature extraction
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
on each sample. Next we build binary gradient classifiers
bk , k = 1...K for each keystroke. The reason for using a
binary classifier is that binary classifiers have a high accuracy
in discriminating one keystroke from the others, while multi-
classifiers have a relatively low accuracy when performing the
same classification task [23].
In the two-handed keystroke case, as the smartwatch is
usually worn on one hand, only the keystroke behavior of
the hand wearing the watch is recorded in the samples. We
consider the case where the hand wearing the watch presses
two keys or three keys. When verifying the identity of a
user, if all the pulse waves of every single keystroke are
verified, the user will be authenticated. Since the PPG sample
corresponding to a single keystroke event is short, for the sake
of system security, if only one keystroke event is detected, the
authentication process is rejected.
The same method is applicable without setting a fixed PIN
password. The difference is that the NO-PIN case will not
check the legitimacy of the password entered by the user. The
(6) user is authenticated only by the keystroke pattern. Unlock
phone without having to preset a PIN in advance, overcoming
the problem of PIN losing and effectively preventing emulating
attacks.
3) Authentication Phase:
In the authentication phase, the system uses PIN and PPG
measurements for two-factor authentication. The PIN Verifi-
cation module first verifies the correctness of PIN input. If
the PIN is illegal and no PIN is not allowed when the user
registers, this authentication request is rejected. Otherwise, the
legitimacy of the keystroke-induced PPG samples is checked.
According to the different input cases, the system processes
them separately.
In the one-handed case, the system determines whether to
perform privacy boost based on the settings, and then uses the
(8) classifier of the full waveform for authentication.
two and three keystrokes are detected in the full waveform
are considered. If only a single keystroke is detected in the
PPG measurement, this request is rejected. Then, the binary
classifier bk is selected using the input k corresponding to
each waveform to classify previously unseen keystroke-related
feature set x. Finally, the Authentication Results Integration
module combines the results of individual keystrokes. In the
case of three keys detected, the user is considered legitimate
as long as two keystrokes of the waveform pass the authenti-
cation. In the case of two keystrokes, all must be legal to pass
the system.
V. P ERFORMANCE E VALUATION
A. Experimental Methodology
Wearable Prototype. As most commercial wearable de-
vices do not provide raw PPG data directly, we design a
wearable prototype to help us achieve two-factor authentica-
tion based on keystroke PPG signals. Our prototype system
consists of two integrated commodity PPG sensor modules
(MAX30101), which include red and infra-red LEDs. The
732
 Fig. 8: Overall performance of privacy boost.
Fig. 9: PPG samples for PIN “1648” with four different users.
data collected by the two modules is sent back to the PC
through two channels. One way is connected to the PC through
the EVK evaluation board, and the interactive and real-time
drawing display is realized through a program. The other
way is received and completed simple processing through the
STM32, and then packaged and sent back to the PC through
the USB-TTL module. The prototype equipment is shown
in Figure 7. In addition, the circuit board also includes a
three-axis accelerometer LIS2DH12, which can be used for
comparative experiments. The PPG and motion sensors are
embedded in two circuit boards, which are attached to a wrist
band. The sampling rate of each channel for PPG is 100 Hz,
while the motion signal is sampled at 75 Hz.
Data Collection. We recruit 15 volunteers including 11
males and 4 females whose ages are between 20 to 30 using
our wearable prototype. During the experiments, the volunteers
sit in a fixed position and enter the five PINs (1628, 3570,
5094, 6938, 7412) on their Android devices according to
the given prompts. Each volunteer is required to repeat the
process at least 18 times. After this, volunteers perform two-
handed and random keystrokes in the same way. Meanwhile,
our wearable prototype records PPG measurements during
keystrokes on the left wrist and records keystroke moments via
Android. The data was then transferred to a desktop computer
equipped with an Intel(R) Core(TM) i7-10750H @ 2.60 GHz
CPU and 16 GB of RAM for analysis and processing.
733
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
Fig. 10: Authentication accuracy for 5 cases.
B. Evaluation Metrics
We mainly rely on the following two metrics to evaluate
system performance:
Authentication accuracy. This metric indicates the proba-
bility of a true example in authentication. We use this metric to
measure the probability that a valid user will be authenticated.
The higher its value, the better the usability of the system.
True rejection rate. The probability that an attacker is
rejected. We use this metric to measure a system’s ability
to defend against random attacks and emulating attacks. The
higher its value, the less likely it is that an attacker will be
able to pass authentication.
C. Authentication Performance
In this section, we present the evaluation results of our
method for user authentication. We first evaluate the authen-
tication accuracy of our system. Figure 10 illustrates the
system performance in different cases, where single boost
means single-handed keystroke authentication using waveform
fusion, double-3 means three keystrokes by the hand wearing
the watch, and double-2 means two keystrokes. It can be
seen that our system can provide an average authentication
accuracy of 84% in five cases. Afterward, we compare a
manual feature extraction-based method with our solution, and
the results show that our method has clear advantages in terms
of efficiency and accuracy. Compared to accelerometers, PPG
 Fig. 11: Comparison with manual feature extraction methods.
is more accurate in the authentication of passwords entered
in static cases and is better resistant to random and emulating
attacks.
Authentication performance for legitimate users. We
evaluated our method first for the one-handed keystroke case.
As shown in Figure 9, there is a large variation in pulse wave
variation between users when 1628 keystrokes are performed
consecutively. The data is recorded by infrared light on the
sensing platform and the mean values have been removed.
Thus, it is relatively easy to authenticate a user in this case.
As can also be seen in Figure 10, the one-handed keystroke
achieves the best authentication accuracy with an average of
98% accuracy and 2.98% variance in different cases.
After that, we consider using waveform fusion to hide
the waveform of a single keystroke. Figure 8 shows the
authentication accuracy for 12 different volunteer waveform
fusion cases in our system. Although waveform fusion loses
some of the information from individual keystrokes, it still
preserves the specificity of the data quite well. During the
experiment, we found that the stability of behaviors is dif-
ferent for volunteers in our experiment. For some users (e.g.,
volunteer 8), their authentication accuracy was stable because
not many additional small actions were performed during the
experiment. For the other users (e.g., volunteer 11), their
additional actions in the experiment introduce a certain amount
of noise into the signal, which leads to lower authentication
accuracy than those of users who had more stable behaviors.
Even so, the average authentication accuracy of the volunteers
reached 83%, and the true rejection rates were all close to or
above 90%. Thus, with the waveform fusion method, a little
convenience in authentication can be sacrificed for a further
increase in security.
Then we tested the two-handed keystroke case. For reasons
of system security, two-handed keystroke cases require that
at least two keystrokes are detected. When two out of three
keystrokes are determined to be legitimate, or when there are
only two keystrokes and both are legitimate, the model will
authenticate and determine the user as a valid user. With only
two keystrokes by the hand wearing the watch, the system still
achieves an authentication accuracy of almost 70% and 88%
with three keystrokes.
Performance against two types of attacks. A good au-
734
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
Fig. 12: Comparison with accelerometer-based method.
thentication system needs to be resistant to attacks, so we
designed both random attacks and emulating attacks to test
the performance of the system.
For random attacks, we set four attackers to randomly guess
each user’s PIN password and enter the PIN to break the
system. We evaluate the true rejection rate of three iterations of
our system by picking 150 random entries from the attacker
data. We can see that our system can provide a mean true
rejection rate of 98%, which means that our system can
accurately detect a random attacker.
For emulating attacks, the attacker can observe the user’s
input then imitate the user’s gestures and attempt to break the
system using the correct PIN. Figure 10 shows the average
98% true rejection rate of our system against emulating
attacks. We can notice that the system’s ability to resist
random attacks and emulating attacks is comparable, which
also demonstrates that the physiological differences between
people in the keystroke process are difficult to mimic through
actions.
D. Comparison with manual feature extraction methods
We next examine the performance of our ROCKET-based
user authentication method compared to a manually con-
structed feature-based method. We note the work of shang et
al. who achieved an average accuracy of 96.31% in identifying
users using pre-defined gesture-induced blood flow changes.
The advantage of this method is that it can build a strong clas-
sifier based on only the data of the legitimate user without any
information from the attacker or third parties. We reproduced
this paper and fine-tuned it on our dataset. The information
from the four sensors is leveraged by feature extraction and
averaging over different channels, while the threshold τ is
tested and adjusted to 1.7 to balance the accuracy and rejection
requirements.
TABLE I: Computational and memory overheads of the two
model.
Enrollment Phase Authentication Phase
Time/Sec Memory/MiB Time/Sec Memory/MiB
ROCKET-based 1.06 378.4 0.302 379.3
Manual Feature-based 104.89 367.5 10.57 367.5
 (a) Different channel numbers (b) Individual channels
Fig. 13: Performance with channels.
Figure 11 shows the comparison of the authentication
accuracy and true rejection rate when using ROCKET-based
and manual feature-based methods for one-handed keystrokes
without privacy boost. We observe that the authentication
accuracy of the reference method is only 0.62 and the P 2 Auth
method has a significant advantage in both authentication
accuracy and true rejection rate. In comparison, our approach
also has the following advantages:
(1) The reference approach uses a threshold-based approach,
which is sensitive to the setting of thresholds and varies
with each individual optimum. In contrast, P 2 Auth does not
require adjustment for each person.
(2) The reference paper needs to calculate the DTW of
the sequence when extracting features, resulting in a long
authentication time, whereas our method is computationally
simple and very lightweight. In addition, to provide a more
comprehensive view of the computational overhead of the
proposed approach, we also use python’s line profiler and
memory profiler for memory and computational overhead
analysis. As shown in Table I, with a small difference in
memory overhead, our method takes only 1% of the training
time and only 3% of the authentication time.
(3) The reference paper uses a larger amplitude of move-
ment, whereas a relatively small amplitude of motion during
keystrokes, so our approach allows for more senseless and
accurate authentication.
E. Comparison with accelerometer-based method
Accelerometers are a more direct way to provide motion
information than through PPG signals. Therefore, we further
compare the certified accuracy of the accelerometer data and
the PPG data. On each of the two different data sets, we
used the ROCKET-based feature extraction and classification
method. Figure 12 shows that PPG-based authentication is
resilient to attacks and outperforms accelerometer-based au-
thentication. The reason for this is that the volunteer stays
relatively stable during key presses with little wrist move-
ment, so the accelerometer data does not change significantly.
In contrast, the movement of the fingers will engage the
wrist muscles, thus altering the blood flow. Significant signal
changes allow authentication based on movement information
to be more accurate and robust. Moreover, from a security
point of view, the differences in physiological anatomy also
give the system good resistance to attacks.
735
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
Fig. 14: Different third- Fig. 15: Different Machine
party dataset size. learning methods.
F. Impact of Different Impact Factors
Impact of Channel Number. The number of channels
affects the power consumption and computational cost in
wearable devices. Most the commodity wearables have more
than two PPG sensors. For example, the apple watch series 4
is equipped with six PPG sensors for green and infrared light
[24],and later series have added red light [25]. Therefore, we
set our wearable prototype to collect PPG measurements with
different number of channels. Figure 13a shows the average
accuracy and true rejection rates for authentication under
different numbers of channels. This experiment uses data
from a single handed keystroke with security enhancements,
other cases give similar results. We find that the accuracy of
authentication increases significantly with channel numbers,
while the rejection rate remains essentially the same. As the
results implied, our system is compatible with most current
commodity wearables and can be deployed on existing systems
at a very low cost. Further, we have compared the performance
of each channel. As can be seen in Figure 13b, the infrared
data performs better on authentication accuracy, while the red
light performs better on rejection rate, and the two have a
degree of complementary effect.
Impact of Third-party Dataset Size. We change the
amount of third-party data used for training to investigate the
performance of our system at different training data sizes.
More third-party data means larger storage occupancy and
higher computational overhead in the enrollment phase. As
shown in Figure 14, we randomly select 8 dataset sizes
from 20 to 300 to test the system’s performance. We note
that the rejection rate is increasing for both types, while the
authentication accuracy rate is decreasing. This is because in
order to keep the system easy to use, the user is always asked
to enter up to 9 PINs. Owing to the very small number of
training samples, machine learning-based methods suffer from
severe overfitting under the influence of much larger third-
party data.
Therefore, there is a trade-off in determining the training
dataset size for classifiers. If the third-party data set is small,
the user can be accurately authenticated, but more attackers
will be wrongly recognized as the user. Otherwise, if the third-
party dataset is too large, the system can reject almost all
attackers, but the legitimate user may also be rejected, making
it much more problematic to use. For the purpose of system
security, we set the amount of third party data to 100 in our

Fig. 16: Different sampling Fig. 17: Different sampling
rates with four channels. rates and number of channels.
previous experiments.
Impact of Machine Learning Models. We study the im-
pact of different machine learning models on authentication
accuracy. Specifically, we used three algorithms, Resnet, KNN
and RNN-FNN. Figure 15 shows the results of the experiment.
rocket outperforms the other models with an accuracy of 0.96
for the complete test data and takes the shortest computation
time. Although other models are slightly more accurate in
authenticating real users, the lower rejection rate implies an
insecure system. The above results show that our system can
achieve good recognition performance and security, ensuring
convenience for practical usage.
Impact of Sampling Rate. Finally, we investigate the ef-
fect of sampling rate on system performance. The sampling
rate affects the power consumption and computational cost in
the wearable devices. Figure 16 and 17 show how a change
in sampling rate will affect a privacy boost system. In this
case, Figure 16 shows the effect of sampling rate on the
accuracy and rejection rate of four channels authentication.
In particular, we find that the authentication accuracy can
reach 68% at the lowest sampling rate (i.e., 30 Hz). As the
sampling rate increases, the system performance does not
change significantly. Excluding the random factor of the model
itself, the sampling rate does not significantly affect the system
performance. Figure 17 illustrates the effect of sample rate and
number of channels on accuracy. The results show that our
system is not only suitable for commercial wearable devices,
but can also be at a wide range of combinations of sampling
rates and number of channels. Also, as the number of channels
increases, the random factor caused by the model itself is
smaller and the model is more stable overall.
VI. D ISCUSSION
Impact of watch wearing habits. Different people have
different wearing habits, with more people choosing to wear
the watch on the side of the back of their hand. Our system
requires the user to place the watch on the inside when
authenticating because keystrokes are more noticeable to the
muscles on the inside of the wrist. The sensor can better recog-
nize the keystrokes and authenticate the user more accurately.
We also conducted experiments with the back of the hand.
However, the results showed that the back of the hand was less
stable. Differences in sensor placement can cause significant
changes to the signal characteristics, which can affect the
authentication results. As the authentication process does not
736
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
occur frequently, we believe that occasional adjustments to the
user’s wearing position will not affect the system’s ease of use.
Impact of moving hands. The user can perform many
activities while wearing the watch, such as waving, running,
etc. In these situations, other movements performed by the
hand will bring about changes in the wrist muscles and thus
introduce noise into the PPG signal. However, our system
is unnecessarily adapted to the user’s daily movements. The
user’s authentication should take place at the initial moment
of wearing the watch, after which the wear of the watch is
detected based on the heart rate status. Additional authenti-
cation actions are required when performing other sensitive
activities, such as making payments. In comparison to daily
activities, authentication, such as payments, is relatively static.
We, therefore, believe that our approach is not disturbed by a
user’s movement.
VII. CONCLUSION
This paper proposes a novel two-factor authentication sys-
tem based on PIN and unique keystroke-related PPG measure-
ment from the smartwatch. The insight is that the wrist muscle
movements and vascular deformation caused by keystroke
action result in changes in PPG measurement, which can be
used for identity verification. In order to authenticate users,
our system detects the keystroke-related signals from each new
PPG measurement and determines whether the signals come
from the legitimate user or attackers through cross-checking
between the extracted PPG features and the PIN. Furthermore,
we consider both one-handed and two-handed cases and
discuss the situation where there is no fixed PIN. And we
also present a new approach to improve authentication security
by combining the PPG signals of different keystrokes. The
experiment results demonstrate that our system achieves high
accuracy both in accepting the legitimate user and rejecting
attackers.
VIII. ACKNOWLEDGMENT
This work is partially supported by National Natural
Science Foundation of China under Grant No.62172080
and No.62271124, Natural Science Foundation of Sichuan
Province under Grants 2023NSFSC0478 and 2023NS-
FSC0488, and National Key R&D Program of China
No.2022YFB3103404.
R EFERENCES
[1] X. Yu, Z. Zhou, M. Xu, X. You, and X.-Y. Li, “Thumbup: Identification
and authentication by smartwatch using simple hand gestures,” in 2020
IEEE International Conference on Pervasive Computing and Communi-
cations (PerCom). IEEE Computer Society, 2020, pp. 1–10.
[2] Y. Zhao, R. Gao, and H. Tu, “Smartwatch user authentication based on
the arm-raising gesture,” Interacting with Computers, vol. 32, no. 5-6,
pp. 569–580, 2020.
[3] P. Shrestha and N. Saxena, “Listening watch: Wearable two-factor
authentication using speech signals resilient to near-far attacks,” in
Proceedings of the 11th ACM conference on security & privacy in
wireless and mobile networks, 2018, pp. 99–110.
[4] B. Shrestha, M. Shirvanian, P. Shrestha, and N. Saxena, “The sounds of
the phones: Dangers of zero-effort second factor login based on ambient
audio,” ser. CCS ’16. Association for Computing Machinery, 2016, p.
908–919.
 [5] B. Fan, X. Liu, X. Su, P. Hui, and J. Niu, “Emgauth: An emg-based
smartphone unlocking system using siamese network,” in 2020 IEEE
International Conference on Pervasive Computing and Communications [16]
(PerCom), 2020, pp. 1–10.
[6] J. Shang and J. Wu, “A usable authentication system using wrist-
worn photoplethysmography sensors on smartwatches,” in 2019 IEEE
Conference on Communications and Network Security (CNS). IEEE, [17]
2019, pp. 1–9.
[7] T. Zhao, J. Liu, Y. Wang, H. Liu, and Y. Chen, “Towards low-cost sign
language gesture recognition leveraging wearables,” IEEE Transactions
on Mobile Computing, vol. 20, no. 4, pp. 1685–1701, 2021.
[8] J. Abbott and S. Patil, “How mandatory second factor affects the authen- [18]
tication user experience,” in Proceedings of the 2020 CHI Conference
on Human Factors in Computing Systems, ser. CHI ’20. New York,
NY, USA: Association for Computing Machinery, 2020, p. 1–13.
[9] v. d. V. V. Konoth, Radhesh Krishnan and H. Bos, “How anywhere [19]
computing just killed your phone-based two-factor authentication,” in Fi-
nancial Cryptography and Data Security. Berlin, Heidelberg: Springer
Berlin Heidelberg, 2017, pp. 405–421.
[10] Y. Chen, J. Sun, X. Jin, T. Li, R. Zhang, and Y. Zhang, “Your face your
heart: Secure mobile face authentication with photoplethysmograms,” in
IEEE INFOCOM 2017-IEEE Conference on Computer Communications. [20]
IEEE, 2017, pp. 1–9.
[11] A. J. Aviv, J. T. Davin, F. Wolf, and R. Kuber, “Towards baselines for
shoulder surfing on mobile authentication,” in Proceedings of the 33rd [21]
Annual Computer Security Applications Conference, ser. ACSAC ’17.
Association for Computing Machinery, 2017, p. 486–498.
[12] M.-K. Lee, “Security notions and advanced method for human shoulder-
surfing resistant pin-entry,” IEEE Transactions on Information Forensics
and Security, vol. 9, no. 4, pp. 695–708, 2014.
[22]
[13] R. Heartfield and G. Loukas, “A taxonomy of attacks and a survey
of defence mechanisms for semantic social engineering attacks,” ACM
Comput. Surv., vol. 48, no. 3, dec 2015.
[14] P. Markert, D. V. Bailey, M. Golla, M. Dürmuth, and A. J. Aviv, “This
pin can be easily guessed: Analyzing the security of smartphone unlock
pins,” in 2020 IEEE Symposium on Security and Privacy (SP), 2020,
pp. 286–303. [24]
[15] A. Boehm, D. Chen, M. Frank, L. Huang, C. Kuo, T. Lolic, I. Marti-
novic, and D. Song, “Safe: Secure authentication with face and eyes,”
[23] M. Galar, A. Fernández, E. Barrenechea, H. Bustince, and F. Herrera, [25]
“An overview of ensemble methods for binary classifiers in multi-class
737
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on November 06,2023 at 06:58:06 UTC from IEEE Xplore. Restrictions apply.
in 2013 International Conference on Privacy and Security in Mobile
Systems (PRISMS), 2013, pp. 1–8.
D.-J. Kim, K.-W. Chung, and K.-S. Hong, “Person authentication using
face, teeth and voice modalities for mobile device security,” IEEE
Transactions on Consumer Electronics, vol. 56, no. 4, pp. 2678–2685,
2010.
B. Zhou, J. Lohokare, R. Gao, and F. Ye, “Echoprint: Two-factor au-
thentication using acoustics and vision on smartphones,” in Proceedings
of the 24th Annual International Conference on Mobile Computing and
Networking, 2018, pp. 321–336.
X. Liu, Y. Li, and R. H. Deng, “Typing-proof: Usable, secure and low-
cost two-factor authentication based on keystroke timings,” in Proceed-
ings of the 34th Annual Computer Security Applications Conference,
2018, pp. 53–65.
D. Biswas, L. Everson, M. Liu, M. Panwar, B.-E. Verhoef, S. Patki,
C. H. Kim, A. Acharyya, C. Van Hoof, M. Konijnenburg, and
N. Van Helleputte, “Cornet: Deep learning framework for ppg-based
heart rate estimation and biometric identification in ambulant environ-
ment,” IEEE Transactions on Biomedical Circuits and Systems, vol. 13,
no. 2, pp. 282–291, 2019.
M. P. Tarvainen, P. O. Ranta-aho, and P. A. Karjalainen, “An advanced
detrending method with application to HRV analysis,” IEEE Trans.
Biomed. Eng., vol. 49, no. 2, pp. 172–175, 2002.
A. Dempster, D. F. Schmidt, and G. I. Webb, “Minirocket: A very fast
(almost) deterministic transform for time series classification,” in KDDx‘
’21: The 27th ACM SIGKDD Conference on Knowledge Discovery and
Data Mining, Virtual Event, Singapore, August 14-18, 2021. ACM,
2021, pp. 248–257.
H. A. Dau, A. Bagnall, K. Kamgar, C.-C. M. Yeh, Y. Zhu, S. Gharghabi,
C. A. Ratanamahatana, and E. Keogh, “The ucr time series archive,”
IEEE/CAA Journal of Automatica Sinica, vol. 6, no. 6, pp. 1293–1305,
2019.
problems: Experimental study on one-vs-one and one-vs-all schemes,”
Pattern Recognition, vol. 44, no. 8, pp. 1761–1776, 2011.
Simon, “Apple watch photoplethysmography (ppg),”
https://www.helixapps.co.uk/blog/apple-watch-photoplethysmography-
ppg, accessed Oct. 26, 2022.
Apple, “Monitor your heart rate with apple watch,”
https://support.apple.com/en-us/HT204666, accessed Oct. 26, 2022.