CRII: SaTC: Securing Cardiac-Based Continuous Authentication on Mobile and Wearable Devices from Presentation Attacks

About This Grant

Smartphones and wearable devices such as smartwatches have become part of everyday life, offering people convenient access to personal, health, and digital services. Some emerging systems use heart-based biometric signals, captured through photoplethysmography (PPG) sensors in these devices, to authenticate users continuously without requiring passwords or active interaction. This seamless, unobtrusive form of authentication can enhance both security and user experience. However, PPG-based continuous authentication also introduces new privacy and cybersecurity risks if attackers can fool the system. In particular, biometric systems can be subject to impersonation attacks, where an attacker tries to present signals that mimic a target user. This project explores the risks of presentation attacks in PPG-based biometric systems, in which an adversary captures a person's heart signals via video and replays a synthetic version tailored for a target device to impersonate the user. The project team also explores defense mechanisms that identify unique characteristics of signals from real human users that are difficult to reproduce synthetically. By examining this practical attack and developing a targeted defense, the research aims to reduce impersonation risks, build trust in biometric authentication, and support the broader adoption of PPG-based authentication systems in security-sensitive applications. The project also contributes to national priorities in cybersecurity, STEM education, and workforce development through student mentoring, curriculum integration, and outreach to local schools and communities. This project examines the feasibility of presentation attacks on PPG-based continuous authentication systems used in mobile and wearable devices and develops practical methods for defending against it. The research includes four coordinated components. First, the investigators will study how cardiac signals can be acquired remotely using video-based remote PPG sensing under realistic, covert recording conditions. This component applies data-driven enhancement techniques to reduce the impacts of motion and lighting variation, improving signal quality for adversarial use. Second, the project will develop a deep learning framework to transform remotely captured signals into synthetic waveforms that closely resemble those generated by contact PPG sensors in the wearable and mobile devices. Domain adaptation techniques will be investigated to ensure the model generalizes across different device configurations while reducing retraining efforts. Third, the team will design a physical signal injection method that uses a controllable external light source, guided by a learned model of sensor response, to deliver spoofed signals to the target device's PPG sensor. This method is intended to operate without modifying the device's hardware or software, enabling a low-effort and covert attack pathway. Finally, the researchers will develop a hybrid liveness detection system that distinguishes genuine cardiac signals from synthetic ones by identifying subtle physiological features that are difficult to reproduce. Adaptive learning strategies will be incorporated to address natural variability in heart signals, enhancing detection reliability over time. Project outcomes will include curated datasets, hardware prototype designs, and educational resources to extend the project's impact to both academic and public audiences while supporting workforce development in cybersecurity and intelligent sensing technologies. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.