RFID Authentication System Based on User Biometric Information ^†

Abstract

Traditional authentication technologies usually perform identity authentication based on user information verification (e.g., entering the password) or biometric information (e.g., fingerprints). However, there are security risks when applying only these authentication methods. For example, if the password is compromised, it is unlikely to determine whether the user entering the password is legitimate. In this paper, we subdivide biometric information into physiological and behavioral information, and we propose a novel user authentication system, RF-Ubia, which utilizes the low-cost radio frequency identification (RFID) technology to capture unique biological or behavioral information rooted in the user and can be used in two schemes for user authentication. Consisting of an array of nine passive tags and a commercial RFID reader, RF-Ubia provides double assurance for security of identity authentication by combining user information and biometric characteristics. It first verifies the user’s password, and then identifies the biometric characteristics of the legitimate user. Due to the coupling effect among tags, any change in tag signal caused by the user’s touch will affect other tag signals at the same time. Since each user has different fingertip impedance, their touch will cause unique tag signal changes. Therefore, by combining biometric information, the tag array will uniquely identify users. The evaluation results show that RF-Ubia achieves excellent authentication performance with an average recognition rate of 93.8%.

1. Introduction

With the rapid development of modern technology, new automatic identification technologies emerge in endlessly, among which radio frequency identification (RFID) technology has become the core technology of the Internet of Things with its excellent advantages.

With the commercialization of RFID, its application is becoming more and more widespread, including item tracking, motion detection [1,2], goods security and so on [3,4,5,6,7]. As the increasing demand on protection for security industry and personal privacy, user authentication technology has become particularly important. The purpose of user authentication is to verify whether a user is indeed a legitimate user registered in the system, which is a vital task in many applications, such as area or event access control and electronic payment.

In the existing work, user authentication methods are mainly divided into two categories: device authentication and user authentication. Authentication devices such as personal identity cards, authentication users such as fingerprints, etc.; both authentication technologies are each facing many potential risks and hidden dangers due to imperfect security mechanisms. Device authentication may have the risk of being lost, stolen, or copied. When users set their passwords too short or simple, their accounts can easily be stolen, leading to insecure accounts on other systems as well. If complex passwords consisting of numbers and letters are used alternately, it can increase the security strength of the password, but it will increase the complexity of the system usage and is very unfriendly to users. When the system uses ID cards to identify and verify user identity, the cards may be at risk of being copied or lost. As in the Hu-Fu (Wang et al. [8,9]) authentication scheme, if the authentication tag is stolen by an attacker, the attacker can pass the authentication without any hindrance; with RF-Mehndi (Zhao et al. [10]), although the personal card is also able to resist the attacker’s counterfeit when it is lost or stolen, the user card needs to be recreated and the information collected will still cause trouble to the user. User authentication-based schemes to verify users’ biological information, such as Vauth (Feng et al. [11]), Cardiac Scan (Lin et al. [12]), BioTag (Hu et al. [13].), and TrueHeart (Zhao et al. [14]) continuous authentication schemes, mostly require the use of dedicated sensors, which have major limitations in terms of cost and applicability. While the mainstream user authentication methods now use biometric features such as the user’s fingerprint, face (Xu et al. [15]), and iris to authenticate the user’s identity, biometric features such as fingerprints provide a more excellent authentication performance compared to traditional authentication techniques. However, it is by nature a static image or data matching and still has the possibility of being copied. To overcome these problems, cutting-edge research has proposed a concept of continuous authentication, i.e., using some device to continuously extract dynamic human biometric features for authentication, such as breathing (Wang et al. [16]), heart rate (Zhao et al. [14]), and sound resonance (Feng et al. [11]). However, continuous authentication requires a very high acquisition rate and computational power of the device, leading to excessive cost and difficulty, and it can still only be implemented in an experimental setting.

In summary, although many user authentication methods have been proposed [5,8,9,10], they have some contradictions and drawbacks in terms of application target, deployment scope, cost, system complexity, and security resistance. It is a new challenge to find a simple and secure authentication method. To address the shortcomings of current user authentication methods, we subdivide biometric information into physiological and behavioral characteristics, and we design and implement RF-Ubia, which is a simple and secure user authentication method for different people, supports both password and passwordless authentication methods, and can achieve high recognition accuracy and at a much lower cost than existing work.

RF-Ubia consists of nine passive tags forming a cryptographic array, with each tag acting as a cryptographic button, as shown in Figure 1. Users only need to touch the tag surface once to enter a password number. When the user touches multiple tags continuously, the digital sequence obtained is used as the user authentication password. In the process of touching, we also skillfully incorporate the biometric information into tag signals. When different users touch the RFID tags, distinctive phase changes will occur as a result of users’ different body impedance. The closer these tags are in the array, the stronger the coupling effect among them will become [8,9,10]. When a tag is touched, not only its signal will change, but also the signals of the other eight tags will change due to the coupling effect. These signal changes are highly correlated with the user’s body impedance. Normally, the impedance of the human body is about 300–1000 $\mathsf{\Omega }$. Different users have different body impedance, which leads to different changes in the phase signal of the tags. Combined with user’s biometric information, different users who entered the same password can be distinguished. The main contributions of our work are summarized as follows:

• We propose a low-cost simple user authentication method called RF-Ubia, which allows users to effectively resist password theft even with simple passwords.
• We propose an extension of the RF-Ubia system that fuses user impedance and behavioral features, allowing users to authenticate users even if they forget their passwords, and ensures security that is largely immune to environmental interference, achieving an average recognition accuracy of 0.94. We improve the traditional anomaly detection and feature extraction algorithms to obtain more fine-grained feature information to improve accuracy. We used Random Forest in Wake to classify, and RF-Ubia was able to achieve an average recognition accuracy of 0.96 while existing work based on template matching or convolutional neural networks (CNN) was below 0.92 under the same conditions.

2. Related Work

User authentication methods can be divided into three main categories: information, possessions, physiological and behavioral characteristics.

Information, such as passwords or security codes. The information-based approach is designed to use traditional cryptographic algorithms to perform authentication and use encryption technology to protect tags from illegal access [17,18,19,20,21]. Most of these methods require modifications to commercial communication protocols or tag hardware, making it difficult to apply them to lightweight passive tags.

Possessions, such as various certificates or ID cards. The physical information-based approaches identify and verify the tags by taking advantage of the differences in the tag circuit characteristics, which will be reflected in the backscattering signal. Ding et al. propose a reader authentication solution based on physical layer signals, namely Arbitrator [22,23], which can effectively prevent unauthorized access to tags. Ma et al. [24] propose a new physical layer recognition system based on internal similarity, GenePrint. Yang et al. [25] use additional phase offset as a new fingerprint called Tagprint for identifying a pair of readers and tags. Chen et al. explore a new fingerprint called Eingerprint [26] to authenticate passive tags in the commodity RFID system, which uses the electrical energy stored in the tag circuit as a fingerprint. Wang et al. explore a verification method called Hu-Fu [8]. The authors observe inductive coupling between two adjacent tags [27,28]. When two tags are placed very close and the coupling effect occurs, Hu-Fu can achieve the purpose of verification.

Physiological or behavioral characteristics. In recent years, the mainstream user authentication methods are based on different biological characteristics (e.g., fingerprint, face and retina) for identification. Compared with traditional authentication technology, the biometric authentication technology (especially fingerprint authentication) has achieved more excellent performance owing to its universality, uniqueness, permanence and anti-counterfeiting characteristics. RF-Mehndi [10] uses the physical characteristics of the tag and the biometric characteristics of the holder to verify the user’s validity. When the user touches the tag, the physical layer information of the tag and the user’s body impedance are combined to achieve verification.

Although RF-Mehndi combines the physical characteristics of the tags with the user’s biometric information, it still cannot handle the case where the use’s ID card is lost, which brings trouble to the user. Therefore, we design a system that can verify the user by combining its password with its biometric information, without the need for an ID card.

3. Design Background and Overview

In this section, we will introduce passive tags and how they are coupled, as well as the implementation process of our system.

3.1. Passive Tag

Our system uses passive tags, which do not have their own energy source, and obtain working electric energy by reflecting the carrier signals emitted by the reader [29]. An RF tag consists of an antenna and a chip. The main functions of the antenna are: (1) to receive the radio frequency signal emitted by the reader; (2) to transmit it to the chip for processing; (3) to send the chip data to the reader. The antenna is a conductor structure specially designed for coupling radiated electromagnetic energy. In general, the smaller the size of the antenna, the lower its radiation impedance and the working efficiency. Considering the above factors, the tag layout should be as small and simple as possible while still meeting the efficiency requirements. The model of the tag we use is Alien-9629, which measures 22.5 mm × 22.5 mm, and operates at 840–960 MHz.

3.2. Tag Coupling

Tag coupling is actually the energy transfer and information exchange between two devices. There are two ways of tag coupling: Backscatter coupling and Inductive coupling.

3.2.1. Backscatter Coupling

After the user touches the target tag, the electromagnetic wave emitted by the antenna activates it and brings back the tag information. This process is based on the spatial propagation law of electromagnetic waves. The recognition range is greater than 1 m.

Passive tags require sustained energy from electromagnetic waves emitted by the reader to keep working. We know that a changing magnetic field creates an electric field, and a changing electric field creates a magnetic field. When magnetic flux changes, an induced current will be generated in the closed coil. The current in the signal transmitter radiates radio electromagnetic waves through the antenna, forming a changing electromagnetic field. The changing electromagnetic field is induced by the antenna coil at the receiving end, and the voltage is generated inside the coil. The tag can be thought of as a closed coil that generates an induced current inside when it senses the signal emitted by the reader. It should be noted that the induced current generated in the tag will also radiate electromagnetic waves back to the reader antenna after modulation, and generate signals that can be recognized by the reader antenna, also known as backscattered signals.

3.2.2. Inductive Coupling

The inductive coupling is realized through the magnetic field of the tag according to the law of electromagnetic induction. Each tag, when activated, generates a magnetic field around its coil. When two tags are placed close to each other, their magnetic fields pass through each other’s coils, resulting in a change in magnetic flux. The induced electromotive force will be generated inside the tag, thus affecting its power and signal. Figure 2 shows the state of a single tag state and the coupling state of two tags. When users touch the surface of one of the tags in the array, the tag circuit is then equivalent to adding an additional resistance, which causes the total resistance in the circuit to change and the tag power to change. Each user has a different body impedance, which makes it possible for the user to have unique biological information and to be distinguished from other users.

3.3. System Architecture

In this part, we briefly describe the four steps for implementing the RF-Ubia system.

Hardware Settings. In order to realize the password function of RF-Ubia, we need to arrange nine RFID tags into a 3 × 3 layout first. The tag array is then fixed to prevent signal changes caused by the relative movement of the tags from affecting the user authentication results.

Tag Identification. The reader sends a signal to activate the nine tags in the array, then carries out a preliminary identification according to the EPC [30] of the tag. After the reader obtains the signal of the legitimate tag, it waits for the user to touch the corresponding tag and collects the signal data.

Data Processing. The purpose of this step is to process the tag data acquired by the reader to eliminate the inverted $\mathsf{\pi }$ phenomenon and periodic signal surround (i.e., phase unwrapping) of the tag phase. Then, we extract the characteristic information we need and identify the password sequence entered by the user.

User Authentication. The system first determine whether the identified password sequence is a valid password. If the password sequence entered by the user is indeed registered in the system, the second stage of verification will be performed. In the second stage, the system verifies whether the user is legitimate to prevent an illegal attacker from stealing the password sequence of the legitimate users.

4. System Design

In this section, we will describe the working flow of RF-Ubia in four parts, including signal collection, data preprocessing, feature extraction and authentication. Figure 3 depicts these four key steps.

4.1. Signal Collection

The signal collection part of RF-Ubia is divided into registration stage and verification stage. In the registration stage, each user sets his or her password and touches the tag corresponding to the password in order. As users touch the tags multiple times, their identity information associated with their own password and body impedance is collected. Different impedance and passwords of different users make each person’s identity information unique. In the verification stage, the user only needs to enter his or her password set in the registration stage, and the system back-end can obtain the relevant signal data of the tag and complete the authentication.

4.2. Data Preprocessing

The phase is a periodical function with the periodic signal surround and the inverted $\mathsf{\pi }$ phenomenon, which are the essential characteristics of the tag signal. As shown in Figure 4, the figure above shows the wrapped phase, and the figure below shows the inverted $\mathsf{\pi }$ phenomenon of the phase. In order to obtain usable phase characteristics, we need to preprocess the data after getting the tag signal to obtain the tag information with the phase unwrapped and the inverted $\mathsf{\pi }$ phenomenon eliminated.

In general, the first n data of the tag are the signal data when the tag is more stable, i.e., the tag signal without user touch interference. We select the phase average ${\theta }_m$ of the first n data of the tag as the tag phase reference value. Thus, the difference between the first n phase values of the tag and the reference value, respectively, $\Delta {\theta }_i=|{\theta }_i-{\theta }_m|$, can be obtained.

We handle anomalies by setting thresholds. Since the phase of the tag fluctuates on its own and changes when touched by the user, if the threshold [3] is set too large or too small, it can lead to some data being processed incorrectly and ultimately affect the overall experimental data. We set the threshold value as

$$\left\{\begin{array}{cc}\hfill thre{s}_1& =\pi -thres,\hfill \\ \hfill thre{s}_2& =\pi +thres,\hfill \end{array}\right.and{\theta }_i=\left\{\begin{array}{cc}{\theta }_i,\hfill & \Delta {\theta }_i\le thre{s}_1\hfill \\ ({\theta }_i+\pi )mod2\pi ,\hfill & thre{s}_1<\Delta {\theta }_i<thre{s}_2\hfill \\ {\theta }_i-2\pi ,\hfill & {\theta }_i-{\theta }_m\ge thre{s}_2\hfill \\ {\theta }_i+2\pi ,\hfill & {\theta }_i-{\theta }_m\le -thre{s}_2\hfill \end{array}\right.$$

(1)

where the value of thres will be selected as the optimal value by iterative adjustment during the experiment. By comparing the difference $\Delta {\theta }_i$ with the set threshold, if $\Delta {\theta }_i\le thre{s}_1$, then the phase is normal data; if $thre{s}_1<\Delta {\theta }_i<thre{s}_2$, then it is judged to be an inverted $\mathsf{\pi }$ phenomenon; if $\Delta {\theta }_i\ge thre{s}_2$, then it is judged to be the occurrence of a phase wrapping phenomenon, as shown in Equation (1).

After processing the first n stable phases of the tag, the subsequent data of the tag are processed using a sliding window. We improve and optimize the processing algorithm because the user touch operation may cause a large abrupt change in the tag phase; for example, touching the tag causes the tag phase to change beyond $thre{s}_1$, which is a phase change caused by the touch operation and not an inverse $\mathsf{\pi }$ phenomenon or a phase wrapping phenomenon. In this case, as the user’s touch has a continuous effect on the phase and the inverted $\mathsf{\pi }$ is an episodic phenomenon, we will use the data after this phase to make a judgment. As shown in Equation (2), the average value of this phase ${\theta }_k$ and the m phases after it is taken, and if the difference between the phase value and the average value is small compared to the threshold value $thre{s}_3$, then the phase is not anomalous and does not need to be processed.

$$\left|{\theta }_k-\frac{{\displaystyle \sum _{i=1}^m}{\theta }_{k+i-1}}{m}\right|<thre{s}_3.$$

(2)

When the user touches the tags in the array, we find that some of them cannot feedback the tag signal. In Figure 5, two adjacent pieces of data are connected by dashed lines. A large amount of signal data is missing between the two pieces of data surrounded by blue circles. This is because the tag power becomes relatively small due to the influence of body impedance and coupling when the user touches, so it cannot reach the threshold value for activating the tag. Therefore, the tag has no phase signal during this touch stage and the reader cannot read the tag data. We take advantage of this phenomenon as a feature when verifying the user’s identity. In order to preserve this feature, interpolation and data smoothing processing are not performed.

4.3. Feature Extraction

After data preprocessing, we obtain a continuously available tag phase signal, and further extract the phase features related to user identity information. We find that the signal changes are relatively complex and chaotic at the moment when the user touches the tag, and the phase characteristics are also unstable. However, during touch, the phase signal of the tag tends to be stable. So, we propose an anomaly detection algorithm to extract the stable part in the middle of the tag phase signal. We first empirically set up a fixed-size window to detect the abnormal part. The average amplitude in the k-th window [2] of tag i can be expressed as

$$A_i\left(k\right)=\frac{{\displaystyle \sum _{j=1}^l}\left|{\theta }_j-{\theta }_m\right|}{l}and{\theta }_m=\frac{{\displaystyle \sum _{j=1}^l}\left|{\theta }_j\right|}{l},$$

(3)

where l represents the data volume of the phase in the window, ${\theta }_j$ represents the phase value, and ${\theta }_m$ represents the average phase value of the tag obtained from the stable tag signal in the first window and is used as a metric to evaluate the anomaly. In Equation (4), the amplitude function $G\left(k\right)$ is obtained [2] by summing the amplitudes of all tags in the same window.

$$G\left(k\right)=\sum _{i=1}^9{A}_i\left(k\right).$$

(4)

After sliding window anomaly detection and comparison with the set threshold value, an anomaly sequence can be obtained. The first exception window detected is taken as the left exception window, which is caused by the user just touching the tag. The last one in a continuous set of exception windows starting from the left exception window is taken as the right exception window, which is caused by the user’s finger leaving the tag surface. We take the middle window between the left exception window and the right exception window as our feature window. The purpose is to avoid using the more unstable signal caused by the user just touching the tag, and to obtain the relatively stable signal brought by the user’s continuous touch. Figure 5 shows the feature window of the tag phase signal. The mean value of the nine tag phases in this window is

$$V=[A_1^{\prime },A_2^{\prime },A_3^{\prime },A_4^{\prime },A_5^{\prime },A_6^{\prime },A_7^{\prime },A_8^{\prime },A_9^{\prime }].$$

(5)

Then, the phase difference between any two of the nine tags is calculated to form an eigenvalue:

$$\Delta A_{ij}=\left|A_i^{\prime }-A_j^{\prime }\right|.$$

(6)

Since $\Delta A_{ij}$ and $\Delta A_{ji}$ are equal, and $\Delta A_{ii}$ is equal to 0, we can obtain 36 effective eigenvalues from a feature window to form the eigenvector

$$F=[\Delta A_{12},\cdots ,\Delta A_{19},\Delta A_{23},\cdots ,\Delta A_{29},\Delta A_{34},\cdots ,\Delta A_{89}].$$

(7)

4.4. Authentication

For authentication, we use the classification function in Weka to train the user information collected during the registration stage into the validation model. After collecting user data and extracting feature information, the classification model can determine whether the user is legitimate.

4.5. Experiment and Evaluation

In this section, we first implement RF-Ubia, and then verify its performance through extensive experiments.

The RF-Ubia consists of a commercial reader, a directional antenna and several passive tags. The RFID reader we use is ImpinJ R420 commercial reader, the antenna model is Laird S9028PCR, and the tag model is Alien-9629. The software of RF-Ubia ran on a computer with an Intel(R) Core(TM) i5-3230M processor (2.60 GHz) and 12 GB RAM.

Experimental setups. We carry out the experiment in a conference room. As shown in Figure 6, the tag array formed by 9 Alien-9629 tags is fixed on the top of the box, and the antenna connected to the reader is placed at the bottom of the box to read the tag data. Finally, the data are processed by the computer.

Parameter Setting. In the data preprocessing stage, we take the first 10 phases of the tag as the signal data when it is stable, and set the size of the sliding window to 6, that is, there are six phases in the window. The sliding window size used in the anomaly detection algorithm is set to 0.5, indicating that the window contains 0.5 s of tag data. The settings for the remaining parameters in the preprocessing and exception detection algorithms are shown in

Table 1. Algorithm parameter setting.

Parameter Name	Parameter Values
$thre{s}_1$	$\mathsf{\pi }-1$
$thre{s}_2$	$\mathsf{\pi }$ + 1
$thre{s}_3$	1.5
$thre{s}_4$	2
m	4

.

Metric. We use three major indicators to describe the performance of RF-Ubia, namely True Positive Rate (TPR), False Positive Rate (FPR) and Accuracy. TPR [4], as shown in Equation (8), is used to measure the accuracy of a single password identification performance. FPR, as shown in Equation (9), is used to measure the ratio of illegal users that pass the validation of RF-Ubia to all illegal users. Accuracy refers to the combination of the validation results, including the first stage and second stage of RF-Ubia.

$$TPR=\frac{turepositives}{turepositives+falsenegatives}$$

(8)

$$FPR=\frac{falsepositives}{falsepositives+turenegatives}$$

(9)

First, we evaluate the performance of the system for password identification (i.e., identifying the tags touched by the user). We collected 360 sets of data for evaluation. The TPR of each password (i.e., tag) from 1 to 9 is shown in Figure 7. The average accuracy of the system in identifying passwords exceeds 96.9%, indicating that RF-Ubia can effectively distinguish the tags touched by the user and enable the function of entering passwords.

We verify the validity of RF-Ubia when multiple users use the same password. As shown in Figure 8, the FPR of the RF-Ubia does not exceed 0.04 when the password length is 2, indicating that RF-Ubia can effectively distinguish different users. In addition, we also evaluate the accuracy of RF-Ubia in identifying users with the same password when the password is longer. When the password length is 3, the identification accuracy of users with the same password is 98.75%. When the password length is 4, the accuracy reaches 100%. The longer the password is, the more user features can be utilized and therefore the higher the accuracy of user identification is. Considering password identification and user differentiation, the average accuracy of RF-Ubia system exceeds 92.8%.

Discussion. In this section, we propose a solution that uses a fusion of user information and biometric information for user authentication, which achieves a high user identification accuracy rate even when using only a simple password. However, it has some drawbacks—we still need to use passwords, which is not friendly to people who usually forget their passwords, such as elderly people with poor memory and those who do not use the authentication system regularly. We also need to try out different experimental environments to improve the robustness of the system. In our experiments, it can be observed that RFID signals are susceptible to dynamic environmental changes (e.g., someone moving), and since the typical bandwidth of normal human finger movements is between 3 and 5 Hz, the use of low-pass filters (e.g., Butterworth filters) is possible to mitigate such effects. For other normal movements of people, they lie between 0 and 18 Hz. Therefore, we can use advanced signal processing techniques (e.g., empirical pattern decomposition) to filter out noise with overlapping frequencies.

5. Extension of Authentication System

In order to make up for the above shortcomings, we refine the biometric technology and propose an authentication method based on the user’s physiological and behavioral characteristics. Specifically, we authenticate users by allowing them to touch a specified sequence of tags without entering a specified password.

Behavioral characteristics and time series of touch. When the user touches a fixed tag sequence, he or she may touch it with unique habits or rhythm. As shown in Figure 9, the tag signal obtained by the user’s touch contains time information, so an anomaly detection algorithm can be used to detect the signal changes to get the fragments of the user’s touch and record the user’s touch situation at each moment. Then, the user’s touch rhythms, namely, the user’s behavioral characteristics, can be extracted using the time series of touch.

User Characteristic Information. We use the physiological and behavioral characteristics of users to authenticate their identities. When the user touches the tag surface in the specified order, the system collects information related to the user’s body impedance and behavior. After extracting the phase values of the tag touched by the user, the phase difference between two tags is calculated to form the feature value. Each touch of the user generates a feature vector with a length of 36, and the phase features of all the touches form the physiological feature information of the user. In addition, the system can obtain two time values for each touch of the user, that is, the beginning and the end of each touch, as shown in Figure 10. Finally, the user’s behavioral characteristic information includes four parts: the duration of each touch, the interval between each touch, the frequency of touch and the duration error of each touch corresponding to the tag.

5.1. System Design

In this section, we will introduce the implementation process of the improved system, including five steps of data collection, data preprocessing, anomaly detection, feature extraction and authentication.

Data collection. When registering, the user needs to touch each tag in a tag sequence specified by the system in order. For example, “$1379$” means that the user needs to touch the four tags 1, 3, 7, and 9 in sequence. The system can collect multiple sets of data when the user touches the tag with its own habits or rhythms. In the authentication phase, the user still only needs to touch the tags according to the tag sequence. Since the tag signal can change drastically with the touch, the user should make each touch last for a short period of time so that the system can obtain relatively stable tag phase values. After collecting the user data, the system needs to perform preprocessing and anomaly detection, and further extract the characteristic information of different users, and finally perform user authentication.

Data preprocessing. The system needs to preprocess the raw data from the user to obtain continuous and stable tag signal. This part is consistent with the data preprocessing method used before the improvement scheme. Specifically, for each tag, the difference between its phase value and the average of the phases values of other tags around it should be calculated to distinguish whether the data are abnormal. Then, compare the value with the set threshold value to determine whether periodic signal surround or inverted $\mathsf{\pi }$ phenomenon occurs, and perform the corresponding data processing according to the determination result.

Anomaly detection. In this scheme, the label signal is detected by the sliding window. After obtaining the exception window using the previous anomaly detection algorithm, we can get the left exception window and the right exception window with fuzzy time characteristics. In the anomaly detection algorithm, if the size and moving step of the sliding window are both large, the time span of the left and right exception window is also large, so the exact time when the user touches the tag cannot be obtain. Therefore, it is necessary to further process the exception window to obtain more accurate time features.

For the left exception window $left$, the sum of its amplitude $G\left(left\right)$ is larger than the threshold $thre{s}_4$, while $G(left-1)$ is smaller than the threshold, indicating that the precise time of user touch must be between the left boundary $(left-1)$ of window and the right boundary $left$ of the window. Take the beginning time of the window $(left-1)$ to the end time of the window $left$ as the detection area of the exact time, and set the size and moving step of the sliding window to a smaller time granularity t, and then the average amplitude of the tag phase [2] in the window can be recalculated as

$$A_i^{\prime }\left(k\right)=\frac{{\displaystyle \sum _{j=1}^l}\left|{\theta }_j-{\theta }_m\right|}{l}and{\theta }_m^{\prime }=\frac{{\displaystyle \sum _{j=1}^5}{\theta }_j}{5},$$

(10)

where l represents the number of tag phases in the window of size t. The new amplitude function can be obtained [2] from the average amplitude of each tag in the window.

$$G^{\prime }\left(k\right)=\sum _{i=1}^9{A}_i^{\prime }\left(k\right).$$

(11)

In anomaly detection, the time of the first window from left to right that detects an anomaly is taken as the precise time of the beginning of user’s touch. Similarly, for the right exception window $right$, when the sum of its amplitude $G\left(right\right)$ is greater than the threshold $thre{s}_4$, and $G(right+1)$ is less than the threshold, it means that the precise time of user touch must be between the left boundary $right$ and the right boundary $(right+1)$ of the window. Take the beginning time of the window $right$ to the end time of the window $(right+1)$ as the detection area of the exact time, then the time of the first window from right to left that detects an anomaly is taken as the precise time of the end of the user’s touch.

Feature Extraction. So far, we have obtained the tag phase value, the beginning time and the end time of each touch. Using Equations (5)–(7), we can calculate the user’s physiological characteristic information $F_{user}=[F_{tag1},F_{tag2},\dots ,F_{tagn}]$. The time series of user’s multiple touches is

$$[t_1,t_2,t_3,t_4,\dots ,t_{2n-1},t_{2n}].$$

(12)

Subtracting the start time from the end time of the $Kth$ touch gives the duration of the touch as

$$T_{persist}\left(k\right)=t_{2k}-t_{2k-1}.$$

(13)

Subtracting the start time of the $(K+1)th$ touch from the end time of the $Kth$ touch gives the time interval between two touches as

$$T_{interval}\left(k\right)=t_{2k+1}-t_{2k}.$$

(14)

We can obtain n touches, n touch duration and $n-1$ duration between two touches. Then, according to the total time of user touch and the number of touches, the user touch frequency can be calculated as

$$frequency=\frac{n}{t_{2n+1}-t_1}.$$

(15)

The user’s behavioral characteristic information is composed of the duration, time interval and the frequency of the touch. Therefore, the behavioral characteristic information can be defined as

$$F_{behavior}=[T_{persist},T_{interval},frequency].$$

(16)

Finally, the user’s physiological and behavioral characteristic information are combined to form the user’s identification feature [$F_{user},F_{behavior}$].

Authentication. Our system identifies users based on their physiological and behavioral characteristics. Users do not need to remember their passwords, just touch the specified tags in order with their habits and rhythms, and the system can obtain their identity characteristics. In the registration phase, the system needs to collect multiple groups of data (at least 20 groups) as the training data for the classification model. In the authentication phase, users touch the same tag sequence, and the system extracts feature information from the user’s touch and uses the classification model to authenticate users. We use the Random Forest classifier in Weka to identify and classify user identities. For each user, there are 20 groups of data for training and 20 groups of data for testing.

During the registration phase, users will need to collect multiple sets of data (a minimum of 20 sets) as training data for the classification model. In the authentication stage, users touch the same label order, the system collects user data and extracts feature information, and finally uses the classification model to authenticate users. User identity is identified and classified by using a Random Forest classifier in Weka. Twenty sets of data per user are used to train the classifier model and 20 sets of data are used as test samples.

5.2. Experiment and Evaluation

In the previous section, we describe the user’s behavioral characteristics in detail and introduce how to extract it. We also improve the anomaly detection algorithm and obtain the precise time sequence of user’s touches. In this section, we conduct specific experiments to verify the performance of the proposed system.

Experimental setups. The hardware part of the system consists of an RFID commercial reader, a directional antenna and nine passive tags. The RFID reader is an ImpinJ R420 commercial reader, the antenna model is Laird S9028PCR and the tag model is Alien 9629. We implemented the user interface and verification module on a Thinkpad laptop which collects data from the RFID reader through a low-level reader protocal-LLRP. The final data are processed and analyzed by a computer and MATLAB software.

Metric. We evaluate the impact of different lengths of the tag sequence that need to be touched on the performance of the scheme, and the lengths are set to 2, 3 and 4, respectively. In addition, with the sliding window’s size is set to 0.3, we evaluate the impact of moving step size of the window on the performance. Different lengths will lead to changes in the amount of physiological and behavioral information of users. The longer the tag sequence, the more information about the user’s physiological and behavioral characteristics. As shown in Figure 11, when the length is 2, the recognition rate of the system for users is 90.97%. When the length is 3, this figure increases to 97.92%. When the length is 4, this figure increases to 100%. The results show that the longer the sequence is, the more characteristic information is available, resulting in higher accuracy of user authentication.

Impact of moving step size of the sliding window. In the anomaly detection phase, a different moving step size of the sliding window will lead to a different time accuracy of user’s touch obtained by the algorithm, and different time series correspond to different behavioral characteristics of the user. Figure 12 shows the impact of different moving step size of the sliding windows on the performance of user authentication when only behavioral characteristics are used. The results show that the smaller the step size, the higher the accuracy of user authentication. A larger step size leads to poorer performance of authentication.

Impact of the classification model. We evaluated six different classification models. To ensure fairness, we used the network structure and used the default parameter settings used in [31]. As can be seen in Figure 13, Random Forest gives the highest relative accuracy (0.959) for our RF-Ubia, and its latency is small. The rest of the classification models were relatively poor.

Time Overhead Evaluation. When the user touches tags for authentication, the time overhead of the system to process the tag signal data can be divided into three parts, including data preprocessing, anomaly detection and feature extraction. When the length of the tag sequence that users need to touch is 4, it takes 0.376 s on average and 0.52 s at most to process a single data sample, and 0.52 s at most, which can satisfy people’s daily authentication needs. The time cost of our method could be lower if a computer with better hardware equipment is available or the data processing algorithm can be further improved.

Comparison with State-of-the-art Authentication System. To be fair, we compared the Hu-Fu authentication scheme with other authentication systems in the same experimental environment. As shown in

Table 2. Comparison with the performance of different authentication systems.

	Ours	HuFu [8]	Mehndit [10]	VAuth [11]	Cardiac [12]
Cost	Low	Normal	Low	Higher	Higher
Anti-interference	Normal	Normal	poor	Normal	poor
User Friendly	good	Normal	poor	Normal	good
Accuracy over Time	Normal	Normal	poor	good	Normal
Security Performance	good	Normal	Limited	Normal	Normal
Applicability	good	Limited	Normal	Limited	Limited
Mean Accuracy	93.8%	92.6%	90.6%	89.2%	91.2%

, in the Hu-Fu [8] authentication scheme, if the authentication tag is stolen by an attacker, the attacker can pass authentication without hindrance; in the RF-Mehndi [10] scheme, although the personal card is also resistant to counterfeiting by an attacker if it is lost or stolen, the need to recreate the user card and the collection of information can still cause problems for the user. Continuous authentication schemes such as VAuth [11] and Cardiac Scan [12], on the other hand, most require the use of specialized sensors, which have significant limitations in terms of cost overhead and applicability.

5.3. Discussion

We have extended the previous authentication method to incorporate the user’s physiological and behavioral characteristics, allowing the user to simply touch a specified sequence of tags in sequence without using a password, where the user’s touch habits and rhythm constitute their behavioral characteristics. We have improved the anomaly detection and feature extraction algorithms to more accurately find the start and end points of the action to extract accurate user touch times and improve the accuracy of the system. More experiments are needed for the selection of the classification model, and it is desirable to design an adaptive classifier model to improve the robustness of the system. Experimental results show that the proposed scheme incorporates the physiological and behavioral characteristics of the user and can identify different users with a high degree of accuracy.

6. Conclusions

We propose RF-Ubia, a low-cost user authentication system that utilizes commodity low-cost RFID devices to authenticate based on the user’s biometric characteristics. In this work, we take into account different population groups where users can authenticate with or without passwords. We also improve the traditional sliding window anomaly detection algorithm to obtain a more accurate user touch time and compute information about the user’s behavioral characteristics. We use the Random Forest classifier in Weka to identify and classify user identities, and extensive experiments show that the proposed system requires only a little training to reliably perform user authentication and detect attackers under random and mimic attacks. Comprehensive experiments have confirmed the high security and practicality of RF-Ubia, with an average accuracy rate of 94% for both authentication methods. RF-Ubia also leaves room for further research, including exploring more potential user behavior and extending more experiments to enhance authentication performance.