Editor: Roy Want n n [email protected]

Personal Touch- Identification Tokens

Tam Vu and Marco Gruteser

Editor’s Intro pervasive devices. Capacitive touch sensors have emerged as a dominant One of the goals of pervasive computing is the automatic personalization of com- user interface technology for mobile puter infrastructure to create a customized user experience that’s better suited to and pervasive devices. Touch sensors the task at hand. The ideas presented in this article are a significant step toward reside in hundreds of millions of smart- that goal. The authors provide a convenient and accurate mechanism to convey a unique identifier using no more than a signet ring pressed against the capacitive phones and tablets as well as in ATM touchscreen of a computer. It brings to mind the “secret decoder ring” used by the machines, car dashboard displays, and fictional character, Dick Tracy—but this time it’s for real. — Roy Want even home appliances such as televi- sions, microwaves, and refrigerators. Given that touch is the predominant n this emerging era of pervasive com- users and serve age-appropriate con- way of navigating and interacting with I puting, we interact with and rapidly tent and media. Our approach is to use today’s computer-embedded devices, switch among a diverse set of digital a wearable personal token to commu- our approach seeks to identify who devices. We tend to transition from a nicate an identification code through touches a device, which can be more to a notebook when arriving touch. accurate (or secure) than user-proximity in the office, and when we return home, sensing with short-range radios such as we often switch to a tablet. In between, User Identification Bluetooth or NFC. When there are sev- we might use large wall-mounted dis- Challenges eral potential users near a device, one plays, car navigation systems, self- Current user-identification techniques of the most meaningful ways to identify checkout kiosks at retail stores, and are often based on logins and PIN who’s really interacting with the device home security or smart home controls. codes or passwords. The overhead of is to identify who is touching it. Many of these devices—even if only used logging in was more acceptable when in the home—have multiple users. Over we used to sit down for long sessions A Touch-Identification the next decade, this range of devices will of work in front of a PC, but it now Token likely increase, and our time with any has become a nuisance—to the point We’ve explored how to design a wear- single device will grow shorter. where many users forgo any authentica- able personal token that exploits the We argue that it’s time for touch- tion on their mobile devices. Biometric pervasive capacitive touchscreen and based personal tokens that let devices techniques, such as fingerprint readers touchpad input devices as receivers for unobtrusively identify who is interact- or face recognition, are more resource an identification code or password. Our ing with the device at any given time. intensive and face their own usability current token is in the form of a ring, This would let devices tailor services to challenges. Fingerprint readers require but other devices, such as wristbands users and apply authentication to con- space on a device, add cost, and can be or watches, are also possible. The trol access to sensitive information and difficult to use in low-humidity envi- token transmits electrical signals when online services. Consider, for example, ronments. Face recognition has higher brought in contact with a device’s touch- that a child reportedly spent more than processing requirements and can be dif- screen or when the user’s finger touches $1,000 on in-app purchases while ficult in low-lighting conditions. the screen. In this latter case, the sig- playing games on his mother’s iPhone.1 Our goal has therefore been to find nal is transmitted through the human Devices that know their users could a less obtrusive way to identify users skin. The transmitted electrical signals limit such spending from unauthorized during their regular interactions with from the token essentially spoofs the

10 PERVASIVE computing Published by the IEEE CS n 1536-1268/13/$31.00 © 2013 IEEE

PC-12-02-Smartphones.indd 10 3/21/13 10:57 AM device’s touchscreen, mimicking the sig- 1 0110… nals from up and down movements of a Input bit sequence finger, while the finger (or token) itself remains stationary on the device.2 … Transmitter To understand this, consider how a (a hardware token) capacitive touchscreen works.3 It com- On-off keying modulation prises an array of conducting electrodes Electrical pulses behind a transparent insulating glass Channel layer, which form a capacitor with the (touch screen human finger when the user touches the hardware and firmware) screen. The finger is in turn capacitively coupled through the human body (and Artificial touch events sometimes through the ground) to the Receiver Threshold-based demodulation device’s case. A touch can therefore be (software decoder) detected by driving the electrodes with 1 0110 an AC signal to repeatedly charge and bit discharge the capacitor and measure Received bit sequence period the change in capacitance through the change in charge voltage. Where on Figure 1. Modeling the system as a classical communication system that includes a the electrode array this change occurs transmitter, communication channel, and receiver. reveals the location of the touch. Owing to the small capacitance events to receive the originally trans- the same input, generating different involved, a charge integration circuit mitted bit sequence). received bit patterns. For example, the might be necessary. When this change number of touch events registered when in voltage exceeds a certain threshold The transmitter generates elec- a one bit is sent after a long sequence of and meets several other filtering crite- trical pulses that are modulated to zeros is lower than that of a one bit that ria, the screen’s firmware reports the carry the input bit sequence using on- comes after a long sequence of ones. presence of a new touch event to the off keying modulation—that is, a one The variable delay between the trans- device’s operating system, which then bit is represented by turning on the elec- mission of a bit and its reception at the traverses up the software stack to the trical signal, and a zero bit is represented receiver makes it even more challenging application level. As our wearable hard- by switching that signal off. As a result, to demodulate it to retrieve the original ware token comes in contact with the the pattern of the sequence of touch bit sequence. screen, its own AC signal charges and events generated follows the original bit In addition, the channel adds an discharges the capacitor formed with sequence. These events thus can be used unknown delay between the receiver the screen’s electrodes, leading to repet- to reconstruct the originally transmit- and the transmitter due to the unknown itive but irregular touch events captured ted bit sequence on the receiver side— processing delay of the device, which by the touchscreen controller. otherwise unknown to the screen. The depends on the device’s workload. As Our system then exploits this ability software component, acting as the a result, traditional demodulation tech- to generate touch events through elec- receiver, counts the number of touch niques aren’t applicable. Instead, we trical signals to modulate these events events in each bit period to determine devised a two-step process to decode the and communicate a short identification which bit was transmitted. It receives a originally transmitted data: first calibra- code between the token and device. one bit if the number of events appear- tion, then correlation. During offline As Figure 1 shows, the system can be ing in that bit period is greater than a calibration, the software component viewed as a classical communication certain threshold; otherwise, it receives selects a threshold, which is used for bit system with a a zero bit. detection during the correlation phase. The offline calibration step computes • transmitter (a hardware token); Decoding Challenges the expected number of touch events • communication channel (the hard- Because touchscreens weren’t designed when a one bit or zero bit are transmit- ware and firmware of the device’s for communication purposes, and we ted. To determine this number, the step touchscreen, the software stack, and only had operating-system level access must be performed once per device, its operating system); and to the touchscreen hardware, this per data rate, during initialization. The • receiver (the software component approach posed several challenges. The hardware token repeatedly transmits a demodulating the sequence of touch touchscreen responded differently to bit sequence that’s known to the receiver.

April–june 2013 PERVASIVE computing 11

PC-12-02-Smartphones.indd 11 3/21/13 10:57 AM SmartPhones SmartPhones

Top view

Bottom view

Figure 2. A wearable battery-powered hardware token that transmits a short message from the ring to a touchscreen-enabled device.

Upon receiving a sequence of touch signals without the hardware token Further improvement in the transmis- events corresponding to that known bit directly contacting the screen. Note sion rate, reliability, and security would sequence, the receiver software synchro- that, in this case, contact times lon- result in immense opportunities to create nizes with the transmitter, then counts ger than a typical touch are required, a unified user identification and authen- the number of touch events in each one but such longer contact times can be tication scheme around personal tokens and zero bit to calculate the average expected during swiping motions. rather than passwords (see Figure 3). number of expected events in each. Our results showed that the detection Akin to SIM cards today, which are During the actual communication, rate increased with the duration of the identification tokens for devices in a cel- assuming all possible messages are swipe—at first sharply, from approxi- lular network, wearable tokens could known, the software decoder then mately 68 percent for 300 millisecond provide identification for people.4 Con- computes the correlation between the swipes to approximately 92 percent for ceptually, SIM cards were an adequate touch event sequence and all possible 500 ms swipes, but then it gradually solution for people accessing a network messages using the expected number approached 100 percent as the swipe through a single device. However, of events. The message that yields the duration increases to 1,400 ms. with access to diverse devices—such as highest correlation value is selected as Encouraged by the function genera- smartphones, laptops, tablets, and cars, the originally transmitted bit sequence. tor’s results, we prototyped a battery- which might be shared among multiple powered wearable token. This current users—it’s becoming more important Evaluation token achieved detection rates of 82 to understand which user is interacting Our initial performance evaluation to 90 percent when transmitting 2-to- with the device at any given time. shows that the communication chan- 5-bit long sequences at the data rate of In addition, with future shared data nel can deliver a short bit sequence at a 4–5 bits/s. As Figure 2 shows, the token, plans (shared across devices), data low data rate. We connected a function in a form of a wearable ring, consists usage from any device could be charged generator’s output—that is, modulated of a custom-built amplifier and a pro- to a user-specific (rather than device- electrical signals with bit sequences of grammable microcontroller with a flash specific) account. This type of billing different lengths and data rates—to memory for holding the bit sequence. model could be realized with our pro- an Android tablet’s touchscreen. The The overall detection rate could prob- posed techniques, using the signet ring receiver correctly retrieved the originally ably be improved through better circuit as a separate identification token—a transmitted 2-to-3-bit-long sequences design, ring surface engineering, and portable SIM-ring—worn by users. more than 99 percent of the time, with retransmission of the transmitted bit Beyond networking, the ring could a data rate of 4 bits per second. As sequence. also allow payment functions and the data rate or bit sequence’s length replace credit cards (becoming a credit increased, the detection rate gradually Applications ring). It could authenticate monetary decreased. Our work thus far demonstrates the fea- transactions on mobile phones and In another set of experiments in sibility of communicating short codes ATM machines and could even be used which the output of the function gen- from personal tokens to touch receiv- to access a smart home, unlocking the erator was connected to a human finger ers. This technique could be directly door for authorized access and load- swiping across touchscreen’s surface, applied to parental-control applica- ing user-specific preferences on certain we examined whether the receiver could tions, multiuser games, and weak devices, such as the entertainment sys- detect the presence of the electrical authentication for mobile devices. tem or home appliances.

12 PERVASIVE computing www.computer.org/pervasive

PC-12-02-Smartphones.indd 12 3/21/13 10:57 AM SmartPhones

ully realizing these applications will Top view F likely require further refinement of the touch communication techniques. Although communication is feasible, even with an off-the-shelf touchscreen system (albeit at very low bit rates), there Bottom view appears to be ample opportunity to Device increase data rates by gaining access to authentication lower-level measurements via the touch- Multiuser games Vehicular security screen microcontroller firmware. If trans- mission through the skin isn’t desired, other alternatives exist that have simpler design options and require less energy. One approach would be to vary the Further improvement in the transmis- effective capacitance between the ring sion rate, reliability, and security would and screen by inserting another capaci- Signet ring Parental control result in immense opportunities to create tor at this point, whose area or thickness Home security a unified user identification and authen- could be modulated. Using a larger form tication scheme around personal tokens factor ring with a surface that creates rather than passwords (see Figure 3). multiple contact points with the screen Akin to SIM cards today, which are (exploiting multitouch capabilities) identification tokens for devices in a cel- could further improve the data rate. lular network, wearable tokens could Integrating identification and authen- Payment credit ring provide identification for people.4 Con- tication functions into a wearable item, Medical security ceptually, SIM cards were an adequate such as a ring or wristband, should Portable SIM card solution for people accessing a network reduce the probability of losing the through a single device. However, device (compared to smartphones) and Figure 3. Potential capacitive-touch-communication applications. with access to diverse devices—such as thus reduce the security risks related to smartphones, laptops, tablets, and cars, unauthorized use. In applications with which might be shared among multiple higher security requirements (where Acknowledgment -password-proposal-one-ring- users—it’s becoming more important theft and loss still present a serious con- to-rule-them-all. to understand which user is interacting cern), these tokens could be one part in We thank Akash Baid, Simon Gao, Richard Howard, Janne Lindqvist, Predrag Spasojevic, Jeffrey Walling, 5. C. Cornelius et al., “Who Wears Me? with the device at any given time. a multifactor authentication system. Or Bioimpedance as a Passive Biometric,” In addition, with future shared data perhaps the ring could integrate bio- and Ivan Seskar for their contributions toward devel- Proc. 3rd USENIX Workshop on Health Security and Privacy, 2012. plans (shared across devices), data metric signature techniques5 with the oping personal touch tokens. usage from any device could be charged token, activating its transmission capa- 6. H. Melchior, M. Fisher, and F. Arams, References to a user-specific (rather than device- bility only when the token recognizes “Photodetectors for Optical Commu- nication Systems,” Proc. IEEE, vol. 58, specific) account. This type of billing the owner’s signature. 1. C. Foresman, “Apple Facing Class- no. 10, 1970, pp. 1466–1486. model could be realized with our pro- Furthermore, the current design could Action Lawsuit Over Kids’ In-App Pur- chases,” Ars Technica, 15 Apr. 2011; posed techniques, using the signet ring be enhanced with a feedback channel http://arstechnica.com/apple/2011/04/ as a separate identification token—a using a photodetector.6 The ring could apple-facing-class-action-lawsuit-over- Tam Vu is a PhD candi- portable SIM-ring—worn by users. receive information from the mobile kids-in-app-purchases. date at Rutgers University. Beyond networking, the ring could device through this visual channel, 2. T. Vu et al., “Distinguishing Users with Contact him at tamvu@cs. also allow payment functions and where the device encodes the informa- Capacitive Touch Communication,” Proc. rutgers.edu. replace credit cards (becoming a credit tion in the pixel intensities of the screen 18th Ann. Int’l Conf. Mobile Comput- ing and Networking (MobiCom 12), ring). It could authenticate monetary location where the token is touched. ACM, 2012, pp. 197–208. transactions on mobile phones and This would enable a challenge-response ATM machines and could even be used protocol, which could greatly enhance 3. W. Westerman and J.G. Elias, Capaci- Marco Gruteser is an asso- tive Sensing Arrangement, US patent to access a smart home, unlocking the the security of an authentication system. 2006/0232,567,2006. ciate professor in the Wireless door for authorized access and load- Such improvements should enable Information Network Labo- ing user-specific preferences on certain these tokens to become a pervasive user 4. C. Newton, “Google’s Password Pro- ratory (Winlab) at Rutgers posal: One Ring to Rule Them All,” devices, such as the entertainment sys- identification technology that replaces Cnet News, 18 Jan. 2013; http://news. University. Contact him at tem or home appliances. cumbersome logins with a simple touch. cnet.com/8301-1023_3-57564788-93/ [email protected].

April–june 2013 PERVASIVE computing 13

PC-12-02-Smartphones.indd 13 3/21/13 10:57 AM