SwipePass

Pattern lock-based authentication has been widely adopted in modern smartphones. However, this scheme relies essentially on passwords, making it vulnerable to various side-channel attacks such as the smudge attack and the shoulder-surfing attack. In this paper, we propose a second-factor authentication system named SwipePass, which authenticates a smartphone user by examining the distinct physiological and behavioral characteristics embedded in the user's pattern lock process. By emitting and receiving modulated audio using the built-in modules of the smartphone, SwipePass can sense the entire unlocking process and extract discriminative features to authenticate the user from the signal variations associated with hand dynamics. Moreover, to alleviate the burden of data collection in the user enrollment phase, we conduct an in-depth analysis of users' behaviors under different conditions and propose two augmentation techniques to significantly improve identification accuracy even when only a few training samples are available. Finally, we design a robust authentication model based on CNN-LSTM and One-Class SVM for user identification and spoofer detection. We implement SwipePass on three off-the-shelf smartphones and conduct extensive evaluations in different real-world scenarios. Experiments involving 36 participants show that SwipePass achieves an average identification accuracy of 96.8% while maintaining a false accept rate below 0.45% against various attacks.