Walking gait

A person's gait, or the motions of his feet and body as he walks, could be used as a very reliable authentication method for offline security systems.

Technology to implement such an authentication system is currently being developed by the Data61 team of the Commonwealth Scientific and Industrial Research Organisation (CSIRO), an agency of the Australian government.

This technology uses accelerometers to capture the way a person moves, in terms of motion and velocity.

New technology deals with short battery life

Other researchers have developed similar gait-based authentication methods since as early as 2004 [1, 2, 3], but they all had one main disadvantage. This was power consumption, which reduced an authentication device's lifetime.

CSIRO's research focused on combining previous gait-based biometrics with a new technique called kinetic energy harvesting (KEH).

This KEH system translates a person’s motion into electrical energy and improves battery life for the authentication device/sensor users need to wear on their body.

Gait-KEH system achieves 95% accuracy

Researchers say that tests of this new Gait-KEH system achieved 95% authentication accuracy and reduced power consumption by 78%.

A trial on 20 users showed the system's accuracy for both indoor and outdoor environments, such as carpet, asphalt, or grass. Furthermore, when users were asked to mimic another person's walk — called an impostor attack — the system detected 87% of impostors.

There are tangible benefits to using gait-based systems for authentication. For starters, the system adapts and learns in a continuous loop.

If a person changes the way he walks over a long period of time, the system can detect these changes and incorporate them into its authentication system.

Second, as the system's accuracy improves, it will be harder to break. Biometrics solutions such as iris scans, fingerprint or facial recognition can be defeated, sometimes via tricks as simple as flashing an image in front of a sensor. Due to the amount of data a gait-based system collects, and the fine motions of someone's walk, such systems would be harder to trick or hack.

Gait systems are perfect for continuous user authentication models

Researchers argue the system could be used right now as a way to authenticate patients who receive certain benefits in the healthcare sector.

As the system evolves, the Gait-KEH system could spread to other domains, such as defense, finances, and others. Sensors could be placed inside badges and continuously authenticate employees as they move around the company's facilities.

This feature of continuous authentication is something that cannot be covered by facial recognition scanners due to blind spots in coverage or objects covering a person's face.

An intruder may trick a gait-based system over a short distance, but his natural walk would eventually give him away.

Biometrics should never be used as the sole authentication method

Nonetheless, the same general theory should be applied with Gait-KEH as with other biometrics systems. Gait-KEH should never be deployed as a standalone authentication measure but used in conjunction with other biometrics systems, and/or classic authentication methods such as passwords or PINs.

"While [biometrics] are all convenient means of authentication they should not be the sole means of validating who the user is," Don Duncan, Security Engineer for NuData Security told Bleeping Computer via email. "With physical biometrics, this should be complemented with other levels of authentication and not the sole mechanism for validation."

More details about CSIRO's research can be found in a paper entitled "KEH-Gait: Towards a Mobile Healthcare User Authentication System by Kinetic Energy Harvesting".

In previous research, another team of scientists tested a gait-based authentication system that relied on sensors embedded into floors rather than worn by human subjects.
