Unsure How to Authenticate on Your VR Headset?: Come on, Use Your Head!

Abstract

For security-sensitive Virtual Reality (VR) applications that require the end-user to enter authenticatioan credentials within the virtual space, a VR user's inability to see (potentially malicious entities in) the physical world can be discomforting, and in the worst case could potentially expose the VR user to visual attacks. In this paper, we show that the head, hand and (or) body movement patterns exhibited by a user freely interacting with a VR application contain user-specific information that can be leveraged for user authentication. For security-sensitive VR applications, we argue that such functionality can be used as an added layer of security that minimizes the need for entering the PIN. Based on a dataset of 23 users who interacted with our VR application for two sessions over a period of one month, we obtained mean equal error rates as low as 7% when we authenticated users based on their head and body movement patterns.