Theft-resilient mobile wallets: transparently authenticating NFC users with tapping gesture biometrics

The deployment of NFC technology on mobile phones is gaining momentum, enabling many important applications such as NFC payments, access control for building or public transit ticketing. However, (NFC) phones are prone to loss or theft, which allows the attacker with physical access to the phone to fully compromise the functionality provided by the NFC applications. Authenticating a user of an NFC phone using PINs or passwords provides only a weak level of security, and undermines the efficiency and convenience that NFC applications are supposed to provide. In this paper, we devise a novel gesture-centric NFC bio-metric authentication mechanism that is fully transparent to the user. Simply "tapping" the phone with the NFC reader - a natural gesture already performed by the user prior to making the NFC transaction - would unlock the NFC functionality. An unauthorized user cannot unlock the NFC functionality because tapping serves as a "hard-to-mimic" biometric gesture unique to each user. We show how the NFC tapping biometrics can be extracted in a highly robust manner using multiple - motion, position and ambient - phone's sensors and machine learning classifiers. The use of multiple sensors not only improves the authentication accuracy but also makes active attacks harder since multiple sensor events need to be mimicked simultaneously. Our work significantly enhances the security of NFC transactions without adding any extra burden on the users.