Assentication: User Deauthentication and Lunchtime Attack Mitigation with Seated Posture Biometric
Biometric techniques are often used as an extra security factor in authenticating human users. Numerous biometrics have been proposed and evaluated, each with its own set of benefits and pitfalls. Static biometrics (such as fingerprints) are geared for discrete operation, to identify users, which typically involves some user burden. Meanwhile, behavioral biometrics (such as keystroke dynamics) are well suited for continuous, and sometimes more unobtrusive, operation. One important application domain for biometrics is deauthentication, a means of quickly detecting absence of a previously authenticated user and immediately terminating that user’s active secure sessions. Deauthentication is crucial for mitigating so-called Lunchtime Attacks, whereby an insider adversary takes over (before any inactivity timeout kicks in) authenticated state of a careless user who walks away from her computer. Motivated primarily by the need for an unobtrusive and continuous biometric to support effective deauthentication, we introduce PoPa, a new hybrid biometric based on a human user’s seated posture pattern. PoPa captures a unique combination of physiological and behavioral traits. We describe a low-cost, fully functioning prototype that involves an office chair instrumented with 16 tiny pressure sensors. We also explore (via user experiments) how PoPa can be used in a typical workplace to provide continuous authentication (and deauthentication) of users. We experimentally assess viability of PoPa in terms of uniqueness by collecting and evaluating posture patterns of a cohort of users. Results show that PoPa exhibits very low false-positive, and even lower false-negative, rates. In particular, users can be identified with, on average, 91.0% accuracy. Finally, we compare pros and cons of PoPa with those of several prominent biometric-based deauthentication techniques.
💡 Research Summary
The paper introduces PoPa (Posterior Posture Authentication), a novel continuous authentication and de‑authentication mechanism designed to mitigate “Lunchtime Attacks” – scenarios where an insider takes over an unattended but still‑logged‑in workstation. Traditional static biometrics (fingerprints, iris) are only useful at login time, while many behavioral biometrics (keystroke dynamics, gait, gaze tracking) either require user interaction, suffer from privacy concerns, or fail when the user is idle. PoPa addresses these gaps by exploiting the unique pressure pattern generated when a person sits in a typical office chair.
System Design
A commodity office chair is instrumented with sixteen ultra‑thin flexible pressure sensors (eight on the seat, eight on the backrest). Sensors sample at roughly 10 Hz and transmit raw pressure maps to a local processing unit. After noise filtering and normalization, twelve statistical features are extracted (e.g., pressure centroid, max/min pressure, variance, temporal change rate). These feature vectors feed a machine‑learning classifier; the authors evaluate Support Vector Machines, k‑Nearest Neighbors, and Random Forests, finding Random Forest to achieve the best performance (≈91 % identification accuracy, ≤2 % Equal Error Rate).
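A sketch of the pipeline described above, added here as an example and not taken from the paper or its prototype: windows of 16-sensor frames are reduced to centroid, max, variance and change-rate features, and the session is terminated after several consecutive windows that are empty or do not match the enrolled user. It swaps the Random Forest for a simple distance-to-template check; the 2x4 sensor grids, the thresholds, the window size and all readings are constructed assumptions.

```python
import math
import random
import statistics

# Assumed layout (not from the paper): 0-7 seat, 8-15 backrest, each a 2x4 grid.
GRID = [(r, c) for r in range(2) for c in range(4)]
EMPTY_FLOOR = 20.0  # assumed total pressure below which nobody is seated
OWNER = [30, 40, 40, 30, 20, 25, 25, 20, 10, 15, 15, 10, 5, 5, 5, 5]  # constructed
OTHER = [45, 30, 20, 15, 35, 25, 15, 10, 2, 3, 3, 2, 12, 14, 14, 12]  # constructed

def features(window):
    """Feature vector for a window (>= 2 frames of 16 values); None if empty."""
    mean = [statistics.fmean(f[i] for f in window) for i in range(16)]
    total = sum(mean)
    if total < EMPTY_FLOOR:
        return None
    deltas = [sum(abs(a - b) for a, b in zip(f, g)) for f, g in zip(window, window[1:])]
    feats = [statistics.fmean(deltas) / total]           # temporal change rate
    for part in (mean[:8], mean[8:]):                     # seat, then backrest
        load = sum(part) or 1.0                           # unloaded part: centroid 0
        feats += [sum(part) / total,                      # share of body weight
                  sum(p * c for p, (_, c) in zip(part, GRID)) / load,  # centroid x
                  sum(p * r for p, (r, _) in zip(part, GRID)) / load,  # centroid y
                  max(part) / total,
                  statistics.pvariance(part) / total ** 2]
    return feats

def monitor(frames, template, window=10, threshold=0.15, strikes=3):
    """Return the frame index at which the session is terminated, else None."""
    misses = 0
    for end in range(window, len(frames) + 1, window):
        f = features(frames[end - window:end])
        match = f is not None and math.dist(f, template) <= threshold
        misses = 0 if match else misses + 1   # one odd window does not lock out
        if misses >= strikes:
            return end                        # caller locks the session here
    return None

def sample(base, n, rng):  # constructed readings: fixed pattern, +/-1 noise
    return [[max(0.0, b + rng.uniform(-1, 1)) for b in base] for _ in range(n)]

def demo():
    rng = random.Random(7)
    template = features(sample(OWNER, 50, rng))           # enrolment
    runs = (sample(OWNER, 100, rng),                                   # stays seated
            sample(OWNER, 40, rng) + sample([0] * 16, 60, rng),        # walks away
            sample(OWNER, 60, rng) + sample(OTHER, 60, rng))           # someone else sits
    return [monitor(r, template) for r in runs]
```

At the roughly 10 Hz sampling rate mentioned above, the assumed `window=10` and `strikes=3` lock the session about three seconds after the enrolled user leaves or is replaced.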
Data Collection & Evaluation
Thirty participants contributed data over five consecutive days, each day providing two hours of normal office activity (document editing, web browsing, video calls, etc.). The dataset was split into per‑user training and testing sets, enabling assessment of two key properties: uniqueness (the ability to distinguish different users) and permanence (stability over time). Results show an average true‑positive rate of 91 % for correctly recognizing the same user, with false‑positive rates below 3 %. When the same users were re‑recorded after one week, accuracy remained above 88 %, indicating that posture patterns are sufficiently stable for practical deployment.
Security Analysis
Three attack models are considered: (1) an adversary sits in the same chair and attempts to mimic the victim’s posture; (2) the chair is moved or swapped, altering sensor geometry; (3) an attacker intercepts and forges sensor data. Because pressure distributions contain fine‑grained spatial differences and evolve continuously, PoPa can detect anomalies within 5 seconds, triggering immediate de‑authentication. The system also incorporates missing‑value imputation and outlier detection to handle sensor faults or environmental vibrations.
Comparison with Existing Techniques
The authors benchmark PoPa against six representative continuous authentication approaches: facial recognition, eye‑gaze tracking, keystroke dynamics, wearable accelerometer (ZEBRA), ECG/EEG‑based methods, and the non‑biometric FADEWICH system that uses wireless signal attenuation. PoPa scores favorably on several dimensions:
- Privacy: No camera or audio data is captured.
- User Burden: Completely transparent; no extra device or explicit action required.
- Cost: Approx. USD 30 for the sensor array, far cheaper than high‑resolution cameras or multi‑modal biometric rigs.
- Accuracy & Latency: 91 % identification, de‑authentication within 2–4 seconds, comparable or superior to the alternatives.
Limitations are acknowledged: the solution assumes a relatively fixed chair; shared‑chair environments require secure provisioning of sensor data; and any major chair replacement would necessitate re‑enrollment.
Future Work
Planned extensions include (a) sensor count optimization to further reduce hardware cost, (b) multimodal fusion of pressure with seat vibration or temperature for higher robustness, (c) privacy‑preserving model updates using differential privacy, and (d) large‑scale pilot deployments in corporate settings to evaluate user acceptance and operational overhead.
Conclusion
PoPa demonstrates that seated‑posture pressure is a viable, low‑cost, non‑intrusive biometric for continuous authentication. By providing real‑time presence verification without compromising privacy or requiring user effort, it offers a practical defense against Lunchtime Attacks in office environments, filling a notable gap left by existing static and behavioral biometric solutions.