By focusing on immersive interaction among users, the burgeoning Metaverse can be viewed as a natural extension of existing social media. Similar to traditional online social networks, there are numerous security and privacy issues in the Metaverse (e.g., attacks on user authentication and impersonation). In this paper, we develop a holistic research agenda for zero-trust user authentication in social virtual reality (VR), an early prototype of the Metaverse. Our proposed research includes four concrete steps: investigating biometrics-based authentication that is suitable for continuously authenticating VR users, leveraging federated learning (FL) for protecting user privacy in biometric data, improving the accuracy of continuous VR authentication with multimodal data, and boosting the usability of zero-trust security with adaptive VR authentication. Our preliminary study demonstrates that conventional FL algorithms are not well suited for biometrics-based authentication of VR users, leading to an accuracy of less than 10%. We discuss the root cause of this problem, the associated open challenges, and several future directions for realizing our research vision.