Recent years have witnessed the fast penetration of Virtual Reality (VR) and Augmented Reality (AR) systems into our daily life, and the security and privacy issues of VR/AR applications have been attracting considerable attention. Most VR/AR systems adopt head-mounted devices (i.e., smart headsets) to interact with users, and the devices usually store the users' private data. Hence, authentication schemes are desired for head-mounted devices. Traditional knowledge-based authentication schemes for general personal devices have been proved vulnerable to shoulder-surfing attacks, especially considering that the headsets may block the sight of the users. Although the robustness of knowledge-based authentication can be improved by designing complicated secret codes in virtual space, this approach induces a compromise of usability. Another choice is to leverage the users' biometrics; however, it either relies on highly advanced equipment which may not always be available in commercial headsets or introduces heavy cognitive load to users. In this paper, we propose a vibration-based authentication scheme, VibHead, for smart headsets. Since the propagation of vibration signals through human heads presents unique patterns for different individuals, VibHead employs a CNN-based model to classify registered legitimate users based on the features extracted from the vibration signals. We also design a two-step authentication scheme where the above user classifiers are utilized to distinguish the legitimate user from illegitimate ones. We implement VibHead on a Microsoft HoloLens equipped with a linear motor and an IMU sensor, which are commonly used in off-the-shelf personal smart devices. According to the results of our extensive experiments, with short vibration signals ($\leq 1$ s), VibHead has an outstanding authentication accuracy; both FAR and FRR are around 5%.