RF-Rhythm: Secure and Usable Two-Factor RFID Authentication

Jiawei Li∗, Chuyu Wang†, Ang Li∗, Dianqi Han∗, Yan Zhang∗, Jinhang Zuo‡, Rui Zhang§, Lei Xie†, Yanchao Zhang∗
∗ Arizona State University, † Nanjing University, ‡ Carnegie Mellon University, § University of Delaware
{jwli, anglee, dqhan, yanzhangyz, yczhang}@asu.edu, wangcyu217@gmail.com, jzuo@andrew.cmu.edu, ruizhang@udel.edu, lxie@nju.edu.cn

Abstract—Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user's tapping rhythm.
In addition to verifying the RFID card's identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user's secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.

I. INTRODUCTION

Passive (battery-less) RFID technology has been widely used in user authentication and access control. An RFID system consists of a backend server, RFID readers, and RFID cards (tags). An RFID reader sends wireless signals to interrogate a nearby RFID card, which returns its identification information by backscattering the reader's signals. The RFID reader then forwards the received information to the backend server for comparison with the stored information. If a match is found, the RFID user passes authentication and is permitted to access critical resources or enter a protected area such as a business building, parking garage, car, or even home.

Lost/stolen/cloned RFID cards pose the most critical threat to RFID authentication systems. In particular, RFID cards are often of small size and can be easily lost or stolen; they can also be cloned with many cheap existing tools. Since RFID cards are not password-protected, the adversary can use a lost/stolen/cloned RFID card to pass authentication and impersonate the legitimate user. An effective countermeasure can be two-factor authentication which requires the RFID user to present the second piece of identification information.
One such solution requires the RFID user to additionally input a PIN code on a keypad [1]. It not only diminishes the convenience of contactless RFID authentication but also requires a nontrivial infrastructure update to existing RFID systems. Another plausible solution is exploring commercial mobile 2FA solutions such as Duo Mobile [2], which require the RFID user to manually acknowledge an authentication request on his/her enrolled smartphone. This solution needs the RFID user to own and always carry a smartphone with good network connectivity, which may not be feasible in practice.

We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user's rhythm. In addition to verifying the RFID card's identification information as usual, the backend server compares the recovered rhythm with what it acquires in the user enrollment phase. The user passes authentication only if both verifications succeed.

The security, usability, and feasibility of RF-Rhythm lie in many aspects. First, a user can easily select a secret yet familiar song segment which is very difficult for others to guess. Second, different users may interpret the same song segment in various ways, resulting in diverse rhythmic tap patterns on the card. This means that even if the adversary knows the secret song segment, it may still have great difficulty performing the correct tapping rhythm on the RFID card. Third, RF-Rhythm is naturally resilient to traditional replay and relay attacks on RFID authentication systems.
Fourth, the phase information of backscattered signals is readily available on commercial RFID readers, so RF-Rhythm only needs a minor software update to the RFID reader and backend system. Finally, RF-Rhythm applies to COTS RFID cards and does not need the user to carry any other device.

Although rhythm-based authentication has been proposed for smartphones [3] and smartwatches [4], we are the first to explore it in RFID systems and face two unique challenges. The first challenge is rhythm detection and classification, i.e., how to detect and verify the tapping rhythm from noisy RFID signals. In previous work [3], [4], rhythmic taps are directly performed on mobile devices and are fairly easy to detect from inertial sensors. In contrast, rhythmic taps in RF-Rhythm are performed on the RFID card and have to
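The following is an added illustrative model of the two-factor decision described above, not the paper's own detection algorithm or code: a constructed backscatter phase trace in which each finger tap steps the phase, tap onsets recovered from the phase jumps, and the resulting inter-tap rhythm compared against the enrolled template. The sampling rate, phase-jump size, thresholds and tap times are all assumptions.

```python
import random

SAMPLE_RATE_HZ = 100        # assumption: 100 phase samples per second
TAP_PHASE_JUMP_RAD = 0.8    # assumption: phase shift a finger on the card induces
TAP_HOLD_SAMPLES = 10       # assumption: a tap holds the shift for ~100 ms
JUMP_THRESHOLD_RAD = 0.4    # assumption: minimum sample-to-sample rise counted as a tap
RHYTHM_TOLERANCE = 0.05     # assumption: allowed deviation per normalised interval

def synth_phase_trace(tap_times_s, duration_s, noise_rad=0.05, seed=1):
    """Constructed backscatter phase trace: a constant baseline phase, stepped
    up by TAP_PHASE_JUMP_RAD while a finger rests on the card, plus Gaussian noise."""
    rng = random.Random(seed)
    starts = [round(t * SAMPLE_RATE_HZ) for t in tap_times_s]
    trace = []
    for i in range(int(duration_s * SAMPLE_RATE_HZ)):
        tapped = any(0 <= i - s < TAP_HOLD_SAMPLES for s in starts)
        trace.append(1.0 + (TAP_PHASE_JUMP_RAD if tapped else 0.0) + rng.gauss(0.0, noise_rad))
    return trace

def detect_tap_onsets(trace):
    """A tap onset is a sample whose phase rises by more than JUMP_THRESHOLD_RAD
    over the previous sample; the falling edge when the finger lifts is ignored."""
    return [i / SAMPLE_RATE_HZ for i in range(1, len(trace))
            if trace[i] - trace[i - 1] > JUMP_THRESHOLD_RAD]

def rhythm_vector(onsets_s):
    """Inter-tap intervals normalised by their sum, so the same melody tapped a
    little faster or slower yields the same vector."""
    gaps = [b - a for a, b in zip(onsets_s, onsets_s[1:])]
    total = sum(gaps)
    return [g / total for g in gaps] if total > 0 else []

def rhythm_matches(candidate, enrolled):
    return (len(candidate) == len(enrolled) and
            all(abs(c - e) <= RHYTHM_TOLERANCE for c, e in zip(candidate, enrolled)))

def authenticate(card_id_matches, phase_trace, enrolled_rhythm):
    """Two-factor decision: the card's identification must match the stored record
    AND the rhythm recovered from the phase trace must match the enrolled one."""
    recovered = rhythm_vector(detect_tap_onsets(phase_trace))
    return card_id_matches and rhythm_matches(recovered, enrolled_rhythm)

# Constructed enrollment: five taps, pattern short-short-long-long (seconds).
ENROLLED_TAP_TIMES_S = [0.5, 0.8, 1.1, 1.7, 2.3]
ENROLLED_RHYTHM = rhythm_vector(ENROLLED_TAP_TIMES_S)
if __name__ == "__main__":
    genuine = synth_phase_trace(ENROLLED_TAP_TIMES_S, 3.0, seed=7)
    evenly_spaced = synth_phase_trace([0.5, 1.0, 1.5, 2.0, 2.5], 3.0, seed=7)
    print("genuine card + correct rhythm:", authenticate(True, genuine, ENROLLED_RHYTHM))
    print("cloned card id ok, wrong rhythm:", authenticate(True, evenly_spaced, ENROLLED_RHYTHM))
```

Because the rhythm vector is tempo-normalised, the same short-short-long-long pattern tapped faster still matches, while a cloned card presented with a different tap pattern fails the second factor even though its identification check passes.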