PPG as a Bridge: Cross-Device Authentication for Smart Wearables with Photoplethysmography

As smart wearable devices become increasingly powerful and pervasive, protecting user privacy on these devices has emerged as a critical challenge. While existing authentication mechanisms are available for interaction-rich devices such as smartwatches, enabling on-device authentication (ODA) on interaction-limited wearables including rings, earphones, glasses, and wristbands remains difficult. Moreover, as users increasingly own multiple smart devices, relying on device-specific authentication methods becomes redundant and burdensome. To address these challenges, we present PPGTransID, a ubiquitous and unobtrusive cross-device authentication (CDA) approach that leverages the real-time physiological consistency of photoplethysmography (PPG) signals across the human body. PPGTransID utilizes widely available PPG sensors on wearable devices to capture users’ physiological signals and compares them with remote PPG (rPPG) signals extracted from a smartphone camera, where robust face-based authentication is already established. In doing so, PPGTransID securely transfers the reliable authentication status of the smartphone to nearby wearable devices without requiring additional user interaction. An evaluation with 33 participants shows that PPGTransID achieves a balanced accuracy of 95.5 percent and generalizes across multiple wearable form factors. Robustness experiments with 10 participants demonstrate resilience to variations in lighting, camera placement, and user behavior, while a real-time usability study with 14 participants confirms reliable performance with minimal interaction burden.

💡 Research Summary

The paper introduces PPGTransID, a cross‑device authentication (CDA) framework that leverages the physiological consistency of photoplethysmography (PPG) signals measured simultaneously on a smartphone and on co‑worn smart wearables. When a user unlocks the phone with an existing facial authentication method (e.g., FaceID), the front‑facing camera continues to record a short facial video. From this video, a remote PPG (rPPG) waveform is extracted using state‑of‑the‑art algorithms (TN‑rPPG, ME‑rPPG). At the same time, the wearable’s built‑in optical PPG sensor records a local blood‑volume pulse. After synchronized preprocessing (band‑pass filtering, normalization, time alignment), the two waveforms are compared using correlation and Dynamic Time Warping (DTW) to produce a similarity score. An XGBoost binary classifier, trained on these scores, decides whether the wearable is being worn by the same authenticated user. The model is lightweight (0.46 M parameters) and runs in roughly 9 ms, enabling real‑time operation on the phone or an edge server.

The authors evaluated the system across four wearable form factors—smart band, smart glasses, smart ring, and commercial earphones—using 33 participants. Overall balanced accuracy (BAC) reached 95.5 % without any per‑device enrollment or calibration. Robustness tests with 10 participants showed that variations in ambient lighting (100–800 lx), camera placement (fixed, handheld, angled), and user motion (static, scrolling, head movement) caused less than 2 % degradation in accuracy. Security experiments simulated replay attacks, signal forgery, and cross‑user signal mixing; the system maintained >93 % BAC, demonstrating strong resistance to typical CDA threats.

A real‑time usability study with 14 participants compared two scenarios: (1) baseline authentication immediately after phone unlock, and (2) authentication while the user was scrolling on the phone. Both scenarios yielded BACs above 96 %, and 85 % of participants reported that the process was unobtrusive and did not interfere with normal device use.

Key contributions include: (1) a novel, unobtrusive CDA method that uses physiological rather than proximity or motion cues, (2) extensive multi‑form‑factor evaluation showing high accuracy and generalization, (3) thorough security analysis against defined attack models, and (4) a practical implementation on consumer hardware (iPhone 15 and a laptop) with favorable user experience.

Limitations are acknowledged: the approach requires wearables equipped with optical PPG sensors, needs a minimum signal window of about 5–6 seconds (which may introduce latency for very brief interactions), and may suffer reduced signal‑to‑noise ratio in low‑variability heart‑rate states (e.g., deep rest). Future work is suggested to explore ultra‑low‑power compression for transmission, multimodal fusion with ECG or acoustic cues, and continuous, asynchronous authentication mechanisms to further reduce latency and broaden applicability.

In summary, PPGTransID demonstrates that real‑time PPG consistency between a trusted token device (smartphone) and peripheral wearables can securely transfer authentication status without extra user interaction, offering a scalable solution for secure, user‑friendly access control across the growing ecosystem of smart wearables.