Your head movement could secure your VR headset, Miami researcher says
Miami computer engineer’s research redefines how we think about identity and security in immersive environments
•
Published
Seated: student Ian Dewey and professor Xianglong Feng. Standing: students Zhaowen Chen, Camden Amata, Evan Patterson. The team tests a VR headset.
Your head movement could secure your VR headset, Miami researcher says
Miami computer engineer’s research redefines how we think about identity and security in immersive environments
•
Published
A Miami University researcher is developing a new way to secure virtual and augmented reality (XR) devices by tracking how users naturally move their head and eyes – patterns that are unique to each person and impossible to fake. This research addresses critical vulnerabilities in current authentication methods with a solution that is low cost, easy to implement, proactive, and hard to mimic. For fields that handle private or sensitive data – healthcare, education, corporate training, manufacturing, defense, and entertainment – improved security measures are invaluable.
Xianglong Feng, assistant professor of Computer Science and Software Engineering, said current security methods like passwords and two-factor authentication only verify identity at login. “Once the device is unlocked, anyone who picks it up can access private content,” Feng said.
XR refers to virtual reality (VR), augmented reality (AR), and mixed reality (MR) technology used to create immersive and interactive experiences for users. XR headsets collect extensive personal data, including bioinformation, location, and other sensitive content. In cases of emergencies or brief absences, users might leave a headset somewhere without logging out, leaving user data susceptible to unauthorized access and misuse. Feng’s technology could help lessen that risk.
“With XR devices becoming part of daily life and collecting sensitive personal data, it became clear that traditional password or even biometric logins like fingerprints are not enough,” Feng said. “I wanted to design a smarter, continuous, and low-cost security layer that adapts to the user naturally and unobtrusively.”
Feng recently received a nearly $200,000 grant from the National Science Foundation to support this research.
Feng’s research focuses on creating personalized authentication to continuously verify the user’s identity based on their natural behaviors, referred to by Feng as “unnoticeable user behavior.” These are the subtle, unconscious ways people move when using XR devices, like how someone’s head turns to look at something or how their eyes scan through content. This allows the algorithms to recognize the individual user and spot when a different person tries to use the device.
Feng said the project developed from his earlier work predicting user viewing behavior in VR environments using machine learning. Feng realized the same behavioral data, like head movement patterns and viewing preferences, could be used not just for improving user experience but also for enhancing security.
Unlike traditional security measures that require advanced hardware at an additional cost and don’t provide long-lasting security post-login, Feng’s personalized authentication method will rely on data already collected from XR headsets’ built-in sensors, such as how users move and position their heads. Only some additional software will be needed. This makes it a more cost-effective solution and compatible with most existing XR platforms for a secure post-login. The security will also be adaptive and continuous, making it much harder for sensitive information – confidential data, classified documents, proprietary content, and age-restricted content – to be accessed by outside users.
Feng’s team is designing the computer programs for this method and conducting real-world testing using public XR datasets, as well as data collected from Miami students through their Engineering capstone projects.
“This research redefines how we think about identity and security in immersive environments,” Feng said.
This new method will provide continuous, low-cost protection without interrupting a user’s experience while also working with existing hardware already present in most XR systems. “Beyond security, this work also lays the foundation for our future research, where AI-driven behavioral analysis could be applied to health monitoring and other forms of biometric sensing in everyday life,” Feng said.
Xianglong Feng, assistant professor of Computer Science and Software Engineering, said current security methods like passwords and two-factor authentication only verify identity at login. “Once the device is unlocked, anyone who picks it up can access private content,” Feng said.
XR refers to virtual reality (VR), augmented reality (AR), and mixed reality (MR) technology used to create immersive and interactive experiences for users. XR headsets collect extensive personal data, including bioinformation, location, and other sensitive content. In cases of emergencies or brief absences, users might leave a headset somewhere without logging out, leaving user data susceptible to unauthorized access and misuse. Feng’s technology could help lessen that risk.
“With XR devices becoming part of daily life and collecting sensitive personal data, it became clear that traditional password or even biometric logins like fingerprints are not enough,” Feng said. “I wanted to design a smarter, continuous, and low-cost security layer that adapts to the user naturally and unobtrusively.”
Feng recently received a nearly $200,000 grant from the National Science Foundation to support this research.
Feng’s research focuses on creating personalized authentication to continuously verify the user’s identity based on their natural behaviors, referred to by Feng as “unnoticeable user behavior.” These are the subtle, unconscious ways people move when using XR devices, like how someone’s head turns to look at something or how their eyes scan through content. This allows the algorithms to recognize the individual user and spot when a different person tries to use the device.
Feng said the project developed from his earlier work predicting user viewing behavior in VR environments using machine learning. Feng realized the same behavioral data, like head movement patterns and viewing preferences, could be used not just for improving user experience but also for enhancing security.
Unlike traditional security measures that require advanced hardware at an additional cost and don’t provide long-lasting security post-login, Feng’s personalized authentication method will rely on data already collected from XR headsets’ built-in sensors, such as how users move and position their heads. Only some additional software will be needed. This makes it a more cost-effective solution and compatible with most existing XR platforms for a secure post-login. The security will also be adaptive and continuous, making it much harder for sensitive information – confidential data, classified documents, proprietary content, and age-restricted content – to be accessed by outside users.
Feng’s team is designing the computer programs for this method and conducting real-world testing using public XR datasets, as well as data collected from Miami students through their Engineering capstone projects.
“This research redefines how we think about identity and security in immersive environments,” Feng said.
This new method will provide continuous, low-cost protection without interrupting a user’s experience while also working with existing hardware already present in most XR systems. “Beyond security, this work also lays the foundation for our future research, where AI-driven behavioral analysis could be applied to health monitoring and other forms of biometric sensing in everyday life,” Feng said.
Established in 1809, Miami University is located in Oxford, Ohio, with regional campuses in Hamilton and Middletown, a learning center in West Chester, and a European study center in Luxembourg. Interested in learning more about the College of Engineering and Computing? Visit the website for more information.