13,702 research outputs found
Efficiency and Device Versatility of Graphical and Textual Passwords
We present the design, execution, and results of a user study of entry speed and error rate of a variety of password schemes used on a variety of computing platforms. A standard text-based password, a personal identification number (PIN), and three different graphical password systems were designed and deployed for use and evaluation on each of a desktop computer, a touchscreen tablet, and a touchscreen phone. We demonstrate cases on the mobile devices in which the graphical approaches exhibited faster rates of entry than the complementary textual password approach. We make a case for the study of the device versatility of authentication mechanisms and discuss potential improvements to graphical approaches to achieve greater levels of efficiency
SemanticLock: An authentication method for mobile devices using semantically-linked images
We introduce SemanticLock, a single factor graphical authentication solution
for mobile devices. SemanticLock uses a set of graphical images as password
tokens that construct a semantically memorable story representing the user`s
password. A familiar and quick action of dragging or dropping the images into
their respective positions either in a \textit{continous flow} or in
\textit{discrete} movements on the the touchscreen is what is required to use
our solution.
The authentication strength of the SemanticLock is based on the large number
of possible semantic constructs derived from the positioning of the image
tokens and the type of images selected. Semantic Lock has a high resistance to
smudge attacks and it equally exhibits a higher level of memorability due to
its graphical paradigm.
In a three weeks user study with 21 participants comparing SemanticLock
against other authentication systems, we discovered that SemanticLock
outperformed the PIN and matched the PATTERN both on speed, memorability, user
acceptance and usability. Furthermore, qualitative test also show that
SemanticLock was rated more superior in like-ability. SemanticLock was also
evaluated while participants walked unencumbered and walked encumbered carrying
"everyday" items to analyze the effects of such activities on its usage
Towards Baselines for Shoulder Surfing on Mobile Authentication
Given the nature of mobile devices and unlock procedures, unlock
authentication is a prime target for credential leaking via shoulder surfing, a
form of an observation attack. While the research community has investigated
solutions to minimize or prevent the threat of shoulder surfing, our
understanding of how the attack performs on current systems is less well
studied. In this paper, we describe a large online experiment (n=1173) that
works towards establishing a baseline of shoulder surfing vulnerability for
current unlock authentication systems. Using controlled video recordings of a
victim entering in a set of 4- and 6-length PINs and Android unlock patterns on
different phones from different angles, we asked participants to act as
attackers, trying to determine the authentication input based on the
observation. We find that 6-digit PINs are the most elusive attacking surface
where a single observation leads to just 10.8% successful attacks, improving to
26.5\% with multiple observations. As a comparison, 6-length Android patterns,
with one observation, suffered 64.2% attack rate and 79.9% with multiple
observations. Removing feedback lines for patterns improves security from
35.3\% and 52.1\% for single and multiple observations, respectively. This
evidence, as well as other results related to hand position, phone size, and
observation angle, suggests the best and worst case scenarios related to
shoulder surfing vulnerability which can both help inform users to improve
their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference
(ACSAC
Seamless and Secure VR: Adapting and Evaluating Established Authentication Systems for Virtual Reality
Virtual reality (VR) headsets are enabling a wide range of new
opportunities for the user. For example, in the near future users
may be able to visit virtual shopping malls and virtually join
international conferences. These and many other scenarios pose
new questions with regards to privacy and security, in particular
authentication of users within the virtual environment. As a first
step towards seamless VR authentication, this paper investigates
the direct transfer of well-established concepts (PIN, Android
unlock patterns) into VR. In a pilot study (N = 5) and a lab
study (N = 25), we adapted existing mechanisms and evaluated
their usability and security for VR. The results indicate that
both PINs and patterns are well suited for authentication in
VR. We found that the usability of both methods matched the
performance known from the physical world. In addition, the
private visual channel makes authentication harder to observe,
indicating that authentication in VR using traditional concepts
already achieves a good balance in the trade-off between usability
and security. The paper contributes to a better understanding of
authentication within VR environments, by providing the first
investigation of established authentication methods within VR,
and presents the base layer for the design of future authentication
schemes, which are used in VR environments only
GazeTouchPass: Multimodal Authentication Using Gaze and Touch on Mobile Devices
We propose a multimodal scheme, GazeTouchPass, that combines gaze and touch for shoulder-surfing resistant user authentication on mobile devices. GazeTouchPass allows passwords with multiple switches between input modalities during authentication. This requires attackers to simultaneously observe the device screen and the user's eyes to find the password. We evaluate the security and usability of GazeTouchPass in two user studies. Our findings show that GazeTouchPass is usable and significantly more secure than single-modal authentication against basic and even advanced shoulder-surfing attacks
GTmoPass: Two-factor Authentication on Public Displays Using Gaze-touch Passwords and Personal Mobile Devices
As public displays continue to deliver increasingly private and personalized content, there is a need to ensure that only the legitimate users can access private information in sensitive contexts. While public displays can adopt similar authentication concepts like those used on public terminals (e.g., ATMs), authentication in public is subject to a number of risks. Namely, adversaries can uncover a user's password through (1) shoulder surfing, (2) thermal attacks, or (3) smudge attacks. To address this problem we propose GTmoPass, an authentication architecture that enables Multi-factor user authentication on public displays. The first factor is a knowledge-factor: we employ a shoulder-surfing resilient multimodal scheme that combines gaze and touch input for password entry. The second factor is a possession-factor: users utilize their personal mobile devices, on which they enter the password. Credentials are securely transmitted to a server via Bluetooth beacons. We describe the implementation of GTmoPass and report on an evaluation of its usability and security, which shows that although authentication using GTmoPass is slightly slower than traditional methods, it protects against the three aforementioned threats
EyeSpot: leveraging gaze to protect private text content on mobile devices from shoulder surfing
As mobile devices allow access to an increasing amount of private data, using them in public can potentially leak sensitive information through shoulder surfing. This includes personal private data (e.g., in chat conversations) and business-related content (e.g., in emails). Leaking the former might infringe on users’ privacy, while leaking the latter is considered a breach of the EU’s General Data Protection Regulation as of May 2018. This creates a need for systems that protect sensitive data in public. We introduce EyeSpot, a technique that displays content through a spot that follows the user’s gaze while hiding the rest of the screen from an observer’s view through overlaid masks. We explore different configurations for EyeSpot in a user study in terms of users’ reading speed, text comprehension, and perceived workload. While our system is a proof of concept, we identify crystallized masks as a promising design candidate for further evaluation with regard to the security of the system in a shoulder surfing scenario
- …