20 research outputs found

    I (don't) see what you typed there! Shoulder-surfing resistant password entry on gamepads

    Using gamepad-driven devices like games consoles is an activity frequently shared with others. Thus, shoulder-surfing is a serious threat. To address this threat, we present the first investigation of shoulder-surfing resistant text password entry on gamepads by (1) identifying the requirements of this context; (2) assessing whether shoulder-surfing resistant authentication schemes proposed in non-gamepad contexts can be viably adapted to meet these requirements; (3) proposing "Colorwheels", a novel shoulder-surfing resistant authentication scheme specifically geared towards this context; (4) using two different methodologies proposed in the literature for evaluating shoulder-surfing resistance to compare "Colorwheels", on-screen keyboards (the de facto standard in this context), and an existing shoulder-surfing resistant scheme which we identified during our assessment and adapted for the gamepad context; (5) evaluating all three schemes regarding their usability. Having applied different methodologies to measure shoulder-surfing resistance, we discuss their strengths and pitfalls and derive recommendations for future research.

    Investigation of the shoulder surfing risk in relation to mobile working

    Reading in a public place and realising that the newspaper or book is also of interest to a casual observer is not a new phenomenon. While the term 'shoulder surfing' is used for this situation in the days of mobile computing, it has its antecedents in the era of reading physical media. However, the development of both mobile computing and widely available internet connectivity means that the variety of documents available for casual observation has increased. This research demonstrated that sensitive material is viewed, and therefore displayed, in public places where it could be seen by unauthorised viewers, or shoulder surfers. Experimentation demonstrated that with the development of mobile technology not only are these documents visible to a casual observer, they can be duplicated by a smartphone camera and thereby leaked. This risk should, therefore, be considered by any organisation whose staff work on potentially sensitive information outside the protected corporate environment.

    RepliCueAuth: Validating the Use of a lab-based Virtual Reality Setup for Evaluating Authentication System

    Evaluating novel authentication systems is often costly and time-consuming. In this work, we assess the suitability of using Virtual Reality (VR) to evaluate the usability and security of real-world authentication systems. To this end, we conducted a replication study and built a virtual replica of CueAuth [52], a recently introduced authentication scheme, and report on results from: (1) a lab-based in-VR usability study (N=20) evaluating user performance; (2) an online security study (N=22) evaluating the system's observation resistance through virtual avatars; and (3) a comparison between our results and those previously reported in the real-world evaluation. Our analysis indicates that VR can serve as a suitable test-bed for human-centred evaluations of real-world authentication schemes, but the VR technology used can have an impact on the evaluation. Our work is a first step towards augmenting the design and evaluation spectrum of authentication systems and offers groundwork for more research to follow.

    Secure and Usable User Authentication

    Authentication is a ubiquitous task in users' daily lives. The dominant form of user authentication is text passwords. They protect private accounts like online banking, gaming, and email, but also assets in organisations. Yet, many issues are associated with text passwords, leading to challenges faced by both users and organisations. This thesis contributes to the body of research enabling secure and usable user authentication, benefiting both users and organisations. To that end, it addresses three distinct challenges. The first challenge addressed in this thesis is the creation of correct, complete, understandable, and effective password security awareness materials. To this end, a systematic process for the creation of awareness materials was developed and applied to create a password security awareness material. This process comprises four steps. First, relevant content for an initial version is aggregated (i.e. descriptions of attacks on passwords and user accounts, descriptions of defences to these attacks, and common misconceptions about password and user account security). Then, feedback from information security experts is gathered to ensure the correctness and completeness of the awareness material. Thereafter, feedback from lay-users is gathered to ensure the understandability of the awareness material. Finally, a formal evaluation of the awareness material is conducted to ensure its effectiveness (i.e. whether the material improves participants' ability to assess the security of passwords as well as password-related behaviour and decreases the prevalence of common misconceptions about password and user account security). The results of the evaluation show the effectiveness of the awareness material: it significantly improved the participants' ability to assess the security of password-related behaviour as well as passwords and significantly decreased the prevalence of misconceptions about password and user account security.
The second challenge addressed in this thesis is shoulder-surfing resistant text password entry with gamepads (as an example of very constrained input devices) in shared spaces. To this end, the very first investigation of text password entry with gamepads is conducted. First, the requirements of authentication in the gamepad context are described. Then, these requirements are applied to assess schemes already deployed in the gamepad context and shoulder-surfing resistant authentication schemes from the literature proposed for non-gamepad contexts. The results of this assessment show that none of the currently deployed schemes and only four of the proposals in the literature fulfil all requirements. Furthermore, the results of the assessment also indicate a need for an empirical evaluation in order to exactly gauge the shoulder-surfing threat in the gamepad context and compare alternatives to the incumbent on-screen keyboard. Based on these results, two user studies (one online study and one lab study) are conducted to investigate the shoulder-surfing resistance and usability of three authentication schemes in the gamepad context: the on-screen keyboard (as de-facto standard in this context), the grid-based scheme (an existing proposal from the literature identified as the most viable candidate adaptable to the gamepad context during the assessment), and Colorwheels (a novel shoulder-surfing resistant authentication scheme specifically designed for the gamepad context). The results of these two user studies show that on-screen keyboards are highly susceptible to opportunistic shoulder-surfing, but also show the most favourable usability properties among the three schemes. Colorwheels offers the most robust shoulder-surfing resistance and scores highest with respect to participants' intention to use it in the future, while showing more favourable usability results than the grid-based scheme.
The third challenge addressed in this thesis is secure and efficient storage of passwords in portfolio authentication schemes. Portfolio authentication is used to counter capture attacks such as shoulder-surfing or eavesdropping on network traffic. While usability studies of portfolio authentication schemes showed promising results, a verification scheme which allows secure and efficient storage of the portfolio authentication secret had been missing until now. To remedy this problem, the (t,n)-threshold verification scheme is proposed. It is based on secret sharing and key derivation functions. The security as well as the efficiency properties of two variants of the scheme (one based on Blakley secret sharing and one based on Shamir secret sharing) are evaluated against each other and against a naive approach. These evaluations show that the two (t,n)-threshold verification scheme variants always exhibit more favourable properties than the naive approach and that, when deciding between the two variants, the exact application scenario must be considered. Three use cases illustrate, as exemplary application scenarios, the versatility of the proposed (t,n)-threshold verification scheme. By addressing the aforementioned three distinct challenges, this thesis demonstrates the breadth of the field of usable and secure user authentication, ranging from awareness materials, to the assessment and evaluation of authentication schemes, to applying cryptography to craft secure password storage solutions. The research processes, results, and insights described in this thesis represent important and meaningful contributions to the state of the art in the research on usable and secure user authentication, offering benefits for users, organisations, and researchers alike.

    Review of Networking and Tangible Security Techniques for Domestic IoT Devices and Initial Ideas

    The number of connected devices, including Internet of Things (IoT) devices, on the Internet is growing fast. According to recent Gartner research, the estimated number of IoT devices is 5.8 billion in 2020 (Gartner, 2019). The countries that are leading the way in IoT deployment include North America, Western Europe and China (Kandaswamy and Furlonger, 2018). The number of Machine-2-Machine (M2M) connections between these devices is expected to reach 27 billion by 2024 (Kandaswamy and Furlonger, 2018). This growth in M2M connectivity is expected to result from a wide range of application areas such as smart cities, smart infrastructure and smart energy, among many others (Hassija et al., 2019). This wide spread of IoT has sparked significant research interest in understanding its various implications (Airehrour et al., 2016; Neshenko et al., 2019; Hassija et al., 2019). IoT enables the integration of many objects in our daily life (Aazam et al., 2016; Alaba et al., 2017) such as sensors, objects, wearable devices and other types of machines. IoT devices are capable of communicating directly with one another and sharing data without direct human intervention (Crabtree et al., 2018). These "things" could be any traditional objects such as home appliances (e.g. microwave, fridge) or tiny sensors (e.g. humidity or health sensors). Due to their pervasive deployment, the devices are capable of constantly collecting various sensitive and personal data about many aspects of our lives (Ren et al., 2019). This paper provides an overview of the literature relating to securing IoT, with an emphasis on usability from a user perspective as well as approaches to securing access to these devices over the Internet. Although IoT deployment occurs in various settings, e.g. industrial IoT deployment, we mainly focus in this paper on private residential home deployment (i.e. consumer IoT).
We assume that in such settings, users are mostly not experts in IoT security or the underlying networking principles. This paper is organized as follows: section II discusses various protocols and networking security tools (e.g. firewall and Virtual Private Network (VPN)). Section II-D discusses various approaches to simplify cyber-security by using user-centred approaches. In section III, we present a number of existing solutions, including enterprise-grade solutions, that could be adopted to secure remote access to IoT devices in domestic settings.

    GestureMeter: Evaluating Gesture Password Selection on Smartphones with Strength Meter

    Department of Human Factors Engineering
    Gestures are a potential authentication method for touchscreen devices and common tasks such as phone lock. While many studies have indicated that gesture passwords can achieve high usability, evaluating their security remains a grey area. Key challenges stem from the small sample sizes in current gesture password studies and the requirement to use similarity-based recognition metrics, which prevent the application of traditional entropy assessment methods. To overcome these problems, we perform a large-scale online study (N=2594). With the resulting data set, we develop a novel multi-stage discretization method and n-gram Markov models that enable us to assess the partial guessing entropy of gesture passwords and to create a novel clustering-based dictionary attack. We report that while partial guessing entropy appears to be greater than for other common phone lock methods (e.g., PIN, pattern), gestures are highly susceptible to dictionary attack. To improve the security of gesture passwords, we develop a novel gesture password strength meter. Password strength meters have previously been proposed as an effective password policy that can improve the security of other authentication techniques such as passwords or patterns. Using the meter, we propose various mandated compliance levels in which users are required to meet a certain level of strength: default (none), weak, fair, and strong. We validate the effectiveness of gesture strength meter designs on security by performing a follow-up online study and applying the security framework and attacks established in the first study. The default policy improves gesture password security at a small cost in usability. This thesis concludes that gesture password meters can be an effective technique for improving the security of gesture authentication systems and deserve further study.

    Invisible Shield: Gesture-Based Mobile Authentication

    Intelligent mobile devices have become the focus of the electronics industry in recent years. These devices, e.g., smartphones and internet-connected handheld devices, give users quick and efficient access to both business and personal data, but also allow the same data to be easily accessed by an intruder if the device is lost or stolen. Existing mobile security solutions attempt to solve this problem by forcing a user to authenticate to a device before being granted access to any data. However, such checks are often easily bypassed or hacked due to their simplistic nature. In this work, we demonstrate Invisible Shield, a gesture-based authentication scheme for mobile devices that is far more resilient to attack than existing security solutions and requires neither additional nor visible effort from the user's perspective. In this work, we design methods that efficiently record and preprocess gesture data. Two classification problems, "one vs. many" and "one vs. all," are then mathematically formulated and examined using the gesture data collected from 20 individuals. Classification algorithms specialized for each case are developed, achieving a classification accuracy as high as 90.7% in the former case, and an equal error rate as low as 7.7% in the latter, using real Android systems. Finally, the system resource requirements of different classification algorithms are compared.