
    Designing leakage-resilient password entry on touchscreen mobile devices

    Singapore Management University

    Towards Secure and Usable Leakage-Resilient Password Entry

    Password leakage is one of the most common security threats to pervasive password-based user authentication. The design of a secure and usable password entry scheme that resists password leakage has remained a challenge since the first academic proposal attempted to address it twenty years ago. This dissertation investigates the difficulty of designing leakage-resilient password entry (LRPE) schemes and explores the feasibility of constructing secure and usable LRPE schemes with the assistance of state-of-the-art technology. The first work in this dissertation reveals the infeasibility of designing practical LRPE schemes in the absence of trusted devices by investigating the inherent tradeoff between security and usability in LRPE design. We start by demonstrating that most of the existing LRPE schemes that do not use trusted devices are subject to two types of generic attacks, brute-force and statistical attacks, whose power has been underestimated in the literature. In order to defend against these two generic attacks, we introduce five design principles that are necessary to achieve leakage resilience in the absence of trusted devices. We show that these attacks cannot be effectively mitigated without significantly sacrificing the usability of LRPE schemes. To better understand the tradeoff between security and usability of LRPE schemes, we further propose a quantitative analysis framework for the usability costs of password entry schemes based on experimental psychology. Our analysis shows that a secure LRPE scheme in practical settings always imposes a considerable cognitive workload on its users, which indicates the inherent limitations of such schemes and in turn implies that an LRPE scheme has to incorporate a trusted device in order to be both secure and usable. Following the first work, we further explore the feasibility of designing practical LRPE schemes by analyzing the existing LRPE schemes that utilize trusted devices. We develop a broad set of design metrics covering three aspects of evaluating LRPE schemes: quantitative usability costs at a specified security strength, built-in security, and universal accessibility. We apply these design metrics to existing LRPE schemes, revealing that all of them have limitations, which may explain why none of them is widely adopted. However, our further analysis indicates that it is possible to overcome these limitations by improving the design according to the proposed metrics. Guided by these design metrics, we propose a secure and usable LRPE scheme that leverages the touchscreen of mobile devices. Such devices provide additional features, such as the touchscreen, that are not available in traditional settings, making it possible to achieve both security and usability objectives that were difficult to achieve in the past. Our scheme, named CoverPad, achieves leakage resilience while retaining most benefits of legacy passwords. The usability of CoverPad is evaluated with an extended user study that includes additional test conditions related to time pressure, distraction, and mental workload. These test conditions simulate common situations for a password entry scheme used on a daily basis, which have not been evaluated in the prior literature. The results of our user study show the impact of these test conditions on user performance as well as the practicability of the proposed scheme. This dissertation contributes to understanding and solving the problem of designing secure and usable LRPE schemes. The proposed design principles, design metrics, and analysis and evaluation methodologies are applicable not only to LRPE schemes but also to generic user authentication schemes, and provide useful insights for the field of user authentication research. The proposed scheme has been implemented as a prototype, which can be used to effectively defend against password leakage during password entry.

    What you see is not what you get: Leakage-resilient password entry schemes for smart glasses

    National Research Foundation (NRF) Singapore

    Recent advances in mobile touch screen security authentication methods: a systematic literature review

    The security of the smartphone touch screen has attracted considerable attention from academics as well as industry and security experts. Maximum security of the mobile phone touch screen is necessary to protect the user's stored information in the event of loss. Previous reviews in this research domain have focused primarily on biometrics and graphical passwords while leaving out PIN, gesture/pattern and other techniques. In this paper, we present a comprehensive literature review of the recent advances made in mobile touch screen authentication techniques covering PIN, pattern/gesture, biometrics, graphical password and others. A new comprehensive taxonomy of the various multiple-class authentication techniques is presented in order to expand the existing taxonomies of single-class authentication techniques. The review reveals that the most recent studies proposing new techniques for providing maximum security to the smartphone touch screen expose multi-objective optimization problems. In addition, open research problems and promising future research directions are presented in the paper. Expert researchers can benefit from the review by gaining new insights into touch screen cyber security, and novice researchers may use this paper as a starting point for their inquiry.

    When keystroke meets password: Attacks and defenses


    Authentication schemes for Smart Mobile Devices: Threat Models, Countermeasures, and Open Research Issues

    This paper presents a comprehensive investigation of authentication schemes for smart mobile devices. We start by providing an overview of existing survey articles published in recent years that deal with security for mobile devices. Then, we classify threat models in smart mobile devices into five categories: identity-based attacks, eavesdropping-based attacks, combined eavesdropping and identity-based attacks, manipulation-based attacks, and service-based attacks. This is followed by a description of multiple existing threat models. We also classify countermeasures into four categories: cryptographic functions, personal identification, classification algorithms, and channel characteristics. According to the characteristics of the countermeasure along with the authentication model itself, we categorize the authentication schemes for smart mobile devices into four categories, namely, 1) biometric-based authentication schemes, 2) channel-based authentication schemes, 3) factor-based authentication schemes, and 4) ID-based authentication schemes. In addition, we provide a taxonomy and comparison of authentication schemes for smart mobile devices in the form of tables. Finally, we identify open challenges and future research directions.