GazeTouchPass: Multimodal Authentication Using Gaze and Touch on Mobile Devices

We propose a multimodal scheme, GazeTouchPass, that combines gaze and touch for shoulder-surfing resistant user authentication on mobile devices. GazeTouchPass allows passwords with multiple switches between input modalities during authentication. This requires attackers to simultaneously observe the device screen and the user's eyes to find the password. We evaluate the security and usability of GazeTouchPass in two user studies. Our findings show that GazeTouchPass is usable and significantly more secure than single-modal authentication against basic and even advanced shoulder-surfing attacks

A Shoulder-Surfing Resistant Scheme Embedded in Traditional Passwords

Typing passwords is vulnerable to shoulder-surfing attacks. We proposed a shoulder-surfing resistant scheme embedded in traditional textual passwords in this study. With the proposed scheme, when the password field is on focus, a pattern appears in it as a hint to tell the user how to enter a password. Following the hint, the user needs to skip some characters while typing the password. The characters to be skipped are randomly selected so that an observer will not be able to see the whole password even if the authentication procedure was recorded. We evaluated the proposed scheme in a usability study. Compared to traditional passwords, our scheme achieved a similar level of accuracy while only required marginal additional time to authenticate users. Participants also expressed significantly higher acceptance of the new technique for security-sensitive applications and gave it significantly higher ratings in perceived security, shoulders-surfing resistance, camera-recording resistance, and guess-attack resistance

A Shoulder Surfing Resistant Graphical Authentication System

Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as ”the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability

Securing PIN-based Authentication in Smartwatches With just Two Gestures

Smartwatches are becoming increasingly ubiquitous as they offer new capabilities to develop sophisticated applications that make daily life easier and more convenient for consumers. The services provided include applications for mobile payment, ticketing, identification, access control, etc. While this makes modern smartwatches very powerful devices, it also makes them very attractive targets for attackers. Indeed, PINs and Pattern Lock have been widely used in smartwatches for user authentication. However, such authentication methods are not robust against various forms of cybersecurity attacks, such as side channel, phishing, smudge, shoulder surfing, and video recording attacks. Moreover, the recent adoption of hardware-based solutions, like the Trusted Execution Environment (TEE), can mitigate only partially such problems. Thus, the user’s security and privacy are at risk without a strong authentication scheme in place. In this work, we propose 2GesturePIN, a new authentication framework that allows users to authenticate securely to their smartwatches and related sensitive services through solely two gestures. 2GesturePIN leverages the rotating bezel or crown, which are the most intuitive ways to interact with a smartwatch, as a dedicated hardware. 2GesturePIN improves the resilience of the regular PIN authentication method against state-of-the-art cybersecurity attacks while maintaining a high level of usability