EyeSpot: leveraging gaze to protect private text content on mobile devices from shoulder surfing
As mobile devices allow access to an increasing amount of private data, using them in public can potentially leak sensitive information through shoulder surfing. This includes personal private data (e.g., in chat conversations) and business-related content (e.g., in emails). Leaking the former might infringe on users' privacy, while leaking the latter is considered a breach of the EU's General Data Protection Regulation as of May 2018. This creates a need for systems that protect sensitive data in public. We introduce EyeSpot, a technique that displays content through a spot that follows the user's gaze while hiding the rest of the screen from an observer's view through overlaid masks. We explore different configurations for EyeSpot in a user study in terms of users' reading speed, text comprehension, and perceived workload. While our system is a proof of concept, we identify crystallized masks as a promising design candidate for further evaluation with regard to the security of the system in a shoulder surfing scenario.
Assentication: User Deauthentication and Lunchtime Attack Mitigation with Seated Posture Biometric
Biometric techniques are often used as an extra security factor in authenticating human users. Numerous biometrics have been proposed and evaluated, each with its own set of benefits and pitfalls. Static biometrics (such as fingerprints) are geared for discrete operation, to identify users, which typically involves some user burden. Meanwhile, behavioral biometrics (such as keystroke dynamics) are well suited for continuous, and sometimes more unobtrusive, operation. One important application domain for biometrics is deauthentication, a means of quickly detecting absence of a previously authenticated user and immediately terminating that user's active secure sessions. Deauthentication is crucial for mitigating so-called Lunchtime Attacks, whereby an insider adversary takes over (before any inactivity timeout kicks in) the authenticated state of a careless user who walks away from her computer. Motivated primarily by the need for an unobtrusive and continuous biometric to support effective deauthentication, we introduce PoPa, a new hybrid biometric based on a human user's seated posture pattern. PoPa captures a unique combination of physiological and behavioral traits. We describe a low-cost, fully functioning prototype that involves an office chair instrumented with 16 tiny pressure sensors. We also explore (via user experiments) how PoPa can be used in a typical workplace to provide continuous authentication (and deauthentication) of users. We experimentally assess the viability of PoPa in terms of uniqueness by collecting and evaluating posture patterns of a cohort of users. Results show that PoPa exhibits very low false positive, and even lower false negative, rates. In particular, users can be identified with, on average, 91.0% accuracy. Finally, we compare the pros and cons of PoPa with those of several prominent biometric-based deauthentication techniques.
On the Usability of Next-Generation Authentication: A Study on Eye Movement and Brainwave-based Mechanisms
Passwords remain a widely used authentication mechanism, despite their well-known security and usability limitations. To improve on this situation, next-generation authentication mechanisms based on behavioral biometric factors such as eye movement and brainwaves have emerged. However, their usability remains relatively under-explored. To fill this gap, we conducted an empirical user study (n=32 participants) to evaluate three brain-based and three eye-based authentication mechanisms, using both qualitative and quantitative methods. Our findings show good overall usability according to the System Usability Scale for both categories of mechanisms, with average SUS scores in the range of 78.6-79.6 and the best mechanisms rated with an "excellent" score. Participants particularly identified brainwave authentication as more secure yet more privacy-invasive and effort-intensive compared to eye movement authentication. However, the significant number of neutral responses indicates participants' need for more detailed information about the security and privacy implications of these authentication methods. Building on the collected evidence, we identify three key areas for improvement: privacy, authentication interface design, and verification time. We offer recommendations for designers and developers to improve the usability and security of next-generation authentication mechanisms.