341 research outputs found
Identifying the Strengths and Weaknesses of Over-the-Shoulder Attack Resistant Prototypical Graphical Authentication Schemes
Authentication verifies usersâ identities to protect against costly attacks. Graphical authentication schemes utilize pictures as passcodes rather than strings of characters. Pictures have been found to be more memorable than the strings of characters used in alphanumeric passwords. However, graphical passcodes have been criticized for being susceptible to Over-the-Shoulder Attacks (OSA). To overcome this concern, many graphical schemes have been designed to be resistant to OSA. Security to this type of attack is accomplished by grouping targets among distractors, translating the selection of targets elsewhere, disguising targets, and using gaze-based input.
Prototypical examples of graphical schemes that use these strategies to bolster security against OSAs were directly compared in within-subjects runoffs in studies 1 and 2. The first aim of this research was to discover the current usability limitations of graphical schemes. The data suggested that error rates are a common issue among graphical passcodes attempting to resist OSAs. Studies 3 and 4 investigated the memorability of graphical passcodes when users need to remember multiple passcodes or longer passcodes. Longer passcodes provide advantages to security by protecting against brute force attacks, and multiple passcodes need to be investigated as users need to authenticate for numerous accounts. It was found that participants have strong item retention for passcodes of up to eight images and for up to eight accounts. Also these studies leveraged context to facilitate memorability. Context slightly improved the memorability of graphical passcodes when participants needed to remember credentials for eight accounts. These studies take steps toward understanding the readiness of graphical schemes as an authentication option
Towards Baselines for Shoulder Surfing on Mobile Authentication
Given the nature of mobile devices and unlock procedures, unlock
authentication is a prime target for credential leaking via shoulder surfing, a
form of an observation attack. While the research community has investigated
solutions to minimize or prevent the threat of shoulder surfing, our
understanding of how the attack performs on current systems is less well
studied. In this paper, we describe a large online experiment (n=1173) that
works towards establishing a baseline of shoulder surfing vulnerability for
current unlock authentication systems. Using controlled video recordings of a
victim entering in a set of 4- and 6-length PINs and Android unlock patterns on
different phones from different angles, we asked participants to act as
attackers, trying to determine the authentication input based on the
observation. We find that 6-digit PINs are the most elusive attacking surface
where a single observation leads to just 10.8% successful attacks, improving to
26.5\% with multiple observations. As a comparison, 6-length Android patterns,
with one observation, suffered 64.2% attack rate and 79.9% with multiple
observations. Removing feedback lines for patterns improves security from
35.3\% and 52.1\% for single and multiple observations, respectively. This
evidence, as well as other results related to hand position, phone size, and
observation angle, suggests the best and worst case scenarios related to
shoulder surfing vulnerability which can both help inform users to improve
their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference
(ACSAC
Shoulder-Surfing Resistant Authentication for Augmented Reality
Augmented Reality (AR) Head-Mounted Displays (HMD) are increasingly used in industry to digitize processes and enhance user experience by enabling real-time interaction with both physical and virtual objects. In this context, HMD provide access to sensitive data and applications which demand authenticating users before granting access. Furthermore, these devices are often used in shared spaces. Thus, shoulder-surfing attacks need to be addressed. As users can remember pictures more easily than text, we applied the recognition-based graphical password scheme âThingsâ from previous work on an AR HMD while placing the pictures for each authentication attempt in a random order. We implemented this scheme for the HMD Microsoft HoloLens and conducted a user study evaluating Things\u27s usability. All participants could be successfully authenticated and the System Usability Scale (SUS) score is with 74 categorized as above average. We discuss as future work how to improve the SUS scores, e.g., by using different grid designs and input methods
GazeLockPatterns: Comparing Authentication Using Gaze and Touch for Entering Lock Patterns
In this work, we present a comparison between Androidâs lock patterns for mobile devices (TouchLockPatterns) and an implementation of lock patterns that uses gaze input (GazeLockPatterns). We report on results of a between subjects study (N=40) to show that for the same layout of authentication interface, people employ comparable strategies for pattern composition. We discuss the pros and cons of adapting lock patterns to gaze-based user interfaces. We conclude by opportunities for future work, such as using data collected during authentication for calibrating eye trackers
A Human-Cognitive Perspective of Usersâ Password Choices in Recognition-Based Graphical Authentication
Graphical password composition is an important part of graphical user authentication which affects the strength of the chosen password. Considering that graphical authentication is associated with visual search, perception, and information retrieval, in this paper we report on an eye-tracking study (N = 109) that aimed to investigate the effects of usersâ cognitive styles toward the strength of the created passwords and shed light into whether and how the visual strategy of the users during graphical password composition is associated with the passwordsâ strength. For doing so, we adopted Witkinâs Field Dependence-Independence theory, which underpins individual differences in visual information and cognitive processing, as graphical password composition tasks are associated with visual search. The analysis revealed that users with different cognitive processing characteristics followed different patterns of visual behavior during password composition which affected the strength of the created passwords. The findings underpin the need of considering human-cognitive characteristics as a design factor in graphical password schemes. The paper concludes by discussing implications for improving recognition-based graphical passwords through adaptation and personalization techniques based on individual cognitive characteristics
Seamless and Secure VR: Adapting and Evaluating Established Authentication Systems for Virtual Reality
Virtual reality (VR) headsets are enabling a wide range of new
opportunities for the user. For example, in the near future users
may be able to visit virtual shopping malls and virtually join
international conferences. These and many other scenarios pose
new questions with regards to privacy and security, in particular
authentication of users within the virtual environment. As a first
step towards seamless VR authentication, this paper investigates
the direct transfer of well-established concepts (PIN, Android
unlock patterns) into VR. In a pilot study (N = 5) and a lab
study (N = 25), we adapted existing mechanisms and evaluated
their usability and security for VR. The results indicate that
both PINs and patterns are well suited for authentication in
VR. We found that the usability of both methods matched the
performance known from the physical world. In addition, the
private visual channel makes authentication harder to observe,
indicating that authentication in VR using traditional concepts
already achieves a good balance in the trade-off between usability
and security. The paper contributes to a better understanding of
authentication within VR environments, by providing the first
investigation of established authentication methods within VR,
and presents the base layer for the design of future authentication
schemes, which are used in VR environments only
A Shoulder-Surfing Resistant Scheme Embedded in Traditional Passwords
Typing passwords is vulnerable to shoulder-surfing attacks. We proposed a shoulder-surfing resistant scheme embedded in traditional textual passwords in this study. With the proposed scheme, when the password field is on focus, a pattern appears in it as a hint to tell the user how to enter a password. Following the hint, the user needs to skip some characters while typing the password. The characters to be skipped are randomly selected so that an observer will not be able to see the whole password even if the authentication procedure was recorded. We evaluated the proposed scheme in a usability study. Compared to traditional passwords, our scheme achieved a similar level of accuracy while only required marginal additional time to authenticate users. Participants also expressed significantly higher acceptance of the new technique for security-sensitive applications and gave it significantly higher ratings in perceived security, shoulders-surfing resistance, camera-recording resistance, and guess-attack resistance
Just Gaze and Wave: Exploring the Use of Gaze and Gestures for Shoulder-surfing Resilient Authentication
Eye-gaze and mid-air gestures are promising for resisting various types of side-channel attacks during authentication. However, to date, a comparison of the different authentication modalities is missing. We investigate multiple authentication mechanisms that leverage gestures, eye gaze, and a multimodal combination of them and study their resilience to shoulder surfing. To this end, we report on our implementation of three schemes and results from usability and security evaluations where we also experimented with fixed and randomized layouts. We found that the gaze-based approach outperforms the other schemes in terms of input time, error rate, perceived workload, and resistance to observation attacks, and that randomizing the layout does not improve observation resistance enough to warrant the reduced usability. Our work further underlines the significance of replicating previous eye tracking studies using today's sensors as we show significant improvement over similar previously introduced gaze-based authentication systems
- âŠ