ABSTRACT
We evaluate the efficacy of shoulder surfing defenses for PIN-based authentication systems. We find tilting the device away from the observer, a widely adopted defense strategy, provides limited protection. We also evaluate a recently proposed defense incorporating an "invisible pressure component" into PIN entry. Contrary to earlier claims, our results show this provides little defense against malicious insider attacks. Observations during the study uncover successful attacker strategies for reconstructing a victim's PIN when faced with a tilt defense. Our evaluations identify common misconceptions regarding shoulder surfing defenses, and highlight the need to educate users on how to safeguard their credentials from these attacks.