ABSTRACT
Most of today's smartphones and tablet computers use touchscreens as the main means of interaction. Using a touchscreen leaves oily residues of the user's fingers, smudge, on the device's display. Because this smudge can be used to infer previously entered data, authentication tokens are put at risk. Grid-based authentication methods in particular, such as the Android pattern scheme, are prone to such attacks.
Based on a thorough development process using low-fidelity and high-fidelity prototyping, we designed three graphic-based authentication methods that leave smudge traces which are hard to interpret. We present one grid-based and two randomized graphical approaches and report on two user studies that we performed to evaluate the feasibility of these concepts. The authentication schemes were compared to the widely used Android pattern authentication and analyzed in terms of performance, usability and security. The results indicate that our concepts are significantly more secure against smudge attacks while maintaining high input speed.
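To make the threat the abstract describes concrete, the following is an added example (Python, not code from the paper or its authors). It enumerates the full key space of the stock Android pattern under its rules (4 to 9 nodes, no node used twice, no stroke jumping over a node that has not been used yet), models what a smudge attacker recovers as the set of straight streaks left between grid nodes with their order and direction unknown, and groups patterns that leave an indistinguishable trace. The node numbering, the streak model (overlapping collinear strokes merge into one streak) and the sample patterns are assumptions made for this example.

```python
"""Smudge-attack candidate analysis for the Android 3x3 unlock pattern.

Added example, not the paper's code. Assumptions of the attacker model
(constructed for this example):
  * the attacker sees which straight strokes were drawn between grid
    nodes, but not their order or direction;
  * collinear strokes that overlap merge into one streak, so a stroke that
    jumps over an already-used node looks like two shorter strokes.
"""
from functools import lru_cache

NODES = range(9)             # node n sits at row n // 3, column n % 3
MIN_LEN, MAX_LEN = 4, 9      # Android pattern length limits


def _midpoint(a, b):
    """Return the node lying halfway between a and b, or None.

    Only pairs whose row and column distances are both even have a node at
    the midpoint (0->2 passes 1, 0->8 passes 4); knight-like moves such as
    0->5 have no intermediate node.
    """
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra - rb) % 2 == 0 and (ca - cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


@lru_cache(maxsize=None)
def all_patterns():
    """Enumerate every valid Android pattern (389,112 under the stock rules)."""
    found = []

    def extend(path, visited):
        if len(path) >= MIN_LEN:
            found.append(tuple(path))
        if len(path) == MAX_LEN:
            return
        for nxt in NODES:
            if nxt in visited:
                continue
            mid = _midpoint(path[-1], nxt)
            # A stroke may only jump over a node that is already used;
            # otherwise the UI snaps to that node and the jump never happens.
            if mid is not None and mid not in visited:
                continue
            visited.add(nxt)
            path.append(nxt)
            extend(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in NODES:
        extend([start], {start})
    return found


def smudge(pattern):
    """Elementary (undirected, non-splittable) streaks left on the glass."""
    segments = set()
    for a, b in zip(pattern, pattern[1:]):
        mid = _midpoint(a, b)
        pieces = [(a, b)] if mid is None else [(a, mid), (mid, b)]
        for x, y in pieces:
            segments.add((min(x, y), max(x, y)))
    return frozenset(segments)


@lru_cache(maxsize=None)
def smudge_index():
    """Map each smudge trace to the patterns that produce it."""
    index = {}
    for p in all_patterns():
        index.setdefault(smudge(p), []).append(p)
    return index


def candidates(pattern):
    """All patterns a smudge attacker cannot tell apart from `pattern`."""
    return smudge_index()[smudge(tuple(pattern))]


def ambiguity_stats():
    """(number of distinct traces, largest candidate set) over the key space."""
    sizes = [len(v) for v in smudge_index().values()]
    return len(sizes), max(sizes)


if __name__ == "__main__":
    print("valid patterns:", len(all_patterns()))
    for p in [(0, 1, 2, 5), (0, 1, 2, 5, 8)]:   # constructed sample patterns
        c = candidates(p)
        print(p, "-> a clean trace leaves", len(c), "candidates:", c)
    traces, worst = ambiguity_stats()
    print(f"{traces} distinct traces; worst case {worst} candidates per trace")
```

Running the block shows the collapse the abstract refers to: out of 389,112 valid patterns, a clean trace of an L-shaped pattern leaves the attacker only three or four sequences to try, because on a fixed grid the geometry of the streaks maps directly back to the nodes. The index is only possible because that mapping is fixed; a layout that is randomized per attempt, as in the randomized approaches mentioned above, removes the fixed correspondence between streak position and node that this attack depends on.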
Title: Making graphic-based authentication secure against smudge attacks