DOI: 10.1145/2449396.2449432
research-article

Making graphic-based authentication secure against smudge attacks

Published: 19 March 2013

ABSTRACT

Most of today's smartphones and tablet computers feature touchscreens as the main way of interaction. When these touchscreens are used, oily residues of the users' fingers, known as smudge, remain on the device's display. As this smudge can be used to deduce formerly entered data, authentication tokens are jeopardized. Most notably, grid-based authentication methods, like the Android pattern scheme, are prone to such attacks.

Based on a thorough development process using low fidelity and high fidelity prototyping, we designed three graphic-based authentication methods so that the smudge traces they leave are not easy to interpret. We present one grid-based and two randomized graphical approaches and report on two user studies that we performed to prove the feasibility of these concepts. The authentication schemes were compared to the widely used Android pattern authentication and analyzed in terms of performance, usability and security. The results indicate that our concepts are significantly more secure against smudge attacks while keeping high input speed.

Published in

IUI '13: Proceedings of the 2013 international conference on Intelligent user interfaces
March 2013
470 pages
ISBN: 9781450319652
DOI: 10.1145/2449396

Copyright © 2013 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

IUI '13 Paper Acceptance Rate: 43 of 192 submissions, 22%
Overall Acceptance Rate: 746 of 2,811 submissions, 27%
