DOI: 10.1145/3134600.3134609 (ACSAC conference proceedings, research article)

Towards Baselines for Shoulder Surfing on Mobile Authentication

Published: 04 December 2017

Abstract

Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, how well the attack performs against current systems is less well studied. In this paper, we describe a large online experiment (n = 1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attack surface, where a single observation leads to just 10.8% successful attacks (26.5% with multiple observations). As a comparison, 6-length Android patterns, with one observation, were found to have an attack rate of 64.2% (79.9% with multiple observations). Removing feedback lines for patterns improves security to 35.3% (52.1% with multiple observations). This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best- and worst-case scenarios for shoulder surfing vulnerability, which can both help inform users to improve their security choices and establish baselines for researchers.


Published In

ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference
December 2017
618 pages
ISBN:9781450353458
DOI:10.1145/3134600
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. PIN passwords
  2. Shoulder surfing
  3. graphical passwords
  4. mobile authentication
  5. mobile security
  6. password security
  7. usable security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2017

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%


Cited By

  • (2024) Delusio - Plausible Deniability For Face Recognition. Proceedings of the ACM on Human-Computer Interaction 8:MHCI, 1-13. DOI 10.1145/3676494. Online publication date: 24-Sep-2024.
  • (2024) An Intersection Attack on the CirclePIN Smartwatch Authentication Mechanism. IEEE Internet of Things Journal 11:7, 12485-12494. DOI 10.1109/JIOT.2023.3333964. Online publication date: 1-Apr-2024.
  • (2024) EEG-Based Biometrics for User Identification Using Deep Learning Method. 2024 IEEE 8th International Conference on Signal and Image Processing Applications (ICSIPA), 1-6. DOI 10.1109/ICSIPA62061.2024.10686270. Online publication date: 3-Sep-2024.
  • (2024) Occupying Another's Digital Space: Privacy of Smartphone Users as a Situated Practice. Computer Supported Cooperative Work (CSCW). DOI 10.1007/s10606-024-09492-z. Online publication date: 23-Feb-2024.
  • (2023) Human-centered Behavioral and Physiological Security. Proceedings of the 2023 New Security Paradigms Workshop, 48-61. DOI 10.1145/3633500.3633504. Online publication date: 18-Sep-2023.
  • (2023) A Proposal to Study Shoulder-Surfing Resistant Authentication for Augmented and Virtual Reality: Replication Study in the US. Companion Publication of the 2023 Conference on Computer Supported Cooperative Work and Social Computing, 317-322. DOI 10.1145/3584931.3607007. Online publication date: 14-Oct-2023.
  • (2023) A Comparison of a Touch-Gesture- and a Keystroke-Based Password Method: Toward Shoulder-Surfing Resistant Mobile User Authentication. IEEE Transactions on Human-Machine Systems 53:2, 303-314. DOI 10.1109/THMS.2023.3236328. Online publication date: Apr-2023.
  • (2023) Shoulder Surfing on Mobile Authentication: Perception vis-a-vis Performance from the Attacker's Perspective. 2023 IEEE International Conference on Intelligence and Security Informatics (ISI), 1-6. DOI 10.1109/ISI58743.2023.10297219. Online publication date: 2-Oct-2023.
  • (2023) P2Auth: Two-Factor Authentication Leveraging PIN and Keystroke-Induced PPG Measurements. 2023 IEEE 43rd International Conference on Distributed Computing Systems (ICDCS), 726-737. DOI 10.1109/ICDCS57875.2023.00074. Online publication date: Jul-2023.
  • (2023) Traditional Authentication. Continuous Biometric Authentication Systems, 5-34. DOI 10.1007/978-3-031-49071-2_2. Online publication date: 29-Oct-2023.