Security Analysis of Partially Hidden Password Systems Resistant to Shoulder Surfing Attacks

  • Seong, Jin-Taek (Department of Convergence Software, Mokpo National University)
  • Received : 2020.01.09
  • Accepted : 2020.01.20
  • Published : 2020.02.28

Abstract

As more users rely on mobile devices, shoulder surfing attacks have become an important security issue. According to a research report, about 30% of smartphone users have been hit by shoulder surfing attacks. In this paper, we consider shoulder surfing attacks and propose a partially hidden password system that resists them. To help readers understand it, we describe the proposed password system in detail using one simple example. The core idea behind the proposed system is that the user's password is placed randomly in a specified grid instead of being entered directly. As a result, even if an attacker observes the entry through shoulder surfing, the user keeps the preset password hidden and defends against the attack. We also show how the security of the proposed password system is improved. In addition, the proposed password system remains robust even against consecutive shoulder surfing attacks.
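
The abstract describes a grid-based, indirect-entry scheme and claims robustness against repeated observation. The following is an added example, not the paper's scheme or code: it models a generic hypothetical variant of that idea (the digit alphabet is shuffled into a 2x5 grid and the user answers with the row of each password digit, so only partial information is typed) and runs the check a practitioner would want before accepting any "consecutive shoulder surfing" claim, namely the intersection attack, where an observer who sees the grid and the typed rows in each session intersects the per-position candidate sets across sessions. The grid size, the row-as-response rule and the sample password are assumptions for illustration.

```python
import random

# Constructed, hypothetical indirect-entry scheme (NOT the paper's design):
# the digits 0-9 are placed uniformly at random in a ROWS x COLS grid and
# the user types, for each password digit, the index of the row holding it.
ROWS, COLS = 2, 5
ALPHABET = "0123456789"


def make_grid(rng):
    """Return one random placement as a dict: digit -> row index."""
    digits = list(ALPHABET)
    rng.shuffle(digits)
    return {d: i // COLS for i, d in enumerate(digits)}


def respond(grid, password):
    """What the user actually types: the row of each password digit."""
    return [grid[d] for d in password]


def observe(grid, responses):
    """One session as seen by a shoulder surfer who sees both the grid on
    screen and the typed rows: a candidate set for every password position."""
    return [frozenset(d for d, r in grid.items() if r == row) for row in responses]


def intersect(observations):
    """Intersection attack: per-position candidates consistent with all sessions."""
    n = len(observations[0])
    cands = [frozenset(ALPHABET)] * n
    for obs in observations:
        cands = [c & o for c, o in zip(cands, obs)]
    return cands


def remaining_keyspace(cands):
    """Number of passwords still consistent with everything observed."""
    k = 1
    for c in cands:
        k *= len(c)
    return k


def candidates(password, sessions, seed=0):
    """Final per-position candidate sets after `sessions` observed logins."""
    rng = random.Random(seed)
    obs = []
    for _ in range(sessions):
        grid = make_grid(rng)
        obs.append(observe(grid, respond(grid, password)))
    return intersect(obs)


def simulate(password, sessions, seed=0):
    """Remaining keyspace after 1, 2, ..., `sessions` observed logins."""
    rng = random.Random(seed)
    obs, history = [], []
    for _ in range(sessions):
        grid = make_grid(rng)
        obs.append(observe(grid, respond(grid, password)))
        history.append(remaining_keyspace(intersect(obs)))
    return history


if __name__ == "__main__":
    # "4917" is a constructed sample password.
    print("remaining keyspace per session:", simulate("4917", 6))
```

With equal-sized rows a single observation always leaves 5 candidates per position (5^4 = 625 passwords for a 4-digit secret), which is the "partially hidden" property; the interesting number is how fast the history shrinks over sessions, since the true password is never removed from the candidate sets. A scheme that earns the abstract's robustness claim has to keep that curve flat, for example by re-randomising what the response reveals rather than only where the digits sit.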

Acknowledgement

Supported by : National Research Foundation of Korea (NRF)

This paper was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (NRF-2017R1C1B5075823).
