ABSTRACT
The introduction of tabletop interfaces has created a need for secure and usable authentication techniques appropriate to the co-located collaborative settings for which they were designed. User authentication is most commonly based on something you know, but this is a particular problem for tabletop interfaces: because their remit is to foster co-located collaboration, they are especially vulnerable to shoulder surfing. In other words, tabletop users would typically authenticate in full view of a number of observers. In this paper, we introduce and evaluate a number of novel tabletop authentication schemes that exploit the features of multi-touch interaction in order to inhibit shoulder surfing. In our pilot work with users, and in our formal user evaluation, one authentication scheme, Pressure-Grid, stood out, significantly enhancing shoulder surfing resistance when participants used it to enter both PINs and graphical passwords.
Index Terms
- Multi-touch authentication on tabletops