David Kim
Paul Dunphy
Jonathan Hook
Patrick Olivier
ABSTRACT
The introduction of tabletop interfaces has given rise to the need for the development of secure and usable authentication techniques that are appropriate for the co-located collaborative settings for which they have been designed. Most commonly, user authentication is based on something you know, but this is a particular problem for tabletop interfaces, as they are particularly vulnerable to shoulder surfing given their remit to foster co-located collaboration. In other words, tabletop users would typically authenticate in full view of a number of observers. In this paper, we introduce and evaluate a number of novel tabletop authentication schemes that exploit the features of multi-touch interaction in order to inhibit shoulder surfing. In our pilot work with users, and in our formal user-evaluation, one authentication scheme - Pressure-Grid - stood out, significantly enhancing shoulder surfing resistance when participants used it to enter both PINs and graphical passwords.
Supplemental Material
- D. Baker. Nondisclosing password entry system. U.S. Patent 5,428,349 June 27, 1995.Google Scholar
- E. A. Bier, M. C. Stone, K. Pier, K. Fishkin, T. Baudel, M. Conway,W. Buxton, and T. DeRose. Toolglass and magic lenses: the see-through interface. In CHI '94: Conference companion on Human factors in computing systems, pages 445--446, New York, NY, USA, 1994. ACM. Google ScholarDigital Library
- S. Brostoff and M. A. Sasse. Are passfaces more usable than passwords? a field trial investigation. In Proceedings of HCI 2000, 2000.Google ScholarCross Ref
- L.-W. Chan, T.-T. Hu, J.-Y. Lin, Y.-P. Hung, and J. Hsu. On top of tabletop: A virtual touch panel display. In Horizontal Interactive Human Computer Systems, 2008. TABLETOP 2008. 3rd IEEE International Workshop on, pages 169--176, Oct. 2008.Google ScholarCross Ref
- A. De Luca and B. Frauendienst. A privacy-respectful input method for public terminals. In NordiCHI '08: Proceedings of the 5th Nordic conference on Human-computer interaction, pages 455--458, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
- A. De Luca, E. von Zezschwitz, and H. Hussmann. Vibrapass - secure authentication based on shared lies. In 27th ACM SIGCHI Conference on Human Factors in Computing Systems. ACM, Apr. 2009. Google ScholarDigital Library
- P. Dunphy, J. Nicholson, and P. Olivier. Securing passfaces for description. In SOUPS '08: Proceedings of the 4th symposium on Usable privacy and security, pages 24--35, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
- I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin. The design and analysis of graphical passwords. In SSYM'99: Proceedings of the 8th conference on USENIX Security Symposium, pages 1--1, Berkeley, CA, USA, 1999. USENIX Association. Google ScholarDigital Library
- B. Malek, M. Orozco, and A. E. Saddik. Novel shoulder-surfing resistant haptic-based graphical password. In EuroHaptics 2006, pages 179--184, jul 2006.Google Scholar
- J. Marshall, T. Pridmore, M. Pound, S. Benford, and B. Koleva. Pressing the flesh: Sensing multiple touch and finger pressure on arbitrary surfaces. In Pervasive Computing, Lecture Notes in Computer Science, pages 38--55. Springer, May 2008. Google ScholarDigital Library
- M. J. Martino, G. L. Meissner, and R. C. J. Paulsen. Identity verification system resistant to compromise by observation of its use. U.S. Patent 5,276,314 January 4, 1994.Google Scholar
- Microsoft Surface. http://www.surface.com.Google Scholar
- K. D. Mitnick and W. L. Simon. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, Inc., New York, NY, USA, 2003. Google ScholarDigital Library
- Passfaces Corporation. http://www.passfaces.com.Google Scholar
- T. Pering, M. Sundar, J. Light, and R. Want. Photographic authentication through untrusted terminals. IEEE Pervasive Computing, 2(1):30--36, 2003. Google ScholarDigital Library
- V. Roth, K. Richter, and R. Freidinger. A pin-entry method resilient against shoulder surfing. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 236--245, New York, NY, USA, 2004. ACM. Google ScholarDigital Library
- S. Sakurai, Y. KItamura, S. Subramanian, and F. Kishino. Visibility control using revolving polarizer. In Horizontal Interactive Human Computer Systems, 2008. TABLETOP 2008, pages 161--168. IEEE, October 2008.Google ScholarCross Ref
- H. Sasamoto, N. Christin, and E. Hayashi. Undercover: authentication usable in front of prying eyes. In CHI '08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pages 183--192, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
- J. Schöning, P. Brandl, F. Daiber, F. Echtler, O. Hilliges, J. Hook, M. Löchtefeld, N. Motamedi, L. Muller, P. Olivier, T. Roth, and U. von Zadow. Multi-touch surfaces: A technical guide. techreport, 2008.Google Scholar
- J. Schöning, M. Rohs, and A. Kr¨uger. Spatial authentication on large interactive multi-touch surfaces. In IEEE Tabetop 2008: Adjunct Proceedings of IEEE Tabletops and Interactie Surfaces, October 2008.Google Scholar
- G. B. D. Shoemaker and K. M. Inkpen. Single display privacyware: augmenting public displays with private information. In CHI '01: Proceedings of the SIGCHI conference on Human factors in computing systems, pages 522--529, New York, NY, USA, 2001. ACM. Google ScholarDigital Library
- P. Sinha, B. Balas, Y. Ostrovsky, and R. Russell. Face recognition by humans: Nineteen results all computer vision researchers should know about. Proceedings of the IEEE, 94(11):1948--1962, January 2007.Google ScholarCross Ref
- R. T. Smith and W. Piekarski. Public and private workspaces on tabletop displays. In AUIC '08: Proceedings of the ninth conference on Australasian user interface, pages 51--54, Darlinghurst, Australia, Australia, 2008. Australian Computer Society, Inc. Google ScholarDigital Library
- L. Standing, J. Conezio, and R. N. Haber. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Science, (19):73--74, 1970.Google Scholar
- X. Suo, Y. Zhu, and G. S. Owen. Graphical Passwords: A Survey. In ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, pages 463--472,Washington, DC, USA, 2005. IEEE Computer Society. Google ScholarDigital Library
- T. Takada, T. Onuki, and H. Koike. Awase-e: Recognition-based image authentication scheme using users' personal photographs. In Innovations in Information Technology, 2006, pages 1--5, Nov. 2006.Google ScholarCross Ref
- D. S. Tan, P. Keyani, and M. Czerwinski. Spy-resistant keyboard: more secure password entry on public touch screen displays. In OZCHI '05: Proceedings of the 17th Australia conference on Computer-Human Interaction, pages 1--10, Narrabundah, Australia, Australia, 2005. Computer-Human Interaction Special Interest Group (CHISIG) of Australia. Google ScholarDigital Library
- F. Tari, A. A. Ozok, and S. H. Holden. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In SOUPS '06: Proceedings of the second symposium on Usable privacy and security, pages 56--66, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
- D. Vogel and R. Balakrishnan. Interactive public ambient displays: transitioning from implicit to explicit, public to personal, interaction with multiple users. In UIST '04: Proceedings of the 17th annual ACM symposium on User interface software and technology, pages 137--146, New York, NY, USA, 2004. ACM. Google ScholarDigital Library
- S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In AVI '06: Proceedings of the working conference on Advanced visual interfaces, pages 177--184, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
- M. Wu and R. Balakrishnan. Multi-finger and whole hand gestural interaction techniques for multi-user tabletop displays. In UIST '03: Proceedings of the 16th annual ACM symposium on User interface software and technology, pages 193--202, New York, NY, USA, 2003. ACM. Google ScholarDigital Library
Index Terms
- Multi-touch authentication on tabletops
Recommendations
WYSWYE: shoulder surfing defense for recognition based graphical passwords
OzCHI '12: Proceedings of the 24th Australian Computer-Human Interaction ConferenceRecognition based graphical passwords are inherently vulnerable to shoulder surfing attacks because of their visual mode of interaction. In this paper, we propose and evaluate two novel shoulder-surfing defense techniques for recognition based graphical ...
A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords
SOUPS '06: Proceedings of the second symposium on Usable privacy and securityPrevious research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased ...
Towards Baselines for Shoulder Surfing on Mobile Authentication
ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications ConferenceGiven the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of an observation attack. While the research community has investigated solutions to minimize or ...
Comments