Top

Published in:

2022 | OriginalPaper | Chapter

Bu-Dash: A Universal and Dynamic Graphical Password Scheme

Authors : Panagiotis Andriotis, Myles Kirby, Atsuhiro Takasu

Published in: HCI for Cybersecurity, Privacy and Trust

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Biometric authentication gradually replaces knowledge-based methods on mobile devices. However, Personal Identification Numbers, passcodes, and graphical password schemes such as the Android Pattern Unlock (APU) are often the primary means for authentication, or they constitute an auxiliary (or backup) method to be used in case biometrics fail. Passcodes need to be memorable to be usable, hence users tend to choose easy to guess passwords, compromising security. The APU is a great example of a popular and usable graphical password scheme which can be easily compromised, by exploiting common and predominant human behavioristic traits. Despite its vulnerabilities, the scheme’s popularity has led researchers to propose adjustments and variations that enhance security but maintain its familiar user interface. Nevertheless, prior work demonstrated that improving security while preserving usability remains frequently a hard task. In this paper we propose a novel graphical password scheme built on the foundations of the well-accepted APU method, which is usable, inclusive, universal, and robust against shoulder surfing and smudge attacks. Our scheme, named Bu-Dash, features a dynamic user interface that mutates every time a user swipes the screen. Our pilot studies illustrate that Bu-Dash attracts positive user acceptance rates and maintains acceptable usability levels.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Towards the Improvement of UI/UX of a Human-AI Adversarial Authorship System

next chapter A Preliminary Investigation of Authentication of Choice in Health-Related Mobile Applications

https://www.playstation.com/en-gb/legal/copyright-and-trademark-notice/.

We utilized Google’s “Material Icons” as the password building blocks in this research work: https://fonts.google.com/icons.

We refer to viewers of the popular series “Squid Game”.

Andriotis, P., Oikonomou, G., Mylonas, A., Tryfonas, T.: A study on usability and security features of the Android pattern lock screen. Inf. Comput. Secur. 24(1), 53–72 (2016). https://doi.org/10.1108/ICS-01-2015-0001CrossRef

Andriotis, P., Tryfonas, T., Oikonomou, G.: Complexity metrics and user strength perceptions of the pattern-lock graphical authentication method. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 115–126. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07620-1_11CrossRef

Andriotis, P., Tryfonas, T., Oikonomou, G., Yildiz, C.: A pilot study on the security of pattern screen-lock methods and soft side channel attacks. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2013, pp. 1–6. ACM, New York (2013). https://doi.org/10.1145/2462096.2462098

Aviv, A.J., Budzitowski, D., Kuber, R.: Is bigger better? Comparing user-generated passwords on \(3 \times 3\) vs. \(4 \times 4\) grid sizes for Android’s pattern unlock. In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, pp. 301–310. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2818000.2818014

Aviv, A.J., Davin, J.T., Wolf, F., Kuber, R.: Towards baselines for shoulder surfing on mobile authentication. In: Proceedings of the 33rd Annual Computer Security Applications Conference, ACSAC 2017, pp. 486–498. Association for Computing Machinery, New York (2017). https://doi.org/10.1145/3134600.3134609

Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: Proceedings of the 4th USENIX Conference on Offensive Technologies, WOOT 2010, pp. 1–7. USENIX Association (2010)

Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, pp. 538–552 (2012). https://doi.org/10.1109/SP.2012.49

Chen, Y.L., Ku, W.C., Yeh, Y.C., Liao, D.M.: A simple text-based shoulder surfing resistant graphical password scheme. In: 2013 International Symposium on Next-Generation Electronics, pp. 161–164 (2013). https://doi.org/10.1109/ISNE.2013.6512317

Cho, G., Huh, J.H., Cho, J., Oh, S., Song, Y., Kim, H.: SysPal: system-guided pattern locks for Android. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 338–356 (2017). https://doi.org/10.1109/SP.2017.61

10.

Dai, L., Zhang, K., Zheng, X.S., Martin, R.R., Li, Y., Yu, J.: Visual complexity of shapes: a hierarchical perceptual learning model. Vis. Comput. 38, 419–432 (2021)CrossRef

11.

De Angeli, A., Coventry, L., Johnson, G., Renaud, K.: Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. Int. J. Hum.-Comput. Stud. 63(1), 128–152 (2005). https://doi.org/10.1016/j.ijhcs.2005.04.020. https://www.sciencedirect.com/science/article/pii/S1071581905000704. HCI research in privacy and security

12.

De Luca, A., et al.: Now you see me, now you don’t: protecting smartphone authentication from shoulder surfers. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2014, pp. 2937–2946. Association for Computing Machinery, New York (2014). https://doi.org/10.1145/2556288.2557097

13.

Forman, T., Aviv, A.: Double patterns: a usable solution to increase the security of Android unlock patterns. In: ACSAC 2020, pp. 219–233. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3427228.3427252

14.

Gugenheimer, J., De Luca, A., Hess, H., Karg, S., Wolf, D., Rukzio, E.: ColorSnakes: using colored decoys to secure authentication in sensitive contexts. In: Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services, MobileHCI 2015, pp. 274–283. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2785830.2785834

15.

Kabir, M.M., Hasan, N., Tahmid, M.K.H., Ovi, T.A., Rozario, V.S.: Enhancing smartphone lock security using vibration enabled randomly positioned numbers. In: Proceedings of the International Conference on Computing Advancements, ICCA 2020. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3377049.3377099

16.

Khan, H., Hengartner, U., Vogel, D.: Evaluating attack and defense strategies for smartphone PIN shoulder surfing, pp. 1–10. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3173574.3173738

17.

Kim, S.H., Kim, J.W., Kim, S.Y., Cho, H.G.: A new shoulder-surfing resistant password for mobile environments. In: Proceedings of the 5th International Conference on Ubiquitous Information Management and Communication, ICUIMC 2011. Association for Computing Machinery, New York (2011). https://doi.org/10.1145/1968613.1968647

18.

Ku, W.C., Liao, D.M., Chang, C.J., Qiu, P.J.: An enhanced capture attacks resistant text-based graphical password scheme. In: 2014 IEEE/CIC International Conference on Communications in China (ICCC), pp. 204–208 (2014). https://doi.org/10.1109/ICCChina.2014.7008272

19.

Kwon, T., Na, S.: SwitchPIN: securing smartphone pin entry with switchable keypads. In: 2014 IEEE International Conference on Consumer Electronics (ICCE), pp. 23–24 (2014). https://doi.org/10.1109/ICCE.2014.6775892

20.

Kwon, T., Na, S.: TinyLock: affordable defense against smudge attacks on smartphone pattern lock systems. Compute. Secur. 42, 137–150 (2014). https://doi.org/10.1016/j.cose.2013.12.001. https://www.sciencedirect.com/science/article/pii/S0167404813001697

21.

Kwon, T., Na, S.: SteganoPIN: two-faced human-machine interface for practical enforcement of pin entry security. IEEE Trans. Hum.-Mach. Syst. 46(1), 143–150 (2016). https://doi.org/10.1109/THMS.2015.2454498CrossRef

22.

Lee, M.K.: Security notions and advanced method for human shoulder-surfing resistant pin-entry. IEEE Trans. Inf. Forensics Secur. 9(4), 695–708 (2014). https://doi.org/10.1109/TIFS.2014.2307671CrossRef

23.

Loge, M., Duermuth, M., Rostad, L.: On user choice for android unlock patterns. In: European Workshop on Usable Security, ser. EuroUSEC, vol. 16 (2016)

24.

Markert, P., Bailey, D.V., Golla, M., Dürmuth, M., Aviv, A.J.: This pin can be easily guessed: analyzing the security of smartphone unlock pins. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 286–303 (2020). https://doi.org/10.1109/SP40000.2020.00100

25.

Munyendo, C.W., Grant, M., Philipp Markert, P., Forman, T.J., Aviv, A.J.: Using a blocklist to improve the security of user selection of Android patterns. In: Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021). USENIX Association, August 2021. https://www.usenix.org/conference/soups2021/presentation/munyendo

26.

Schneegass, S., Steimle, F., Bulling, A., Alt, F., Schmidt, A.: SmudgeSafe: geometric image transformations for smudge-resistant user authentication. In: Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing, UbiComp 2014, pp. 775–786. Association for Computing Machinery, New York (2014). https://doi.org/10.1145/2632048.2636090

27.

Song, Y., Cho, G., Oh, S., Kim, H., Huh, J.H.: On the effectiveness of pattern lock strength meters: measuring the strength of real world pattern locks, pp. 2343–2352. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2702123.2702365

28.

Sun, C., Wang, Y., Zheng, J.: Dissecting pattern unlock: the effect of pattern strength meter on pattern selection. J. Inf. Secur. Appl. 19(4), 308–320 (2014). https://doi.org/10.1016/j.jisa.2014.10.009. https://www.sciencedirect.com/science/article/pii/S2214212614001458

29.

Tupsamudre, H., Banahatti, V., Lodha, S., Vyas, K.: Pass-O: a proposal to improve the security of pattern unlock scheme. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 400–407. Association for Computing Machinery, New York (2017). https://doi.org/10.1145/3052973.3053041

30.

Uellenbeck, S., Dürmuth, M., Wolf, C., Holz, T.: Quantifying the security of graphical passwords: the case of Android unlock patterns. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 161–172. Association for Computing Machinery, New York (2013). https://doi.org/10.1145/2508859.2516700

31.

Vaddepalli, S., Nivas, S., Chettoor Jayakrishnan, G., Sirigireddy, G., Banahatti, V., Lodha, S.: Passo - new circular patter lock scheme evaluation. In: 22nd International Conference on Human-Computer Interaction with Mobile Devices and Services, MobileHCI 2020. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3406324.3417167

32.

Wang, D., Gu, Q., Huang, X., Wang, P.: Understanding human-chosen PINs: characteristics, distribution and security. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 372–385. Association for Computing Machinery, New York (2017). https://doi.org/10.1145/3052973.3053031

33.

Ye, G., et al.: A video-based attack for Android pattern lock. ACM Trans. Priv. Secur. 21(4) (2018). https://doi.org/10.1145/3230740

34.

von Zezschwitz, E., De Luca, A., Brunkow, B., Hussmann, H.: SwiPIN: fast and secure PIN-entry on smartphones, pp. 1403–1406. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2702123.2702212

35.

von Zezschwitz, E., et al.: On quantifying the effective password space of grid-based unlock gestures. In: Proceedings of the 15th International Conference on Mobile and Ubiquitous Multimedia, MUM 2016, pp. 201–212. Association for Computing Machinery, New York (2016). https://doi.org/10.1145/3012709.3012729

36.

Zimmermann, V., Gerber, N.: The password is dead, long live the password – a laboratory study on user perceptions of authentication schemes. Int. J. Hum.-Comput. Stud. 133, 26–44 (2020). https://doi.org/10.1016/j.ijhcs.2019.08.006. https://www.sciencedirect.com/science/article/pii/S1071581919301119

Title: Bu-Dash: A Universal and Dynamic Graphical Password Scheme
Authors: Panagiotis Andriotis
Myles Kirby
Atsuhiro Takasu
Publisher: Springer International Publishing
Book: HCI for Cybersecurity, Privacy and Trust
Print ISBN: 978-3-031-05562-1

Electronic ISBN: 978-3-031-05563-8

Copyright Year: 2022
DOI: https://doi.org/10.1007/978-3-031-05563-8_14

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"