Making graphic-based authentication secure against smudge attacks

Most of today's smartphones and tablet computers use touchscreens as the main means of interaction. Using these touchscreens leaves oily residues from the users' fingers (smudge) on the device's display. Because this smudge can be used to deduce previously entered data, authentication tokens are jeopardized. Most notably, grid-based authentication methods, like the Android pattern scheme, are prone to such attacks. Based on a thorough development process using low-fidelity and high-fidelity prototyping, we designed three graphic-based authentication methods so that they leave smudge traces that are not easy to interpret. We present one grid-based and two randomized graphical approaches and report on two user studies that we performed to prove the feasibility of these concepts. The authentication schemes were compared to the widely used Android pattern authentication and analyzed in terms of performance, usability and security. The results indicate that our concepts are significantly more secure against smudge attacks while keeping high input speed.