Use the Force: Evaluating Force-Sensitive Authentication for Mobile Devices

Modern, off-the-shelf smartphones provide a rich set of possible touchscreen interactions, but knowledge-based authentication schemes still rely on simple digit or character input. Previous studies examined the shortcomings of such schemes based on unlock patterns, PINs, and passcodes. In this paper, we propose to integrate pressure-sensitive touchscreen interactions into knowledge-based authentication schemes. By adding a (practically) invisible, pressure-sensitive component, users can select stronger PINs that are harder for a shoulder surfer to observe. We conducted a within-subjects lab study (n = 50) to compare our approach, termed force-PINs, with standard four-digit and six-digit PINs in terms of usability performance, and we carried out a comprehensive security evaluation. In addition, we conducted a field study that demonstrated lower authentication overhead. Finally, we found that force-PINs let users select higher-entropy PINs that are more resilient to shoulder-surfing attacks with minimal impact on usability performance.
