PassChords: secure multi-touch authentication for blind people

Blind mobile device users face security risks such as inaccessible authentication methods, and aural and visual eavesdropping. We interviewed 13 blind smartphone users and found that most participants were unaware of or not concerned about potential security threats. Not a single participant used optional authentication methods such as a password-protected screen lock. We addressed the high risk of unauthorized user access by developing PassChords, a non-visual authentication method for touch surfaces that is robust to aural and visual eavesdropping. A user enters a PassChord by tapping several times on a touch surface with one or more fingers. The set of fingers used in each tap defines the password. We give preliminary evidence that a four-tap PassChord has about the same entropy, a measure of password strength, as a four-digit personal identification number (PIN) used in the iPhone's Passcode Lock. We conducted a study with 16 blind participants that showed that PassChords were nearly three times as fast as iPhone's Passcode Lock with VoiceOver, suggesting that PassChords are a viable accessible authentication method for touch screens.
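The abstract describes a PassChord as a short sequence of taps where each tap is the set of fingers touching the surface. The following Python is an added illustration, not code from the paper or its authors: it encodes a tap as a bitmask over an assumed five-finger labelling (`FINGERS`), stores a PBKDF2 verifier instead of the raw chord sequence, and checks an entry with a constant-time comparison so that a mismatch is rejected in the same time regardless of how many taps matched. The `passchord_entropy_bits` function gives only the uniform-choice upper bound for the assumed alphabet (each tap a non-empty subset of `n_fingers` fingers); the paper's own "about the same as a four-digit PIN" figure comes from its own analysis and is not reproduced here. The finger names, the encoding, the PBKDF2 parameters and the sample chord are all constructed for the example.

```python
import hashlib
import hmac
import math
import os
from typing import Iterable, Sequence

# Constructed finger labels for one hand. The paper's own chord alphabet
# (which fingers, how many) is not reproduced here; this is an assumption.
FINGERS = ("thumb", "index", "middle", "ring", "pinky")

Tap = Sequence[str]


def encode_tap(fingers: Tap) -> int:
    """Encode one tap as a bitmask over FINGERS.

    The landing order is irrelevant: a tap is the *set* of fingers that
    touched the surface, so (index, middle) == (middle, index).
    """
    mask = 0
    for f in fingers:
        mask |= 1 << FINGERS.index(f)  # ValueError for an unknown finger name
    if mask == 0:
        raise ValueError("a tap must use at least one finger")
    return mask


def encode_passchord(taps: Iterable[Tap]) -> bytes:
    """Serialize a tap sequence as one byte per tap (low 5 bits used)."""
    return bytes(encode_tap(t) for t in taps)


def enroll(taps: Iterable[Tap], salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive the stored verifier (assumed PBKDF2-SHA256); never keep the raw chord."""
    return hashlib.pbkdf2_hmac("sha256", encode_passchord(taps), salt, iterations)


def verify_passchord(stored: bytes, salt: bytes, entered: Iterable[Tap],
                     iterations: int = 100_000) -> bool:
    """Check an entered chord sequence against the stored verifier.

    Malformed input (empty tap, unknown finger) is rejected without raising,
    and the digest comparison is constant-time so rejection timing does not
    reveal how many leading taps were correct.
    """
    try:
        candidate = enroll(entered, salt, iterations)
    except ValueError:
        return False
    return hmac.compare_digest(stored, candidate)


def passchord_entropy_bits(n_taps: int, n_fingers: int = len(FINGERS)) -> float:
    """Upper bound if each tap is a uniformly chosen non-empty subset of
    n_fingers fingers: n_taps * log2(2**n_fingers - 1)."""
    return n_taps * math.log2(2 ** n_fingers - 1)


def pin_entropy_bits(n_digits: int) -> float:
    """Same bound for a uniformly chosen numeric PIN."""
    return n_digits * math.log2(10)


if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed sample chord: four taps, one to two fingers each.
    secret = [("index",), ("index", "middle"), ("thumb",), ("ring", "pinky")]
    stored = enroll(secret, salt)
    print(verify_passchord(stored, salt, secret))       # True
    print(verify_passchord(stored, salt, secret[:3]))   # False
    for k in (4, 5):
        print(k, "fingers, 4 taps:", round(passchord_entropy_bits(4, k), 2), "bits")
    print("4-digit PIN:", round(pin_entropy_bits(4), 2), "bits")
```

The uniform bound is deliberately optimistic: users do not pick chords uniformly, which is why the paper reports its entropy estimate as preliminary evidence rather than deriving it from the alphabet size alone. A deployment would also want rate limiting on failed attempts, since a secret of PIN-like strength is only as safe as the number of guesses the lock allows.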
