SteganoPIN: Two-Faced Human–Machine Interface for Practical Enforcement of PIN Entry Security

Users typically reuse the same personal identification number (PIN) across multiple systems and in numerous sessions. Direct PIN entry is highly susceptible to shoulder-surfing attacks, since attackers can observe the entry effectively with concealed cameras. Indirect PIN entry methods proposed as countermeasures are rarely deployed because they demand a heavier cognitive workload from users. To achieve both security and usability, we present a practical indirect PIN entry method called SteganoPIN. The human-machine interface of SteganoPIN consists of two numeric keypads, one covered and the other open, designed to physically block shoulder-surfing attacks. After locating the long-term PIN in the more typical layout, through the covered permuted keypad, a user generates a one-time PIN that can safely be entered in plain view of attackers. Forty-eight participants were involved in investigating the PIN entry time and error rate of SteganoPIN. Our experimental manipulation used a within-subject factorial design with two independent variables: PIN entry system (standard PIN, SteganoPIN) and PIN type (system-chosen PIN, user-chosen PIN). The PIN entry time in SteganoPIN (5.4-5.7 s) was slower but acceptable, and the error rate (0-2.1%) was not significantly different from that of the standard PIN. SteganoPIN is resilient to camera-based shoulder-surfing attacks over multiple authentication sessions. It remains limited to PIN-based authentication.
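The following is an added example, not code from the paper or its authors, that models the one-time PIN derivation the abstract describes. The exact key-mapping rule is an assumption reconstructed from the abstract: the covered keypad shows the ten digits in a random per-session arrangement, the open keypad shows the standard layout, and for each digit of the long-term PIN the user finds that digit on the covered keypad and presses the key at the same position on the open keypad. The terminal, which generated the arrangement, inverts the mapping and checks the long-term PIN. The last function goes beyond the abstract to show what an observer who sees only the one-time PIN (never the covered keypad) can infer under this model: any PIN with the same digit-repetition structure is consistent with the observation, so a replayed one-time PIN fails in the next session and a single observation leaves thousands of candidates for a PIN with distinct digits.

```python
"""Model of SteganoPIN-style one-time PIN entry (added example, mapping rule assumed)."""
import secrets
from itertools import product

DIGITS = "0123456789"
# Constructed: digit printed at each of the ten key positions on the open (standard) keypad.
STANDARD_LAYOUT = "1234567890"


def new_session_layout() -> str:
    """Fresh random arrangement of the ten digits for the covered keypad (the per-session challenge)."""
    digits = list(DIGITS)
    # Fisher-Yates shuffle driven by the OS CSPRNG; a predictable shuffle would let an
    # observer reconstruct the covered keypad and undo the indirection.
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def derive_one_time_pin(long_term_pin: str, covered_layout: str) -> str:
    """What the user does: locate each PIN digit on the covered keypad and press the
    open-keypad key sitting at that same position."""
    return "".join(STANDARD_LAYOUT[covered_layout.index(d)] for d in long_term_pin)


def recover_long_term_pin(one_time_pin: str, covered_layout: str) -> str:
    """What the terminal does: map each entered key back through the layout it generated."""
    return "".join(covered_layout[STANDARD_LAYOUT.index(d)] for d in one_time_pin)


def verify(one_time_pin: str, covered_layout: str, stored_pin: str) -> bool:
    """Constant-time comparison of the recovered PIN against the stored long-term PIN."""
    if len(one_time_pin) != len(stored_pin) or any(d not in DIGITS for d in one_time_pin):
        return False
    return secrets.compare_digest(recover_long_term_pin(one_time_pin, covered_layout), stored_pin)


def candidate_pins(one_time_pin: str) -> list:
    """Every long-term PIN consistent with a single observed one-time PIN when the
    covered layout is unknown. Because the layout is a bijection on digits, the only
    information an observer gains is which positions of the PIN hold equal digits."""
    pattern = [one_time_pin.index(d) for d in one_time_pin]  # first-occurrence pattern
    return [
        "".join(p)
        for p in product(DIGITS, repeat=len(one_time_pin))
        if ["".join(p).index(d) for d in p] == pattern
    ]


if __name__ == "__main__":
    pin = "3790"                       # constructed long-term PIN
    layout = new_session_layout()
    otp = derive_one_time_pin(pin, layout)
    print("covered layout:", layout, "one-time PIN entered in the open:", otp)
    print("terminal accepts:", verify(otp, layout, pin))
    print("same one-time PIN replayed next session:", verify(otp, new_session_layout(), pin))
    print("PINs consistent with one observation:", len(candidate_pins(otp)))
```

The `candidate_pins` count is the point a defender should take from the model: for a four-digit PIN with distinct digits, one observed session still leaves 10·9·8·7 = 5040 candidates, but a PIN such as 1122 exposes its repetition pattern and leaves only 90, so guidance against repeated digits matters even with indirect entry.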
