CoverPad: A Leakage Resilient Password System on Touch-Screen Mobile Devices

Most prior research on improving the leakage resilience of password entry focuses on desktop computers, and usually does not address restrictions specific to mobile devices, such as small screen size. At the same time, additional features of mobile devices, such as the touch screen, are not used in the traditional settings. In this chapter, we introduce a leakage-resilient password (LRP) scheme named CoverPad for password entry on touch-screen mobile devices. CoverPad leverages a temporary secure channel between the user and the touch screen, which can be easily realized by making a hand-shielding gesture on the touch screen. The temporary secure channel is used to safely deliver a hidden message to the user, who uses it to transform each password symbol before entering it on the touch screen in an open channel. CoverPad is proven to be leakage resilient, and it retains most of the benefits of legacy passwords. The usability of CoverPad is evaluated in a rigorous user study with realistic testing conditions, including time pressure, distraction, and mental workload.
