SPOSS: Secure Pin-Based-Authentication Obviating Shoulder Surfing

Classical PIN-based authentication schemes are susceptible to shoulder-surfing attacks, so an attacker who observes the entry can obtain a legitimate user's secret credential with little effort. Existing schemes that resist shoulder surfing typically pay for it in one of three ways: they require multiple rounds to enter a single digit, they depend on external hardware, or they require the user to perform non-trivial mental computation in order to enter the PIN. A further threat is credential theft when the server's password file is compromised. In this paper we propose a new PIN-entry mechanism, SPOSS, which resists not only human observers but also a recording attack (for one session), in which the attacker places a recording device such as a camera to capture the entire login session for later analysis. SPOSS also protects against a password-file-compromise attack. In addition, the user is authenticated in a single round, without any mental computation and without any dependency on external hardware. Experimental analysis shows that the proposed scheme achieves a good balance between usability and security.