Shoulder Surfing: From An Experimental Study to a Comparative Framework

Abstract

Shoulder surfing is an attack vector widely recognized as a real threat, enough to warrant researchers dedicating considerable effort toward designing novel authentication methods that resist shoulder surfing. Despite a multitude of proposed solutions over the years, few have been subjected to empirical evaluation or compared against other methods, and our understanding of the shoulder surfing phenomenon remains limited. Apart from the challenges of experimental design, the main reason for this is the lack of objective and comparable vulnerability measures. In this paper, we develop an ensemble of vulnerability metrics, a first step toward a comprehensive assessment of a given method's susceptibility to observational attacks. In the largest on-site shoulder surfing experiment to date (n = 274), we verify the model on four conceptually different authentication methods in two observation scenarios. Using a novel hybrid authentication method based on associations as an example, we explore the effect of input type on the adversary's effectiveness. We provide the first empirical evidence that graphical passwords are easier to observe; however, that does not necessarily mean that the observed information will allow the attacker to guess the victim's password more easily. An in-depth analysis of the individual metrics within the clusters offers insight into many aspects of the shoulder surfing attack not explored before. Our comparative framework advances the evaluation of shoulder surfing and furthers our understanding of observational attacks. The results have important implications for future shoulder surfing studies and for the field of password security as a whole.