Theoretical Security Evaluation of the Human Semantic Authentication Protocol

Using a secret password or a PIN (Personal Identification Number) code is a common way to authenticate a user. Unfortunately, this protection does not resist an attacker who can observe the user while the secret is entered (shoulder surfing attack). The Human Semantic Authentication (HSA) protocol proposes a solution against this attack. The main idea is to use concept passwords and to present images that the user must correctly select in order to authenticate. A concept can be represented by different pictures, so a single observation is not enough to retrieve the secret. In this paper, the security/efficiency trade-off of the HSA protocol is evaluated using a probabilistic approach. Under the assumption that the picture/concept database is known to the attacker, we show that HSA is barely more resistant to shoulder surfing attacks than a PIN code. More precisely, we show that the probability of retrieving the secret concept password increases rapidly with the number of observations. Moreover, the constraints on the size of the picture/concept database are very difficult to satisfy in practice.
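The observation-intersection model behind this evaluation, as an added example that is not the paper's own code: each observed picture narrows the secret to the concepts that picture can stand for, and a Monte Carlo run measures how quickly repeated observations collapse the candidate set to one concept. The picture/concept database, the grid size and the user's picking rule are constructed assumptions, not values from the paper.

```python
import random

# Constructed toy picture/concept database (not from the paper): each picture
# is tagged with every concept it can stand for. Picture "p2" (say, a red
# apple) represents both "fruit" and "red", so one observation of it is ambiguous.
TOY_DB = {
    "p0": {"fruit"}, "p1": {"fruit", "round"}, "p2": {"fruit", "red"},
    "p3": {"red"},   "p4": {"red", "round"},   "p5": {"round"},
}

def concepts_of(db):
    return sorted({c for tags in db.values() for c in tags})

def candidates_after(db, observed):
    """Concepts consistent with every picture the user was seen selecting.
    Known-database assumption: the observer can look up each picture's tags."""
    cands = set(concepts_of(db))
    for pic in observed:
        cands &= db[pic]
    return cands

def user_pick(db, secret, challenge, rng):
    """Assumed user behaviour: pick uniformly among shown pictures of the secret."""
    return rng.choice([p for p in challenge if secret in db[p]])

def recovery_curve(db, max_obs, trials, grid=4, seed=0):
    """Estimate P(candidate set == {secret}) after k = 1..max_obs observations.
    Each trial draws one secret and one sequence of challenges, so the curve
    is non-decreasing by construction (a singleton set never grows again)."""
    rng = random.Random(seed)
    pics, concepts = list(db), concepts_of(db)
    hits = [0] * max_obs
    for _ in range(trials):
        secret = rng.choice(concepts)
        observed = []
        for k in range(max_obs):
            # Challenge: a random grid that shows at least one picture of the secret.
            while True:
                challenge = rng.sample(pics, grid)
                if any(secret in db[p] for p in challenge):
                    break
            observed.append(user_pick(db, secret, challenge, rng))
            if candidates_after(db, observed) == {secret}:
                hits[k] += 1
    return [h / trials for h in hits]

if __name__ == "__main__":
    for k, p in enumerate(recovery_curve(TOY_DB, 5, 2000), start=1):
        print(f"after {k} observation(s): P(secret identified) = {p:.3f}")
```

With the toy database the first observation already identifies the concept in a sizeable fraction of runs, and five observations almost always do; the curve shows why a larger, more overlapping database is needed to keep the probability low.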
