Password entry usability and shoulder surfing susceptibility on different smartphone platforms

Virtual keyboards of different smartphone platforms seem quite similar at first glance, but the transformation from a physical to a virtual keyboard on a small-scale display results in user experience variations that cause significant differences in usability as well as shoulder surfing susceptibility, i.e., the risk of a bystander observing what is being typed. In our work, we investigate the impact of both aspects on the security of text-based password entry on mobile devices. In a between-subjects study with 80 participants, we analyzed usability and shoulder surfing susceptibility of password entry on different mobile platforms (iOS, Android, Windows Phone, Symbian, MeeGo). Our results show significant differences in the usability of password entry (required password entry time, typing accuracy) and in susceptibility to shoulder surfing. These findings provide insights for security-aware design of on-screen keyboards and for password composition strategies tailored to entry on smartphones.
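The abstract names two usability measures, required password entry time and typing accuracy, without defining how they are scored. The following is an added example, not code or data from the study, showing one way a practitioner could compute per-platform usability figures from keystroke logs. It assumes (this is not stated on the page) that entry time is the span from first keystroke to submission and that typing accuracy is derived from the edit distance between the typed string and the target password; the `Attempt` record, the `SAMPLE` log and the platform labels are constructed for illustration.

```python
"""Scoring password-entry usability from constructed keystroke logs.

Assumed metric definitions (not given on the page):
  entry time      = seconds from first keystroke to submit
  typing accuracy = 1 - edit_distance(target, typed) / len(target), floored at 0
"""
from dataclasses import dataclass


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Attempt:
    platform: str     # hypothetical label, e.g. "iOS" / "Android"
    target: str       # password the participant was asked to enter
    typed: str        # string actually submitted
    t_first_ms: int   # timestamp of first keystroke
    t_submit_ms: int  # timestamp of submit


def entry_time_s(a: Attempt) -> float:
    """Required password entry time in seconds."""
    return (a.t_submit_ms - a.t_first_ms) / 1000.0


def typing_accuracy(a: Attempt) -> float:
    """1.0 for an exact match; each edit costs 1/len(target); never below 0."""
    if not a.target:
        raise ValueError("empty target password")
    return max(0.0, 1.0 - levenshtein(a.target, a.typed) / len(a.target))


def summarize(attempts):
    """Per-platform mean entry time, mean accuracy and exact-match rate."""
    by_platform = {}
    for a in attempts:
        by_platform.setdefault(a.platform, []).append(a)
    out = {}
    for plat, items in by_platform.items():
        n = len(items)
        out[plat] = {
            "n": n,
            "mean_time_s": round(sum(entry_time_s(a) for a in items) / n, 3),
            "mean_accuracy": round(sum(typing_accuracy(a) for a in items) / n, 3),
            "exact_rate": round(sum(a.typed == a.target for a in items) / n, 3),
        }
    return out


# Constructed sample log; not data from the study.
SAMPLE = [
    Attempt("iOS", "Tr0ub4dor&3", "Tr0ub4dor&3", 1000, 9400),
    Attempt("iOS", "Tr0ub4dor&3", "Tr0ub4dor3", 1000, 8200),   # dropped '&'
    Attempt("Android", "Tr0ub4dor&3", "Tr0ub4dor&3", 2000, 12000),
    Attempt("Android", "Tr0ub4dor&3", "Tr0ubador&3", 2000, 11000),  # 'a' for '4'
]

if __name__ == "__main__":
    for plat, stats in summarize(SAMPLE).items():
        print(plat, stats)
```

Scoring accuracy by edit distance rather than by exact match keeps near-misses (a dropped symbol, an adjacent-key substitution) distinguishable from garbage input, which is what a keyboard-layout comparison needs; the exact-match rate is still reported because that is what an authentication prompt actually accepts.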
