A Shoulder Surfing Resistant Graphical Authentication System


Abstract

Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords that are either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we propose a novel authentication system, PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. The experimental results show that the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Introduction

TEXTUAL passwords have been the most widely used authentication method for decades. Comprised of numbers and upper- and lower-case letters, textual passwords are considered strong enough to resist brute force attacks. However, a strong textual password is hard to memorize and recollect [1]. Therefore, users tend to choose passwords that are either short or from the dictionary, rather than random alphanumeric strings. Even worse, it is not a rare case that users use only one username and password for multiple accounts [2]. According to an article in Computerworld, a security team at a large company ran a network password cracker and surprisingly cracked approximately 80% of the employees’ passwords within 30 seconds [3]. Textual passwords are often insecure due to the difficulty of maintaining strong ones. Various graphical password authentication schemes [4], [5], [6], [7] were developed to address the problems and weaknesses associated with textual passwords. Based on studies such as those in [8], [9], humans have a better ability to memorize images with long-term memory (LTM) than verbal representations. Image-based passwords were proved to be easier to recollect in several user studies [10], [11], [12]. As a result, users can set up a complex authentication password and are capable of recollecting it after a long time even if the memory is not activated periodically. However, most of these image-based passwords are vulnerable to shoulder surfing attacks (SSAs). This type of attack either uses direct observation, such as watching over someone’s shoulder, or applies video capturing techniques to get passwords, PINs, or other sensitive personal information [13], [14], [15]. Human actions such as choosing bad passwords for new accounts and inputting passwords in an insecure way for later logins are regarded as the weakest link in the authentication chain [16]. Therefore, an authentication scheme should be designed to overcome these vulnerabilities.
In this paper, we present a secure graphical authentication system named PassMatrix that protects users from becoming victims of shoulder surfing attacks when inputting passwords in public through the usage of one-time login indicators. A login indicator is randomly generated for each pass-image and will be useless after the session terminates. The login indicator provides better security against shoulder surfing attacks, since users use a dynamic pointer to point out the position of their passwords rather than clicking on the password object directly.

Motivation

According to the mobile marketing statistics compilation by Danyl, mobile shipments overtook PC shipments in 2011, and the number of mobile users also overtook desktop users in 2014, approaching 2 billion [17]. However, shoulder surfing attacks have posed a great threat to users’ privacy and confidentiality as mobile devices are becoming indispensable in modern life. People may log into web services and apps in public to access their personal accounts with their smartphones, tablets or public devices, like bank ATMs. Shoulder-surfing attackers can observe how the passwords were entered with the help of reflecting glass windows, let alone the monitors hanging everywhere in public places. Passwords are exposed to risky environments, even if the passwords themselves are complex and secure. A secure authentication system should be able to defend against shoulder surfing attacks and should be applicable to all kinds of devices. Authentication schemes in the literature such as those are resistant to shoulder surfing, but they have either usability limitations or a small password space. Some of them are not suitable to be applied in mobile devices, and most of them can be easily compromised by shoulder surfing attacks if attackers use video capturing techniques like Google Glass [15], [26]. The limitations of usability include issues such as taking more time to log in, passwords being too difficult to recall after a period of time, and the authentication method being too complicated for users without proper education and practice. In 2006, Wiedenbeck et al. proposed PassPoints [7], in which the user picks several points (3 to 5) in an image during the password creation phase and re-enters each of these pre-selected click-points in the correct order within its tolerant square during the login phase. Compared to traditional PIN and textual passwords, the PassPoints scheme substantially increases the password space and enhances password memorability.
Unfortunately, this graphical authentication scheme is vulnerable to shoulder surfing attacks. Hence, based on PassPoints, we add the idea of using one-time session passwords and distractors to develop our PassMatrix authentication system, which is resistant to shoulder surfing attacks.

Related Work

In the past several decades, a lot of research on password authentication has been done in the literature. Among all of these proposed schemes, this paper focuses mainly on graphical-based authentication systems. To keep this paper concise, we will give a brief review of the most related schemes that were mentioned in the previous section. Many other schemes, such as those, may have good usability, but they are not graphical-based and need additional support from extra hardware such as audio, a multi-touch monitor, a vibration sensor, or a gyroscope.

In the early days, the graphical capability of handheld devices was weak; the colors and pixels they could show were limited. Under this limitation, the Draw-a-Secret (DAS) [6] technique was proposed by Jermyn et al. in 1999, where the user is required to re-draw a pre-defined picture on a 2D grid. We directly extract the figure from [6] and show it in Fig. 1b. If the drawing touches the same grid cells in the same sequence, then the user is authenticated. Since then, the graphical capability of handheld devices has steadily and ceaselessly improved with the advances in science and technology. In 2005, Wiedenbeck et al. introduced a graphical authentication scheme, PassPoints [7], and at that time handheld devices could already show high resolution color pictures. Using the PassPoints scheme, the user has to click on a set of predefined pixels on the predestined photo, as shown in Fig. 1a (this figure is extracted from [7]), in the correct sequence and within their tolerant squares during the login stage. Moreover, Martinez-Diaz et al. also extended DAS based on finger-drawn doodles and pseudo-signatures on recent mobile devices [32], [33].

This authentication system is based on features which are extracted from the dynamics of the gesture drawing process (e.g., speed or acceleration). These features contain behavioral biometric characteristics. In other words, the attacker would have to imitate not only what the user draws, but also how the user draws it. However, these three authentication schemes are still all vulnerable to shoulder surfing attacks, as they may reveal the graphical passwords directly to unknown observers in public. In addition to graphical authentication schemes, there has been some research on extending conventional personal identification number (PIN) entry authentication systems. In 2004, Roth et al. [34] presented an approach for PIN entry against shoulder surfing attacks by increasing the noise to observers. In their approach, the PIN digits are displayed in either black or white randomly in each round. The user must respond to the system by identifying the color of each password digit. After the user has made a series of binary choices (black or white), the system can figure out the PIN the user intended to enter by intersecting the user’s choices. This approach could confuse observers who just watch the screen without the help of video capturing devices. However, if observers are able to capture the whole authentication process, the passwords can be cracked easily. In order to defend against shoulder surfing attacks with video capturing, FakePointer [35] was introduced in 2008 by Takada. We use Fig. 2 (from [35]) below to show the usage of FakePointer. In addition to the PIN, the user gets a new “answer indicator” each time for the authentication process at a bank ATM. In other words, the user has two secrets for authentication: a PIN as a fixed secret and an answer indicator as a disposable secret. The answer indicator is a sequence of n shapes if the PIN has n digits. At each login session, the FakePointer interface presents the user with an image of a numeric keypad with 10 numbers (similar to the numeric keypad of a phone), with each key (number) on top of a randomly picked shape.

The numeric keys, but not the shapes, can be moved circularly using the left or right arrow keys. During authentication, the user must repeatedly move the numeric keys circularly, as shown in the leftmost figure in Fig. 2, until the first digit of the PIN overlaps the first shape of the answer indicator on the keypad, and then confirm the selection by pressing the space key. This operation is repeated until all the PIN digits are entered and confirmed. This approach is quite robust even when the attacker captures the whole authentication process. However, there is still room to improve the password space. For example, if the device used for authentication is a smartphone, a tablet or a computer rather than a bank ATM, the password space can be enlarged substantially, since the PIN could be any combination of alphanumeric characters rather than just numeric digits. Wiedenbeck et al. [36] described a graphical password entry scheme in 2006, as shown in Fig. 3b (the figure is extracted from [36]). This scheme is resistant to shoulder surfing attacks using a convex hull method.

The user needs to recognize a set of pass-icons on the screen and click inside the convex hull formed by all these pass-icons. In order to make the password hard to guess, a large number of other icons can be inserted into the screen to increase the password space. However, a large number of objects will crowd the display and may make objects indistinguishable. In 2010, David Kim et al. [25] proposed a visual authentication scheme for tabletop interfaces called “Color Rings”, as shown in Fig. 3a (the figure is extracted from [25]), where the user is assigned i authentication (key) icons, which are collectively assigned one of four color-rings: red, green, blue, or pink. During login, i grids of icons are provided, with 72 icons displayed per grid. There is only one key icon presented in each grid. The user must drag all four rings (ideally with the index finger and thumb of both hands) concurrently and place them in the grid. The key icon should be captured by the ring of the correct color, while the rest of the rings just make decoy selections. The user confirms a selection by dropping the rings in position. The rings are large enough to include more than one icon and can thus obfuscate a direct observer. Unfortunately, these passwords can be cracked by intersecting the user’s selections across logins, because the color of the assigned ring is fixed and a ring can include at most seven icons. Thus, the attacker only needs a limited number of trials to guess the user’s password.
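The three observation arguments above (Roth et al.'s binary colours, FakePointer's one-time answer shape, and Color Rings' fixed-colour ring) can be checked with a small candidate-set model. The following simulation is an added example written for this page, not code from any of the cited papers: for each scheme it records what a video-capturing observer sees during a login and counts which secrets remain consistent with the recording. The parameters (10 shapes for FakePointer, 72 icons and rings of 7 for Color Rings) are taken from the text; the random coverage of decoy icons is an assumption. The same one-time-indicator principle that keeps FakePointer's set full is what PassMatrix's login indicator relies on.

```python
"""Constructed candidate-set model: how much a recorded login narrows each scheme's secret."""
import random

DIGITS = range(10)

def roth_candidates(pin_digit, rounds, rng):
    """Roth et al.: each round colours every digit black (0) or white (1) at random and
    the user answers the colour of their digit. An observer who records the screen and
    the answer keeps only the digits whose colour matched the answer in every round."""
    cands = set(DIGITS)
    for _ in range(rounds):
        colouring = {d: rng.randint(0, 1) for d in DIGITS}   # iterates digits 0..9 in order
        answer = colouring[pin_digit]                         # the user's binary reply
        cands &= {d for d in DIGITS if colouring[d] == answer}
    return cands

def fakepointer_candidates(pin_digit, logins, rng):
    """FakePointer: ten shapes lie under the ten key slots; the user rotates the digits
    until the PIN digit sits over the one-time answer shape and confirms. The observer
    sees the final layout (which digit sits in which slot) but never the answer shape,
    so every digit is explained by some shape, and a fresh shape per login means
    intersecting several recordings still leaves the full set."""
    cands = set(DIGITS)
    for _ in range(logins):
        shapes = list(DIGITS); rng.shuffle(shapes)            # shape id under each slot
        answer_shape = rng.choice(list(DIGITS))               # disposable indicator
        shift = (shapes.index(answer_shape) - pin_digit) % 10 # rotation the user applies
        layout = {(d + shift) % 10: d for d in DIGITS}        # slot -> digit shown
        cands &= {layout[s] for s in layout}                  # any slot could be the answer
    return cands

def colorrings_candidates(key_icon, logins, rng, icons=72, covered=7):
    """Color Rings: the key icon must fall inside the user's fixed-colour ring, which
    covers at most `covered` of the `icons` icons. Because the colour never changes,
    an observer intersects the covered sets of that ring across logins."""
    cands = set(range(icons))
    for _ in range(logins):
        others = [i for i in range(icons) if i != key_icon]
        covered_set = {key_icon, *rng.sample(others, covered - 1)}  # assumed random decoys
        cands &= covered_set
    return cands

def survivors(seed=1):
    """Candidate-set sizes after 4 Roth rounds, 3 FakePointer logins, 3 Color Rings logins."""
    rng = random.Random(seed)
    return {"roth": len(roth_candidates(7, 4, rng)),
            "fakepointer": len(fakepointer_candidates(7, 3, rng)),
            "colorrings": len(colorrings_candidates(42, 3, rng))}

if __name__ == "__main__":
    print(survivors())
```

Roth's set collapses toward one digit after about four rounds and Color Rings shrinks with every recorded login, while FakePointer stays at all ten digits no matter how many sessions are captured.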

Conclusion

With the increasing trend of web services and apps, users are able to access these applications anytime and anywhere with various devices. In order to protect users’ digital property, authentication is required every time they try to access their personal account and data. However, conducting the authentication process in public might result in potential shoulder surfing attacks. Even a complicated password can be cracked easily through shoulder surfing. Using traditional textual passwords or the PIN method, users need to type their passwords to authenticate themselves, and thus these passwords can be revealed easily if someone peeks over their shoulder or uses video recording devices such as cell phones. To overcome this problem, we proposed a shoulder surfing resistant authentication system based on graphical passwords, named PassMatrix. Using a one-time login indicator per image, users can point out the location of their pass-square without directly clicking or touching it, which is an action vulnerable to shoulder surfing attacks. Because of the design of the horizontal and vertical bars that cover the entire pass-image, it offers no clue for attackers to narrow down the password space even if they have more than one login record of that account. Furthermore, we implemented a PassMatrix prototype on Android and carried out user experiments to evaluate its memorability and usability. The experimental results showed that users can log into the system with an average of 1.64 tries (median = 1), and the total accuracy of all login trials is 93.33% even two weeks after registration. The total time consumed to log into PassMatrix with an average of 3.2 pass-images is between 31.31 and 37.11.