The general proposed authentication mechanism.

Source publication
Article
Authentication in mobile devices is inherently vulnerable to attacks and has the weakness of being susceptible to shoulder-surfing attack. Shoulder-surfing attack is a type of attack that uses direct observation techniques such as looking over someone’s shoulder to get information. This paper aims to introduce a novel way of concealing the password...

Citations

... In the second round, 20 of the participants from the non-computing fields will act as ordinary users and 20 participants from the computing fields will act as shoulder-surfing attackers, similar to other studies by (Alsuhibany, 2021) and (Abass et al., 2022) that used participants as shoulder surfers. ...
Article
Passwords, which are the primary component of the authentication process, play a significant role in information and computer security. Using an alphanumeric username and password is the most common computer authentication technique, although it has a number of limitations (e.g. guessing attack, brute-force attack, shoulder-surfing attack, etc.). To address the weaknesses of traditional techniques, graphical password systems have been developed as potential alternatives. Unfortunately, both traditional passwords and graphical passwords are vulnerable to shoulder-surfing attack. To address this issue, a number of shoulder-surfing-resistant schemes were developed using a variety of techniques, but the trade-off between usability and security remains difficult to achieve. In this study, the authors introduced a hybrid approach that combines words extracted from English-language idiomatic expressions and pictures to authenticate users in two phases, which leads to a scheme that is usable and secure. The usability and security were evaluated by experimental studies conducted with 60 users. The result of the scheme was compared to that of other similar schemes. The results show that the proposed technique has the lowest shoulder-surfing success rate (1.6%) compared to the benchmarked approaches and has high user acceptance.
... However, some of the existing methods lack usability assessment [8], [9], [10] while some other methods may introduce accessibility issues due to their requirement for special hardware (e.g., [11]). A few empirical shoulder-surfing studies in the context of mobile user authentication have compared a PIN and an augmented PIN [12], PINs and pattern lock variations [13], PINs and graphical passwords [14], textual and graphical passwords [15], and different textual password variations [7], [16]. The process of password entry makes it vulnerable to shoulder-surfing attacks [17]. ...
... These methods extract features from the user's keystroke-based behaviors, such as the time of typing events, the locations of keys, sizes of fingertips, and motion data captured by built-in motion sensors [26], [49], [51]. On a separate note, studies have explored shoulder-surfing resistance strategies, such as manipulating the password focus-area display (e.g., skipping a few characters [7] and inserting camouflage digits [16]), rearranging the keypad display (e.g., randomizing the order of PIN display using Mersenne twister [51]), and adding an additional layer of knowledge (e.g., assigning an emoticon to an associated key [38]) to confuse the attacker's effort in identifying a real password. However, these strategies do not involve keystroke-based features and are thus not considered in this study. ...
... Most password methods (e.g., [8], [30], [33]) have not been empirically evaluated with respect to their shoulder-surfing resistance. The majority of empirical studies are focused on the performance of user authentication (e.g., equal error rate [9] and success rate [6], [16], [41]) instead. Among the extant shoulder-surfing studies, only a few have compared password methods, but they focused on the comparisons between different types of password methods, such as pattern lock variations versus PINs [13], graphical passwords versus PINs [14], and textual versus graphical passwords [15]. ...
Article
The pervasive use of mobile devices exposes users to an elevated risk of shoulder-surfing attacks. Despite the prior work on shoulder-surfing resistance of mobile user authentication methods, there is a lack of empirical studies on textual password authentication methods, particularly the hybrid passwords that integrate textual passwords with biometrics. To fill the literature gap, this research compares two hybrid password methods, touch-gesture- and keystroke-based passwords, with respect to their shoulder-surfing resistance performance. We select a touch-gesture-based password method that deploys multiple shoulder-surfing resistance strategies and a keystroke-based password method that leverages keystroke dynamics. To gain a holistic understanding of these password methods, we examine them under a variety of shoulder-surfing settings by varying interaction mode, observation angle, entry error, and observation effort. Going beyond effectiveness metrics, we also introduce efficiency metrics to assess shoulder-surfing resistance performance more comprehensively. We hypothesize and test the effects of shoulder-surfing settings by conducting both a longitudinal lab experiment and an online experiment with diversified participants. The results of both studies demonstrate the superior performance of the touch-gesture-based password method to the keystroke-based counterpart. The results also provide evidence for the effects of interaction mode, observation angle, and observation effort on shoulder-surfing resistance of hybrid passwords. Our findings offer suggestions for the design and strategies for strengthening the security of password authentication methods.
... This makes passwords vulnerable to guessing attacks and library crashing attacks. Once the attacker succeeds, a large amount of user private information will be leaked with unpredictable consequences [12][13][14]. For the purpose of protecting information security, it is critical to study password guessing methods. ...
Article
Password guessing is an important issue in user security and privacy protection. Using generative adversarial network (GAN) to guess passwords is a new strategy emerging in recent years, which exploits the discriminator’s evaluation of passwords to guide the update of the generator so that password guessing sets can be produced. However, the sampling process of discrete data from a categorical distribution is not differentiable so that backpropagation does not work well. In this paper, we propose a novel password guessing model named G-Pass, which consists of two main components. The first is a new network structure, which modifies the generator from the convolutional neural network (CNN) to long short-term memory- (LSTM-) based network and employs multiple convolutional layers in the discriminator to provide more informative signals for generator updating. The second is Gumbel-Softmax with temperature control for training GAN on passwords. Experimental results show the proposed G-Pass outperforms PassGAN in password quality and cracking rate. Moreover, by dynamically adjusting one parameter during the training process, a trade-off between sample diversity and quality can be achieved with our proposed model.
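The Gumbel-Softmax step this abstract relies on is easier to see in code than in prose. The block below is an added illustration written for this page, not the G-Pass or PassGAN implementation: it contains no neural network, only the sampling mechanics a GAN-based password generator has to get right. The character vocabulary, the "generator output" logit rows, the seeds and the function names are constructed for the example. It shows the Gumbel-max trick (an exact but non-differentiable categorical draw, which is what the generator needs when it emits a guess), its softmax relaxation with temperature tau (differentiable, which is what training through the discriminator needs), and the straight-through variant that uses the one-hot vector in the forward pass and the relaxed vector for gradients.

```python
import math
import random

# Constructed toy character vocabulary for the example (not the paper's charset).
VOCAB = "abcdefghijklmnopqrstuvwxyz0123456789!@"


def softmax(xs):
    """Numerically stable softmax over a list of floats."""
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


def gumbel_noise(n, rng):
    """n i.i.d. standard Gumbel samples, g = -log(-log(u)) with u ~ U(0,1).
    u is clamped away from 0 and 1 so neither log can blow up."""
    out = []
    for _ in range(n):
        u = min(max(rng.random(), 1e-12), 1.0 - 1e-12)
        out.append(-math.log(-math.log(u)))
    return out


def hard_sample(logits, noise):
    """Gumbel-max trick: argmax(logits + g) is an exact draw from
    Categorical(softmax(logits)). The argmax is not differentiable."""
    return max(range(len(logits)), key=lambda i: logits[i] + noise[i])


def relaxed_sample(logits, noise, tau):
    """Gumbel-Softmax: softmax((logits + g) / tau), a continuous relaxation of
    hard_sample that is differentiable in the logits. As tau -> 0 it tends to
    the one-hot vector of hard_sample; large tau flattens it toward uniform."""
    return softmax([(l + g) / tau for l, g in zip(logits, noise)])


def straight_through(logits, tau, seed):
    """Straight-through estimator: the forward pass emits the one-hot vector,
    the backward pass would use the relaxed vector's gradient. Both are built
    from the same noise, so their argmax agrees. Returns (one_hot, relaxed)."""
    noise = gumbel_noise(len(logits), random.Random(seed))
    relaxed = relaxed_sample(logits, noise, tau)
    one_hot = [0.0] * len(logits)
    one_hot[hard_sample(logits, noise)] = 1.0
    return one_hot, relaxed


def temperature_sweep(logits, taus, seed):
    """Relaxed samples for several temperatures with one shared noise draw."""
    noise = gumbel_noise(len(logits), random.Random(seed))
    return {tau: relaxed_sample(logits, noise, tau) for tau in taus}


def empirical_distribution(logits, n_draws, seed):
    """Relative frequency of each index over repeated hard draws;
    converges to softmax(logits), which is the point of the Gumbel-max trick."""
    rng = random.Random(seed)
    counts = [0] * len(logits)
    for _ in range(n_draws):
        counts[hard_sample(logits, gumbel_noise(len(logits), rng))] += 1
    return [c / n_draws for c in counts]


def constructed_logit_rows(length, seed):
    """Constructed stand-in for a generator's per-position output: logits over
    VOCAB that mildly prefer letters early and digits in the last two positions."""
    rng = random.Random(seed)
    rows = []
    for pos in range(length):
        want_digit = pos >= length - 2
        rows.append([(1.0 if ch.isdigit() == want_digit else 0.0) + rng.gauss(0.0, 0.5)
                     for ch in VOCAB])
    return rows


def sample_passwords(logit_rows, n, seed):
    """Draw n candidate passwords, one hard (Gumbel-max) draw per position."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        chars = [VOCAB[hard_sample(row, gumbel_noise(len(row), rng))] for row in logit_rows]
        out.append("".join(chars))
    return out


if __name__ == "__main__":
    print(sample_passwords(constructed_logit_rows(8, 7), 5, 7))
    logits = [0.0, -0.5, -1.0]
    for tau, vec in temperature_sweep(logits, [0.05, 0.5, 5.0], 1).items():
        print(tau, [round(v, 3) for v in vec])
```

Sweeping tau reproduces the trade-off the abstract mentions: near zero the relaxed vector is practically one-hot, so samples look like real character choices but the gradient signal is noisy; a large tau flattens it toward uniform, which is smooth for training but far from any real draw. `empirical_distribution` is the sanity check that the hard draws really follow softmax(logits); if that fails, the generator is not sampling the distribution the discriminator is scoring.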
... Unfortunately, an attacker is able to remotely steal the banking data stored in an NFC bank card or an NFC smartphone, without the knowledge of the client [6]. In addition, the user's password or the Personal Identification Number (PIN) can be stolen through various attacks such as: spyware [7], shoulder-surfing [8], side channel [9], brute force [10], replay [11], smudge [12], camera recording [13], video recording [14] and multiple registration [15]. ...
Conference Paper
In order to authenticate a user on an Automated Teller Machine (ATM) using Near Field Communication (NFC) technology embedded in smartphones, we recently proposed a new approach called Dynamic Array PIN Protocol (DAP) that allows a user to enter his PIN code in a secure manner. We proved that the DAP protocol is resistant to 13 different attacks. Furthermore, by comparing it to several existing solutions, we demonstrated that DAP is much better and more cost effective. However, after a thorough analysis, we discovered that the DAP protocol is vulnerable to a multiple-eavesdropping video or camera recording attack. Consequently, in this paper, we aim to address this vulnerability by proposing a new security solution that improves the DAP protocol.
Article (same citing excerpt and abstract as the conference paper above)
... It might be worth mentioning that the delay in M2 entry time is happening because the user must first check his email to get the AK key, then he must enter the password according to the dynamic virtual keyboard. This result is not enough to conclude that the M2 model is the best approach against shoulder-surfing, so it should be evaluated with other models [28] [29] that are designed to fight against shoulder surfing. By comparing all models, it's obvious that the defence model M2 is the best defensive model with a success rate of shoulder surfing attack equal to 3.36%. ...
Article
Financial inclusion in Peru is growing: 56% of adults now hold financial products. This has increased the use of automated teller machines and the risks associated with them, such as shoulder surfing. To mitigate the risk of this attack, a proof of concept of a touchless interface was built that lets users enter their PIN securely, offered as an example for use by banks or ATM manufacturers. For this, randomly shuffled sequences of the digits 0 to 9 were generated, with no digit repeated. Infrared sensors were then used to enter the PIN digits. Mitigation and usability tests were carried out with a group of 16 people. The first test showed encouraging results: attackers had difficulty identifying the digits entered by users and recorded only 25% of them correctly. Likewise, the usability tests yielded an overall mean usability score of 78.4375, placing the interface in the B+ range, above the 68-point threshold. On this basis, it is concluded that the proposal meets its goal of letting users enter their PIN securely against shoulder-surfing attacks.
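Both the keypad-randomization strategy cited earlier on this page (the excerpt on the touch-gesture study mentions randomizing the PIN display with a Mersenne twister) and the shuffled 0-to-9 sequences of this touchless ATM interface rest on one mechanism: the user reveals key positions rather than digits, and each layout is used once. The following is an added Python illustration of that mechanism, written for this page; it is not code from either paper, and the PIN value, the seeds, the `PinVerifier` class and the helper names are assumptions for the example. It also covers a point neither description spells out: the layout must come from a cryptographic generator, because a Mersenne Twister's internal state can be recovered from 624 consecutive outputs, and a predictable layout turns observed positions straight back into digits.

```python
import hashlib
import hmac
import secrets
from math import factorial
from random import Random, SystemRandom

DIGITS = "0123456789"


def new_layout(rng=None):
    """A fresh keypad layout: the digits 0-9 in random order, each exactly once.
    Drawn from the OS CSPRNG (SystemRandom) by default. A Mersenne-Twister
    `Random` is fine for a usability study, but its output is predictable once
    enough of it has been seen, so it should not drive a layout that protects a PIN."""
    rng = SystemRandom() if rng is None else rng
    keys = list(DIGITS)
    rng.shuffle(keys)
    return "".join(keys)


def positions_for(pin, layout):
    """The user's input: for each PIN digit, the index of the key that shows it.
    These indices (finger positions) are all a shoulder surfer gets to see."""
    return [layout.index(d) for d in pin]


def decode(positions, layout):
    """Server side: map pressed positions back to digits under the layout
    that was displayed for this particular attempt."""
    return "".join(layout[p] for p in positions)


class PinVerifier:
    """Challenge/response PIN check (assumed class for the example). Each
    challenge issues a one-time layout; the response is a list of key
    positions, never the digits themselves."""

    def __init__(self, pin, rng=None):
        self._rng = rng
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin)
        self._layout = None  # layout of the outstanding challenge, if any

    def _hash(self, pin):
        # Hashing a 4-digit PIN does not stop offline guessing of 10^4 values;
        # it only keeps the plaintext out of memory and logs. Attempt limits
        # have to do the rest. Iteration count kept low for the demo.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 1_000)

    def challenge(self):
        self._layout = new_layout(self._rng)
        return self._layout

    def verify(self, positions):
        # Consume the layout: exactly one response per challenge, so a replayed
        # position list can never be checked against the layout it was observed on.
        layout, self._layout = self._layout, None
        if layout is None or not all(0 <= p < 10 for p in positions):
            return False
        candidate = decode(positions, layout)
        return hmac.compare_digest(self._hash(candidate), self._digest)


def replay_success_probability(pin):
    """Chance that positions observed during one entry decode to the same PIN
    under an independent fresh layout: the k distinct PIN digits must land on
    the same k positions again, i.e. (10-k)!/10!."""
    k = len(set(pin))
    return factorial(10 - k) / factorial(10)


def shoulder_surf_then_replay(pin, n_trials, seed):
    """Simulate an observer who records the positions of one genuine entry and
    replays them against n_trials fresh layouts. Uses a seeded Mersenne Twister
    purely so the demo is reproducible; a real deployment must use the CSPRNG."""
    rng = Random(seed)
    v = PinVerifier(pin, rng)
    observed = positions_for(pin, v.challenge())
    assert v.verify(observed)  # the genuine entry succeeds
    hits = 0
    for _ in range(n_trials):
        v.challenge()
        hits += v.verify(observed)
    return hits / n_trials


if __name__ == "__main__":
    v = PinVerifier("2580")
    layout = v.challenge()
    print("layout:", layout, "positions pressed:", positions_for("2580", layout))
    print("replay hit rate over 500 fresh layouts:", shoulder_surf_then_replay("2580", 500, 42))
    print("theoretical:", replay_success_probability("2580"))
```

`replay_success_probability` quantifies the residual risk of a single observation: an attacker who records the positions of one entry and replays them against a fresh layout succeeds only if the PIN's distinct digits land on the same positions again, 1/5040 for a four-digit PIN with distinct digits but 1/10 for 1111. Repeated observations leak more, since each one constrains the PIN further, and the scheme does nothing against an observer who can see the displayed layout as well as the fingers; that is exactly the multiple-recording weakness the DAP abstract above reports for its own array-based entry.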