A Shoulder Surfing Resistant Graphical

A Shoulder Surfing Resistant Graphical Authentication System

Hung-Min Sun, Shiuan-Tung Chen, Jyh-Haw Yeh and Chia-Yun Cheng

Abstract—Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as "the weakest link" in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords that are either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users' credentials. To overcome this problem, we propose a novel authentication system, PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental results, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Index Terms—Graphical Passwords, Authentication, Shoulder Surfing Attack.

1 INTRODUCTION

Textual passwords have been the most widely used authentication method for decades. Comprised of numbers and upper- and lower-case letters, textual passwords are considered strong enough to resist brute force attacks. However, a strong textual password is hard to memorize and recollect [1].
Therefore, users tend to choose passwords that are either short or from the dictionary, rather than random alphanumeric strings. Even worse, it is not a rare case that users use only one username and password for multiple accounts [2]. According to an article in Computerworld, a security team at a large company ran a network password cracker and surprisingly cracked approximately 80% of the employees' passwords within 30 seconds [3]. Textual passwords are often insecure due to the difficulty of maintaining strong ones.

Various graphical password authentication schemes [4], [5], [6], [7] were developed to address the problems and weaknesses associated with textual passwords. Based on some studies such as those in [8], [9], humans have a better ability to memorize images in long-term memory (LTM) than verbal representations. Image-based passwords were proved to be easier to recollect in several user studies [10], [11], [12]. As a result, users can set up a complex authentication password and are capable of recollecting it after a long time even if the memory is not activated periodically. However, most of these image-based passwords are vulnerable to shoulder surfing attacks (SSAs). This type of attack either uses direct observation, such as watching over someone's shoulder, or applies video capturing techniques to get passwords, PINs, or other sensitive personal information [13], [14], [15].

Human actions such as choosing bad passwords for new accounts and inputting passwords in an insecure way for later logins are regarded as the weakest link in the authentication chain [16]. Therefore, an authentication scheme should be designed to overcome these vulnerabilities.

In this paper, we present a secure graphical authentication system named PassMatrix that protects users from becoming victims of shoulder surfing attacks when inputting passwords in public, through the usage of one-time login indicators.
A login indicator is randomly generated for each pass-image and will be useless after the session terminates. The login indicator provides better security against shoulder surfing attacks, since users use a dynamic pointer to point out the position of their passwords rather than clicking on the password object directly.

1.1 Motivation

As the mobile marketing statistics compilation by Danyl shows, mobile shipments overtook PC shipments in 2011, and the number of mobile users also overtook desktop users in 2014, when it was close to 2 billion [17]. However, shoulder surfing attacks have posed a great threat to users' privacy and confidentiality as mobile devices are becoming indispensable in modern life. People may log into web services and apps in public to access their personal accounts with their smartphones, tablets or public devices, like bank ATMs. Shoulder-surfing attackers can observe how the passwords were entered with the help of reflecting glass windows, let alone the monitors hanging everywhere in public places. Passwords are exposed to risky environments, even if the passwords themselves are complex and secure. A secure authentication system should be able to defend against shoulder surfing attacks and should be applicable to all kinds of devices. Authentication schemes in the literature such as those in [6], [18], [19], [20], [21], [22], [23], [24], [25] are resistant to shoulder-surfing, but they have either usability limitations or a small password space. Some of them are not suitable to be applied in mobile devices and most of them can be easily compromised by shoulder surfing attacks if attackers use video capturing techniques like Google Glass [15], [26].

IEEE Transactions on Dependable and Secure Computing (Volume: PP, Issue: 99), 09 March 2016
The limitations of usability include issues such as taking more time to log in, passwords being too difficult to recall after a period of time, and the authentication method being too complicated for users without proper education and practice.

In 2006, Wiedenbeck et al. proposed PassPoints [7], in which the user picks several points (3 to 5) in an image during the password creation phase and re-enters each of these pre-selected click-points in the correct order, within its tolerance square, during the login phase. Compared to traditional PIN and textual passwords, the PassPoints scheme substantially increases the password space and enhances password memorability. Unfortunately, this graphical authentication scheme is vulnerable to shoulder surfing attacks. Hence, based on PassPoints, we add the idea of using one-time session passwords and distractors to develop our PassMatrix authentication system, which is resistant to shoulder surfing attacks.

1.2 Organization

This paper is organized as follows. Section 2 provides the background of related techniques for graphical authentication schemes and Section 3 describes attack models. The proposed PassMatrix is presented in Section 4. The user study and its results are available in Section 5 and Section 6 respectively. A security analysis is discussed in Section 7. Section 8 concludes the paper.

2 BACKGROUND AND RELATED WORK

In the past several decades, a lot of research on password authentication has been done in the literature. Among all of these proposed schemes, this paper focuses mainly on graphical-based authentication systems. To keep this paper concise, we will give a brief review of the most related schemes that were mentioned in the previous section.
Many other schemes, such as those in [27], [28], [29], [30], [31], may have good usability, but they are not graphical-based and need additional support from extra hardware such as audio, a multi-touch monitor, a vibration sensor, or a gyroscope.

In the early days, the graphical capability of handheld devices was weak; the colors and pixels they could show were limited. Under this limitation, the Draw-a-Secret (DAS) [6] technique was proposed by Jermyn et al. in 1999, where the user is required to re-draw a pre-defined picture on a 2D grid. We directly extract the figure from [6] and show it in Figure 1(b). If the drawing touches the same grids in the same sequence, then the user is authenticated. Since then, the graphical capability of handheld devices has steadily and ceaselessly improved with the advances in science and technology. In 2005, Susan Wiedenbeck et al. introduced a graphical authentication scheme, PassPoints [7], and at that time handheld devices could already show high resolution color pictures. Using the PassPoints scheme, the user has to click on a set of pre-defined pixels on the predestined photo, as shown in Figure 1(a) (this figure is extracted from [7]), in the correct sequence and within their tolerance squares during the login stage. Moreover, Marcos et al. also extended DAS based on finger-drawn doodles and pseudosignatures on recent mobile devices [32], [33]. This authentication system is based on features which are extracted from the dynamics of the gesture drawing process (e.g., speed or acceleration). These features contain behavioral biometric characteristics. In other words, the attacker would have to imitate not only what the user draws, but also how the user draws it. However, these three authentication schemes are still all vulnerable to shoulder surfing attacks, as they may reveal the graphical passwords directly to unknown observers in public.

Fig. 1. (a) Pixel squares selected by users as authentication passwords in PassPoints [7].
(b) Authentication password drawn by users and the raw bits recorded by the system database [6].

In addition to graphical authentication schemes, there was some research on the extension of conventional personal identification number (PIN) entry authentication systems. In 2004, Roth et al. [34] presented an approach for PIN entry against shoulder surfing attacks by increasing the noise to observers. In their approach, the PIN digits are displayed in either black or white randomly in each round. The user must respond to the system by identifying the color for each password digit. After the user has made a series of binary choices (black or white), the system can figure out the PIN number the user intended to enter by intersecting the user's choices. This approach could confuse observers if they just watch the screen without the help of any video capturing devices. However, if observers are able to capture the whole authentication process, the passwords can be cracked easily.

In order to defend against shoulder surfing attacks with video capturing, FakePointer [35] was introduced in 2008 by T. Takada. We use Figure 2 (from [35]) below to show the usage of FakePointer. In addition to the PIN number, the user will get a new "answer indicator" each time for the authentication process at a bank ATM. In other words, the user has two secrets for authentication: a PIN as a fixed secret and an answer indicator as a disposable secret. The answer indicator is a sequence of n shapes if the PIN has n digits. At each login session, the FakePointer interface will present the user an image of a numeric keypad with 10 numbers (similar to the numeric keypad for phones), with each key (number) on top of a randomly picked shape. The numeric keys, but not the shapes, can be moved circularly using the left or right arrow keys.
During authentication, the user must repeatedly move the numeric keys circularly, as shown in the leftmost figure in Figure 2, until the first digit of the PIN overlaps the first shape of the answer indicator on the keypad, and then confirm the selection by pressing the space key. This operation is repeated until all the PIN digits are entered and confirmed. This approach is quite robust even when the attacker captures the whole authentication process. However, there is still room to improve the password space. For example, if the device used for authentication is a smartphone, a tablet or a computer rather than a bank ATM, the password space can be enlarged substantially, since the PIN could be any combination of alphanumeric characters rather than just numeric digits.

Fig. 2. FakePointer, where a user can move a numeric key layout circularly using right and left arrow keys. [35]

Wiedenbeck et al. [36] described a graphical password entry scheme in 2006, as shown in Figure 3(b) (the figure is extracted from [36]). This scheme is resistant to shoulder surfing attacks using a convex hull method. The user needs to recognize a set of pass-icons on the screen and click inside the convex hull formed by all these pass-icons. In order to make the password hard to guess, a large number of other different icons can be inserted into the screen to increase the password space. However, a large number of objects will crowd the display and may make objects indistinguishable.

In 2010, David Kim et al. [25] proposed a visual authentication scheme for tabletop interfaces called "Color Rings", as shown in Figure 3(a) (the figure is extracted from [25]), where the user is assigned i authentication (key) icons, which are collectively assigned one of the four color-rings: red, green, blue, or pink. During login, i grids of icons are provided, with 72 icons being displayed per grid.
There is only one key icon presented in each grid. The user must drag all four rings (ideally with the index finger and thumb of both hands) concurrently and place them in the grid. The distinct key icon should be captured by the correct color ring while the rest of the rings just make decoy selections. The user confirms a selection by dropping the rings in position. The rings are large enough to include more than one icon and can thus obfuscate the direct observer. Unfortunately, these kinds of passwords can be cracked by intersecting the user's selections in each login, because the color of the assigned ring is fixed and a ring can include at most seven icons. Thus, the attacker only requires a limited number of trials to guess the user's password.

Fig. 3. (a) Color Rings method [25]. (b) Convex Hull method [36].

3 PROBLEM STATEMENT, ATTACK MODEL AND ASSUMPTIONS

3.1 Problem Statement

With the increasing number of mobile devices and web services, users can access their personal accounts to send confidential business emails, upload photos to albums in the cloud or remit money from their e-bank account anytime and anywhere. While logging into these services in public, they may expose their passwords to unknown parties unconsciously. People with malicious intent could watch the whole authentication procedure through omnipresent video cameras and surveillance equipment, or even a reflected image on a window [37]. Once the attacker obtains the password, they could access personal accounts, and that would definitely pose a great threat to one's assets. Shoulder surfing attacks have gained more and more attention in the past decade.
The following lists the research problems we would like to address in this study:

1) The problem of how to perform authentication in public so that shoulder surfing attacks can be alleviated.
2) The problem of how to increase the password space beyond that of the traditional PIN.
3) The problem of how to efficiently search for the exact password objects during the authentication phase.
4) The problem of requiring users to memorize extra information or to perform extra computation during authentication.
5) The problem of the limited usability of authentication schemes that can be applied to some devices only.

3.2 Attack Model

3.2.1 Shoulder Surfing Attacks

Based on previous research [20], [21], [25], [34], [35], users' actions such as typing on their keyboard, or clicking on the pass-images or pass-points in public, may reveal their passwords to people with bad intentions. In this paper, based on the means the attackers use, we categorize shoulder-surfing attacks into three types as below:

1) Type-I: Naked eyes.
2) Type-II: Video captures the entire authentication process only once.
3) Type-III: Video captures the entire authentication process more than once.

The latter types of attacks require more effort and techniques from attackers. Thus, if an authentication scheme is able to resist these attacks, it is also secure against the previous types of attacks. Some of the proposed authentication schemes [4], [5], [6], [7], [25], [38], including traditional text-password and PIN, are vulnerable to shoulder surfing Type-I attacks and thus are also subject to Type-II and Type-III attacks. These schemes reveal passwords to attackers as soon as users enter their passwords by directly pressing or clicking on specific items on the screen. Other schemes such as those in [19], [34] can resist Type-I but are vulnerable to Type-II and Type-III attacks, since attackers can crack passwords by intersecting their video captures from multiple steps of the entire authentication process.
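The black/white PIN entry of Roth et al. [34], described in Section 2, as an added Python model (not code from the paper or from [34]). It runs the user and server sides and shows why the scheme holds against Type-I but not Type-II attacks: an observer holding the full video transcript performs the same intersection as the server. The round structure is simplified from the description above, and the termination rule (stop once a single candidate digit remains) is an assumption.

```python
import random

DIGITS = range(10)

def random_coloring(rng):
    # One round: every keypad digit is shown in black or white, chosen at random.
    return {d: rng.choice(("black", "white")) for d in DIGITS}

def consistent_digits(coloring, answer):
    # Digits that were displayed in the colour the user named this round.
    return {d for d in DIGITS if coloring[d] == answer}

def enter_digit(secret_digit, rng):
    """Rounds for one PIN digit, continued until the server's intersection is a
    singleton (assumed termination rule). The returned transcript of
    (coloring, answer) pairs is exactly what a Type-II attacker records on video;
    a Type-I (naked-eye) observer who only catches the spoken/pressed answers
    cannot rule out any digit, because each answer fits five of the ten digits."""
    candidates = set(DIGITS)
    transcript = []
    while len(candidates) > 1:
        coloring = random_coloring(rng)
        answer = coloring[secret_digit]      # the honest user names its colour
        transcript.append((coloring, answer))
        candidates &= consistent_digits(coloring, answer)
    return transcript

def intersect(transcript):
    """Server-side decoding: intersect the consistent set over all rounds.
    Anyone holding the same transcript gets the same result."""
    candidates = set(DIGITS)
    for coloring, answer in transcript:
        candidates &= consistent_digits(coloring, answer)
    return candidates

def login(pin, seed=0):
    # Constructed session: one transcript per PIN digit, seeded for repeatability.
    rng = random.Random(seed)
    return [enter_digit(int(ch), rng) for ch in pin]

def type2_recover(session):
    # Type-II: the whole session was captured once; replay the server's decoding.
    return "".join(str(intersect(t).pop()) for t in session)

def expected_leftover(rounds):
    # Expected candidates still consistent after `rounds` rounds: the true digit
    # plus each of the other 9 digits surviving with probability 2^-rounds.
    return 1 + 9 * 0.5 ** rounds
```

Because the transcript alone determines the digit, a single capture (Type-II) already suffices; the Type-III case of multiple captures adds nothing the attacker needs.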
3.2.2 Smudge Attacks

According to a previous study [39], authentication schemes that require users to touch or fling on computer monitors or display screens during the login phase are vulnerable to smudge attacks. The attacker can obtain the user's password easily by observing the smudge left on the touch screen (see Figure 4, which is directly extracted from [39]).

Fig. 4. (a) Android pattern screen lock in which a user draws a personal unlock pattern that connects at least four dots on screen [39]. (b) The residue from fingerprints left on the screen [39].

3.3 Assumptions

In this paper, we do not discuss the habitual movements and the preferences of users that the attacker may take advantage of to figure out the potential passwords. In addition, we have four assumptions in this study:

1) Any communication between the client device and the server is protected by SSL so that packets or information will not be eavesdropped on or intercepted by attackers during transmission.
2) The server and the client devices in our authentication system are trustworthy.
3) The keyboard and the entire screen of mobile devices are difficult to protect, but a small area (around 1.5 cm²) is easy to protect from malicious people who might shoulder surf passwords.
4) Users are able to register an account in a place that is safe from observers with bad intentions or surveillance cameras that are not under proper management.

4 PASSMATRIX

To overcome (1) the security weakness of the traditional PIN method, (2) the easiness of obtaining passwords by observers in public, and (3) the compatibility issues with devices, we introduce a graphical authentication system called PassMatrix. In PassMatrix, a password consists of only one pass-square per pass-image for a sequence of n images.
The number of images (i.e., n) is user-defined. Figure 5 demonstrates the proposed scheme, in which the first pass-square is located at (4, 8) in the first image, the second pass-square is on the top of the smoke in the second image at (7, 2), and the last pass-square is at (7, 10) in the third image.

In PassMatrix, users choose one square per image for a sequence of n images rather than n squares in one image as in the PassPoints [7] scheme. Based on the user study of Cued Click Points (CCP) [40] proposed by Chiasson et al., the CCP method does a good job in helping users recollect and remember their passwords. If the user clicks on an incorrect region within the image, a different image will be shown to give the user warning feedback. However, aiming at alleviating shoulder surfing attacks, we do not recommend this approach, since the feedback that is given to users might also be obtained by attackers.

Fig. 5. A password contains three images (n=3) with a pass-square in each. The pass-squares are shown as the orange-filled area in each image.

Due to the fact that people do not register a new account or set up a new screen lock frequently, we assume that these setup events can be done in a safe environment rather than in public places. Thus, users can pick pass-squares by simply touching or clicking on them during the registration phase.

4.1 Overview

PassMatrix is composed of the following components (see Figure 6):
• Image Discretization Module
• Horizontal and Vertical Axis Control Module
• Login Indicator Generator Module
• Communication Module
• Password Verification Module
• Database

Fig. 6. Overview of the PassMatrix system.

Image Discretization Module. This module divides each image into squares, from which users would choose one as the pass-square. As shown in Figure 5, an image is divided into a 7 × 11 grid. The finer the image is discretized, the larger the password space is.
However, the overly concentrated division may result in recognition problem of
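An added Python sketch (not the PassMatrix prototype's own code) of the Image Discretization and Password Verification modules and of the password-space comparison behind research problem 2: taps are mapped to pass-squares on the 7 × 11 grid of Figure 5, a registered sequence is verified in order, and the resulting space is compared with a decimal PIN. The (column, row) orientation of the grid, the 700 × 1100 pixel image size and the tap positions are assumptions; the login indicator and the horizontal/vertical bars that let a user select a square without touching it are not modelled.

```python
import hmac
import math

# Grid of Figure 5, assumed to be 7 columns across and 11 rows down.
COLS, ROWS = 7, 11

def discretize(x, y, width, height, cols=COLS, rows=ROWS):
    """Image Discretization Module: map a tap at pixel (x, y) on an image of
    width x height to a 1-based (column, row) pass-square."""
    if not (0 <= x < width and 0 <= y < height):
        raise ValueError("tap outside the image")
    return (x * cols // width + 1, y * rows // height + 1)

def register(taps, sizes, cols=COLS, rows=ROWS):
    """Registration, done in a safe place (assumption 4 of Section 3.3): the user
    touches one square per pass-image. `taps` and `sizes` are given per image."""
    return [discretize(x, y, w, h, cols, rows) for (x, y), (w, h) in zip(taps, sizes)]

def verify(stored, entered):
    """Password Verification Module: the entered pass-square sequence must equal
    the stored one (same squares, same order). The encoded sequences are compared
    in constant time so a partial match does not leak through timing."""
    if len(stored) != len(entered):
        return False
    a = ",".join(f"{c}:{r}" for c, r in stored).encode()
    b = ",".join(f"{c}:{r}" for c, r in entered).encode()
    return hmac.compare_digest(a, b)

def password_space(n, cols=COLS, rows=ROWS):
    # One of cols*rows squares in each of n images, chosen independently.
    return (cols * rows) ** n

def entropy_bits(n, cols=COLS, rows=ROWS):
    return n * math.log2(cols * rows)

def equivalent_pin_digits(n, cols=COLS, rows=ROWS):
    # Shortest decimal PIN whose space is at least as large (research problem 2).
    return math.ceil(math.log10(password_space(n, cols, rows)))

# Constructed registration: three 700x1100 images, taps chosen so that the
# resulting pass-squares are the ones Figure 5 describes: (4, 8), (7, 2), (7, 10).
SIZES = [(700, 1100)] * 3
TAPS = [(350, 750), (650, 150), (650, 950)]

def figure5_registration():
    return register(TAPS, SIZES)

if __name__ == "__main__":
    pw = figure5_registration()
    print(pw, verify(pw, [(4, 8), (7, 2), (7, 10)]), verify(pw, [(5, 8), (7, 2), (7, 10)]))
    print(password_space(3), round(entropy_bits(3), 2), equivalent_pin_digits(3))
```

With n = 3 the 7 × 11 grid gives 77³ = 456,533 passwords, about 18.8 bits, so a PIN would need six decimal digits to match it; doubling the grid resolution to 14 × 22 raises the space to 308³, which is the trade-off the text goes on to discuss.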