Abstract

In the domain of password security, research has made significant progress in handling different kinds of threats whose mitigation requires the human intelligence factor. In spite of having strong theoretical foundations, most of these defense mechanisms cannot be used in practice, as humans are limited in processing complex information. The little bit of good news is that a very few research proposals in this field have shown promise of being deployable in practice. This paper focuses on one such method, proposed by Roth et al. back in 2004, which provides adequate user-friendliness for entering a Personal Identification Number (PIN) securely in the presence of human shoulder surfers. Surprisingly, the background algorithm of this method for validating users' responses runs in linear time on a search space of cardinality 5, and hence the validation process does not put much load on the authenticating device. Therefore, such a human identification protocol can also be integrated into the IoT infrastructure for conducting a more secure login from the client side. Despite these advantages, and although it remained secure for almost ten years after its release in 2004, a few recent proposals have revealed some serious vulnerable aspects of Roth et al.'s proposal. In this paper, we attempt to save this user-friendly form of authentication. Firstly, we give a critical discussion of the importance of the targeted PIN entry method in the domain of usable security and then a brief overview of the identified limitations of this protocol. Following this, a few initiatives are taken to fix the identified vulnerabilities of Roth et al.'s proposal by revising its working principle, while the login procedure and the usability standard of this method stay unaffected.

Highlights

  • Despite its several limitations, the password seems to be the predominant form of user verification for the foreseeable future [7]

  • When it seemed almost impossible to design a method guaranteeing a strong balance between usability and security aspects, in 2004, Roth et al.'s proposal brought the first ray of hope for addressing this conflict [30]. They proposed two solutions, the Immediate Oracle Choice (IOC) variation and the Delayed Oracle Choice (DOC) variation, for addressing their targeted threat model, and their proposal almost reaches the goal of β = 0.1 and t = 10

  • After a brief introduction to the essential facts related to the IOC BW method, we discuss the identified drawbacks (ID) of this login setup
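As an added illustration of the round structure the abstract and highlights refer to (this is editor-written example code, not code from the paper or from Roth et al.), the simulation below models the verifier side of the IOC black-and-white (BW) PIN entry: in every round the ten digits are randomly coloured, five black and five white, the user presses the colour of the current PIN digit, and the verifier checks that answer immediately with a membership test in a 5-element set. The fixed four rounds per digit (the smallest number with 2^rounds ≥ 10), the 5/5 split, the policy of always running all rounds, and every function name are assumptions of this example.

```python
"""Simulation of the IOC black-and-white PIN entry round structure.

Editor-written example, not the paper's or Roth et al.'s code.  Assumptions:
ten-digit alphabet, a 5/5 black-white colouring per round, four rounds per
PIN digit, and that the verifier keeps running all rounds after a wrong
answer so the transcript length does not leak how far the attempt got.
"""
import math
import random
import secrets

DIGITS = tuple(range(10))                              # PIN alphabet 0..9
HALF = len(DIGITS) // 2                                # 5 digits per colour
ROUNDS_PER_DIGIT = math.ceil(math.log2(len(DIGITS)))   # 4, since 2**3 < 10 <= 2**4


def make_partition(rng):
    """Randomly colour the digits: returns (black, white), five digits each."""
    order = list(DIGITS)
    rng.shuffle(order)
    return frozenset(order[:HALF]), frozenset(order[HALF:])


def colour_of(digit, black):
    """The colour key the user must press for `digit` in this round.

    This is the whole per-round verification cost: one membership test on a
    set of cardinality 5, which is the 'linear time on a search space of
    cardinality 5' the abstract mentions.
    """
    return "B" if digit in black else "W"


def verify_pin(stored_pin, answer_fn, rng=None):
    """Run the IOC protocol over every digit of `stored_pin` (a tuple of ints).

    `answer_fn(position, black, white)` plays the user and returns 'B' or 'W'.
    Each answer is checked immediately ('immediate' oracle choice); any wrong
    or malformed answer fails the login, but all rounds are still run.
    """
    if rng is None:
        rng = secrets.SystemRandom()      # real deployments need CSPRNG colourings
    ok = True
    for position, digit in enumerate(stored_pin):
        for _ in range(ROUNDS_PER_DIGIT):
            black, white = make_partition(rng)
            answer = answer_fn(position, black, white)
            if answer not in ("B", "W") or answer != colour_of(digit, black):
                ok = False
    return ok


def honest_user(pin):
    """A user who knows `pin` and always presses the correct colour."""
    def answer(position, black, white):
        return "B" if pin[position] in black else "W"
    return answer


def guessing_user(rng):
    """A user who does not know the PIN and flips a coin every round."""
    def answer(position, black, white):
        return rng.choice("BW")
    return answer


def guess_success_probability(pin_length=4):
    """Chance that a coin-flipping guesser passes every round of one attempt."""
    return 0.5 ** (ROUNDS_PER_DIGIT * pin_length)


if __name__ == "__main__":
    pin = (1, 2, 3, 4)                                  # constructed sample PIN
    print("honest login accepted:", verify_pin(pin, honest_user(pin)))
    print("guesser accepted:", verify_pin(pin, guessing_user(random.Random(0))))
    print("guess success probability:", guess_success_probability(len(pin)))
```

With four rounds per digit and a four-digit PIN, a guesser who knows nothing must win 16 independent coin flips, a success probability of 2^-16, which is below the 10^-4 of guessing a plain four-digit PIN outright; the cost on the authenticating device per round is a single set-membership test.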

Summary

INTRODUCTION

The password seems to be the predominant form of user verification for the foreseeable future [7], yet passwords often fail to meet an acceptable usability standard [40]. Despite this long-standing conflict between security and usability, in 2004 Roth et al. proposed a highly usable authentication procedure that could resist the threat of observational attack [30]. Contribution 1: We have performed an extensive literature survey identifying different variations of recording attacks and their weaker forms for capturing H's login credentials, and spotted the notable existing defense strategies for handling such threats. The outcome of this contribution indicates how hard it is to design a usable and secure authentication technique for preventing such threats, and how the method proposed by Roth et al. is an exception in meeting that criterion.

RELATED WORK
ID BASED ON THE DESIGN OF IOC BW METHOD
PROPOSED MODIFICATIONS
PERFORMANCE EVALUATION AND COMPARISONS
Findings
CONCLUSION
