Scrambling Keypad for Secure Pin Entry to Defeat Shoulder Surfing and Inference Attacks

Abstract

Personal identification number (PIN) is a common user authentication method widely used especially for automated teller machines and point-of-sales devices. The user's PIN entry is susceptible to shoulder-surfing and inference attacks, where the attacker can obtain the PIN by looking over the user's shoulder. The conventional keypad with a fixed layout makes it easy for the attacker to infer the PIN entered by casual observation. This paper proposes a method of authentication to address these challenges. The paper develops a prototype numeric keypad with a layout akin to the conventional keypad, with the keys randomized for each PIN entry. The shuffle algorithm, Durstenfeld shuffle algorithm, is implemented in an application developed using JavaScript, which is a prototype-based object-oriented programming application that conforms to the ECMAScript specification. The prototype is implemented on three computing platforms for evaluation. The test proves the effectiveness of the system to mitigate shoulder-surfing and inference attacks.