Shoulder Surfing Research Articles

A Comparison Between Position-Based and Image-Based Multi-Layer Graphical user Authentication System

System security is very important, especially in the age that we live in. One of the ways to secure data is by creating a password that makes it difficult for unauthorized user to gain access to the system. However, what makes it difficult for the system to be attacked is directly dependent on approach used to create it, and how secured it is. Text based approach is the oldest authentication approach. It requires that the user supplies textual password in order to gain access to the system. However, this approach has shown a significant drawback and several vulnerabilities, one of which is the difficulty in recalling or remembering textual passwords. Several other attacks that textual passwords are vulnerable to include brute force attacks, shoulder spying, dictionary attacks etc. The introduction of graphical schemes made things a lot better. Graphical passwords make use of images. However, most graphical schemes are vulnerable to shoulder surfing attacks. In this research work, we developed two systems; A position-based multi-layer graphical user authentication system and an Image-based multi-layer graphical user authentication system. The reason behind this research work is to compare the two systems, and evaluate them based on three major performance metrics: (1) Security, (2) Reliability (3) Individual preference.

USER AUTHENTICATION USING EYE-BLINK PASSWORD

Personal identification numbers (PINS) are used to authenticate a user for security purpose. In order to authenticate himself the user should physically input the PIN, which might be susceptible to password cracking via shoulder surfing or thermal tracking. Authenticating a PIN with hands-off eye blinks PIN entry techniques, on the opposite hand, offers a safer password entry option by not leaving any physical footprints behind. User authentication using eye-blink password refers to finding the attention blinks in sequential image frames, and generation of PIN. This paper presents an application with three layer authentication system that are face detection, PIN entry by eye blink and OTP (One Time Password) to avoid thermal tracking attacks and shoulder surfing.

CLOUDMOAP: Multilayer Security by Online Encryption and Auditing Process in Cloud

Each image is divided into squares by this module, from which the user selects one to serve as the pass-square. A 7 x 11 grid is used to split a picture. The password space increases as the discretized image size decreases. Yet, an excessively focused division might make it harder to operate the user interface on palm-sized mobile devices and cause problems with object detection. As 60 pixels is the optimal size for precisely selecting certain items on touch displays, a division was set at 60-pixel intervals in both the horizontal and vertical axes in our solution. Index Terms— Online Encryption, Hash Code, Shoulder Surfing, Randomized Image Selection, Cipher Key, Data Security.

A Captcha-Based Graphical Password with Strong Password Space and Usability Study

stract: Security for authentication is required to give a superlative secure users’ personal information. This paper presents a model of the Graphical password scheme under the impact of security and ease of use for user authentication. We integrate the concept of recognition with re-called and cued- recall based schemes to offer superior security compared to existing schemes. Click Symbols (CS) Alphabet combine into one entity: Alphanumeric (A) and Visual (V) symbols (CS-AV) is Captcha-based password scheme, we integrate it with recall- based n×n grid points, where a user can draw the shape or pattern by the intersection of the grid points as a way to enter a graphical password. Next scheme, the combination of CS-AV with grid cells allows very large password space (2.4 × 104 bits of entropy) and provides reasonable usability results by determining an empirical study of memorable password space. Proposed schemes support most applicable platform for input devices and promising strong resistance to shoulder surfing attacks on a mobile device which can be occurred during unlocking (pattern) the smartphone

Seamless Security on Mobile Devices Textual Password Quantification Model Based Usability Evaluation of Secure Rotary Entry Pad Authentication

Mobile devices are vulnerable to shoulder surfing and smudge attacks, which should occur when a user enters a PIN for authentication purposes. This attack can be avoided by implementing a rotary entry pad mechanism. Despite this, several studies have found that using a rotary entry pad reduces user usability. This study uses a Design Research Methodology approach. It will implement a rotary entry pad authentication in the Android operating system as an authentication method to protect the device against Shoulder Surfing Attacks and Smudge Attacks. Furthermore, it combined JSON Web Token (JWT) to secure the authentication process from the client to the server. At the end of implementation, it compared with other studies in terms of usability and evaluated it using the TQ-Model, which showed that the usability aspect has improved. Regarding security, we conducted a shoulder surfing attack simulation to assess the efficacy of guessing PINs. The results showed that only a limited number of attempts were successful, with two out of five samples failing to guess any numbers and only one sample successfully guessing six 10-digit PIN combinations out of 10 to the power of 10. The security test results show that shoulder surfing attacks are more difficult to perform after implementing the rotary entry pad. The evaluation showed that the JSpinpad performed better, with seven parameters showing improvement, one parameter showing a decline, and ten parameters remaining unchanged.

PressPIN: Enabling Secure PIN Authentication on Mobile Devices via Structure-Borne Sounds

PIN authentication is widely used on mobile devices due to its usability and simplicity. However, it is known to be susceptible to shoulder surfing attacks, where an adversary spies the user’s PIN by direct human observation or camera-based recording. This paper proposes PressPIN, a novel enhanced PIN authenticator on mobile devices by sensing pressures from the user’s finger. Since pressure-sensitive touch screens are unavailable on most phones, we leverage the structure-borne propagation of sounds to estimate the pressure on the screen. When the user inputs the PINs, the pressure is extracted from each number to form the <inline-formula><tex-math notation="LaTeX">$n$</tex-math></inline-formula> -bit pressure code, where <inline-formula><tex-math notation="LaTeX">$n$</tex-math></inline-formula> corresponds to the length of the PIN sequence. The pressure code is difficult to be inferred by snooping or videotaping, and increases the entropy of passwords. In this way, PressPIN provides a low-cost, user-friendly, and more secure solution resistant to shoulder surfing attacks. Our extensive experiments with 30 participants and three types of smartphones demonstrate that PressPIN can authenticate legitimate users with high accuracy (e.g., as high as 96.7% within two trials), and is robust to various types of attacks (e.g., only 2.5% attack success rate even when the adversary can observe the legitimate user’s PIN sequence and finger pressing clearly). Additionally, PressPIN requires no additional hardware (e.g., the pressure sensor) and can be readily integrated into existing authentication systems of mobile devices.

Multi-Factor Biometric Authentication Framework to User for Securing Digital Transaction

The recent growth of digital transactions over the internet is high. This is the newest topic which is to be implemented as well as need to study related with the security. The development of technology we need to improve and build the safe authentication scheme over the internet. The safe authentication scheme is protecting the user valuable information against security threats. While performing digital transactions over the internet, the protection is turn into high importance and demand for authentication is more necessary than before. In the traditional authentication there are so many problems such as username, password &amp; so on. Also, intruders will crack various ways of hacking user information, passwords including brute force attack, shoulder surfing, dictionary attacks, etc.&#x0D; This paper is useful to performing a secure authentication scheme using different fusion techniques for digital transactions. The propose system approach here combines user details as like user name, password, OTP and biometrics (traits as like fingerprint, face &amp; iris) fusion verification for a more valid user authentication. Our proposed point of view has been initiating to improve security benefits for various forms of invasion &amp; authentication layers turn on password-based attacks.

A Review of EEG-Based User Authentication: Trends and Future Research Directions

The employment of Electroencephalography (EEG) in the User Authentication (UA) scientific research has recently unlocked state-of-the-art experimentation, aiming at identifying and authenticating individuals given their brainiac activity within specific contexts of use. Indeed, utilizing EEG signals that are derived from brainiac activities can be used for tackling existing UA security threats such as shoulder surfing, thus providing a novel solution to contemporary security problems in traditional knowledge-based user authentication. In this survey, we aim to complete previous literature surveys by providing a systematic classification and presentation of existing research that is based on the following pillars: a) the user experimental setup, with an emphasis on the applied EEG-acquisition protocols (e.g., rest, external stimuli driven, mental and hybrid); b) the artificial intelligence techniques employed and finally c) the security and privacy preservation aspects. The reviewed papers cover a broad area of experiment protocols and various algorithms used for EEG signal classification. Moreover, most cited works include results from more than one experiments with different approaches and configurations. This leads to a discussion on best practices for EEG-based User Authentication and conclusions suggesting future research directions that consists, among others, of considering homomorphically encrypted biometric templates for information leakage prevention through federated learning approaches in decentralized architectures. We anticipate that the present literature review will provide a roadmap for future research by considering efficiently and effective EEG-based User Authentication methods while at the same time preserving privacy.

Continuous Mobile User Authentication Using a Hybrid CNN-Bi-LSTM Approach

Internet of Things (IoT) devices incorporate a large amount of data in several fields, including those of medicine, business, and engineering. User authentication is paramount in the IoT era to assure connected devices’ security. However, traditional authentication methods and conventional biometrics-based authentication approaches such as face recognition, fingerprints, and password are vulnerable to various attacks, including smudge attacks, heat attacks, and shoulder surfing attacks. Behavioral biometrics is introduced by the powerful sensing capabilities of IoT devices such as smart wearables and smartphones, enabling continuous authentication. Artificial Intelligence (AI)-based approaches introduce a bright future in refining large amounts of homogeneous biometric data to provide innovative user authentication solutions. This paper presents a new continuous passive authentication approach capable of learning the signatures of IoT users utilizing smartphone sensors such as a gyroscope, magnetometer, and accelerometer to recognize users by their physical activities. This approach integrates the convolutional neural network (CNN) and recurrent neural network (RNN) models to learn signatures of human activities from different users. A series of experiments are conducted using the MotionSense dataset to validate the effectiveness of the proposed method. Our technique offers a competitive verification accuracy equal to 98.4%. We compared the proposed method with several conventional machine learning and CNN models and found that our proposed model achieves higher identification accuracy than the recently developed verification systems. The high accuracy achieved by the proposed method proves its effectiveness in recognizing IoT users passively through their physical activity patterns.

STEGANOGRAPHY BASED MULTI LEVEL PASSWORD AUTHENTICATION SYSTEM IN BANKING SECTOR

Nowadays password selection is very important verification process. Various password authentication techniques are implemented in many applications. Traditional text-based password schemes are suffered from shoulder surfing problem, easily guessed by others. Password is easily identified by others. Graphical password, steganography-based password authentication technologies creating strong security for user password. The process of information hiding is known as steganography. It is used to shield the user password or hide the credential information. Then, graphical password authentication is authentication which increases the accuracy level. The proposed work described the secureness of web login application. Water marking based graphical password is best for accessing the web accounts. Image level authentication is easily understandable by authorized user. This paper majorly described, what requirement is needed by todays technologies, and focused to minimum password gesture attacks.

Multimodal Behavioral Biometric Authentication in Smartphones for Covid-19 Pandemic

The usage of mobile phones has increased multi-fold in recent decades, mostly because of their utility in most aspects of daily life, such as communications, entertainment, and financial transactions. In use cases where users’ information is at risk from imposter attacks, biometrics-based authentication systems such as fingerprint or facial recognition are considered the most trustworthy in comparison to PIN, password, or pattern-based authentication systems in smartphones. Biometrics need to be presented at the time of power-on, they cannot be guessed or attacked through brute force and eliminate the possibility of shoulder surfing. However, fingerprints or facial recognition-based systems in smartphones may not be applicable in a pandemic situation like Covid-19, where hand gloves or face masks are mandatory to protect against unwanted exposure of the body parts. This paper investigates the situations in which fingerprints cannot be utilized due to hand gloves and hence presents an alternative biometric system using the multimodal Touchscreen swipe and Keystroke dynamics pattern. We propose a HandGlove mode of authentication where the system will automatically be triggered to authenticate a user based on Touchscreen swipe and Keystroke dynamics patterns. Our experimental results suggest that the proposed multimodal biometric system can operate with high accuracy. We experiment with different classifiers like Isolation Forest Classifier, SVM, k-NN Classifier, and fuzzy logic classifier with SVM to obtain the best authentication accuracy of 99.55% with 197 users on the Samsung Galaxy S20. We further study the problem of untrained external factors which can impact the user experience of authentication system and propose a model based on fuzzy logic to extend the functionality of the system to improve under novel external effects. In this experiment, we considered the untrained external factor of ‘sanitized hands’ with which the user tries to authenticate and achieved 93.5% accuracy in this scenario. The proposed multimodal system could be one of the most sought approaches for biometrics-based authentication in smartphones in a COVID-19 pandemic situation.

Bu-Dash: a universal and dynamic graphical password scheme (extended version)

Passwordless authentication is a trending theme in cyber security, while biometrics gradually replace knowledge-based schemes. However, Personal Identification Numbers, passcodes, and graphical passwords are still considered as the primary means for authentication. Passwords must be memorable to be usable; therefore, users tend to choose easy to guess secrets, compromising security. The Android Pattern Unlock is a popular graphical password scheme that can be easily attacked by exploiting human behavioristic traits. Despite its vulnerabilities, the popularity of the scheme has led researchers to propose adjustments and variations that enhance security but maintain its familiar user interface. Nevertheless, prior work demonstrated that improving security while preserving usability remains frequently a hard task. In this paper we propose a novel graphical password scheme built on the foundations of the well-accepted Android Pattern Unlock method, which is usable, inclusive, universal, and robust against shoulder surfing and (basically) smudge attacks. Our scheme, named Bu-Dash, features a dynamic user interface that mutates every time a user swipes the screen. Our pilot studies illustrate that Bu-Dash attracts positive user acceptance rates, it is secure, and maintains high usability levels. We define complexity metrics that can be used to further diversify user input, and we conduct complexity and security assessments.

TIM: Secure and usable authentication for smartphones

With the widespread popularity of smartphones and mobile applications, they have gradually penetrated and are widely used in our daily lives, e.g., we use them for online shopping and mobile banking. This has led to an increased demand for securing data processed and stored by smartphones. User authentication is an entry guard for ensuring secure access to smartphones, which aims at verifying a user’s identity. Typically, such a method is text-based authentication. However, the existing text-based authentication solutions bring in the trade-off issue between security and usability. The main reason is short text-based passwords are easy to remember but not secure enough as they are vulnerable to password guessing or shoulder surfing attacks. In contrast, long text-based passwords can ensure security, but they raise usability issues due to the difficulty of memorising, recalling, and inputting passwords. Moreover, the graphical password solutions suffer from shoulder surfing attacks.In this article, we propose an image-based authentication solution for smartphone users to reduce the risk of mounting a shoulder surfing attack. The proposed solution requires users to select and move predefined images to the designated position for passing the authentication check. In a laboratory experiment with 62 participants, we asked them to test the robustness of TIM to resist the existing attacks, and compare the usability with other image-based solutions. An analysis of collected results indicates that the proposed solution can resist password guessing and shoulder surfing attacks. Consequently, more than 85% of participants believed that the proposed solution could mitigate both password guessing and shoulder surfing attacks. Further, 71% of participants think that TIM is more usable compared to the existing solutions. While 50% of them preferred to choose TIM, more than 50% of participants claim that the learning curve of TIM is very short and the configuration is easy.

A smartphone authentication system based on touch gesture dynamics

A smartphone authentication system based on touch gesture dynamics

Securing Graphical Password Techniques from Shoulder Surfing and Camera Based Attacks

Authentication is a procedure that checks for validity and may be carried out in a variety of methods, including tokens, biometrics, and passwords with text and graphics. Usability is the primary driver of graphical passwords. However, shoulder surfing and camera-based attacks are the main potential disadvantage of this strategy. Shoulder surfing is a sort of social engineering method used in computer security to peek over the victim’s shoulder and steal information, including personal identification numbers (PINs), passwords, and other private information. This attack can be carried out either up close by peering straight over the victim’s shoulder or from a further distance, perhaps by utilizing a pair of binoculars or other comparable equipment. Crowded areas are when an assailant is most likely to shoulder surf the victim. These days, it’s fairly typical to enter passwords by looking. The fundamental process for gaze-based password entering is same as regular password entry, with the exception that the user stares at each desired character or triggered location in sequence rather of typing a key or touching the screen, much like when they are eye-typing. Therefore, in my project, I have made an effort to avoid these limitations by utilizing a powerful encryption technique like the Vernam Cipher

A portable hardware security module and cryptographic key generator

It has been noted with concern that the ability of a password to keep an information system secure is diminishing. Increasingly sophisticated attack vectors and low memorability associated with complicated passwords are among the leading reasons limiting security provisioned by passwords. Cryptographic keys suffer from issues including lack of memorability, vulnerable storage mechanisms, key retrieval attacks, lockouts due to key loss and risk of using the same key for multiple services. This study proposes a novel Hardware Security Module (HSM) as a basis for the generation/ re-creation of cryptographic keys. The designed hardware module entirely eliminates the stored cryptographic keys thus eliminating attacks against stored keys. The HSM derives the cryptographic key from sub-components behaving similar to multi-factor authentication, where each factor is an independent authenticator. The proposed scheme enhances security by incorporating physical security into digital security, i.e. as long as either the crypto provider device remains secure or the human component remains secure, the system security remains intact. The scheme proposes a strategy based on defense in depth to secure the HSM, its user, the related service from attacks ranging from simple shoulder surfing to sophisticated Man-in-the-Middle attacks. The proposed HSM is based on commodity hardware components thus having limited cost implications.

An Investigation of Shoulder Surfing Attacks on Touch-Based Unlock Events

This paper contributes to our understanding of user-centered attacks on smartphones. In particular, we investigate the likelihood of so-called shoulder surfing attacks during touch-based unlock events and provide insights into users' views and perceptions. To do so, we ran a two-week in-the-wild study (N=12) in which we recorded images with a 180-degree field of view lens that was mounted on the smartphone's front-facing camera. In addition, we collected contextual information and allowed participants to assess the situation. We found that only a small fraction of shoulder surfing incidents that occur during authentication are actually perceived as threatening. Furthermore, our findings suggest that our notions of (un)safe places need to be rethought. Our work is complemented by a discussion of implications for future user-centered attack-aware systems. This work can serve as a basis for usable security researchers to better design systems against user-centered attacks.

OneButtonPIN: A Single Button Authentication Method for Blind or Low Vision Users to Improve Accessibility and Prevent Eavesdropping

A Personal Identification Number (PIN) is a widely adopted authentication method used by smartphones, ATMs, etc. PINs offer strong security and can be reset when compromised (unlike biometric authentication). However, PINs can be inaccessible for blind or low vision (BLV) users due to screen readers voicing PINs to bystanders or potential shoulder surfing attack risks---bystanders could watch the PIN being entered without the user noticing. To address this, we present OneButtonPIN, an interface to improve PIN entry accessibility and security for BLV users. Here, a single on-screen button, when pressed and held, triggers a haptic vibration sequence. A digit is entered by counting the vibrations and releasing the button. We explored introducing random timings to the vibration sequence to increase security. A week-long evaluation with 9 BLV participants and a security study with 10 sighted participants acting as shoulder surfers demonstrated OneButtonPIN's usability and resilience against eavesdropping.

Draw-a-Deep Pattern: Drawing Pattern-Based Smartphone User Authentication Based on Temporal Convolutional Neural Network

Present-day smartphones provide various conveniences, owing to high-end hardware specifications and advanced network technology. Consequently, people rely heavily on smartphones for a myriad of daily-life tasks, such as work scheduling, financial transactions, and social networking, which require a strong and robust user authentication mechanism to protect personal data and privacy. In this study, we propose draw-a-deep-pattern (DDP)—a deep learning-based end-to-end smartphone user authentication method using sequential data obtained from drawing a character or freestyle pattern on the smartphone touchscreen. In our model, a recurrent neural network (RNN) and a temporal convolution neural network (TCN), both of which are specialized in sequential data processing, are employed. The main advantages of the proposed DDP are (1) it is robust to the threats to which current authentication systems are vulnerable, e.g., shoulder surfing attack and smudge attack, and (2) it requires few parameters for training; therefore, the model can be consistently updated in real-time, whenever new training data are available. To verify the performance of the DDP model, we collected data from 40 participants in one of the most unfavorable environments possible, wherein all potential intruders know how the authorized users draw the characters or symbols (shape, direction, stroke, etc.) of the drawing pattern used for authentication. Of the two proposed DDP models, the TCN-based model yielded excellent authentication performance with average values of 0.99%, 1.41%, and 1.23% in terms of AUROC, FAR, and FRR, respectively. Furthermore, this model exhibited improved authentication performance and higher computational efficiency than the RNN-based model in most cases. To contribute to the research/industrial communities, we made our dataset publicly available, thereby allowing anyone studying or developing a behavioral biometric-based user authentication system to use our data without any restrictions.

Forensic Analysis of Electronic Mail Messages

E-mail has revolutionized business, academic, and personal communication. The advantages of e-mail include speedy delivery, ease of communication, cost effectiveness, geographical independence, and the portability of mailboxes. The last two are the biggest advantages over snail mail. However, with e-mail comes the threat of a genuine user being compromised through key loggers, social engineering, shoulder surfing, password guessing and other similar, though less technical, methods. This passive espionage can have a direct impact on the genuine user in terms of denial of information, loss of money, loss of time, mental harassment and an attack of personal privacy. To enable digital forensic analysis of e-mails, we propose behavioral biometric based authentication, which is analogous to a signature in paper documents. Keyword: E-mail, forensics, threats, digital analysis, security cyber crimes