This content will become publicly available on October 2, 2024

Title: Shoulder Surfing on Mobile Authentication: Perception vis-a-vis Performance from the Attacker's Perspective
Shoulder-surfing studies in the context of mobile user authentication have focused on evaluating the attackers' performance, yet have paid much less attention to their perception of the shoulder-surfing process. Whether and how the shoulder-surfing setting might affect the attackers' perception remains under-explored. This study aims to investigate the perception of shoulder surfers with two different password-based mobile user authentication methods and three different observation angles. Moreover, this work examines the relationship between the attackers' perception and performance in shoulder surfing and the possible moderating effect of the authentication method for the first time. Based on the data collected from an online experiment, our analysis results reveal the effects of authentication methods and observation angles on the attackers' perception in terms of cognitive workload, observation clarity, and repetitive learning advantage. In addition, the results also show that the relationship between the attackers' cognitive workload and performance in shoulder surfing varies with the mobile user authentication method. Our findings not only deepen the understanding of shoulder-surfing attacks from an attacker's perspective, but also facilitate developing countermeasures for shoulder-surfing attacks.
Award ID(s):
1917537
NSF-PAR ID:
10477475
Author(s) / Creator(s):
Publisher / Repository:
IEEE
Date Published:
Page Range / eLocation ID:
1 to 6
Format(s):
Medium: X
Location:
Charlotte, NC, USA
Sponsoring Org:
National Science Foundation
More Like this
  1. Password-based mobile user authentication is vulnerable to a variety of security threats. Shoulder-surfing is the key to those security threats. Despite a large body of research on password security with mobile devices, existing studies have focused on shaping the security behavior of mobile users by enhancing the strengths of user passwords or by establishing secure password composition policies. There is little understanding of how an attacker actually goes about observing the password of a target user. This study empirically examines attackers' behaviors in observing password-based mobile user authentication sessions across the three observation attempts. It collects data through a longitudinal user study and analyzes the data collected through a system log. The results reveal several behavioral patterns of attackers. The findings suggest that attackers are strategic in deploying shoulder-surfing attacks. The findings have implications for enhancing users' password security and refining organizations' password composition policies.
  2. Password-based mobile user authentication is vulnerable to shoulder-surfing. Despite the increasing research on user password entry behavior and mobile security, there is limited understanding of how an adversary identifies a password through shoulder-surfing during mobile authentication. This study empirically examines the behaviors and strategies of password identification through shoulder-surfing with multiple observation attempts and from different observation distances. The results of analyzing data collected from a user study reveal the strategies and dynamics of password identification behaviors. The findings have implications for enhancing users' password security and improving the design of mobile authentication methods.
  3. Pattern unlock is a popular screen unlock scheme that protects the sensitive data and information stored in mobile devices from unauthorized access. However, it is also susceptible to various attacks, including guessing attacks, shoulder surfing attacks, smudge attacks, and side-channel attacks, which can achieve a high success rate in breaking the patterns. In this paper, we propose a new two-factor screen unlock scheme that incorporates surface electromyography (sEMG)-based biometrics with patterns for user authentication. sEMG signals are unique biometric traits suitable for person identification, which can greatly improve the security of pattern unlock. During a screen unlock session, sEMG signals are recorded while the user draws the pattern on the device screen. Time-domain features extracted from the recorded sEMG signals are then used as the input of a one-class classifier to decide whether the user is legitimate or not. We conducted an experiment involving 10 subjects to test the effectiveness of the proposed scheme. It is shown that the adopted time-domain sEMG features and one-class classifiers achieve good authentication performance in terms of the F1 score and Half of Total Error Rate (HTER). The results demonstrate that the proposed scheme is a promising solution to enhance the security of pattern unlock.
  4. Despite the increasing attention and research effort, how to protect sensitive information from shoulder surfing attacks is still understudied. Existing methods for protecting sensitive textual content on users' screens from shoulder surfing attacks have various limitations, including ineffectiveness, insufficient protection of sensitive information, low usability, and high cognitive workload. To address those limitations, this paper proposes, develops, and evaluates a new solution called "detection and labeling" (D&L), which uses NLP techniques to automatically detect and label sensitive information in the textual content. The labeled and hidden sensitive information is then read to users through their headphones when they click a label. Evaluation results demonstrate that D&L improves protection, enhances usability, reduces users' cognitive workload, and allows faster browsing speed compared to the baseline methods.