skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Shoulder Surfing on Mobile Authentication: Perception vis-a-vis Performance from the Attacker's Perspective
Shoulder-surfing studies in the context of mobile user authentication have focused on evaluating the attackers' performance, yet have paid much less attention to their perception of the shoulder-surfing process. Whether and how the shoulder-surfing setting might affect the attackers' perception remains under-explored. This study aims to investigate the perception of shoulder surfers with two different password-based mobile user authentication methods and three different observation angles. Moreover, this work examines the relationship between the attackers' perception and performance in shoulder surfing and the possible moderating effect of the authentication method for the first time. Based on the data collected from an online experiment, our analysis results reveal the effects of authentication methods and observation angles on the attackers' perception in terms of cognitive workload, observation clarity, and repetitive learning advantage. In addition, the results also show that the relationship between the attackers' cognitive workload and performance in shoulder surfing varies with the mobile user authentication method. Our findings not only deepen the understanding of shoulder-surfing attacks from an attacker's perspective, but also facilitate developing countermeasures for shoulder-surfing attacks.  more » « less
Award ID(s):
1917537
PAR ID:
10477475
Author(s) / Creator(s):
; ; ;
Publisher / Repository:
IEEE
Date Published:
ISBN:
979-8-3503-3773-0
Page Range / eLocation ID:
1 to 6
Format(s):
Medium: X
Location:
Charlotte, NC, USA
Sponsoring Org:
National Science Foundation
More Like this
  1. (, Who Are You?! Adventures in Authentication Workshop)
    Password-based mobile user authentication is vulnerable to a variety of security threats. Shoulder-surfing is the key to those security threats. Despite a large body of research on password security with mobile devices, existing studies have focused on shaping the security behavior of mobile users by enhancing the strengths of user passwords or by establishing secure password composition policies. There is little understanding of how an attacker actually goes about observing the password of a target user. This study empirically examines attackers’ behaviors in observing passwordbased mobile user authentication sessions across the three observation attempts. It collects data through a longitudinal user study and analyzes the data collected through a system log. The results reveal several behavioral patterns of attackers. The findings suggest that attackers are strategic in deploying attacks of shoulder-surfing. The findings have implications for enhancing users’ password security and refining organizations’ password composition policies. 
    more » « less
  2. ; ; ; (, IEEE International Conference on Intelligence and Security Informatics (ISI))
    Password-based mobile user authentication is vulnerable to shoulder-surfing. Despite the increasing research on user password entry behavior and mobile security, there is limited understanding of how an adversary identifies a password through shoulder-surfing during mobile authentication. This study empirically examines the behaviors and strategies of password identification through shoulder-surfing with multiple observation attempts and from different observation distances. The results of analyzing data collected from a user study reveal the strategies and dynamics of password identification behaviors. The findings have implications for enhancing users’ password security and improving the design of mobile authentication methods. 
    more » « less
  3. ; (, AMCIS 2023)
    Despite the increasing attention and research effort, how to protect sensitive information from shoulder surfing attacks is still under studied. Existing methods for protecting sensitive textual content on users' screens from shoulder surfing attacks have various limitations, including ineffectiveness, insufficient protection of sensitive information, low usability, and high cognitive workload. To address those limitations, this paper proposes, develops, and evaluates a new solution called "detection and labeling" (D&L), which uses NLP techniques to automatically detect and label sensitive information in the textual content. The labeled and hidden sensitive information is then read to users through their headphones upon their clicking a label. Evaluation results demonstrate that D&L improves protection, enhances usability, reduces users’ cognitive workload, and allows faster browsing speed compared to the baseline methods. 
    more » « less
  4. ; (, AMCIS 2023)
    Despite the increasing attention and research effort, how to protect sensitive information from shoulder surfing attacks is still under studied. Existing methods for protecting sensitive textual content on users' screens from shoulder surfing attacks have various limitations, including ineffectiveness, insufficient protection of sensitive information, low usability, and high cognitive workload. To address those limitations, this paper proposes, develops, and evaluates a new solution called "detection and labeling" (D&L), which uses NLP techniques to automatically detect and label sensitive information in the textual content. The labeled and hidden sensitive information is then read to users through their headphones upon their clicking a label. Evaluation results demonstrate that D&L improves protection, enhances usability, reduces users’ cognitive workload, and allows faster browsing speed compared to the baseline methods. 
    more » « less
  5. ; (, AMCIS 2023)
    Despite the increasing attention and research effort, how to protect sensitive information from shoulder surfing attacks is still under studied. Existing methods for protecting sensitive textual content on users' screens from shoulder surfing attacks have various limitations, including ineffectiveness, insufficient protection of sensitive information, low usability, and high cognitive workload. To address those limitations, this paper proposes, develops, and evaluates a new solution called "detection and labeling" (D&L), which uses NLP techniques to automatically detect and label sensitive information in the textual content. The labeled and hidden sensitive information is then read to users through their headphones upon their clicking a label. Evaluation results demonstrate that D&L improves protection, enhances usability, reduces users’ cognitive workload, and allows faster browsing speed compared to the baseline methods. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email