Usability and shoulder surfing vulnerability of pattern passwords on mobile devices using camouflage patterns

  • Original Research
Journal of Ambient Intelligence and Humanized Computing

Abstract

With the revolution of smart devices, which have become the basis of our daily lives, the majority of users rely on them to save their personal and sensitive information. As a result, users are increasingly interested in authentication processes, and designers face the challenge of providing an authentication process that is both secure and usable. Since the recent development of alternative authentication interfaces for smartphones, tablets and touch-screen laptops, the pattern password is one of the most selected authentication methods. Although drawing a pattern seems easier than typing a password, it has a major security drawback: the shoulder-surfing attack. Therefore, this paper proposes a shoulder-surfing-resistant approach for mobile devices using the Camouflage Patterns method, which allows the user to choose a very short password while ensuring that the password remains hidden amongst a large number of drawn nodes. Based on this approach, three techniques are introduced and implemented on the Android platform. An experimental study is conducted to evaluate the security and usability aspects. The results showed that the proposed approach is reasonably resistant against shoulder-surfing attacks and usable for users. Accordingly, this approach is recommended to designers as a way to provide passwords that are very simple and yet, at the same time, very complicated for an attacker to observe.



Acknowledgements

The author gratefully acknowledges Qassim University, represented by the Deanship of Scientific Research, for the material support for this research under the number (3596-coc-2018-1-14-S) during the academic year 1439 AH/2018 AD.

Author information

Corresponding author

Correspondence to Suliman A. Alsuhibany.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Cite this article

Alsuhibany, S.A. Usability and shoulder surfing vulnerability of pattern passwords on mobile devices using camouflage patterns. J Ambient Intell Human Comput 11, 1645–1655 (2020). https://doi.org/10.1007/s12652-019-01269-3

  • DOI: https://doi.org/10.1007/s12652-019-01269-3
