CoverPad: A Leakage Resilient Password System on Touch-Screen Mobile Devices

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

Most prior research on improving the leakage resilience of password entry focuses on desktop computers, while restrictions specific to mobile devices, such as small screen size, are usually not addressed. Meanwhile, additional features of mobile devices, such as the touch screen, are not exploited in the traditional settings. In this chapter, we introduce a leakage-resilient password (LRP) scheme, named CoverPad, for password entry on touch-screen mobile devices. CoverPad leverages a temporary secure channel between the user and the touch screen, which can be realized simply by placing a hand-shielding gesture on the touch screen. The temporary secure channel is used to deliver a hidden message safely to the user, who uses it to transform each password symbol before entering it on the touch screen over an open channel. CoverPad is proven to be leakage resilient, and it retains most of the benefits of legacy passwords. The usability of CoverPad is evaluated in a rigorous user study under realistic testing conditions, including time pressure, distraction, and mental workload.
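The following is an added example, not code from the chapter or its authors, that models the mechanism the abstract describes: a hidden message delivered over a temporary secure channel (here, a list passed only to the user-side function and never to the observer), a per-symbol transformation applied by the user, and entry over an open channel that an adversary can watch. The digit alphabet, the modular shift used as the transformation, the adversary's frequency-analysis strategy, and all function names are assumptions made for illustration; the chapter's actual CoverPad variants may use other transformations. The example also shows the caveat a practitioner would check: leakage resilience depends on the hidden message being uniformly random and fresh for every login, and a biased hidden message lets an observer recover the password from typed symbols alone.

```python
"""Toy model of the CoverPad idea (added example; assumptions noted inline).

Server issues a hidden message (one random value per password symbol) over a
temporary secure channel; the user transforms each symbol with it and types the
result in the open; the server undoes the transformation and verifies.
"""
import random
import secrets
from collections import Counter

ALPHABET = "0123456789"   # assumed PIN-style alphabet for the example
N = len(ALPHABET)


def fresh_hidden_message(length: int) -> list[int]:
    """Server side: one uniformly random shift per symbol, new for every login."""
    return [secrets.randbelow(N) for _ in range(length)]


def user_transform(password: str, hidden: list[int]) -> str:
    """User side: read the hidden shift under the shielding hand, add it to each
    password symbol (mod N; the shift is an assumed transformation) and type
    the shifted symbol on the observable touch screen."""
    if len(password) != len(hidden):
        raise ValueError("hidden message must have one value per symbol")
    return "".join(ALPHABET[(ALPHABET.index(c) + h) % N]
                   for c, h in zip(password, hidden))


def server_verify(typed: str, hidden: list[int], stored_password: str) -> bool:
    """Server side: undo the shifts it issued and compare in constant time.
    (A deployment would compare against a password hash; kept plain here.)"""
    if len(typed) != len(hidden) or any(c not in ALPHABET for c in typed):
        return False
    recovered = "".join(ALPHABET[(ALPHABET.index(c) - h) % N]
                        for c, h in zip(typed, hidden))
    return secrets.compare_digest(recovered, stored_password)


def observe_sessions(password: str, sessions: int, shift_sampler) -> list[Counter]:
    """Adversary model: watches the open channel (what is typed) over many
    logins but never sees the hidden message. Tallies typed symbols per position."""
    tallies = [Counter() for _ in password]
    for _ in range(sessions):
        hidden = [shift_sampler() for _ in password]
        for pos, sym in enumerate(user_transform(password, hidden)):
            tallies[pos][sym] += 1
    return tallies


def frequency_guess(tallies: list[Counter]) -> str:
    """Adversary's guess: the most frequently typed symbol at each position."""
    return "".join(t.most_common(1)[0][0] for t in tallies)


def spread(tallies: list[Counter]) -> float:
    """Largest ratio of most- to least-frequent typed symbol over all positions;
    close to 1.0 means the open channel looks uniform to the observer."""
    return max(max(t.values()) / min(t.values()) for t in tallies)


def uniform_sampler(seed: int):
    """Uniform shifts, as the scheme requires. Seeded PRNG is for a reproducible
    simulation only; real issuance uses fresh_hidden_message()."""
    rng = random.Random(seed)
    return lambda: rng.randrange(N)


def biased_sampler(seed: int, p_zero: float = 0.5):
    """Failure mode: a hidden message that leaves the symbol unchanged with
    probability p_zero. Each typed symbol then equals the password symbol
    more often than any other, so frequency analysis recovers the password."""
    rng = random.Random(seed)
    return lambda: 0 if rng.random() < p_zero else rng.randrange(N)


if __name__ == "__main__":
    pw = "4710"   # constructed sample password
    h = fresh_hidden_message(len(pw))
    typed = user_transform(pw, h)
    print("typed in the open:", typed, "accepted:", server_verify(typed, h, pw))
    print("uniform shifts -> guess", frequency_guess(observe_sessions(pw, 5000, uniform_sampler(1))),
          "spread %.2f" % spread(observe_sessions(pw, 5000, uniform_sampler(1))))
    print("biased shifts  -> guess", frequency_guess(observe_sessions(pw, 5000, biased_sampler(2))),
          "spread %.2f" % spread(observe_sessions(pw, 5000, biased_sampler(2))))
```

With uniform, per-login shifts, every typed symbol is equally likely at every position regardless of the password, so the observer's tallies stay flat and the frequency guess is no better than random; with the biased sampler the same observer recovers the password after a few thousand logins. The check worth running against any real variant is therefore the distribution of the hidden message, not only the secrecy of the channel that delivers it.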

Appendix: Statistical Test Results

The statistical test results for login time, shown in Table 2.3, indicate that the same test condition can have different impacts on login time under different schemes; statistically significant results are marked with \(\star\).

Table 2.3 The statistical test results for login time (s)

The statistical test results on login accuracy are not shown because none of them are significant. This is due to a ceiling effect, as Table 2.4 shows: each cell gives the percentage of participants who made no mistakes under a given test condition. Even in the worst case, 50.0% of participants made no mistakes in all tests, so the tests were not difficult enough to distinguish the test conditions with respect to login accuracy. The CoverPad variants thus remain easy to use even under time pressure, distraction, and mental workload. Note that this does not imply that these factors would leave the login accuracy of other user authentication schemes unaffected.

Table 2.4 Evidence of ceiling effect in statistical tests on login accuracy

Copyright information

© 2015 The Author(s)

About this chapter

Cite this chapter

Li, Y., Yan, Q., Deng, R.H. (2015). CoverPad: A Leakage Resilient Password System on Touch-Screen Mobile Devices. In: Leakage Resilient Password Systems. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-17503-4_2

  • DOI: https://doi.org/10.1007/978-3-319-17503-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17502-7

  • Online ISBN: 978-3-319-17503-4