Abstract
Most prior research on improving the leakage resilience of password entry focuses on desktop computers, while restrictions specific to mobile devices, such as small screen size, are usually not addressed. Meanwhile, additional features of mobile devices such as the touch screen are not utilized in the traditional settings. In this chapter, we introduce an LRP (leakage-resilient password) scheme, named CoverPad, for password entry on touch-screen mobile devices. CoverPad leverages a temporary secure channel between the user and the touch screen, which can be easily realized by placing a hand-shielding gesture on the touch screen. The temporary secure channel is used to deliver a hidden message safely to the user, who uses it to transform each password symbol before entering it on the touch screen over an open channel. CoverPad is proven to be leakage resilient and retains most of the benefits of legacy passwords. The usability of CoverPad is evaluated in a rigorous user study with realistic testing conditions including time pressure, distraction, and mental workload.
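The following added example (not the chapter's own code) simulates the protocol the abstract describes: a fresh hidden message reaches the user over the covered channel, each password symbol is masked with it before being typed in the open, and the device strips the mask it issued. It assumes a PIN alphabet of digits 0-9 and modular addition as the per-symbol transform, since the text shown here does not fix the transform; the observer-side count shows why the open-channel transcript alone is consistent with every possible PIN.

```python
import secrets

# Assumptions for this example: PIN digits 0-9, and the per-symbol transform is
# (p + h) mod 10 with h the hidden digit delivered under the hand cover.
DIGITS = 10


def hidden_message(length):
    """Fresh random digits for one login, delivered over the temporary secure channel."""
    return [secrets.randbelow(DIGITS) for _ in range(length)]


def transform(password, hidden):
    """User side: mask each symbol with its hidden digit; only the masked value is typed in the open."""
    return [(p + h) % DIGITS for p, h in zip(password, hidden)]


def verify(entered, hidden, stored):
    """Device side: undo the mask issued for this session and compare with the stored PIN."""
    if len(entered) != len(stored):
        return False
    return [(e - h) % DIGITS for e, h in zip(entered, hidden)] == stored


def login(stored, typed):
    """One session: issue a fresh hidden message, mask, verify.

    Returns (accepted, open_channel_transcript). A transcript recorded here cannot be
    replayed later because the next session issues a different hidden message.
    """
    hidden = hidden_message(len(stored))
    entered = transform(typed, hidden)
    return verify(entered, hidden, stored), entered


def candidates_consistent_with(transcript):
    """Observer's view: number of PINs that could have produced this open-channel transcript
    under some hidden message. Per position every digit p admits an h with (p + h) mod 10 == e,
    so the count is 10 ** len(transcript): the transcript reveals nothing about the PIN."""
    count = 1
    for e in transcript:
        consistent = {p for p in range(DIGITS)
                      if any((p + h) % DIGITS == e for h in range(DIGITS))}
        count *= len(consistent)
    return count


if __name__ == "__main__":
    accepted, seen = login([1, 2, 3, 4], [1, 2, 3, 4])
    print(accepted, seen, candidates_consistent_with(seen))
```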
Appendix: Statistical Test Results
The statistical test results for login time shown in Table 2.3 indicate that the same test condition may have different impacts on login time under different schemes; statistically significant results are marked with \(\star \).
The statistical test results on login accuracy are not shown since none of them are significant. This is due to the ceiling effect, as shown in Table 2.4, where each cell gives the percentage of participants who made no mistakes under a given test condition. In the worst case, 50.0 % of participants made no mistakes in all tests, which implies that the tests are not difficult enough to distinguish the test conditions with respect to login accuracy. The CoverPad variants are easy to use even in the presence of time pressure, distraction, and mental workload. Note that this does not necessarily mean that these factors will not influence the login accuracy of other user authentication schemes.
© 2015 The Author(s)
Cite this chapter
Li, Y., Yan, Q., Deng, R.H. (2015). CoverPad: A Leakage Resilient Password System on Touch-Screen Mobile Devices. In: Leakage Resilient Password Systems. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-17503-4_2
DOI: https://doi.org/10.1007/978-3-319-17503-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17502-7
Online ISBN: 978-3-319-17503-4