Swipe Authentication: Exploring Over-the-Shoulder Attack Performance

  • Ashley A. Cain
  • Liya Chiu
  • Felicia Santiago
  • Jeremiah D. Still
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 501)


Swipe passwords are a popular method for authenticating on mobile phones. In public, these passwords may become visible to attackers who engage in shoulder surfing. There is a need for strategies that protect swipe passwords from over-the-shoulder attacks (OSAs). We empirically explored the impact of providing gesture visual feedback on OSA performance during successful and unsuccessful swipe login attempts on mobile phones. We found evidence that entry visual feedback facilitates OSAs. As users are biased towards symmetrical swipe patterns, we investigated their impact on attack performance. We found that symmetrical swipe patterns were less vulnerable than asymmetrical patterns, possibly due to the speed of entry. As users tend toward simple patterns, we investigated the impact that nonadjacent, diagonal knight moves have on OSAs. We found that knight moves significantly decreased OSA performance. We recommend users turn off gesture entry visual feedback and use knight moves for greater password security.


Keywords: Swipe passwords; Gesture-based passwords; Over-the-shoulder attack



We thank Cameron Weigel, Tim Dovedot, Christina Vo, Auriana Shokrpour, Ashley Palma, and Michelle Gomez for contributing to this research.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Ashley A. Cain (1)
  • Liya Chiu (2)
  • Felicia Santiago (2)
  • Jeremiah D. Still (1)

  1. Department of Psychology, Old Dominion University, Norfolk, USA
  2. Department of Psychology, San Jose State University, San Jose, USA
