DOI: 10.1145/2556288.2557097
Research article

Now you see me, now you don't: protecting smartphone authentication from shoulder surfers

Published: 26 April 2014

Abstract

In this paper, we present XSide, an authentication mechanism that uses the front and the back of a smartphone to enter stroke-based passwords. Users can switch sides during input to minimize the risk of shoulder surfing. We performed a user study (n = 32) to explore how switching sides during authentication affects the usability and security of the system. The results indicate that switching sides increases security while authentication speed stays relatively fast (≤ 4 seconds). The paper furthermore provides insights into the accuracy of eyes-free input (as used in XSide) and shows how 3D-printed prototype cases can improve the back-of-device interaction experience.



Published In

CHI '14: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2014, 4206 pages
ISBN: 9781450324731
DOI: 10.1145/2556288

Publisher

Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. authentication
    2. back-of-device interaction
    3. security


    Conference

CHI '14: CHI Conference on Human Factors in Computing Systems
April 26 - May 1, 2014
Toronto, Ontario, Canada

    Acceptance Rates

CHI '14 Paper Acceptance Rate: 465 of 2,043 submissions, 23%
Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%

    Article Metrics

• Downloads (last 12 months): 53
• Downloads (last 6 weeks): 1
Reflects downloads up to 20 Feb 2025

Cited By
• (2023) “Someone Definitely Used 0000”: Strategies, Performance, and User Perception of Novice Smartphone-Unlock PIN-Guessers. Proceedings of the 2023 European Symposium on Usable Security, 158-174. DOI: 10.1145/3617072.3617113. Online publication date: 16-Oct-2023.
• (2023) Performance and Usability Evaluation of Brainwave Authentication Techniques with Consumer Devices. ACM Transactions on Privacy and Security 26(3), 1-36. DOI: 10.1145/3579356. Online publication date: 13-Mar-2023.
• (2023) RePaLM: A Data-Driven AI Assistant for Making Stronger Pattern Choices. Human-Computer Interaction – INTERACT 2023, 59-69. DOI: 10.1007/978-3-031-42286-7_4. Online publication date: 28-Aug-2023.
• (2023) Hollow-Pass: A Dual-View Pattern Password Against Shoulder-Surfing Attacks. Cyber Security, Cryptology, and Machine Learning, 251-272. DOI: 10.1007/978-3-031-34671-2_18. Online publication date: 21-Jun-2023.
• (2023) “They see me scrollin”—Lessons Learned from Investigating Shoulder Surfing Behavior and Attack Mitigation Strategies. Human Factors in Privacy Research, 199-218. DOI: 10.1007/978-3-031-28643-8_10. Online publication date: 10-Mar-2023.
• (2022) “Ask this from the person who has private stuff”: Privacy Perceptions, Behaviours and Beliefs Beyond W.E.I.R.D. Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, 1-17. DOI: 10.1145/3491102.3501883. Online publication date: 29-Apr-2022.
• (2022) The Feet in Human-Centred Security: Investigating Foot-Based User Authentication for Public Displays. Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems, 1-9. DOI: 10.1145/3491101.3519838. Online publication date: 27-Apr-2022.
• (2022) User-centred multimodal authentication: securing handheld mobile devices using gaze and touch input. Behaviour & Information Technology 41(10), 2061-2083. DOI: 10.1080/0144929X.2022.2069597. Online publication date: 6-May-2022.
• (2022) Bu-Dash: a universal and dynamic graphical password scheme (extended version). International Journal of Information Security 22(2), 381-401. DOI: 10.1007/s10207-022-00642-2. Online publication date: 4-Dec-2022.
• (2022) Bu-Dash: A Universal and Dynamic Graphical Password Scheme. HCI for Cybersecurity, Privacy and Trust, 209-227. DOI: 10.1007/978-3-031-05563-8_14. Online publication date: 26-Jun-2022.
