Shoulder-Surfing Safe Login in a Partially Observable Attacker Model

(Short Paper)

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6052)

Abstract

Secure login methods based on human cognitive skills can be classified into two categories based on information available to a passive attacker: (i) the attacker fully observes the entire input and output of a login procedure, (ii) the attacker only partially observes the input and output. Login methods secure in the fully observable model imply very long secrets and/or complex calculations. In this paper, we study three simple PIN-entry methods designed for the partially observable attacker model. A notable feature of the first method is that the user needs to perform a very simple mathematical operation, whereas, in the other two methods, the user performs a simple table lookup. Our usability study shows that all the methods have reasonably low login times and minimal error rates. These results, coupled with low-cost hardware requirements (only earphones), are a significant improvement over existing approaches for this model [9,10]. We also show that side-channel timing attacks present a real threat to the security of login schemes based on human cognitive skills.

References

  1. Backes, M., Dürmuth, M., Unruh, D.: Compromising Reflections - or - How to Read LCD Monitors Around the Corner. In: IEEE Symposium on Security and Privacy (May 2008)

  2. Brooke, J.: SUS: A Quick and Dirty Usability Scale. In: Usability Evaluation in Industry (1996)

  3. Cover, T., Hart, P.: Nearest Neighbor Pattern Classification. IEEE Transactions on Information Theory 13, 21–27 (1967)

  4. Golle, P., Wagner, D.: Cryptanalysis of a Cognitive Authentication Scheme (Extended Abstract). In: Proc. IEEE Symposium on Security and Privacy (2007)

  5. Hopper, N., Blum, M.: Secure Human Identification Protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 52. Springer, Heidelberg (2001)

  6. Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

  7. O’Rourke, N., Hatcher, L., Stepanski, E.J.: A Step-by-Step Approach to Using SAS for Univariate and Multivariate Statistics, 2nd edn. SAS Institute Inc. (2005)

  8. The Science Behind Passfaces, http://www.realuser.com/

  9. Kuber, R., Yu, W.: Authentication Using Tactile Feedback. In: Interactive Experiences, HCI, London, UK (2006)

  10. Sasamoto, H., Christin, N., Hayashi, E.: Undercover: Authentication Usable in Front of Prying Eyes. In: ACM Conference on Human Factors in Computing Systems (2008)

  11. Tari, F., Ant Ozok, A., Holden, S.H.: A Comparison of Perceived and Real Shoulder-surfing Risks Between Alphanumeric and Graphical Passwords. In: SOUPS (2006)

  12. Weinshall, D.: Cognitive Authentication Schemes Safe Against Spyware (Short Paper). In: Proc. IEEE Symposium on Security and Privacy (2006)

  13. Wilfong, G.T.: Method and Apparatus for Secure PIN Entry. U.S. Patent, Lucent Technologies, Inc., Murray Hill, NJ (1999)

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Perković, T., Čagalj, M., Saxena, N. (2010). Shoulder-Surfing Safe Login in a Partially Observable Attacker Model. In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_29

  • DOI: https://doi.org/10.1007/978-3-642-14577-3_29

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14576-6

  • Online ISBN: 978-3-642-14577-3

  • eBook Packages: Computer Science (R0)