Abstract
Shoulder-surfing attacks are pervasive in today's digital environment. With the widespread use of mobile devices in public and uncontrolled settings, intentional or unintentional observation of user authentication processes is quite frequent. Researchers in the security domain have spent considerable effort developing shoulder-surfing-resistant authentication mechanisms. In this study, a pass-graph methodology that benefits from randomness and the derivation of alternative pass-graphs is proposed under the name Randomized Pass Points. The proposed authentication methodology is scrutinized for its resistance to brute-force and shoulder-surfing attacks. Evaluations show that the proposed alternative is stronger against brute-force attacks than an 8-digit password drawn from a 71-character set, and that, under the stated assumptions, a shoulder-surfing attacker must capture at least 5 valid log-ins to derive the pass-graph.
Data availability
Detailed data on the experiments and the survey can be requested from the corresponding author via e-mail.
Ethics declarations
Limitations
User test and survey results in this study should be considered as indicators, not scientific proofs, since the number of participants was limited by the available resources.
Conflict of interest
The authors declare that they have no conflict of interest.
Cite this article
Bostan, H., Bostan, A. Shoulder surfing resistant graphical password schema: Randomized Pass Points (RPP). Multimed Tools Appl 82, 43517–43541 (2023). https://doi.org/10.1007/s11042-023-15227-x