ABSTRACT
Virtual keyboards on different smartphone platforms look much alike at first glance, but moving from a physical keyboard to an on-screen keyboard on a small display changes the user experience in ways that produce significant differences in usability and in shoulder-surfing susceptibility, i.e., the risk that a bystander observes what is being typed. In this work, we investigate the impact of both aspects on the security of text-based password entry on mobile devices. In a between-subjects study with 80 participants, we analyzed the usability and shoulder-surfing susceptibility of password entry on five mobile platforms (iOS, Android, Windows Phone, Symbian, MeeGo). The results show significant differences in the usability of password entry (required entry time, typing accuracy) and in susceptibility to shoulder surfing. They provide insights for the security-aware design of on-screen keyboards and for password composition strategies tailored to entry on smartphones.
Index Terms
- Password entry usability and shoulder surfing susceptibility on different smartphone platforms