Use the Force - Evaluating Force-Sensitive Authentication for Mobile Devices

Modern, off-the-shelf smartphones provide a rich set of possible touchscreen interactions, but knowledge-based authentication schemes still rely on simple digit or character input. Previous studies examined the shortcomings of such schemes based on unlock patterns, PINs, and passcodes.

In this paper, we propose to integrate pressure-sensitive touchscreen interactions into knowledge-based authentication schemes. By adding a (practically) invisible, pressure-sensitive component, users can select stronger PINs that are harder to observe for a shoulder surfer. We conducted a within-subjects design lab study (n = 50) to compare our approach termed force-PINs with standard four-digit and six-digit PINs regarding their usability performance and a comprehensive security evaluation. In addition, we conducted a field study that demonstrated lower authentication overhead. Finally, we found that force-PINs let users select higher entropy PINs that are more resilient to shoulder surfing attacks with minimal impact on the usability performance.

Published in: Engineering

  1. Use the Force - Evaluating Force-Sensitive Authentication for Mobile Devices. Katharina Krombholz, Thomas Hupperich, Thorsten Holz. SBA Research; Ruhr-Universität Bochum. Presented by: Wilfried Mayer, SBA Research
  2. What’s the Force?
  3. What’s the content?
     • Lab Study
     • Security Evaluation
     • Field Study
  4. Lab Study - Design
     • 50 participants / 3 methods / 3 attempts
     • Self-defined PIN / Random order of methods
     • Authentication speed & Error rate
     • Additional questionnaire
  5. Lab Study - Results
  6. Lab Study - Perceived Usability & Security
  7. Lab Study - Force
  8. “I like the additional dimension. It is invisible and therefore makes my PIN more secure.” (P5)
  9. Security Evaluation - Theoretical Entropy (method / combinations / entropy)
     • 10^4: 13.28 bit
     • 10^6: 19.93 bit
     • 20^4 [−10^4]: 17.28 bit
  10. Security Evaluation - Practical Entropy
     • theoretical: 13.28 bit
     • practical: 11.42 bit (1)
     • (1) Bonneau et al.
  11. Security Evaluation - Force patterns
  12. Security Evaluation - Practical Entropy: 11.42 bit; D / S 3.41 bit
  13. Security Evaluation - Shoulder Surfing Experiment
     • Direct observation
       ◦ Trustworthy experimenter watches while lab
       ◦ 50 PINs, 21 sequences guessed, 0 force-patterns
     • Filmed patterns
       ◦ Two volunteers watch recorded videos of PINs
       ◦ 50 PINs, 39 sequences guessed, 0 force-patterns
  14. “I think it might take a while to fully get used to it, as this concept is new to me.” (P23)
  15. Field Study - Design
     • 10 participants / Min. 300 attempts / 2 weeks
     • Restrictions in iOS - Single daily reminder
     • Designed like iOS lock screen
     • Additional debriefing interview
  16. Field Study - Results (Time)
  17. Field Study - Results (Error Rate)
  18. • Task overhead
       ◦ Initially higher
       ◦ Decreases with training
     • Improves security
       ◦ Entropy
       ◦ Perceived security
       ◦ Shoulder surfing
  19. May the Force be with you
  20. Questions: kkrombholz@sba-research.org
  21. Participant characteristics
  22. Participant characteristics
