DOI: 10.1145/1357054.1357085
Research article, CHI Conference Proceedings

Undercover: authentication usable in front of prying eyes

Published: 06 April 2008

Abstract

A number of recent scams and security attacks (phishing, spyware, fake terminals, ...) hinge on a crook's ability to observe user behavior. In this paper, we describe the design, implementation, and evaluation of a novel class of user authentication systems that are resilient to observation attacks.
Our proposal is the first to rely on the human ability to simultaneously process multiple sensory inputs to authenticate, and is resilient to most observation attacks. We build a prototype based on user feedback gained through low fidelity tests. We conduct a within-subjects usability study of the prototype with 38 participants, which we complement with a security analysis.
Our results show that users can authenticate within times comparable to those of graphical password schemes, with relatively low error rates, while being considerably better protected against observation attacks. Our design and evaluation process allows us to outline design principles for observation-resilient authentication systems.


Published In

CHI '08: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2008, 1870 pages
ISBN: 9781605580111
DOI: 10.1145/1357054
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. multisensory processes
  2. security
  3. usability

Qualifiers

  • Research-article

Conference

CHI '08

Acceptance Rates

  • CHI '08 paper acceptance rate: 157 of 714 submissions (22%)
  • Overall acceptance rate: 6,199 of 26,314 submissions (24%)

Article Metrics

  • Downloads (last 12 months): 15
  • Downloads (last 6 weeks): 3
Reflects downloads up to 16 Oct 2024

Cited By

  • (2022) The Feet in Human-Centred Security: Investigating Foot-Based User Authentication for Public Displays. Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems, 1-9. DOI: 10.1145/3491101.3519838. Online publication date: 27 Apr 2022.
  • (2022) Virtual Reality Observations: Using Virtual Reality to Augment Lab-Based Shoulder Surfing Research. 2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR), 291-300. DOI: 10.1109/VR51125.2022.00048. Online publication date: Mar 2022.
  • (2022) PushPIN: A Pressure-Based Behavioral Biometric Authentication System for Smartwatches. International Journal of Human–Computer Interaction, 39(4):893-909. DOI: 10.1080/10447318.2022.2049144. Online publication date: 19 Apr 2022.
  • (2022) CipherCard: A Token-Based Approach Against Camera-Based Shoulder Surfing Attacks on Common Touchscreen Devices. Human-Computer Interaction – INTERACT 2015, 436-454. DOI: 10.1007/978-3-319-22668-2_34. Online publication date: 10 Mar 2022.
  • (2021) CogTool+. ACM Transactions on Computer-Human Interaction, 28(2):1-38. DOI: 10.1145/3447534. Online publication date: 17 Apr 2021.
  • (2021) User Perceptions of Defensive Techniques Against Keystroke Timing Attacks During Password Entry. Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems, 1-6. DOI: 10.1145/3411763.3451667. Online publication date: 8 May 2021.
  • (2020) Exploiting Behavioral Side Channels in Observation Resilient Cognitive Authentication Schemes. ACM Transactions on Privacy and Security, 24(1):1-33. DOI: 10.1145/3414844. Online publication date: 28 Sep 2020.
  • (2020) LightDefender: Protecting PIN Input using Ambient Light Sensor. 2020 IEEE International Conference on Pervasive Computing and Communications (PerCom), 1-10. DOI: 10.1109/PerCom45495.2020.9127361. Online publication date: Mar 2020.
  • (2020) On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries. Frontiers of Computer Science: Selected Publications from Chinese Universities, 15(2). DOI: 10.1007/s11704-019-9134-9. Online publication date: 2 Oct 2020.
  • (2020) Example Applications of CogTool+. Cognitive Modeling for Automated Human Performance Evaluation at Scale, 75-93. DOI: 10.1007/978-3-030-45704-4_6. Online publication date: 17 Sep 2020.
