Baseline Measurements of Shoulder Surfing Analysis and Comparability for Smartphone Unlock Authentication

Abstract

In this research, we explore a novel approach to measuring the susceptibility of smartphone unlock authentication to shoulder surfing attacks. We have created a series of video recordings in which researchers enter authentication sequences into mobile devices (e.g. PINs, graphical patterns with lines, and graphical patterns without lines) in a controlled setting. These videos are designed to simulate shoulder surfing settings under varied attack conditions. Camera angles have been selected to mimic the locations where observational attacks may take place. Participants took the survey and played the role of attackers, viewing video-recorded footage of PIN and graphical pattern authentication input with various camera angles, hand positions, phone sizes, and authentication lengths and strengths. In this study, we recruited 94 midshipman participants as well as 1164 more respondents via Amazon Mechanical Turk, an online service for recruiting survey participants. Based on the collected data (for example, measurements of the success rate of an attack) and the recording methodology developed, we provide insight into which factors of mobile unlock authentication best and least resist shoulder surfing attacks, and we examine scenarios where weaknesses may occur. There are significant differences in success rates between the different authentication types. For PINs with a single view, the average success rate is 23.04%. Pattern-with-lines authentication has more than triple that success rate with a single view, at 72.44%. The goal of this research is to identify more effective guidance for mobile device users to avoid observational attacks. We also aim to advance the methodologies used to measure shoulder surfing attack surfaces, where baselines for comparison with preexisting systems (e.g. PINs and patterns) are not standardized.

Document Details

Document Type
Technical Report
Publication Date
May 22, 2017
Accession Number
AD1036628

Entities

People

  • John T Davin

Tags

DTIC Thesaurus Topics

  • Authentication
  • Computers
  • Cybersecurity
  • Measurement
  • Mobile Devices
  • Mobile Phones
  • Security
  • Shoulder
  • Smartphones
  • Validation
  • Video
  • Video Recording
  • World Wide Web

Fields of Study

  • Computer science
