Towards Baselines for Shoulder Surfing on Mobile Authentication

Thumbnail Image

Files

3134600.3134609.pdf (2.07 MB)

Links to Files

https://dl.acm.org/doi/10.1145/3134600.3134609

Permanent Link

http://hdl.handle.net/11603/19836
 https://doi.org/10.1145/3134600.3134609

Collections

UMBC Information Systems Department
UMBC Faculty Collection
UMBC Student Collection

Author/Creator

Author/Creator ORCID

Date

2017-12

Type of Work

conference papers and proceedings
Text

Department

Program

Citation of Original Publication

Aviv, Adam J.; Davin, John T.; Wolf, Flynn; Kuber, Ravi; Towards Baselines for Shoulder Surfing on Mobile Authentication; ACSAC 2017: Proceedings of the 33rd Annual Computer Security Applications Conference, December 2017, Pages 486–498; https://dl.acm.org/doi/10.1145/3134600.3134609;

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Public Domain Mark 1.0
This work was written as part of one of the author's official duties as an Employee of the United States Government and is therefore a work of the United States Government. In accordance with 17 U.S.C. 105, no copyright protection is available for such works under U.S. Law.

Subjects

Abstract

Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of an observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs on current systems is less well studied. In this paper, we describe a large online experiment (n = 1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering in a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attacking surface where a single observation leads to just 10.8% successful attacks (26.5% with multiple observations). As a comparison, 6-length Android patterns, with one observation, were found to have an attack rate of 64.2% (79.9% with multiple observations). Removing feedback lines for patterns improves security to 35.3% (52.1% with multiple observations). This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best and worst case scenarios related to shoulder surfing vulnerability which can both help inform users to improve their security choices, as well as establish baselines for researchers.