H4Plock: Supporting Mobile User Authentication through Gestural Input and Tactile Output

Date

2015-07-22

Citation of Original Publication

Ali, Abdullah; Kuber, Ravi; Aviv, Adam J.; H4Plock: Supporting Mobile User Authentication through Gestural Input and Tactile Output; Symposium On Usable Privacy and Security (2015); https://cups.cs.cmu.edu/soups/2015/posters/soups2015_posters-final5.pdf

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Public Domain Mark 1.0
This work was written as part of one of the author's official duties as an Employee of the United States Government and is therefore a work of the United States Government. In accordance with 17 U.S.C. 105, no copyright protection is available for such works under U.S. Law.

Abstract

We have developed a novel authentication mechanism, H4Plock (pronounced “Hap-lock”), that leverages gestural input and tactile feedback to defend against casual observation attacks. Users enter up to four on-screen gestures based on receiving tactile prompts, in the form of vibrations, from the mobile device. These prompts inform the user as to which gestures should be entered. The style of vibrations, e.g., short versus long, indicates the specific gestures that should be entered from a previously chosen primary or secondary passcode. As a result, the sequence of gestures will vary on each authentication attempt, reducing the capability of an attacker to “shoulder surf” and accurately recreate the authentication process. We developed a prototype of the application and conducted an IRB-approved pilot study. Findings show that 94% of participants were able to properly authenticate using H4Plock, with 73% successfully accessing the system after a gap of five days without rehearsal. We also examined the security of H4Plock, where participants were asked to recreate passcodes through a video replay, simulating a shoulder surfing attack scenario. Even after direct observations, only 25% of the passcodes could be successfully recreated.