H4Plock: Supporting Mobile User Authentication through Gestural Input and Tactile Output
Date
2015-07-22
Citation of Original Publication
Ali, Abdullah; Kuber, Ravi; Aviv, Adam J.; H4Plock: Supporting Mobile User Authentication through Gestural Input and Tactile Output; Symposium On Usable Privacy and Security (2015); https://cups.cs.cmu.edu/soups/2015/posters/soups2015_posters-final5.pdf
Rights
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Public Domain Mark 1.0
This work was written as part of one of the author's official duties as an Employee of the United States Government and is therefore a work of the United States Government. In accordance with 17 U.S.C. 105, no copyright protection is available for such works under U.S. Law.
Abstract
We have developed a novel authentication mechanism, H4Plock (pronounced “Hap-lock”), that leverages gestural input and tactile feedback to defend against casual observation attacks. Users enter up to four on-screen gestures based on receiving tactile prompts, in the form of vibrations, from the mobile device. These prompts inform the user as to which gestures should be entered. The style of vibrations, e.g., short versus long, indicates the specific gestures that should be entered from a previously chosen primary or secondary passcode. As a result, the sequence of gestures will vary on each authentication attempt, reducing the capability of an attacker to “shoulder surf” and accurately recreate the authentication process. We developed a prototype of the application and conducted an IRB-approved pilot study. Findings show that 94% of participants were able to properly authenticate using H4Plock, with 73% successfully accessing the system after a gap of five days without rehearsal. We also examined the security of H4Plock where participants were asked to recreate passcodes through a video replay, simulating a shoulder surfing attack scenario. Even after direct observations, only 25% of the passcodes could be successfully recreated.