Beruflich Dokumente
Kultur Dokumente
AbstractAuthentication based on passwords is used largely in applications for computer security and privacy. However, human
actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as the weakest link in the
authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy
memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with
various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing
attacks. Attackers can observe directly or use external recording devices to collect users credentials. To overcome this problem, we
proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time
valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for
attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a
PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the
experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.
1 I NTRODUCTION
them can be easily compromised to shoulder surfing attacks also extended the DAS based on finger-drawn doodles and
if attackers use video capturing techniques like Google Glass pseudosignatures in recent mobile device [32], [33]. This au-
[15], [26]. The limitations of usability include issues such as thentication system is based on features which are extracted
taking more time to log in, passwords being too difficult to from the dynamics of the gesture drawing process (e.g.,
recall after a period of time, and the authentication method speed or acceleration). These features contain behavioral
being too complicated for users without proper education biometric characteristic. In other words, the attacker would
and practice. have to imitate not only what the user draws, but also
In 2006, Wiedenbeck et al. proposed PassPoints [7] in how the user draws it. However, these three authentication
which the user picks up several points (3 to 5) in an schemes are still all vulnerable to shoulder surfing attacks
image during the password creation phase and re-enters as they may reveal the graphical passwords directly to some
each of these pre-selected click-points in a correct order unknown observers in public.
within its tolerant square during the login phase. Com-
paring to traditional PIN and textual passwords, the Pass-
Points scheme substantially increases the password space
and enhances password memorability. Unfortunately, this
graphical authentication scheme is vulnerable to shoulder
surfing attacks. Hence, based on the PassPoints, we add the
idea of using one-time session passwords and distractors
to develop our PassMatrix authentication system that is
resistant to shoulder surfing attacks. Fig. 1. (a) Pixel squares selected by users as authentication passwords
in PassPoints [7]. (b) Authentication password drew by users and the
raw bits recorded by the system database [6].
1.2 Organization
In addition to graphical authentication schemes, there
This paper is organized as follows. Section 2 provides the was some research on the extension of conventional per-
backgrounds of related techniques about graphical authen- sonal identification number (PIN) entry authentication sys-
tication schemes and Section 3 describes attack models. The tems. In 2004, Roth et al. [34] presented an approach for
proposed PassMatrix is presented in Section 4. The user PIN entry against shoulder surfing attacks by increasing
study and its results are available in Section 5 and Section the noise to observers. In their approach, the PIN digits
6 respectively. A security analysis is discussed in Section 7. are displayed in either black or white randomly in each
Section 8 concludes the paper. round. The user must respond to the system by identifying
the color for each password digit. After the user has made
a series of binary choices (black or white), the system can
2 BACKGROUND AND R ELATED W ORK figure out the PIN number the user intended to enter by
In the past several decades, a lot of research on password intersecting the users choices. This approach could confuse
authentication has been done in the literature. Among all of the observers if they just watch the screen without any help
these proposed schemes, this paper focuses mainly on the of video capturing devices. However, if observers are able
graphical-based authentication systems. To keep this paper to capture the whole authentication process, the passwords
concise, we will give a brief review of the most related can be cracked easily.
schemes that were mentioned in the previous section. Many In order to defend the shoulder surfing attacks with
other schemes such as those in [27], [28], [29], [30], [31] video capturing, FakePointer [35] was introduced in 2008
may have good usability, they are not graphical-based and by T. Takada. We use Figure 2 (from [35]) below to show
need additional support from extra hardware such as audio, the usage of FakePointer. In addition to the PIN number,
multi-touch monitor, vibration sensor, or gyroscope, etc. the user will get a new answer indicator each time for
In the early days, the graphical capability of handheld the authentication process at a bank ATM. In other words,
devices was weak; the color and pixel it could show was the user has two secrets for authentication: a PIN as a fixed
limited. Under this limitation, the Draw-a-Secret (DAS) [6] secret and an answer indicator as a disposable secret. The
technique was proposed by Jermyn et al. in 1999, where the answer indicator is a sequence of n shapes if the PIN has
user is required to re-draw a pre-defined picture on a 2D n digits. At each login session, the FakePointer interface
grid. We directly extract the figure from [6] and show it in will present the user an image of a numeric keypad with 10
Figure 1(b). If the drawing touches the same grids in the numbers (similar to the numeric keypad for phones), with
same sequence, then the user is authenticated. Since then, each key (number) on top of a randomly picked shape. The
the graphical capability of handheld devices has steadily numeric keys, but not the shapes, can be moved circularly
and ceaselessly improved with the advances in science and using the left or right arrow keys. During authentication,
technology. In 2005, Susan Wiedenbeck et al. introduced a the user must repeatedly move numeric keys circularly as
graphical authentication scheme PassPoints [7], and at that shown in the leftmost figure in Figure 2, until the first digit
time, handheld devices could already show high resolution of the PIN overlaps the first shape of the answer indicator
color pictures. Using the PassPoint scheme, the user has on the keypad and then confirm a selection by pressing
to click on a set of pre-defined pixels on the predestined the space key. This operation is repeated until all the PIN
photo, as shown in Figure 1(a) (this figure is extracted digits are entered and confirmed. This approach is quite
from [7]), with a correct sequence and within their tolerant robust even when the attacker captures the whole authen-
squares during the login stage. Moreover, Marcos et al. tication process. However, there is still room to improve
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
the password space. For example, if the device used for 3 P ROBLEM S TATEMENT, ATTACK M ODEL AND
authentication is a smartphone, a tablet or a computer rather A SSUMPTIONS
than a bank ATM, the password space can be enlarged
3.1 Problem Statement
substantially since the PIN could be any combination of
alphanumeric characters rather than just numeric digits. With the increasing amount of mobile devices and web
services, users can access their personal accounts to send
confidential business emails, upload photos to albums in
the cloud or remit money from their e-bank account anytime
and anywhere. While logging into these services in public,
they may expose their passwords to unknown parties un-
consciously. People with malicious intent could watch the
whole authentication procedure through omnipresent video
cameras and surveillance equipment, or even a reflected
image on a window [37]. Once the attacker obtains the
Fig. 2. FakePointer, where a user can move a numeric key layout password, they could access personal accounts and that
circularly using right and left arrow keys. [35]
would definitely pose a great threat to ones assets. Shoulder
surfing attacks have gained more and more attention in the
Wiedenback et al. [36] described a graphical password past decade. The following lists the research problems we
entry scheme in 2006, as shown in Figure 3(b) (the figure would like to address in this study:
is extracted from [36]). This scheme is resistant to shoulder
1) The problem of how to perform authentication in
surfing attacks using a convex hull method. The user needs
public so that shoulder surfing attacks can be allevi-
to recognize a set of pass-icons on the screen and clicks
ated.
inside the convex hull formed by all these pass-icons. In
2) The problem of how to increase password space
order to make the password hard to guess, a large number
than that of the traditional PIN.
of other different icons can be inserted into the screen
3) The problem of how to efficiently search exact pass-
to increase the password space. However, a large number
word objects during the authentication phase.
of objects will crowd the display and may make objects
4) The problem of requiring users to memorize extra
indistinguishable.
information or to perform extra computation during
In 2010, David Kim et al. [25] proposed a visual authen- authentication.
tication scheme for tabletop interfaces called Color Rings, 5) The problem of limited usability of authentication
as shown in Figure 3(a) (the figure is extracted from [25]), schemes that can be applied to some devices only.
where the user is assigned i authentication (key) icons,
which are collectively assigned one of the four color-rings:
3.2 Attack Model
red, green, blue, or pink. During login, i grids of icons are
provided, with 72 icons being displayed per grid. There is 3.2.1 Shoulder Surfing Attacks
only one key icon presented in each grid. The user must Based on previous research [20], [21], [25], [34], [35], users
drag all four rings (ideally with index finger and thumb actions such as typing from their keyboard, or clicking on
from two hands) concurrently and place them in the grid. the pass-images or pass-points in public may reveal their
The distinct key icon should be captured by the correct color passwords to people with bad intention. In this paper, based
ring while the rest of rings just make decoy selections. The on the means the attackers use, we categorize shoulder-
user confirms a selection by dropping the rings in position. surfing attacks into three types as below:
The rings are large enough to include more than one icon
1) Type-I: Naked eyes.
and can thus obfuscate the direct observer. Unfortunately,
2) Type-II: Video captures the entire authentication
these kinds of passwords can be cracked by intersecting
process only once.
the users selections in each login because the color of the
3) Type-III: Video captures the entire authentication
assigned ring is fixed and a ring can include at most seven
process more than once.
icons. Thus, the attacker only requires a limited number of
trials to guess the users password. The latter types of attacks require more effort and tech-
niques from attackers. Thus, if an authentication scheme is
able to resist against these attacks, it is also secure against
previous types of attacks. Some of the proposed authentica-
tion schemes [4], [5], [6], [7], [25], [38], including traditional
text-password and PIN, are vulnerable to shoulder surfing
Type-I attacks and thus are also subject to Type-II and Type-
III attacks. These schemes reveal passwords to attackers as
soon as users enter their passwords by directly pressing
or clicking on specific items on the screen. Other schemes
such as those in [19], [34] can resist against Type-I but are
Fig. 3. (a) Color Rings method [25]. (b) Convex Hull method [36].
vulnerable to Type-II and Type-III attacks since the attackers
can crack passwords by intersecting their video captures
from multiple steps of the entire authentication process.
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
4 PASS M ATRIX
To overcome (1) the security weakness of the traditional
PIN method, (2) the easiness of obtaining passwords by
observers in public, and (3) the compatibility issues to
devices, we introduced a graphical authentication system
called PassMatrix. In PassMatrix, a password consists of
only one pass-square per pass-image for a sequence of
n images. The number of images (i.e., n) is user-defined.
Figure 5 demonstrates the proposed scheme, in which the
Fig. 6. Overview of the PassMatrix system.
first pass-square is located at (4, 8) in the first image, the
second pass-square is on the top of the smoke in the second
image at (7, 2), and the last pass-square is at (7, 10) in the Image Discretization Module. This module divides each
third image. image into squares, from which users would choose one as
In PassMatrix, users choose one square per image for a the pass-square. As shown in Figure 5, an image is divided
sequence of n images rather than n squares in one image as into a 7 11 grid. The smaller the image is discretized,
that in the PassPoints [7] scheme. Based on the user study of the larger the password space is. However, the overly
Cued Click Points (CCP) [40] proposed by Chiasson et al., concentrated division may result in recognition problem of
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
4.2 PassMatrix
PassMatrixs authentication consists of a registration phase
and an authentication phase as described below:
is displayed in a size of 420 660 pixels and is discretized Password memorability/recollection: How well do
into 60 60 pixel squares. Thus, users have 7 11 squares users remember their password and can they log into
to select in each image (see Figure 11(c)). After a user selects the system successfully after a period of time since
three to five images with one pass-square per image, the registration?
password will be stored as a list of coordinates in a database Usability: We measured the users experience on
table (i.e., the locations of those selected pass-squares in the PassMatrix, which includes the total time consumed
7 11 grid). The password space depends on the number of for both registration and authentication, the success-
images set by users. For instance, if a user creates an account ful login rate if they know their passwords, and the
with four images, the password space is (7 11)4 . number of times users use the bar control functions
to shift the elements to the right position during the
authentication phase.
In order to analyze the memorability, we asked the
experiment participants to register a PassMatrix account
first and then come back to log into their account two weeks
later. We marked a login attempt as a failure if the number
of retries exceeded 5 times.
To analyze the usability, we recorded the time each par-
ticipant spent on both registration and login to see whether
the PassMatrixs authentication is time-consuming. We also
recorded the number of times participants fling their finger
to shift the horizontal and vertical bars to measure the
Fig. 12. (a) A visual way for users to obtain a one-time valid login indi- effort they have to make during the authentication phase.
cator. (b) The permutations of alphanumerics in horizontal and vertical Furthermore, to calculate the successful login rate, we asked
bars are randomly generated for each image. (c) Users can shift the the participants to log into PassMatrix three times right
bars to the correct position so that the login indicator aligns with the
after they register an account in the first session and re-log
pass-square.
into the system another three times in the second session
The first step in the login phase is getting the one- (two weeks later). We can use these statistic data from
time valid login indicator from the system. There are many each participant to evaluate how well users operate on the
ways to obtain the indicator and weve illustrated several systems authentication interface. The detailed procedure is
examples in Section 4.1. In our implementation, we adopted described in Section 5.2.4 and the results will be shown in
the simplest way: grasping the hand with a little space left Section 6.
in the center and then touching the screen of smart phones
(see Figure 12(a)). To protect against shoulder surfing, the 5.2.2 Environment
indicator is not shown until the hand touches the screen and We deployed and installed PassMatrix.apk on Samsung
will vanish immediately when the hand leaves the screen. Nexus S with Android version 2.3.6 and a display size of
The number of elements on both the horizontal and 480 800 pixels. MySQL 5.0.51 and PHP were installed on
vertical bars depends on the discretization degree of the a server with Intel(R) Core(TM) 2 Quad CPU, 3GB RAM
images. In our implementation, there are 7 letters (from and Ubuntu 8.04.4 OS.
A to G) and 11 numbers (from 1 to 11) on the horizontal
bar and on the vertical bar, respectively. They are used 5.2.3 Participants
to align the one-time indicator with the pass-square in 30 novice users (11 females and 19 males), who are un-
each pass-image during the authentication phase. In order familiar with PassMatrix or even graphical authentication
to obfuscate and thus hide the alignment patterns from schemes, were recruited from our university to participate
observers, we randomly shuffled the elements on both bars in this study. At the time of this study, the participants are
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
24.53 years old on average (StdDev=3.14), in which three only after the whole password input process is
of them are post-doctors and the majority of the rest are completed, not in between each pass-image.
graduate students. All participants are either in Computer 4) Login phase: After practicing, participants were re-
Science, Information System Management or other informa- quested to log into their account formally in a login
tion technology majors. 76.67% of them have a background mode.
of information security. As Figure 13(b) shows, 73 % of 5) Participants were also asked to answer a short de-
participants have less than one year or no experience at all mographic questionnaire about some simple per-
of using smart phones, whereas 20% of participants have sonal data and their personal experience on mobile
more than one but less than two years of experience and phones or authentication systems.
the final 7% are veteran users with more than two years 6) Each participant was then given an answer sheet,
of experience. The survey showed that in the past, they containing the information of a third persons two
went through authentication processes on an average of 12.6 previous login records. Participants were asked to
times a day in public (see Figure 13(a)). figure out the third persons pass-squares from
these two given login records. An incentive gift
was provided if they are able to successfully crack
the password in ten tries (i.e., ten guesses on the
answer sheet). Two weeks were given to crack the
password.
6.2 Usability
Successf ul attempts
T otal Accuracy = (2)
T otal attempts We counted the number of shifts and the elapsed time per
pass-image in our experiment to measure the usability of
our PassMatrix in practice.
TABLE 1
The accuracy of practice/authentication(login) in two sessions
TABLE 3
First session Second session The mean, median and standard deviation of total time in the
registration phase
First Total First Total
Practice Phase 60.00% 100% - - Registration(1st)
Login Phase 86.67% 100% 66.67% 93.33% Mean Median S.D
Total Time(s) 106.6 90.5 55.58
Table 1 shows the First Accuracy and the Total Accuracy
of the practice and login phases in both sessions with 30
participants. On average, 3.2 pass-images were selected by Table 3 shows the elapsed time that participants con-
each participant. The result shows that both the First and sumed in the registration phase. The registration took 1
Total Accuracies in the first session are higher than those in minute and 46 seconds on average. Though it seems the
the second session. In the first session, 26 out of 30 (86.67%) average registration time is a bit lengthy in records, 73.33%
participants were able to log into the system successfully of participants felt that the registration process is actu-
with just one try and all of them were authenticated within ally not time consuming and 10% of them said that they
six tries (i.e., the Total Accuracy is 100%). After more than spent most of their registration time in finding pass-squares
two weeks (for an average of 16.3 days), the First Accuracy that are meaningful to them. Based on the survey data
in the second session was down to 66.67%, but the Total from participants, we concluded that the time required
Accuracy is still 93.33%. We surveyed the participants for for registration is acceptable to users in practice. During
the possible reasons of the big drop in the First Accuracy registration, participants can choose 3 to 5 pass-images as
and also analyzed those failed login attempts in the second their passwords. In our experiment, all but five participants
session. We found out that the participants did not really chose 3 images (mean=3.2 images). The average time each
forget their passwords. Most of them still remember the user spent on practice and login (see Table 4) in the first
locations of their pass-squares. However, they accidentally session was 47.86 seconds and 31.31 seconds respectively.
shifted the horizontal or vertical bar to a wrong position The required time to log into PassMatrix is reduced by 16.55
and submitted without checking. Most of them could log seconds after practicing 4 times on average to get familiar
into the system successfully in the very next try and that is with the shifting (i.e., dragging and flinging) operations
why the Total Accuracy (93.33%) is much higher than the on touch screens. The results are good due to the fact
First Accuracy (66.67%) in the second session. that 73% of participants have either no or less than one
Table 2 shows the average number of re-tries until the year of experience of using smart phones (see Figure 13).
user finally logged in successfully. Even after more than Furthermore, even after more than two weeks (16.3 days on
two weeks, participants were able to log into the system average), the average login time was still as low as 37.11
successfully in an average of 0.64 (Median=0) re-tries, or seconds, not far away from that (31.11 seconds) in the first
in other words a total of 1.64 tries. 25 out of 30 (83.33%) session. The reason that the time was slightly increased was
participants were able to log into their account within three because participants needed to recall their passwords. A
tries. For the rest, 4 participants logged in successfully survey showed that the time spent in the login process is
within ten tries and only one participant failed to log in acceptable to 83.33% of participants. They felt that spending
after trying ten times. According to the data recorded, these a little bit extra time is worthwhile if the authentication
5 participants failed to log in within 3 tries were all having system can protect their passwords from being seen by
trouble to pass only one of the three pass-images they set in others peeking over their shoulders.
the registration phase. For the shifting operations, while aligning a login in-
In summary, we conclude that the passwords of our dicator to a pass-square in each pass-image (see Table 4),
PassMatrix are easy to memorize. Users can log into the there is no significant difference (F=3.6, p> 0.05) in the
system with only 1.64 (Median=1) authentication requests number of such operations in the practice phase and in
on average, and the Total Accuracy of all login trials is the login phase in both sessions, where F means the F-test
93.33% even after two weeks. (http://en.wikipedia.org/wiki/F-test) and p means the p-
value (http://en.wikipedia.org/wiki/P-value). Because the
TABLE 2
The mean, median and standard deviation of the number of retries login indicator is randomly generated for each pass-image
in a successful attempt. and elements in both the horizontal bar and vertical bar are
also randomly shuffled, the number of shifting operations
First Session Second Session used to move the login indicator to the right position may
Mean Median S.D Mean Median S.D differ as well. There are two types of shifting operations,
which are dragging (aligning the login indicator with the
Practice Phase 0.41 0 0.50 - - -
pass-square in a single move) and flinging (fast finger
Login Phase 0.13 0 0.35 0.64 0 2.64
movement on the screen; only shifting one unit at a time). As
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
shown in the experimental results, participants only shifted scales, in which 1 represents a strong disagreement and 5
4 to 5 times per pass-image on average. indicates a strong agreement.
Table 5 shows all the questions with their mean and
TABLE 4 median scores. As the result shows, participants felt it is
The mean, median and standard deviation of total time and the insecure to use traditional text passwords or PIN methods,
number of shifts in practice/authentication phase and they believed that using PassMatrix to log in can protect
their passwords from being shoulder surfing attacked. For
Practice(1st) Login(1st) Login(2nd) the user experience on PassMatrix, the mean scores of the
Mean Median Mean Median Mean Median series of questions are high, ranging from 3.87 to 4.20. All
Time(s) 47.86 41 31.31 29.5 37.11 34 participants agreed that PassMatrix is easy to use and the
shift 5.67 5 4.91 5 4.9 4 majority of them (93.33%) considered the time spent (or in
other words, complexity) for the PassMatrixs login process
is acceptable. For an in-depth investigation at the number
In summary, the experimental results showed that all
of pass-images users may accept in different authentication
participants can operate the login process through the Pass-
scenarios, see Figure 14, we found out that users tended to
Matrixs authentication interface. Thus, our PassMatrix is
set only one pass-image as their password for screen lock
friendly to use in practice. Users may need to spend more
in their mobile phones, 2 to 3 for OS user login and e-mail
time to log into PassMatrix in the practice phase (47.86
service login, and 5 or more for bank accounts.
seconds on average) right after registering their accounts.
We told participants to choose meaningful pass-squares
However, they can log into the system more quickly, even
to be their passwords and some of them really did. They
two weeks after registration (in between 31.31 seconds and
spent more time in finding and memorizing special squares
37.11 seconds). The results also showed that users could
meaningful to them. However, when being asked how they
easily control the horizontal and vertical bars to align lo-
decided pass-squares, most of them expressed that they
gin indicators with pass-squares. Hence, our PassMatrix is
chose a square that is conspicuous in an image. This might
practical in the perspectives of easy-to-use and efficiency.
result in hot-spot problems [46] and we will discuss this
issue in the next section.
TABLE 5 In summary, the overall feedback from the participants
Questionnaire responses. Scores are 1 to 5.
is good. They have no trouble using PassMatrix to log in
and they believe PassMatrix can protect their pass-squares
Questions Mean Median from being known by others when operating in public. In
Some information is exposed when authenticat- 4.13 4
addition, the required time for login is acceptable to most of
ing in public. them and we believe the login time will be decreased when
I would have serious loss if my passwords were 4 4 users gain more experience in using PassMatrix.
cracked.
PassMatrix can protect my passwords from be- 4.23 4
ing attacked by SSA.
Compared to text passwords and PIN, PassMa- 4.27 4
trix is more secure.
PassMatrix is secure and trustable. 4.27 4
Its difficult to find out the pass-square of others 4.27 4
even if I had screen shots or videos of ones login
process.
Its easy and fast to create an account in Pass- 3.87 4
Matrix. Fig. 14. Number of pass-images users may accept in different authenti-
In general, PassMatrix is a user-friendly system 4.2 4 cation scenarios.
and is easy to use.
The time consumed for using PassMatrix is ac- 4.07 4
ceptable. 6.4 Cracking PassMatrix
The login indicator is clear and easy to memo- 3.9 4 In order to brainstorm different ways, if any, to crack
rize temporarily. PassMatrix through shoulder surfing attacks, we aggregated
The login indicator is safe from being peeped at 4 4 the pass-images and pass-squares chosen by participants
by others.
during the registration phase and randomly picked 10 to-
I tend to choose squares that are eye-catching. 3.83 4 be-cracked accounts, each with three pass-images. 30 partic-
I tend to choose squares that are obtrusive. 2.6 2 ipants were divided into 10 groups, each with 3 participants.
Each group was asked to crack one account. We simulated
the owners of these 10 accounts to log into PassMatrix two
times and screenshot the entire login processes. These two
6.3 Questionnaires
login records of each account along with an answer sheet
Participants were asked to fill out questions about their were given to three participants. They were asked to crack
personal background and a set of Likert-scale questions (identify) the pass-square in each pass-image from the given
about their experience in using PassMatrix at the end of the two login records. 25 participants returned their answer
first and the second sessions. We adopted five-point Likert sheets after two weeks.
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
In our implementation, we built a prototype of Pass- image, the password space will not be narrowed down even
Matrix on Android OS, and conducted the user study on if the whole authentication process is recorded by attackers.
Samsung Nexus S, which is a device with a small screen. Furthermore, the login indicator for each pass-image varies
Due to the size limitation, the tolerance squares are 60 60 so that each pass-image is an independent case. Thus, no
pixels, so that users can distinguish squares clearly. Since pattern can be extracted from a set of pass-images in an
the size of images is 420 660 pixels, we have 7 partitions authentication trial, neither from multiple login processes.
on the x-axis and 11 partitions on the y-axis, which means With the above security features, PassMatrix should be
we have a total of 7 11 squares in each image. strong enough to resist shoulder surfing attacks, even if the
Table 8 shows the entropies of PassMatrix type 1 (getting attacks are camera-equipped.
login indicators by touching the screen with hand grasped)
and type 2 (getting login indicators through predefined 7.3 Smudge Attack
images) from one pass-image to five pass-images (1-5 click
points), as well as the corresponding entropies of text pass- A smudge attack [39] is an implicit attack where attackers
words and PIN passwords. We can see that the entropies attempt to extract sensitive information from recent users
of type 1 are larger than those of PIN passwords. With 3 input by inspecting smudges left on touch screens. Since
pass-images the entropy of our proposed system is 18.8 both the horizontal and vertical bars in PassMatrix are scrol-
bits, which is larger than the entropy 18.57 bits of the lable, shifting on any element within the bar can circulate
Android pattern screen lock [48], currently the primary the whole bar. Thus, users do not have to shift the bars by
authentication mechanism of Android devices. For the type touching the login indicators. The smudge left by users may
2 of our proposed system, i.e., obtaining login indicators be quite fixed, but it only indicates the habitual stretching
through graph, random guess attackers require more effort range of the thumb or finger. The length of the smudge left
to crack the system because they need to discover not only on the screen also provides no useful information since the
the correct pass-square but also the correct login indicator in login indicator is generated randomly for each pass-image
each grid. Even if attackers know the pass-square of a pass- and the permutations of elements on both bars are also
image, they still couldnt break into the account without the randomly re-arranged in each pass-image and in each login
correct login indicator of that trial. Therefore, the entropies session. Therefore, the proposed PassMatrix is immune from
of the PassMatrix type 2 systems are significantly larger than smudge attacks.
those of PIN passwords and those of the Android pattern
screen lock with just two pass-images. 8 C ONCLUSION
Furthermore, in some applications such as the OS user
login or web applications on PCs/laptops with big screens, 8.1 Discussion
where images with high resolution can be displayed en- Although we discretized each image into a grid of 7 11,
tirely on the screen without scroll bars, we can set a high which holds 77 squares per image, we still think it is not
discretization degree for images to increase the security secure enough to resist against brute force attacks or random
strength of PassMatrix. For instance, with the size of 40 40 guessing attacks. According to the result of questionnaires
pixels for each square, a 1280 800 image is divided into 32 in the user study, users expressed that they prefer to use
and 20 partitions on the x-axis and on the y-axis respectively, only 1 to 2 pass-images for screen lock after considering the
so that the entropy can be increased to log2 (32 20)n . trade-off between security and usability. This means that the
entropies of PassMatrix in screen lock will be 6.27 bits and
12.53 bits for one pass-image and two pass-images respec-
7.2 Shoulder Surfing Attack tively, and can be strengthened to 12.53 and 25.07 bits when
Due to the fact that shoulder surfing has been a real threat obtaining login indicators through the graphical method. In
to authentication systems with either textual or graphical order to be more secure than the existing Android pattern
passwords, many novel authentication schemes were pro- password with entropy 18.57 bits against brute force attacks,
posed to protect systems from this attack. Unfortunately, users have to set two pass-images and use the graphical
most of them were unsuccessful to alleviate the threat if method to obtain the one-time login indicators.
the shoulder-surfing attack is camera-based. For instance, Like most of other graphical password authentication
some schemes such as PIN-entry method [34] and spy- systems, PassMatrix is vulnerable to random guess attacks
resistant keyboard [19] were designed based on the difficul- based on hot-spot analyzing. This weakness can be im-
ties of short-term memory. Camera-based shoulder surfing proved by letting users upload their own images and there-
attacks can easily crack the passwords of these schemes. fore make it more difficult for attackers to collect statistics
The password spaces of other schemes such as those in of hot-spots. Moreover, because images with less indepen-
CAPTCHA-based method [24], Pass-icons [18] and Color- dent objects usually suffer more on the hot-spot problem,
rings [25] can be narrowed down by camera-based shoulder carefully selecting images with rich objects can alleviate the
surfing attacks. hot-spot based random guess attacks.
The proposed authentication system PassMatrix takes Here we summary the features of PassMatrix. Compared
full advantage of adding extra information to obfuscate the with DAS [6], PassPoints [7] and Marcoss finger-drawn
login process, using an approach to point out the locations doodles [33], PassMatrix is strong enough to resist shoulder
of pass-squares implicitly instead of typing or clicking on surfing attacks, even if the attacks are camera-equipped.
password objects directly. Since the horizontal and vertical And the PIN-entry method [34], FakePointer [35], Wieden-
bars are circulative and thus cover the entire area of the backs scheme [36] and Color Rings [25] do not have enough
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
computational complexity while facing to random guess [7] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon,
attack, which PassMatrix can withstand. Passpoints: Design and longitudinal evaluation of a graphical
password system, International Journal of Human-Computer Studies,
vol. 63, no. 1-2, pp. 102127, 2005.
8.2 Conclusion [8] A. Paivio, T. Rogers, and P. Smythe, Why are pictures easier to
With the increasing trend of web services and apps, users recall than words? Psychonomic Science, 1968.
[9] D. Nelson, U. Reed, and J. Walling, Picture superiority effect,
are able to access these applications anytime and anywhere Journal of Experimental Psychology: Human Learning and Memory,
with various devices. In order to protect users digital prop- vol. 3, pp. 485497, 1977.
erty, authentication is required every time they try to access [10] S. Brostoff and M. Sasse, Are passfaces more usable than pass-
their personal account and data. However, conducting the words? a field trial investigation, PEOPLE AND COMPUTERS,
pp. 405424, 2000.
authentication process in public might result in potential [11] A. De Angeli, M. Coutts, L. Coventry, G. Johnson, D. Cameron,
shoulder surfing attacks. Even a complicated password can and M. Fischer, Vip: a visual approach to user authentication, in
be cracked easily through shoulder surfing. Using tradi- Proceedings of the Working Conference on Advanced Visual Interfaces.
tional textual passwords or PIN method, users need to ACM, 2002, pp. 316323.
[12] B. Ives, K. Walsh, and H. Schneider, The domino effect of pass-
type their passwords to authenticate themselves and thus word reuse, Communications of the ACM, vol. 47, no. 4, pp. 7578,
these passwords can be revealed easily if someone peeks 2004.
over shoulder or uses video recording devices such as cell [13] J. Long and K. Mitnick, No Tech Hacking: A Guide to Social Engi-
phones. neering, Dumpster Diving, and Shoulder Surfing. Elsevier Science,
2011.
To overcome this problem, we proposed a shoulder- [14] T. Kwon, S. Shin, and S. Na, Covert attentional shoulder surf-
surfing resistant authentication system based on graphi- ing: Human adversaries are more powerful than expected, IEEE
cal passwords, named PassMatrix. Using a one-time login Transactions on Systems, Man, and Cybernetics: Systems, vol. 44, no. 6,
indicator per image, users can point out the location of pp. 716727, June 2014.
[15] Google glass snoopers can steal your passcode with a glance,
their pass-square without directly clicking or touching it, http://www.wired.com/2014/06/google-glass-snoopers-can-
which is an action vulnerable to shoulder surfing attacks. steal-your-passcode-with-a-glance/.
Because of the design of the horizontal and vertical bars that [16] M. Sasse, S. Brostoff, and D. Weirich, Transforming the weakest
cover the entire pass-image, it offers no clue for attackers linka human/computer interaction approach to usable and effec-
tive security, BT technology journal, vol. 19, no. 3, pp. 122131,
to narrow down the password space even if they have 2001.
more than one login records of that account. Furthermore, [17] Mobile marketing statistics compilation,
we implemented a PassMatrix prototype on Android and http://www.smartinsights.com/mobile-marketing/mobile-
carried out user experiments to evaluate the memorability marketing-analytics/mobile-marketing-statistics/.
[18] D. Hong, S. Man, B. Hawes, and M. Mathews, A password
and usability. The experimental result showed that users can scheme strongly resistant to spyware, in Proceedings of Interna-
log into the system with an average of 1.64 tries (Median=1), tional conference on security and management, 2004.
and the Total Accuracy of all login trials is 93.33% even two [19] D. Tan, P. Keyani, and M. Czerwinski, Spy-resistant keyboard:
weeks after registration. The total time consumed to log into Towards more secure password entry on publicly observable
touch screens, in Proceedings of OZCHI-Computer-Human Interac-
PassMatrix with an average of 3.2 pass-images is between tion Special Interest Group (CHISIG) of Australia. Canberra, Australia:
31.31 and 37.11 seconds and is considered acceptable by ACM Press. Citeseer, 2005.
83.33% of participants in our user study. [20] M. Kumar, T. Garfinkel, D. Boneh, and T. Winograd, Reducing
Based on the experimental results and survey data, shoulder-surfing by using gaze-based password entry, in Proceed-
ings of the 3rd symposium on Usable privacy and security. ACM,
PassMatrix is a novel and easy-to-use graphical pass- 2007, pp. 1319.
word authentication system, which can effectively alleviate [21] H. Zhao and X. Li, S3pas: A scalable shoulder-surfing resis-
shoulder-surfing attacks. In addition, PassMatrix can be ap- tant textual-graphical password authentication scheme, in Ad-
plied to any authentication scenario and device with simple vanced Information Networking and Applications Workshops, 2007,
AINAW07. 21st International Conference on, vol. 2. IEEE, 2007,
input and output capabilities. The survey data in the user pp. 467472.
study also showed that PassMatrix is practical in the real [22] X. Bai, W. Gu, S. Chellappan, X. Wang, D. Xuan, and B. Ma,
world. Pas: predicate-based authentication services against powerful
passive adversaries, in 2008 Annual Computer Security Applications
Conference. IEEE, 2008, pp. 433442.
R EFERENCES [23] Z. Zheng, X. Liu, L. Yin, and Z. Liu, A stroke-based textual
[1] S. Sood, A. Sarje, and K. Singh, Cryptanalysis of password password authentication scheme, in Education Technology and
authentication schemes: Current status and key issues, in Methods Computer Science, 2009. ETCS09. First International Workshop on,
and Models in Computer Science, 2009. ICM2CS 2009. Proceeding of vol. 3. IEEE, 2009, pp. 9095.
International Conference on, Dec 2009, pp. 17. [24] L. Wang, X. Chang, Z. Ren, H. Gao, X. Liu, and U. Aickelin,
[2] S. Gurav, L. Gawade, P. Rane, and N. Khochare, Graphical Against spyware using captcha in graphical password scheme,
password authentication: Cloud securing scheme, in Electronic in 2010 24th IEEE International Conference on Advanced Information
Systems, Signal Processing and Computing Technologies (ICESC), 2014 Networking and Applications. IEEE, 2010, pp. 760767.
International Conference on, Jan 2014, pp. 479483. [25] D. Kim, P. Dunphy, P. Briggs, J. Hook, J. Nicholson, J. Nichol-
[3] K. Gilhooly, Biometrics: Getting back to business, Computer- son, and P. Olivier, Multi-touch authentication on tabletops, in
world, May, vol. 9, 2005. Proceedings of the 28th international conference on Human factors in
[4] R. Dhamija and A. Perrig, Deja vu: A user study using images computing systems. ACM, 2010, pp. 10931102.
for authentication, in Proceedings of the 9th conference on USENIX [26] Black hat: Google glass can steal your passcodes,
Security Symposium-Volume 9. USENIX Association, 2000, pp. 44. https://www.technologyreview.com/s/529896/black-hat-
[5] Realuser, http://www.realuser.com/. google-glass-can-steal-your-passcodes/.
[6] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, The [27] A. De Luca, M. Harbach, E. von Zezschwitz, M.-E. Maurer, B. E.
design and analysis of graphical passwords, in Proceedings of the Slawik, H. Hussmann, and M. Smith, Now you see me, now
8th conference on USENIX Security Symposium-Volume 8. USENIX you dont: Protecting smartphone authentication from shoulder
Association, 1999, pp. 11. surfers, in Proceedings of the 32Nd Annual ACM Conference on
IEEE Transactions on Dependable and Secure Computing (Volume:PP , MARCH 2016)
Human Factors in Computing Systems, ser. CHI 14. New York, Hung-Min Sun received the B.S. and
NY, USA: ACM, 2014, pp. 29372946. M.S. degrees in applied mathematics from
[28] E. von Zezschwitz, A. De Luca, and H. Hussmann, Honey, National Chung-Hsing University, in 1988 and
i shrunk the keys: Influences of mobile devices on password 1990, respectively, and the Ph.D. degree in
composition and authentication performance, in Proceedings of computer science and information engineering
the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, fromNational Chiao-Tung University, in 1995.
Foundational, ser. NordiCHI 14. New York, NY, USA: ACM, 2014, He was an associate professor with the
pp. 461470. Department of Information Management,
[29] A. Bianchi, I. Oakley, V. Kostakos, and D. S. Kwon, The phone Chaoyang University of Technology, from 1995
lock: Audio and haptic shoulder-surfing resistant pin entry meth- to 1999, the Department of Computer Science
ods for mobile devices, in Proceedings of the Fifth International and Information Engineering, National Cheng-
Conference on Tangible, Embedded, and Embodied Interaction, ser. TEI Kung University, from 2000 to 2002, and the Department of Computer
11. New York, NY, USA: ACM, 2011, pp. 197200. Science, National Cheng-Kung University, from 2002 to 2008. Currently,
[30] A. Bianchi, I. Oakley, and D. S. Kwon, The secure haptic keypad: he is working as a full professor with the Department of Computer
A tactile password system, in Proceedings of the SIGCHI Conference Science, National Tsing Hua University. He has published more than
on Human Factors in Computing Systems, ser. CHI 10. New York, 150 international journal and conference papers. He was the program
NY, USA: ACM, 2010, pp. 10891092. cochair of 2001 National Information Security Conference, and the
[31] I. Oakley and A. Bianchi, Multi-touch passwords for mobile program committee members of many international conferences. He
device access, in Proceedings of the 2012 ACM Conference on Ubiq- was the honor chairs of 2009 International Conference on Computer and
uitous Computing, ser. UbiComp 12. New York, NY, USA: ACM, Automation Engineering, 2009 International Conference on Computer
2012, pp. 611612. Research and Development, and 2009 International Conference on
[32] M. Martinez-Diaz, J. Fierrez, and J. Galbally, The doodb graphical Telecom Technology and Applications. He serves as the editor-in-chief
password database: Data analysis and benchmark results, Access, of the International Journal of Digital Content Technology and its
IEEE, vol. 1, pp. 596605, 2013. Applications, and the editor members of many international journals
[33] M. Martinez-Diaz, J. Fierrez, and J. Galbally, Graphical password- including ISRN Communications and Networking, and International
based user authentication with free-form doodles, IEEE Transac- Journal of Security, Advances in Information Sciences and Service
tions on Human-Machine Systems, vol. PP, no. 99, pp. 18, 2015. Sciences: an International Journal of Research and Innovation,
[34] V. Roth, K. Richter, and R. Freidinger, A pin-entry method re- International Journal of Intelligent Information Processing, and Journal
silient against shoulder surfing, in Proceedings of the 11th ACM of Next Generation Information Technology. He won many best paper
conference on Computer and communications security, ser. CCS 04. awards in academic journal and conferences, including the annual best
New York, NY, USA: ACM, 2004, pp. 236245. paper award from the Journal of Information Science and Engineering
[35] T. Takada, fakepointer: An authentication scheme for improving in 2003, the best paper award in MobiSys09, NSC05, NISC06, NISC07,
security against peeping attacks using video cameras, in Mobile CISC09, and ICS2010. He won the Y. Z. Hsu Scientific Paper Award,
Ubiquitous Computing, Systems, Services and Technologies, 2008. UBI- Far Eastern Y. Z. Hsu Science and Technology Memorial Foundation,
COMM08. The Second International Conference on. IEEE, 2008, pp. 2010. His research interests include network security, cryptography,
395400. and wireless networks.
[36] S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, Design
and evaluation of a shoulder-surfing resistant graphical password
scheme, in Proceedings of the working conference on Advanced visual
interfaces, ser. AVI 06. New York, NY, USA: ACM, 2006, pp. 177 Shiuan-Tung Chen received his B.S. degree in
184. Department of Applied Mathematics from Na-
[37] B. Laxton, K. Wang, and S. Savage, Reconsidering physical key tional Chung Hsing University in 2004, his M.S.
secrecy: Teleduplication via optical decoding, in Proceedings of degree in Department of Information System
the 15th ACM conference on Computer and communications security. and Application from National Tsing Hua Univer-
ACM, 2008, pp. 469478. sity in 2007. He is a Ph.D. student in Department
[38] X. Suo, Y. Zhu, and G. Owen, Analysis and design of graphical of Computer Science of National Tsing Hua
password techniques, Advances in Visual Computing, pp. 741749, University from 2007 to now, and has already
2006. been a Ph.D. candidate. His research interests
[39] A. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. Smith, Smudge include forward error correction codes, reliable
attacks on smartphone touch screens, in USENIX 4th Workshop on data transmission and applied cryptography.
Offensive Technologies, 2010.
[40] S. Chiasson, P. van Oorschot, and R. Biddle, Graphical pass-
word authentication using cued click points, Computer Security
ESORICS 2007, pp. 359374, 2007.
[41] Secure socket layer ssl, http://en.wikipedia.org/wiki/ Jyh-haw Yeh received a B.A. degree in Ap-
Transport\ Layer\ Security. plied Mathematics from National Chung-Hsing
[42] L. Cranor and S. Garfinkel, Security and Usability. OReilly Media, University, Taiwan in 1984, a M.S. degree in
Inc., 2005. Computer Information Science from Cleveland
[43] Google play, https://play.google.com/store/. State University, Cleveland, Ohio in 1993, and
[44] Android developer, http://developer.android.com/index.html. a Ph.D degree in Computer and Information Sci-
[45] Android version of distribution, http://developer.android. ence and Engineering from University of Florida
com/resources/dashboard/platform-versions.html. in 1999. He joined the department of Computer
[46] J. Thorpe and P. van Oorschot, Human-seeded attacks and Science at Boise State University in 2000 and
exploiting hot-spots in graphical passwords, in Proceedings of was awarded tenure at 2006. He served as an
16th USENIX Security Symposium on USENIX Security Symposium. editor, track chair or PC member in an array of
USENIX Association, 2007, p. 8. international journals and conference proceedings. He also served as
[47] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, a Panelist of 2008 NSF Cyber Trust Program. His current research
Authentication using graphical passwords: effects of tolerance interests are in the area of computer security, cloud security and cryp-
and image choice, in Proceedings of the 2005 symposium on Usable tography.
privacy and security. ACM, 2005, pp. 112.
[48] Android 2.2 platform highlights, http://developer.android.
com/sdk/android-2.2-highlights.html,.
Chia-Yun Cheng received her B.S. degree in Department of Information
Management from National Sun Yat-sen University in 2010, her M.S. de-
gree in Department of Information System and Application from National
Tsing Hua University in 2012. Her research interests include wireless
network security, multimedia security and applied cryptography.