Shoulder Surfing: From An Experimental Study to a Comparative Framework

by Leon Bošnjak, et al.

Shoulder surfing is an attack vector widely recognized as a real threat - enough to warrant researchers dedicating considerable effort toward designing novel authentication methods to be shoulder surfing resistant. Despite a multitude of proposed solutions over the years, few have employed empirical evaluations and comparisons between different methods, and our understanding of the shoulder surfing phenomenon remains limited. Barring the challenges in experimental design, the reason for that can be primarily attributed to the lack of objective and comparable vulnerability measures. In this paper, we develop an ensemble of vulnerability metrics, a first endeavour toward a comprehensive assessment of a given method's susceptibility to observational attacks. In the largest on-site shoulder surfing experiment (n = 274) to date, we verify the model on four conceptually different authentication methods in two observation scenarios. On the example of a novel hybrid authentication method based on associations, we explore the effect of input type on the adversary's effectiveness. We provide first empirical evidence that graphical passwords are easier to observe; however, that does not necessarily mean that the observed information will allow the attacker to guess the victim's password more easily. An in-depth analysis of individual metrics within the clusters offers insight into many additional aspects of the shoulder surfing attack not explored before. Our comparative framework advances the evaluation of shoulder surfing and furthers our understanding of observational attacks. The results have important implications for future shoulder surfing studies and the field of Password Security as a whole.


