Shoulder Surfing: From An Experimental Study to a Comparative Framework

02/07/2019
by Leon Bošnjak, et al.

Shoulder surfing is an attack vector widely recognized as a real threat - enough to warrant researchers dedicating considerable effort toward designing novel authentication methods that are resistant to shoulder surfing. Despite a multitude of proposed solutions over the years, few have been subjected to empirical evaluation or compared against other methods, and our understanding of the shoulder surfing phenomenon remains limited. Apart from the challenges of experimental design, the main reason for this is the lack of objective and comparable vulnerability measures. In this paper, we develop an ensemble of vulnerability metrics, a first endeavour toward a comprehensive assessment of a given method's susceptibility to observational attacks. In the largest on-site shoulder surfing experiment to date (n = 274), we verify the model on four conceptually different authentication methods in two observation scenarios. Using a novel hybrid authentication method based on associations as an example, we explore the effect of input type on the adversary's effectiveness. We provide the first empirical evidence that graphical passwords are easier to observe; however, this does not necessarily mean that the observed information will allow the attacker to guess the victim's password more easily. An in-depth analysis of the individual metrics within the clusters offers insight into many additional aspects of the shoulder surfing attack not explored before. Our comparative framework advances the evaluation of shoulder surfing and furthers our understanding of observational attacks. The results have important implications for future shoulder surfing studies and for the field of password security as a whole.
