Our research broadly examines issues related to the usability, security and privacy of mobile device authentication. More specifically, we examine the ways in which current authentication mechanisms are used, analyze the passcodes that are selected, investigate attitudes related to security and privacy among different user groups, and investigate shoulder-surfing vulnerability in order to establish baseline measurements. Our research also examines the feasibility of technologies to resist observer and guessing attacks. Guidance developed from our studies aims to support mobile device users when authenticating, and aid interface designers when developing unlock mechanisms. The research is a collaborative effort between USNA and UMBC, funded through the Office of Naval Research.
Impact of Grid Size for Unlock Mechanisms on Mobile Devices
Mobile devices on the Android OS can be unlocked by “drawing” a pattern that connects a sequence of contact points arranged in a 3x3 grid. However, patterns selected for small grids are known to be guessable. We investigated whether increasing the grid size increases the security of human-generated patterns. Our findings suggest both yes and no.
H4Plock – A gestural and tactile solution to support mobile authentication
H4Plock aims to support authentication and better resist observer attacks. In order to authenticate, the user enters up to four pre-selected on-screen free-form gestures, informed by tactile prompts. The system has been designed in such a way that the sequence of gestures will vary on each authentication attempt, reducing the capability of a shoulder surfer to recreate entry.
Our research has examined the feasibility of Brain–Computer Interface (BCI) and gestural technologies to support the process of authentication. Unlike other input modalities, tokens detected using a BCI headset (e.g., “push,” “lift,” “excitement”) can overcome some of the security vulnerabilities associated with PIN authentication (e.g., observations from third parties). A study was conducted to compare performance against 4-digit PINs. The work was then extended to identify the benefits of these technologies for individuals who are blind.
Emotiv Epoc used for study
Publications: IJHCI 2017, ASSETS 2017
Faculty: Adam J Aviv (USNA), Ravi Kuber (UMBC)
Students: Charles Lechner (UMBC), Sidas Saulynas (UMBC)
When faced with the threat of observational attacks, mobile device users may attempt to mask the graphical interface to authenticate entry, to reduce the likelihood of third parties viewing and recreating the authentication sequence. A study was conducted examining the efficacy of authenticating entry using both PINs and graphical patterns when the mobile interface is outside of the line of sight of third parties and the user (termed: non-observable). A tactile aid to support assistive spatialization was also evaluated. A classification process has been conducted on gesture traces to identify strategies taken for unlocking and using tactile feedback.
Developing Baseline Measurements for Shoulder Surfing Analysis
A comprehensive study of shoulder surfing was conducted based on video recordings of a victim authenticating, to better understand how attacks can be affected by different factors. Authentication type and length, observation angle, phone size and method of interaction were varied. The findings can both help inform users to improve their security choices and establish baselines for researchers.
Focused view shown to participants
Publications: ACSAC 2017, CHI 2017, ACSAC 2018
Faculty: Adam J Aviv (USNA), Ravi Kuber (UMBC)
Students: John Davin (USNA), Flynn Wolf (UMBC), KC Marume (UMBC)
Understanding User Selections of Passcodes
Studies have been undertaken to analyze the impact of collection methods and demographics, and examine the impact of alphabet and culture on graphical passcodes.
Empirical investigations have been undertaken to examine the difficulties of balancing security and usability for mobile interactions. Our work has specifically examined the needs of security-conscious users, whose attitudes and usage behaviors differ from those with lower levels of security training/exposure, and examined adoption of technologies such as biometrics. Our research has also examined the ways in which user attitudes towards privacy and security relating to mobile devices and the data stored thereon may impact the strength of unlock authentication, focusing on Android’s graphical unlock patterns.
Wolf, F., Kuber, R. & Aviv, A.J., 2018: How Do We Talk Ourselves Into These Things? Challenges with Adoption of Biometric Authentication for Expert and Non-Expert Users. To appear in Thirteenth Symposium on Usable Privacy and Security – SOUPS’18, Baltimore, MD. (Poster refers to pre-published CHI extended abstract)