UPSI Digital Repository (UDRep)
Abstract : Universiti Pendidikan Sultan Idris

Although conventional PIN-entry methods are widely used in many daily authentication procedures, they are highly susceptible to shoulder-surfing attacks. A plethora of PIN-entry methods have been proposed in the literature to mitigate such attacks. Unfortunately, none of these methods is capable of replacing the conventional PIN-entry method. This study presents the results of a systematic review of PIN-entry methods resistant to shoulder-surfing attacks, in order to identify the main challenges that impede their adoption along with opportunities for future research. A systematic search was conducted on seven databases using predefined criteria. A test–retest approach was performed by a single author to extract data. A total of 55 articles were included in this review. The review results show that PIN-entry methods are classified mainly into direct and indirect inputs. The user study was the standard research method, and error rate and PIN-entry time were the most frequently adopted usability measures. The review argues that a recording-based shoulder-surfing attack is a major threat to PIN-entry methods. Error rate and PIN-entry time are widely adopted criteria for usability. The review indicates that most PIN-entry methods incur a higher error rate and PIN-entry time than the conventional method.
Farid Binbeshr is a PhD student at the Department of Computer System and Technology, University of Malaya, Malaysia. He obtained his Master’s degree in Computer Networks from King Fahd University of Petroleum & Minerals (KFUPM), Dhahran, Saudi Arabia, in 2014. His areas of research interest are network security, authentication, and cryptography.

M.L. Mat Kiah joined the Faculty of Computer Science and Information Technology, University of Malaya, Malaysia as a tutor in 1997. She was appointed as a lecturer in 2001. She received her BSc. (Hons) in Computer Science from the University of Malaya in 1997, an MSc from Royal Holloway, University of London, UK in 1998 and a Ph.D., also from Royal Holloway, University of London, in 2007. She is a full Professor at the Department of Computer System and Technology, Faculty of Computer Science and Information Technology, University of Malaya. Since 2008, she has been actively doing research, particularly in the security area of computing and networking. Among her research grants were a High-Impact Research Grant by the Ministry of Higher Education, Malaysia in 2012 for a duration of 4 years, working on a secure framework for Electronic Medical Records, and an eScience grant by the Ministry of Science, Technology and Innovation in 2013 for a duration of 3 years, working on Secure Group Communication for Critical National Information Infrastructure (CNII). Her current research interests include Cyber Security, IoT and Cryptography.

Lip Yee Por received the Ph.D. degree from University of Malaya, Malaysia in 2012. Currently, he is an Associate Professor at the Department of Computer System and Technology, University of Malaya, Malaysia. In general, his research interests are bioinformatics (e.g. biosensors, pain research), computer security (e.g. information security, steganography, authentication (graphical password)), neural networks (e.g. supervised and unsupervised learning methods such as support vector machine, extreme learning machine), grid computing, and e-learning frameworks.

A.A. Zaidan received his first class B.Eng. degree in Computer Engineering in 2004 from University of Technology, Baghdad, Iraq. Then, he received his M.Sc. degree in Data Communications and Computer Networks in 2009 from University of Malaya, Malaysia. He then received his Ph.D. degree in artificial intelligence in 2013 from Multimedia University, Malaysia. Currently, he is working as an associate professor at the Department of Computing, Universiti Pendidikan Sultan Idris. He has led and been a member of many funded research projects, and he has published more than 200 papers at various indexed international conferences and journals. His research areas are Data Science & Analysis and Cyber Security.
This material may be protected under Copyright Act which governs the making of photocopies or reproductions of copyrighted materials. You may use the digitized material for private study, scholarship, or research.