A PIN-entry method resilient against shoulder surfing

Röth, Volker; Richter, Kai; Freidinger, Rene

doi:10.1145/1030083.1030116

Cited by 216 publications

(149 citation statements)

References 22 publications

Supporting

Mentioning

138

Contrasting

Unclassified

Order By: Relevance

“…Roth et al [26] focused their attention on handling PINs of magnetic strip cards, where each PIN digit is inserted by the user in several rounds. In each round, the system shows the possible digits randomly partitioned into two sets, whose elements are depicted with a different color (e.g.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost Devices

Galdi¹

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Passwords and PINs are still the most deployed authentication mechanisms and their protection is a classical branch of research in computer security. Several password schemes, as well as more sophisticated tokens, algorithms, and protocols, have been proposed during the last years. Some proposals require dedicated devices, such as biometric sensors, whereas, others of them have high computational requirements. Graphical passwords are a promising research branch, but implementation of many proposed schemes often requires considerable resources (e.g., data storage, high quality displays) making difficult their usage on small devices, like old fashioned ATM terminals, smart cards and many low-price cellular phones.In this paper we present a graphical mechanism that handles authentication by means of a numerical PIN, that users have to type on the basis of a secret sequence of objects and a graphical challenge. The proposed scheme can be instantiated in a way to require low computation capabilities, making it also suitable for small devices with limited resources. We prove that our scheme is effective against "shoulder surfing" attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

“…The intersection of sets selected at every round gives the PIN digit for the user. The security of the scheme against attacks performed by adversaries either with human memorization capabilities or with camera recording capabilities was also discussed in [26].…”

Section: Related Workmentioning

confidence: 99%

A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost Devices

Galdi¹

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Static password schemes, 13 one-time password (OTP) schemes [18], password schemes resilient to shoulder surfing attacks [12,27], and schemes generating domain-specific passwords from a combination of single user-chosen passwords and multiple domain-specific keys [26,11] can all be used to authenticate users and thereby solve parts of the problem of phishing and/or IDF. Our scheme can be viewed as a careful combination of known and modified tools and techniques (e.g.…”

Section: Related Work and Comparisonmentioning

confidence: 99%

CROO: A Universal Infrastructure and Protocol to Detect Identity Fraud

Nali

Oorschot

2008

Computer Security - ESORICS 2008

View full text Add to dashboard Cite

Abstract. Identity fraud (IDF) may be defined as unauthorized exploitation of credential information through the use of false identity. We propose CROO, a universal (i.e. generic) infrastructure and protocol to either prevent IDF (by detecting attempts thereof), or limit its consequences (by identifying cases of previously undetected IDF). CROO is a capture resilient one-time password scheme, whereby each user must carry a personal trusted device used to generate one-time passwords (OTPs) verified by online trusted parties. Multiple trusted parties may be used for increased scalability. OTPs can be used regardless of a transaction's purpose (e.g. user authentication or financial payment), associated credentials, and online or on-site nature; this makes CROO a universal scheme. OTPs are not sent in cleartext; they are used as keys to compute MACs of hashed transaction information, in a manner allowing OTP-verifying parties to confirm that given user credentials (i.e. OTPkeyed MACs) correspond to claimed hashed transaction details. Hashing transaction details increases user privacy. Each OTP is generated from a PIN-encrypted non-verifiable key; this makes users' devices resilient to off-line PIN-guessing attacks. CROO's credentials can be formatted as existing user credentials (e.g. credit cards or driver's licenses).

show abstract

“…McCune [27] proposes the use of a visual channel to secure authentication, users scan barcodes with their smartphones. Roth et al [28] propose a challenge-based approach to PIN-entry that minimises the threat of user's being observed entering their authentication secret . Nevertheless, while the proposed approach is not particularly burdensome, especially so when contrasted with the aforementioned approaches, Roth et al reported that users simply did not perceive the benefits as worth the cost of entry.…”

Section: Introductionmentioning

confidence: 99%

ZeTA-Zero-Trust Authentication: Relying on Innate Human Ability, Not Technology

Gutmann

Renaud

Maguire

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Abstract-Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

show abstract

A PIN-entry method resilient against shoulder surfing

Cited by 216 publications

References 22 publications

A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost Devices

A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost Devices

CROO: A Universal Infrastructure and Protocol to Detect Identity Fraud

ZeTA-Zero-Trust Authentication: Relying on Innate Human Ability, Not Technology

Contact Info

Product

Resources

About