Usability and Security of Text Passwords on Mobile Devices

Melicher, William; Kurilova, Darya; Segreti, Sean M.; Kalvani, Pranshu; Shay, Richard; Ur, Blase; Bauer, Lujo; Christin, Nicolas; Cranor, Lorrie Faith; Mazurek, Michelle L.

doi:10.1145/2858036.2858384

Cited by 67 publications

(51 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Password based authentication, sometimes called an alphanumeric passcode: where a user is asked to recall a standard text-based password (entered using a so -keyboard) to unlock the device. e usability and security of PINs [9,40], pa erns [4,36] and passwords [22,29] have been well documented by researchers. Beyond these methods, picture-based [46] and biometric based mechanisms are also used to unlock mobile devices.…”

Section: Background and Related Workmentioning

confidence: 99%

Towards Baselines for Shoulder Surfing on Mobile Authentication

Aviv

Davin

Wolf

et al. 2017

Proceedings of the 33rd Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder sur ng, a form of an observation a ack. While the research community has investigated solutions to minimize or prevent the threat of shoulder sur ng, our understanding of how the a ack performs on current systems is less well studied. In this paper, we describe a large online experiment (n = 1173) that works towards establishing a baseline of shoulder sur ng vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering in a set of 4-and 6-length PINs and Android unlock pa erns on di erent phones from di erent angles, we asked participants to act as a ackers, trying to determine the authentication input based on the observation. We nd that 6-digit PINs are the most elusive a acking surface where a single observation leads to just 10.8% successful a acks (26.5% with multiple observations). As a comparison, 6-length Android pa erns, with one observation, were found to have an a ack rate of 64.2% (79.9% with multiple observations). Removing feedback lines for pa erns improves security to 35.3% (52.1% with multiple observations). is evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best and worst case scenarios related to shoulder sur ng vulnerability which can both help inform users to improve their security choices, as well as establish baselines for researchers. CCS CONCEPTS•Security and privacy → Graphical / visual passwords; Social aspects of security and privacy;

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Towards Baselines for Shoulder Surfing on Mobile Authentication

Aviv

Davin

Wolf

et al. 2017

Proceedings of the 33rd Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…In addition, the properties of the authentication device play a major role in this process. The authors of [159] investigated the usability of textual passwords on mobile devices. It was proven that using a smartphone or other keyboardless equipment for creating a password suffers from poor usability as compared to conventional personal computers.…”

Section: Usabilitymentioning

confidence: 99%

Multi-Factor Authentication: A Survey

et al. 2018

View full text Add to dashboard Cite

Today, digitalization decisively penetrates all the sides of the modern society. One of the key enablers to maintain this process secure is authentication. It covers many different areas of a hyper-connected world, including online payments, communications, access right management, etc. This work sheds light on the evolution of authentication systems towards Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). Particularly, MFA is expected to be utilized for human-to-everything interactions by enabling fast, user-friendly, and reliable authentication when accessing a service. This paper surveys the already available and emerging sensors (factor providers) that allow for authenticating a user with the system directly or by involving the cloud. The corresponding challenges from the user as well as the service provider perspective are also reviewed. The MFA system based on reversed Lagrange polynomial within Shamir's Secret Sharing (SSS) scheme is further proposed to enable more flexible authentication. This solution covers the cases of authenticating the user even if some of the factors are mismatched or absent. Our framework allows for qualifying the missing factors by authenticating the user without disclosing sensitive biometric data to the verification entity. Finally, a vision of the future trends in MFA is discussed.

show abstract

“…Despite the significant advancements in authentication on smartphones and tablets, text passwords continue to be one of the most widely used schemes on handheld mobile devices. They are often used when accessing services such as emails, online banking, e-shopping, and more [21].…”

Section: Introductionmentioning

confidence: 99%

“…Entering text passwords on mobile devices is not only error prone and time consuming [13,21,23], but also subject to shoulder surfing [4,27]. Melicher et al reported that users take 20% longer to enter passwords on mobile devices, and made twice as many errors [21].…”

Section: Introductionmentioning

confidence: 99%

Passquerade

Khamis

Seitz

Leonhard

et al. 2019

Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Figure 1: We investigate how graphical filters impact the usability and security of text passwords on mobile devices compared to displaying them in plain text or asterisks. It is difficult to mentally reverse distortions, hence it is challenging for observers to know what the text passwords above are. At the same time, if a user knows that the leftmost word is Color-Halftone, they can easily map the word's letters to the distortions. This improves error correction, while maintaining observation resistance. ABSTRACTEntering text passwords on mobile devices is a significant challenge. Current systems either display passwords in plain text: making them visible to bystanders, or replace characters with asterisks shortly after they are typed: making editing them harder. This work presents a novel approach to mask text passwords by distorting them using graphical filters. Distorted passwords are difficult to observe by attackers because they cannot mentally reverse the distortions. Yet passwords remain readable by their owners because humans can recognize visually distorted versions of content they saw before. We present results of an online questionnaire and a user study where we compared Color-halftone, Crystallize, Blurring, and Mosaic filters to Plain text and Asterisks when 1) entering, 2) editing, and 3) shoulder surfing one-word passwords, random character passwords, and passphrases. Rigorous analysis shows that Color-halftone and Crystallize filters significantly improve editing speed, editing accuracy and observation resistance compared to current approaches. CCS CONCEPTS• Security and privacy → Authentication; • Human-centered computing → Human computer interaction.

show abstract

Usability and Security of Text Passwords on Mobile Devices

Cited by 67 publications

References 34 publications

Towards Baselines for Shoulder Surfing on Mobile Authentication

Towards Baselines for Shoulder Surfing on Mobile Authentication

Multi-Factor Authentication: A Survey

Passquerade

Contact Info

Product

Resources

About