Preventing Shoulder Surfing using
Randomized Augmented Reality Keyboards
Anindya Maiti, Murtuza Jadliwala, and Chase Weber
March 13, 2017
Table of Contents
1. Introduction
2. Related Work
3. Adversary Model
4. Proposed Defense Model
5. Evaluation
6. Discussion
7. Conclusion
Introduction
Keystroke Inference Attacks - Visual Shoulder Surfing
Visual Shoulder Surfing: Direct observation techniques, such as
looking over someone’s shoulder, to obtain typed information
(such as passwords, PINs, credit card details, emails, etc.).
Keystroke Inference Attacks - Side-Channel Shoulder Surfing
Side-Channel Shoulder Surfing: Indirect observation techniques,
such as analysis of keystroke emanations or wrist movements,
to infer typed information.
How to Protect Keystroke Privacy?
Randomizing the keyboard layout from the default to something
different.
Limitations: Works only against side-channel shoulder surfing,
and requires a dynamically changeable keypad.
Our Solution:
Key Randomization + Augmented Reality = Keystroke Privacy
Related Work
Keystroke Privacy
Kumar et al. [11] proposed EyePassword, where the orientation of the
user’s pupils was used for password entry.
Graphical passwords have also been proposed as an alternative, where
users select a predetermined image or set of images in a particular
order [12] [13].
Recently, Yan et al. [17] proposed CoverPad where a user covers
the screen (by hand) to securely read a hidden message that
contains information on removing the correlation between the
actual password (or PIN) and the one entered by the user.
Limitations of Previous Works
Focus on preventing shoulder surfing attacks only for
authentication information such as passwords or PINs.
Graphical passwords are not completely secure against visual
shoulder-surfing attacks [15] [16].
Usability factors.
Our model protects all kinds of textual inputs, against both visual
and side-channel shoulder surfing attacks.
Adversary Model
Eavesdropping Adversary
[Figure labels: Eavesdropping Adversary, User.]
The adversary may attempt to accomplish the keystroke
inference attack directly using the visual channel,
or using other forms of side channels.
Proposed Defense Model
Key Randomization + Augmented Reality
[Figure labels: Eavesdropping Adversary, User Wearing Augmented Reality Device; example layout table pairing A with H, B with Q, and so on.]
To obscure keystrokes from the eavesdropping adversary,
we propose the use of randomized keyboard layouts
in conjunction with an augmented reality device.
Randomization Strategies
[Figure labels: Row 2, Row 1, Row 3.]
Individual Key Randomization (IKR), Row Shifting (RS), and
Column Shifting (CS).
Security Analysis (Based on Possible Number of Unique Layouts):
IKR > CS > RS
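An added sketch (not from the slides or the authors' prototype) of the three strategies over the alphabetic QWERTY keys, with the layout counts behind the ordering above. The slides do not define RS and CS precisely: here RS is assumed to be an independent cyclic shift of each row and CS an independent cyclic rotation of each column, and all function names are hypothetical.

```python
import math
import secrets

ROWS = ["QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]   # alphabetic keys only
_rng = secrets.SystemRandom()                   # CSPRNG, so layouts are unpredictable

def columns():
    """Column i = the i-th key of every row long enough to have one."""
    return ["".join(r[i] for r in ROWS if i < len(r)) for i in range(len(ROWS[0]))]

def _rotate_groups(groups):
    """Assumed RS/CS model: rotate each group by its own random offset."""
    layout = {}
    for g in groups:
        s = _rng.randrange(len(g))
        for i, key in enumerate(g):
            layout[key] = g[(i + s) % len(g)]
    return layout          # physical key -> letter the AR overlay shows on it

def ikr():
    """Individual Key Randomization: a uniformly random permutation of all keys."""
    keys = list("".join(ROWS))
    shown = keys[:]
    _rng.shuffle(shown)
    return dict(zip(keys, shown))

def rs():
    return _rotate_groups(ROWS)

def cs():
    return _rotate_groups(columns())

def layout_counts():
    """Number of distinct layouts each strategy can produce (identity included)."""
    return {
        "IKR": math.factorial(sum(len(r) for r in ROWS)),
        "CS": math.prod(len(c) for c in columns()),
        "RS": math.prod(len(r) for r in ROWS),
    }

def physical_presses(text, layout):
    """Keys an observer sees pressed when the user types `text` by AR label."""
    label_to_key = {label: key for key, label in layout.items()}
    return "".join(label_to_key[ch] for ch in text)

def decode(presses, layout):
    """What the host recovers from the physical presses, knowing the layout."""
    return "".join(layout[k] for k in presses)
```

Under these assumed models the counts are 26! for IKR, 8748 for CS and 630 for RS, so the small RS and CS layout spaces are the practical trade-off against their more familiar key arrangement.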
Proof-of-Concept
A QWERTY keyboard with alphabetic Hiro markers glued on top
of the corresponding alphabet keys.
Proof-of-Concept
An instance of the augmented keyboard with the IKR strategy, as
observed by a typist wearing an EPSON Moverio BT-200.
Custom implementation of ARToolKit library [19] in Android 4.0.
Evaluation
Experimental Setup
Study Design:
• Anker A7726121 Bluetooth keyboard (with Hiro markers).
• EPSON BT-200 with 640x480 resolution front camera.
• 13 participants.
Task:
• Audio-visual instructions on what to type on the keyboard.
• The 26 letters of the English alphabet in random order.
• 5 familiar words: first name, last name, hometown, address
street, and area of work.
• An experimental password of choice.
Results - Typing Speed
[Figure: average keystroke interval (seconds) for the QWERTY, IKR, CS and RS layouts; series: Random Letters, Familiar Words, Password.]
Results suggest that there is an increase in task completion time.
However, it may decrease with prolonged usage and habituation.
Results - Typing Accuracy
[Figure: typing accuracy (%) for the QWERTY, IKR, CS and RS layouts; series: Random Letters, Familiar Words, Password.]
Typing accuracies are comparable to typing on QWERTY
keyboards.
Results - Perceived Task Load (NASA-TLX)
[Figure: TLX score by category: Overall Score, Mental, Physical, Temporal, Perform, Effort, Frustration.]
Low: Physical demand, Temporal demand and Performance Issues.
However, a few participants complained about lag in rendering of the
keys, noticeable when the user moves his/her head.
High: Mental demand and Effort.
Discussion
Limitations and Future Work
Hardware Limitations: Camera resolution of EPSON BT-200 is
extremely low (640x480 pixels), which makes marker recognition
error-prone and difficult, especially at a distance from the
keyboard. These limitations can be resolved with advances in
augmented reality device technology.
Usability: We plan to conduct a comprehensive usability study
with the help of a significant number of participants, prolonged
natural typing experiments, and standard usability metrics.
Generalization to Other Keyboards
Proposed design can be easily generalized and deployed across
different types of keyboards/keypads.
Character recognition, instead of the exemplary marker recognition
used in our prototype, can enable such a generalized design.
Conclusion
We proposed a novel technique to overcome various forms of
shoulder surfing attacks on physical keyboards.
Preliminary evaluation showed that keyboard randomization
strategies and augmentation do increase the time required by
users to complete their typing tasks.
Requires further investigation on usability and prolonged usage.