IFTT-PIN: A Self-Calibrating PIN-Entry Method

Published 2 Jul 2024 in cs.HC, cs.AI, cs.CR, and cs.LG | (2407.02269v1)

Abstract: Personalising an interface to the needs and preferences of a user often incurs additional interaction steps. In this paper, we demonstrate a novel method that enables the personalising of an interface without the need for explicit calibration procedures, via a process we call self-calibration. A second-order effect of self-calibration is that an outside observer cannot easily infer what a user is trying to achieve because they cannot interpret the user's actions. To explore this security angle, we developed IFTT-PIN (If This Then PIN) as the first self-calibrating PIN-entry method. When using IFTT-PIN, users are free to choose any button for any meaning without ever explicitly communicating their choice to the machine. IFTT-PIN infers both the user's PIN and their preferred button mapping at the same time. This paper presents the concept, implementation, and interactive demonstrations of IFTT-PIN, as well as an evaluation against shoulder surfing attacks. Our study (N=24) shows that by adding self-calibration to an existing PIN entry method, IFTT-PIN statistically significantly decreased PIN attack decoding rate by ca. 8.5 times (p=1.1e-9), while only decreasing the PIN entry encoding rate by ca. 1.4 times (p=0.02), leading to a positive security-usability trade-off. IFTT-PIN's entry rate significantly improved 21 days after first exposure (p=3.6e-6) to the method, suggesting self-calibrating interfaces are memorable despite using an initially undefined user interface. Self-calibration methods might lead to novel opportunities for interaction that are more inclusive and versatile, a potentially interesting challenge for the community. A short introductory video is available at https://youtu.be/pP5sfniNRns.
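The abstract states that IFTT-PIN infers the user's PIN and the user's private button mapping at the same time, without an explicit calibration step. The following simulation is an added illustration of that joint-inference idea and is not code from the paper or its authors; it assumes a Roth-style entry step (each round the ten digits are coloured yellow or grey at random, and the user answers with one of four buttons whose meanings only the user has decided). The machine keeps every (digit, mapping) hypothesis, discards those that cannot explain an observed press, and stops once a single digit survives, even if the mapping of unused buttons is still ambiguous.

```python
import random
from itertools import product

# Constructed model of one self-calibrating PIN-digit entry (illustration only).
# Assumption: each round colours the ten digits yellow/grey at random, the user
# presses any of BUTTONS buttons, and only the user knows which buttons mean
# "my digit is yellow" and which mean "my digit is grey".
BUTTONS = 4
MEANINGS = ("yellow", "grey")
DIGITS = tuple(range(10))


def all_hypotheses():
    """Joint hypothesis space: (digit, mapping), where mapping[b] is the
    meaning of button b. The machine starts with every combination."""
    return {(d, m) for d in DIGITS for m in product(MEANINGS, repeat=BUTTONS)}


def random_colouring(rng):
    """Fresh 5/5 split of the digits into yellow and grey for one round."""
    order = list(DIGITS)
    rng.shuffle(order)
    yellow = set(order[:5])
    return {d: ("yellow" if d in yellow else "grey") for d in DIGITS}


def consistent(hyp, colouring, button):
    """A hypothesis explains the press iff the meaning it assigns to the
    pressed button equals the colour its digit has on this screen."""
    digit, mapping = hyp
    return mapping[button] == colouring[digit]


def update(hypotheses, colouring, button):
    """Self-calibration step: keep only hypotheses consistent with the press."""
    return {h for h in hypotheses if consistent(h, colouring, button)}


def remaining_digits(hypotheses):
    return {d for d, _ in hypotheses}


class SimulatedUser:
    """Holds the secret digit and a private button mapping never sent to the machine."""

    def __init__(self, digit, mapping):
        self.digit = digit
        self.mapping = mapping  # tuple of MEANINGS, one entry per button

    def press(self, colouring, rng):
        colour = colouring[self.digit]
        # Any button the user privately associates with that colour is valid.
        candidates = [b for b in range(BUTTONS) if self.mapping[b] == colour]
        return rng.choice(candidates)


def infer_digit(user, seed=0, max_rounds=200):
    """Run rounds until exactly one digit survives.

    Returns (digit_or_None, surviving hypotheses, rounds used). The mapping
    may remain partly ambiguous for buttons the user never pressed; that does
    not prevent the digit from being identified.
    """
    rng = random.Random(seed)
    hyps = all_hypotheses()
    for rounds in range(1, max_rounds + 1):
        colouring = random_colouring(rng)
        button = user.press(colouring, rng)
        hyps = update(hyps, colouring, button)
        digits = remaining_digits(hyps)
        if len(digits) == 1:
            return next(iter(digits)), hyps, rounds
    return None, hyps, max_rounds


if __name__ == "__main__":
    user = SimulatedUser(digit=7, mapping=("grey", "yellow", "yellow", "grey"))
    digit, hyps, rounds = infer_digit(user, seed=42)
    print(f"inferred digit {digit} after {rounds} rounds; "
          f"{len(hyps)} (digit, mapping) hypotheses still consistent")
```

The elimination rule is the whole mechanism: the machine never asks for the mapping, it simply refuses to believe any (digit, mapping) pair that would have produced a different press on a screen it already showed. Because the true pair is consistent with every press by construction, it always survives, and the random re-colouring each round is what drives the wrong digits out.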

