
Tactile One-Time Pad: Leakage-Resilient Authentication for Smartphones

  • Conference paper
  • Financial Cryptography and Data Security (FC 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8975)

Abstract

Smartphones are now widely used, with a market share already above 55 % according to recent studies. They often hold sensitive or private data that an attacker can easily access once the device is unlocked. Because smartphones are mobile, everyday gadgets, they are easily lost or stolen. To keep an attacker from accessing the data, access control mechanisms such as user authentication are needed. However, commonly used authentication mechanisms like PINs, passwords, and patterns share the same weakness: they are vulnerable to various attacks, most notably shoulder surfing. To prevent shoulder surfing, a secure channel between the smartphone and the user must be established that an adversary cannot eavesdrop on.

In this paper, we concentrate on the smartphone's tactile feedback to add a new security layer to plain PIN-based authentication. The key idea is to use vibrations as an additional channel that complements the PIN with a tactile one-time pattern. To calibrate the usability of our approach, we developed a game, played by more than 220 participants, to determine the shortest vibration duration most people can sense. In a security evaluation, we recorded the acoustic signal of the vibration motor of five different smartphones at four different locations with a high-end microphone and cross-correlated a login scenario with a pre-recorded acoustic fingerprint of each device. Our evaluation results show that an attacker cannot recover the user's secret under normal conditions, e.g., in a restaurant or during a conversation, even with professional equipment. Finally, we show that the overhead of our approach is reasonable in practice and outperforms prior work.
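The abstract names two things a practitioner will want to see in code: how a tactile one-time pattern can make the typed PIN digits useless to a shoulder surfer, and how an attacker with a microphone would try to read the vibration channel back by cross-correlating a recording against a per-device acoustic fingerprint. The toy model below is an added example, not the authors' code or their measured data. The combination rule (the user types digit + shift mod 10), the encoding of each shift as a count of short pulses, the slot timings, the Gaussian noise model and the damped-sinusoid "fingerprint" are all assumptions made for illustration; the paper's actual scheme and results are in the full text.

```python
"""Toy model of a tactile one-time pad for PIN entry, plus the acoustic
cross-correlation attack on the vibration channel. Illustrative only: the
combination rule, pulse encoding, timings, noise model and motor fingerprint
are assumptions for this example, not taken from the paper."""
import math
import random

PIN_LEN = 4
SLOT = 400        # samples reserved per PIN digit (assumed timing)
GUARD = 20        # samples of silence at the start of each slot
PULSE_GAP = 40    # samples between the starts of consecutive pulses
FP_LEN = 24       # samples in one pulse's acoustic fingerprint


def motor_fingerprint():
    """Constructed stand-in for a device's recorded pulse signature
    (a damped sinusoid). Real fingerprints are measured per device."""
    return [math.exp(-i / 8.0) * math.sin(1.1 * i) for i in range(FP_LEN)]


def new_pad(rng):
    """Fresh one-time pad: one uniformly random shift in 0..9 per digit."""
    return [rng.randrange(10) for _ in range(PIN_LEN)]


def user_entry(pin, pad):
    """Assumed combination rule: the user types (digit + shift) mod 10, so
    the typed digits are uniform and reveal nothing to a shoulder surfer."""
    return [(int(d) + s) % 10 for d, s in zip(pin, pad)]


def verify(pin, pad, entered):
    """Phone side: recompute the expected entry from PIN and pad."""
    return entered == user_entry(pin, pad)


def render_vibration(pad, fp, noise_sigma, rng=None):
    """Assumed channel encoding: shift s is sent as s short pulses inside
    the digit's time slot. Returns a noisy 'microphone recording'."""
    rng = rng or random.Random(0)
    rec = [rng.gauss(0.0, noise_sigma) for _ in range(PIN_LEN * SLOT)]
    for i, s in enumerate(pad):
        for k in range(s):
            start = i * SLOT + GUARD + k * PULSE_GAP
            for j, v in enumerate(fp):
                rec[start + j] += v
    return rec


def normalized_xcorr(rec, fp):
    """Slide the fingerprint over the recording; a value near 1.0 means
    the fingerprint is present at that offset."""
    energy = sum(v * v for v in fp)
    return [sum(rec[t + j] * fp[j] for j in range(len(fp))) / energy
            for t in range(len(rec) - len(fp) + 1)]


def pick_peaks(xc, threshold, min_distance):
    """Non-maximum suppression: accept offsets in descending order of
    correlation, skipping any closer than min_distance to an accepted one."""
    candidates = sorted((t for t, v in enumerate(xc) if v > threshold),
                        key=lambda t: xc[t], reverse=True)
    peaks = []
    for t in candidates:
        if all(abs(t - p) >= min_distance for p in peaks):
            peaks.append(t)
    return peaks


def attacker_recover_pad(rec, fp, threshold=0.5):
    """Count detected pulses per digit slot to guess each shift."""
    peaks = pick_peaks(normalized_xcorr(rec, fp), threshold, PULSE_GAP // 2)
    guess = [0] * PIN_LEN
    for t in peaks:
        guess[min(t // SLOT, PIN_LEN - 1)] += 1
    return [g % 10 for g in guess]


def attacker_recover_pin(entered, guessed_pad):
    """Undo the shifts using the shoulder-surfed digits and guessed pad."""
    return "".join(str((e - s) % 10) for e, s in zip(entered, guessed_pad))


def simulate(noise_sigma, seed=1):
    """One login observed by an attacker; True if the PIN was recovered."""
    rng = random.Random(seed)
    pin = "4921"                      # constructed sample PIN
    fp = motor_fingerprint()
    pad = new_pad(rng)
    entered = user_entry(pin, pad)
    assert verify(pin, pad, entered)  # legitimate login succeeds
    rec = render_vibration(pad, fp, noise_sigma, rng)
    guess = attacker_recover_pad(rec, fp)
    return attacker_recover_pin(entered, guess) == pin


if __name__ == "__main__":
    for label, sigma in (("quiet room", 0.05), ("cafe", 0.5), ("restaurant", 2.0)):
        print(f"{label:10s} (noise sigma {sigma}): PIN recovered? {simulate(sigma)}")
```

The shoulder-surfing argument rests on the pad being uniform and fresh per login: with a uniform shift per digit the typed sequence is itself uniform, so observing it (or a smudge of it) gives the attacker nothing without the pad. That pushes the whole attack onto the vibration channel, which is why the paper's evaluation is about how well the motor can be heard. In the model, the attacker's detector is a plain normalized cross-correlation with non-maximum suppression; at low noise it recovers every pulse and hence the PIN, while at restaurant-level noise the correlation peaks drown in false detections and the recovered pad is wrong. The noise levels and threshold here are invented, so treat the three runs as a qualitative illustration of the paper's claim, not a reproduction of its numbers.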



Author information

Corresponding author: Sebastian Uellenbeck

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Uellenbeck, S., Hupperich, T., Wolf, C., Holz, T. (2015). Tactile One-Time Pad: Leakage-Resilient Authentication for Smartphones. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_15

  • DOI: https://doi.org/10.1007/978-3-662-47854-7_15
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-662-47853-0
  • Online ISBN: 978-3-662-47854-7