Search Results (14)

Search Parameters:
Keywords = shoulder-surfing attack

22 pages, 9192 KiB  
Article
A Deep-Learning-Driven Aerial Dialing PIN Code Input Authentication System via Personal Hand Features
by Jun Wang, Haojie Wang, Kiminori Sato and Bo Wu
Electronics 2025, 14(1), 119; https://doi.org/10.3390/electronics14010119 - 30 Dec 2024
Viewed by 731
Abstract
The dialing-type authentication as a common PIN code input system has gained popularity due to the simple and intuitive design. However, this type of system has the security risk of “shoulder surfing attack”, so that attackers can physically view the device screen and keypad to obtain personal information. Therefore, based on the use of “Leap Motion” device and “Media Pipe” solutions, in this paper, we try to propose a new two-factor dialing-type input authentication system powered by aerial hand motions and features without contact. To be specific, based on the design of the aerial dialing system part, as the first authentication part, we constructed a total of two types of hand motion input subsystems using Leap Motion and Media Pipe, separately. The results of FRR (False Rejection Rate) and FAR (False Acceptance Rate) experiments of the two subsystems show that Media Pipe is more comprehensive and superior in terms of applicability, accuracy, and speed. Moreover, as the second authentication part, the user’s hand features (e.g., proportional characteristics associated with fingers and palm) were used for specialized CNN-LSTM model training to ultimately obtain a satisfactory accuracy. Full article
(This article belongs to the Special Issue Biometrics and Pattern Recognition)

30 pages, 5833 KiB  
Review
A Survey: Security Vulnerabilities and Protective Strategies for Graphical Passwords
by Zena Mohammad Saadi, Ahmed T. Sadiq, Omar Z. Akif and Alaa K. Farhan
Electronics 2024, 13(15), 3042; https://doi.org/10.3390/electronics13153042 - 1 Aug 2024
Cited by 5 | Viewed by 3165
Abstract
As technology advances and develops, the need for strong and simple authentication mechanisms that can help protect data intensifies. The contemporary approach to giving access control is through graphical passwords comprising images, patterns, or graphical items. The objective of this review was to determine the documented security risks that are related to the use of graphical passwords, together with the measures that have been taken to prevent them. The review was intended to present an extensive literature review of the subject matter on graphical password protection and to point toward potential future research directions. Many attacks, such as shoulder surfing attacks, SQL injection attacks, and spyware attacks, can easily exploit the graphical password scheme, which is one of the most widely used. To counter these security threats, several measures have been suggested, but none of the security attacks can be completely overcome. Each of the proposed measures has its pros and cons. This study begins by elucidating some of the graphical password schemes studied between 2012 and 2023, delving into potential threats and defense mechanisms associated with these schemes. Following a thorough identification and selection process, five of the reviewed papers explain the threat of shoulder surfing and spyware attacks on graphical password schemes, while two explain the threat of brute force attacks. One paper focuses on dictionary attacks, while four other papers address social engineering, SQL injection attacks, and guessing attacks as potential threats to graphical password schemes. In addition, the papers recognize other forms of attacks, such as video recording attacks, filtering attacks, reverse engineering attacks, multiple observation attacks, key/mouse logger attacks, insider attacks, computer vision attacks, image gallery attacks, sonar attacks, reply attacks, data interception attacks, and histogram manipulation attacks. 
These attacks are examined in three, three, eight, one, four, one, one, one, one, one, one, and one papers, respectively. Moreover, out of all such countermeasures, most of them are based on three categories—randomization, obfuscation, and password space complexity—which are the most commonly employed strategies for improving graphical password schemes. Full article
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

20 pages, 2678 KiB  
Systematic Review
Systemic Literature Review of Recognition-Based Authentication Method Resistivity to Shoulder-Surfing Attacks
by Lateef Adekunle Adebimpe, Ian Ouii Ng, Mohd Yamani Idna Idris, Mohammed Okmi, Chin Soon Ku, Tan Fong Ang and Lip Yee Por
Appl. Sci. 2023, 13(18), 10040; https://doi.org/10.3390/app131810040 - 6 Sep 2023
Cited by 8 | Viewed by 2766
Abstract
The rapid advancement of information technology (IT) has given rise to a new era of efficient and fast communication and transactions. However, the increasing adoption of and reliance on IT has led to the exposure of personal and sensitive information online. Safeguarding this information against unauthorized access remains a persistent challenge, necessitating the implementation of improved computer security measures. The core objective of computer security is to ensure the confidentiality, availability, and integrity of data and services. Among the mechanisms developed to counter security threats, authentication stands out as a pivotal defense strategy. Graphical passwords have emerged as a popular authentication approach, yet they face vulnerability to shoulder-surfing attacks, wherein an attacker can clandestinely observe a victim’s actions. Shoulder-surfing attacks present a significant security challenge within the realm of graphical password authentication. These attacks occur when an unauthorized individual covertly observes the authentication process of a legitimate user by shoulder surfing the user or capturing the interaction through a video recording. In response to this challenge, various methods have been proposed to thwart shoulder-surfing attacks, each with distinct advantages and limitations. This study thus centers on reviewing the resilience of existing recognition-based graphical password techniques against shoulder-surfing attacks by conducting a comprehensive examination and evaluation of their benefits, strengths, and weaknesses. The evaluation process entailed accessing pertinent academic resources through renowned search engines, including Web of Science, Science Direct, IEEE Xplore, ProQuest, Scopus, Springer, Wiley Online Library, and EBSCO. The selection criteria were carefully designed to prioritize studies that focused on recognition-based graphical password methods. 
Through this rigorous approach, 28 studies were identified and subjected to a thorough review. The results show that fourteen of them adopted registered objects as pass-objects, bolstering security through object recognition. Additionally, two methods employed decoy objects as pass-objects, enhancing obfuscation. Notably, one technique harnessed both registered and decoy objects, amplifying the security paradigm. The results also showed that recognition-based graphical password techniques varied in their resistance to different types of shoulder-surfing attacks. Some methods were effective in preventing direct observation attacks, while others were vulnerable to video-recorded and multiple-observation attacks. This vulnerability emerged due to attackers potentially extracting key information by analyzing user interaction patterns in each challenge set. Notably, one method stood out as an exception, demonstrating resilience against all three types of shoulder-surfing attacks. In conclusion, this study contributes to a comprehensive understanding of the efficacy of recognition-based graphical password methods in countering shoulder-surfing attacks by analyzing the diverse strategies employed by these methods and revealing their strengths and weaknesses. Full article
(This article belongs to the Special Issue Novel Approaches for Software Security)

26 pages, 2424 KiB  
Article
Meta-Heuristic Optimization and Keystroke Dynamics for Authentication of Smartphone Users
by El-Sayed M. El-Kenawy, Seyedali Mirjalili, Abdelaziz A. Abdelhamid, Abdelhameed Ibrahim, Nima Khodadadi and Marwa M. Eid
Mathematics 2022, 10(16), 2912; https://doi.org/10.3390/math10162912 - 13 Aug 2022
Cited by 66 | Viewed by 3875
Abstract
Personal Identification Numbers (PIN) and unlock patterns are two of the most often used smartphone authentication mechanisms. Because PINs have just four or six characters, they are subject to shoulder-surfing attacks and are not as secure as other authentication techniques. Biometric authentication methods, such as fingerprint, face, or iris, are now being studied in a variety of ways. The security of such biometric authentication is based on PIN-based authentication as a backup when the maximum defined number of authentication failures is surpassed during the authentication process. Keystroke-dynamics-based authentication has been studied to circumvent this limitation, in which users were categorized by evaluating their typing patterns as they input their PIN. A broad variety of approaches have been proposed to improve the capacity of PIN entry systems to discriminate between normal and abnormal users based on a user’s typing pattern. To improve the accuracy of user discrimination using keystroke dynamics, we propose a novel approach for improving the parameters of a Bidirectional Recurrent Neural Network (BRNN) used in classifying users’ keystrokes. The proposed approach is based on a significant modification to the Dipper Throated Optimization (DTO) algorithm by employing three search leaders to improve the exploration process of the optimization algorithm. To assess the effectiveness of the proposed approach, two datasets containing keystroke dynamics were included in the conducted experiments. In addition, we propose a feature selection algorithm for selecting the proper features that enable better user classification. The proposed algorithms are compared to other optimization methods in the literature, and the results showed the superiority of the proposed algorithms. Moreover, a statistical analysis is performed to measure the stability and significance of the proposed methods, and the results confirmed the expected findings. 
The best classification accuracy achieved by the proposed optimized BRNN is 99.02% and 99.32% for the two datasets. Full article
(This article belongs to the Special Issue Metaheuristic Algorithms)

21 pages, 2725 KiB  
Article
Draw-a-Deep Pattern: Drawing Pattern-Based Smartphone User Authentication Based on Temporal Convolutional Neural Network
by Junhong Kim and Pilsung Kang
Appl. Sci. 2022, 12(15), 7590; https://doi.org/10.3390/app12157590 - 28 Jul 2022
Cited by 7 | Viewed by 2605
Abstract
Present-day smartphones provide various conveniences, owing to high-end hardware specifications and advanced network technology. Consequently, people rely heavily on smartphones for a myriad of daily-life tasks, such as work scheduling, financial transactions, and social networking, which require a strong and robust user authentication mechanism to protect personal data and privacy. In this study, we propose draw-a-deep-pattern (DDP)—a deep learning-based end-to-end smartphone user authentication method using sequential data obtained from drawing a character or freestyle pattern on the smartphone touchscreen. In our model, a recurrent neural network (RNN) and a temporal convolution neural network (TCN), both of which are specialized in sequential data processing, are employed. The main advantages of the proposed DDP are (1) it is robust to the threats to which current authentication systems are vulnerable, e.g., shoulder surfing attack and smudge attack, and (2) it requires few parameters for training; therefore, the model can be consistently updated in real-time, whenever new training data are available. To verify the performance of the DDP model, we collected data from 40 participants in one of the most unfavorable environments possible, wherein all potential intruders know how the authorized users draw the characters or symbols (shape, direction, stroke, etc.) of the drawing pattern used for authentication. Of the two proposed DDP models, the TCN-based model yielded excellent authentication performance with average values of 0.99%, 1.41%, and 1.23% in terms of AUROC, FAR, and FRR, respectively. Furthermore, this model exhibited improved authentication performance and higher computational efficiency than the RNN-based model in most cases. 
To contribute to the research/industrial communities, we made our dataset publicly available, thereby allowing anyone studying or developing a behavioral biometric-based user authentication system to use our data without any restrictions. Full article
(This article belongs to the Section Computing and Artificial Intelligence)

17 pages, 507 KiB  
Article
GRA-PIN: A Graphical and PIN-Based Hybrid Authentication Approach for Smart Devices
by Nabeela Kausar, Ikram Ud Din, Mudassar Ali Khan, Ahmad Almogren and Byung-Seo Kim
Sensors 2022, 22(4), 1349; https://doi.org/10.3390/s22041349 - 10 Feb 2022
Cited by 15 | Viewed by 4430
Abstract
In many smart devices and numerous digital applications, authentication mechanisms are widely used to validate the legitimacy of users’ identification. As a result of the increased use of mobile devices, most people tend to save sensitive and secret information over such devices. Personal Identification Number (PIN)-based and alphanumeric passwords are simple to remember, but at the same time, they are vulnerable to hackers. Being difficult to guess and more user-friendly, graphical passwords have grown in popularity as an alternative to all such textual passwords. This paper describes an innovative, hybrid, and much more robust user authentication approach, named GRA-PIN (GRAphical and PIN-based), which combines the merits of both graphical and pin-based techniques. The feature of simple arithmetic operations (addition and subtraction) is incorporated in the proposed scheme, through which random passwords are generated for each login attempt. In the study, we have conducted a comparative study between the GRA-PIN scheme with existing PIN-based and pattern-based (swipe-based) authentications approaches using the standard Software Usability Scale (SUS). The usability score of GRA-PIN was analyzed to be as high as 94%, indicating that it is more reliable and user friendly. Furthermore, the security of the proposed scheme was challenged through an experiment wherein three different attackers, having a complete understanding of the proposed scheme, attempted to crack the technique via shoulder surfing, guessing, and camera attack, but they were unsuccessful. Full article

21 pages, 2135 KiB  
Article
Deep Learning Approaches for Continuous Authentication Based on Activity Patterns Using Mobile Sensing
by Sakorn Mekruksavanich and Anuchit Jitpattanakul
Sensors 2021, 21(22), 7519; https://doi.org/10.3390/s21227519 - 12 Nov 2021
Cited by 71 | Viewed by 6087
Abstract
Smartphones as ubiquitous gadgets are rapidly becoming more intelligent and context-aware as sensing, networking, and processing capabilities advance. These devices provide users with a comprehensive platform to undertake activities such as socializing, communicating, sending and receiving e-mails, and storing and accessing personal data at any time and from any location. Nowadays, smartphones are used to store a multitude of private and sensitive data including bank account information, personal identifiers, account passwords and credit card information. Many users remain permanently signed in and, as a result, their mobile devices are vulnerable to security and privacy risks through assaults by criminals. Passcodes, PINs, pattern locks, facial verification, and fingerprint scans are all susceptible to various assaults including smudge attacks, side-channel attacks, and shoulder-surfing attacks. To solve these issues, this research introduces a new continuous authentication framework called DeepAuthen, which identifies smartphone users based on their physical activity patterns as measured by the accelerometer, gyroscope, and magnetometer sensors on their smartphone. We conducted a series of tests on user authentication using several deep learning classifiers, including our proposed deep learning network termed DeepConvLSTM on the three benchmark datasets UCI-HAR, WISDM-HARB and HMOG. Results demonstrated that combining various motion sensor data obtained the highest accuracy and energy efficiency ratio (EER) values for binary classification. We also conducted a thorough examination of the continuous authentication outcomes, and the results supported the efficacy of our framework. Full article
(This article belongs to the Special Issue Security for Mobile Sensing Networks)

19 pages, 464 KiB  
Article
Keystroke Dynamics-Based Authentication Using Unique Keypad
by Maro Choi, Shincheol Lee, Minjae Jo and Ji Sun Shin
Sensors 2021, 21(6), 2242; https://doi.org/10.3390/s21062242 - 23 Mar 2021
Cited by 19 | Viewed by 5906
Abstract
Authentication methods using personal identification number (PIN) and unlock patterns are widely used in smartphone user authentication. However, these authentication methods are vulnerable to shoulder-surfing attacks, and PIN authentication, in particular, is poor in terms of security because PINs are short in length with just four to six digits. A wide range of research is currently underway to examine various biometric authentication methods, for example, using the user’s face, fingerprint, or iris information. However, such authentication methods provide PIN-based authentication as a type of backup authentication to prepare for when the maximum set number of authentication failures is exceeded during the authentication process such that the security of biometric authentication equates to the security of PIN-based authentication. In order to overcome this limitation, research has been conducted on keystroke dynamics-based authentication, where users are classified by analyzing their typing patterns while they are entering their PIN. As a result, a wide range of methods for improving the ability to distinguish the normal user from abnormal ones have been proposed, using the typing patterns captured during the user’s PIN input. In this paper, we propose unique keypads that are assigned to and used by only normal users of smartphones to improve the user classification performance capabilities of existing keypads. The proposed keypads are formed by randomly generated numbers based on the Mersenne Twister algorithm. In an attempt to demonstrate the superior classification performance of the proposed unique keypad compared to existing keypads, all tests except for the keypad type were conducted under the same conditions in earlier work, including collection-related features and feature selection methods. 
Our experimental results show that when the filtering rates are 10%, 20%, 30%, 40%, and 50%, the corresponding equal error rates (EERs) for the proposed keypads are improved by 4.15%, 3.11%, 2.77%, 3.37% and 3.53% on average compared to the classification performance outcomes in earlier work. Full article
(This article belongs to the Special Issue Data Security and Privacy in the IoT)

22 pages, 1110 KiB  
Article
An Efficient Login Authentication System against Multiple Attacks in Mobile Devices
by Yang Li, Xinyu Yun, Liming Fang and Chunpeng Ge
Symmetry 2021, 13(1), 125; https://doi.org/10.3390/sym13010125 - 13 Jan 2021
Cited by 6 | Viewed by 4028
Abstract
Access management of IoT devices is extremely important, and a secure login authentication scheme can effectively protect users’ privacy. However, traditional authentication schemes are threatened by shoulder-surfing attacks, and biometric-based schemes, such as fingerprint recognition and face recognition, that are commonly used today can also be cracked. Researchers have proposed some schemes for current attacks, but they are limited by usability. For example, the login authentication process requires additional device support. This method solves the problem of attacks, but it is unusable, which limits its application. At present, most authentication schemes for the Internet of Things and mobile platforms either focus on security, thus ignoring availability, or have excellent convenience but insufficient security. This is a symmetry problem worth exploring. Therefore, users need a new type of login authentication scheme that can balance security and usability to protect users’ private data or maintain device security. In this paper, we propose a login authentication scheme named PinWheel, which combines a textual password, a graphical password, and biometrics to prevent both shoulder-surfing attacks and smudge attacks and solves the current schemes’ lack of usability. We implemented PinWheel and evaluated it from the perspective of security and usability. The experiments required 262 days, and 573 subjects participated in our investigation. The evaluation results show that PinWheel can at least effectively resist both mainstream attacks and is superior to most existing schemes in terms of usability. Full article

15 pages, 2841 KiB  
Article
Enhancing the Security of Pattern Unlock with Surface EMG-Based Biometrics
by Qingqing Li, Penghui Dong and Jun Zheng
Appl. Sci. 2020, 10(2), 541; https://doi.org/10.3390/app10020541 - 11 Jan 2020
Cited by 32 | Viewed by 5164
Abstract
Pattern unlock is a popular screen unlock scheme that protects the sensitive data and information stored in mobile devices from unauthorized access. However, it is also susceptible to various attacks, including guessing attacks, shoulder surfing attacks, smudge attacks, and side-channel attacks, which can achieve a high success rate in breaking the patterns. In this paper, we propose a new two-factor screen unlock scheme that incorporates surface electromyography (sEMG)-based biometrics with patterns for user authentication. sEMG signals are unique biometric traits suitable for person identification, which can greatly improve the security of pattern unlock. During a screen unlock session, sEMG signals are recorded when the user draws the pattern on the device screen. Time-domain features extracted from the recorded sEMG signals are then used as the input of a one-class classifier to identify the user is legitimate or not. We conducted an experiment involving 10 subjects to test the effectiveness of the proposed scheme. It is shown that the adopted time-domain sEMG features and one-class classifiers achieve good authentication performance in terms of the F1 score and Half of Total Error Rate (HTER). The results demonstrate that the proposed scheme is a promising solution to enhance the security of pattern unlock. Full article
(This article belongs to the Section Computing and Artificial Intelligence)

20 pages, 8243 KiB  
Article
LocPass: A Graphical Password Method to Prevent Shoulder-Surfing
by Lip Yee Por, Lateef Adekunle Adebimpe, Mohd Yamani Idna Idris, Chee Siong Khaw and Chin Soon Ku
Symmetry 2019, 11(10), 1252; https://doi.org/10.3390/sym11101252 - 8 Oct 2019
Cited by 11 | Viewed by 7348
Abstract
Graphical passwords are a method of authentication in computer security. Computer security is one of the disciplines of computer science. Shoulder-surfing attacks are a well-known threat to graphical passwords, although is getting commonly used especially in granting access for a secure system. Shoulder-surfing occurs when attackers skillfully capture important data/activities, such as login passwords, via direct observation or video recording methods. Many methods have been proposed to overcome the problem of shoulder-surfing attacks. After we reviewed some related works, we found out that most of the existing methods are still vulnerable to multiple observations and video-recorded shoulder-surfing attacks. Thus, we propose a new method to combat this problem. In our proposed method, we make used of two concepts to combat shoulder-surfing attacks. In the first concept, we used registered locations (something that only the users know) and 5 image directions (something that the users can see) to determine a pass-location (new knowledge). Secondly, the images used in our proposed method have higher chances to offset each other. The idea of offset could increase the password spaces of our proposed method if an attacker intended to guess the registered location used. By combining these two concepts, the pass-location produced by our proposed method in each challenge set could be varied. Therefore, it is impossible for the attackers to shoulder-surf any useful information such as the images/locations clicked by the user in each challenge set. A user study was conducted to evaluate the capabilities of the proposed method to prevent shoulder-surfing attacks. The shoulder-surfing testing results indicated that none of the participants were able to login, although they knew the underlying algorithm and they have been given sufficient time to perform a shoulder-surfing attack. 
Therefore, the proposed method has proven it can prevent shoulder-surfing attacks, provided the enrolment procedure is carried out in a secure manner. Full article

16 pages, 5272 KiB  
Article
Preventing Shoulder-Surfing Attacks using Digraph Substitution Rules and Pass-Image Output Feedback
by Lip Yee Por, Chin Soon Ku and Tan Fong Ang
Symmetry 2019, 11(9), 1087; https://doi.org/10.3390/sym11091087 - 30 Aug 2019
Cited by 10 | Viewed by 3630
Abstract
In this paper, we focus on methods to prevent shoulder-surfing attacks. We initially adopted digraph substitution rules from PlayFair cipher as our proposed method. PlayFair cipher is a modern cryptography method, which exists at the intersection of the disciplines of mathematics and computer science. However, according to our preliminary study it was insufficient to prevent shoulder-surfing attacks. Thus, a new method had to be proposed. In this new proposed method, we improvised the digraph substitution rules and used these rules together with an output feedback method to determine a pass-image. Our proposed method was evaluated with a user study. The results showed our proposed method was robust against both direct observation and video-recorded shoulder-surfing attacks. Full article

18 pages, 3549 KiB  
Article
A Fractal-Based Authentication Technique Using Sierpinski Triangles in Smart Devices
by Adnan Ali, Hamaad Rafique, Talha Arshad, Mohammed A. Alqarni, Sajjad Hussain Chauhdary and Ali Kashif Bashir
Sensors 2019, 19(3), 678; https://doi.org/10.3390/s19030678 - 7 Feb 2019
Cited by 21 | Viewed by 7212
Abstract
The prevalence of smart devices in our day-to-day activities increases the potential threat to our secret information. To counter these threats like unauthorized access and misuse of phones, only authorized users should be able to access the device. Authentication mechanism provide a secure way to safeguard the physical resources as well the information that is processed. Text-based passwords are the most common technique used for the authentication of devices, however, they are vulnerable to a certain type of attacks such as brute force, smudge and shoulder surfing attacks. Graphical Passwords (GPs) were introduced as an alternative for the conventional text-based authentication to overcome the potential threats. GPs use pictures and have been implemented in smart devices and workstations. Psychological studies reveal that humans can recognize images much easier and quicker than numeric and alphanumeric passwords, which become the basis for creating GPs. In this paper a novel Fractal-Based Authentication Technique (FBAT) has been proposed by implementing a Sierpinski triangle. In the FBAT scheme, the probability of password guessing is low making system resilient against abovementioned threats. Increasing fractal level makes the system stronger and provides security against attacks like shoulder surfing. Full article
(This article belongs to the Special Issue Future Research Trends in Internet of Things and Sensor Networks)

18 pages, 3298 KiB  
Article
Integrating Gaze Tracking and Head-Motion Prediction for Mobile Device Authentication: A Proof of Concept
by Zhuo Ma, Xinglong Wang, Ruijie Ma, Zhuzhu Wang and Jianfeng Ma
Sensors 2018, 18(9), 2894; https://doi.org/10.3390/s18092894 - 31 Aug 2018
Cited by 12 | Viewed by 5212
Abstract
We introduce a two-stream model to use reflexive eye movements for smart mobile device authentication. Our model is based on two pre-trained neural networks, iTracker and PredNet, targeting two independent tasks: (i) gaze tracking and (ii) future frame prediction. We design a procedure to randomly generate the visual stimulus on the screen of mobile device, and the frontal camera will simultaneously capture head motions of the user as one watches it. Then, iTracker calculates the gaze-coordinates error which is treated as a static feature. To solve the imprecise gaze-coordinates caused by the low resolution of the frontal camera, we further take advantage of PredNet to extract the dynamic features between consecutive frames. In order to resist traditional attacks (shoulder surfing and impersonation attacks) during the procedure of mobile device authentication, we innovatively combine static features and dynamic features to train a 2-class support vector machine (SVM) classifier. The experiment results show that the classifier achieves accuracy of 98.6% to authenticate the user identity of mobile devices. Full article
(This article belongs to the Special Issue Wireless Body Area Networks and Connected Health)