Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
5-2013
Abstract
Touchscreen mobile devices are becoming commodities with the wide adoption of pervasive computing. These devices allow users to access various services anytime and anywhere. In order to prevent unauthorized access to these services, passwords have been pervasively used in user authentication. However, password-based authentication has an intrinsic weakness: password leakage. This threat could be more serious on mobile devices, as mobile devices are widely used in public places. Most prior research on improving the leakage resilience of password entry focuses on desktop computers, where specific restrictions of mobile devices, such as small screen size, are usually not addressed. Meanwhile, additional features of mobile devices, such as the touchscreen, are not utilized, as they are not available in traditional settings with only a physical keyboard and mouse. In this paper, we propose a user authentication scheme named CoverPad for password entry on touchscreen mobile devices. CoverPad improves leakage resilience by safely delivering hidden messages, which break the correlation between the underlying password and the interaction information observable to an adversary. It is also designed to retain most benefits of legacy passwords, which is critical to a scheme intended for practical use. The usability of CoverPad is evaluated with an extended user study which includes additional test conditions related to time pressure, distraction, and mental workload. These test conditions simulate common situations for a password entry scheme used on a daily basis, which have not been evaluated in the prior literature. The results of our user study show the impacts of these test conditions on user performance as well as the practicability of the proposed scheme.
Keywords
User Authentication, Leakage-Resilience, Mobile Devices
Discipline
Information Security
Research Areas
Cybersecurity
Publication
ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, Computer and Communications Security: May 8-10, Hangzhou, China
First Page
37
Last Page
48
ISBN
9781450317672
Identifier
10.1145/2484313.2484318
Publisher
ACM
City or Country
New York
Citation
YAN, Qiang; HAN, Jin; LI, Yingjiu; ZHOU, Jianying; and DENG, Robert H.
Designing leakage-resilient password entry on touchscreen mobile devices. (2013). ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, Computer and Communications Security: May 8-10, Hangzhou, China. 37-48.
Available at: https://ink.library.smu.edu.sg/sis_research/1944
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/2484313.2484318