5.1 Requirements
This section describes the requirements that specifically apply to authentication in the gamepad context. To ease referring to the individual requirements in the remainder of this part of the thesis, each is assigned both a numeric reference of the form Rx (where x is the number) and a short mnemonic descriptor. The requirements are grouped into three categories: security, technical, and usability.
5.1.1 Security Requirements
Providing shoulder-surfing resistant text password entry for use with gamepads is the core motivation behind the work presented in this part of the thesis, since it represents a key requirement of the gamepad context, as explained in the remainder of this section.
Using gamepad-driven devices such as game consoles is for many users a social activity: 53% of users play on average five hours per week with others in person (as opposed to online multiplayer games) [68]. Therefore, usage of these devices occurs in a so-called shared space [169]. Another defining aspect of authentication on these devices is that they are usually used in conjunction with large displays such as TVs. Such large displays have been found to be perceived qualitatively differently from smaller displays [199]. Tan and Czerwinski [202] found that users were more likely to read sensitive content on large screens and note that, since such devices are usually outside a user’s “personal zone”, they might be perceived as less private. Yet, research indicates that 90.9% of users would authenticate in such a setting when not alone [169]. Together, these aspects indicate a large potential for shoulder-surfing threats. Due to the threat model of usage in shared spaces, the opportunistic observer (cf. section 2.3.1) is the most likely attacker in the gamepad scenario, since any recording of the authentication procedure by a friend sitting on the user’s couch right next to them is likely to draw attention. Since the definition of opportunistic observers [227] does not set a specific threshold to achieve resistance, but rather states that the attacker has access to only “a small number of observations”, the threshold is assumed to be “not more observations than there are characters in the password”. In conclusion, the requirement regarding shoulder-surfing resistance is:
R1: Authentication schemes used on gamepad-driven devices must resist shoulder-surfing attacks by opportunistic observers, i.e. resist observers with not more observations than there are characters in the password they want to observe. (resistant-to-opportunistic-observers)
5.1.2 Technical Requirements
In addition to the security requirement R1, several technical requirements must be fulfilled by authentication schemes in the gamepad context. Gamepads are very constrained input devices. In comparison to a keyboard, gamepads offer far fewer buttons. However, they often also have output capabilities, such as force feedback through vibration motors. Figure 5.1 depicts the input capabilities of a typical gamepad as considered for this work. Modern gamepads are usually equipped with two small joysticks commonly referred to as analogue sticks. They are used to capture directional input (i.e. input that moves something on the screen) and are usually operated using the thumbs (i.e. one is operated with the left thumb, the other with the right thumb).
5 Requirements and Status Quo of Authentication in the Gamepad Context
[Figure 5.1, labels only: Analog sticks; Directional control pad; Shoulder buttons; Front buttons]
Figure 5.1: The controls available on a typical gamepad.
In addition, gamepads have buttons which can be pressed. Firstly, there is one array of four buttons forming a directional control pad. It consists of a cross-shaped rocking button with actuators underneath, and its working principle is that of a switch-activated joystick (minus the stick part) [10]. Secondly, there is usually an array of four buttons on the other side of the gamepad (the front buttons). Last but not least, there are four so-called shoulder buttons, which are positioned on the top edge of the gamepad. On the majority of modern gamepads two of these shoulder buttons (one on the left side and one on the right side) are implemented as analogue triggers (i.e. one-dimensional analogue controls).
The technical requirements reflect these available controls of gamepads as well as their sensitivity and precision. In particular, authentication schemes in the gamepad context must not require more distinct controls than are available on a gamepad:
R2: Authentication schemes used on gamepad-driven devices must not require as controls more than eight freely programmable buttons, one directional control pad, two analogue sticks, and two analogue triggers if they are to be compatible with the gamepads of most modern gamepad-driven devices. (compatible-with-gamepad-controls)
The accounts used on gamepad-driven devices usually require text password authentication (e.g. common services such as Netflix or Xbox Live). Therefore, remaining compatible with these accounts is of the essence. Such compatibility is trivial if the authentication scheme is explicitly designed for text password entry. Otherwise compatibility can be achieved e.g. through an extension of a traditional on-screen keyboard, a direct mapping of the characters to the gamepad controls, or scaling up the procedures of the scheme. However, a crucial aspect of compatibility with text passwords is that no changes to the backend of the verifier are necessary: whatever the user does with the gamepad, the verifier must still receive the same text password it would accept from a keyboard. The respective requirement is:
R3: Authentication schemes used on gamepad-driven devices must be compatible with text passwords. (compatible-with-text-passwords)
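To make the "direct mapping of the characters to the gamepad controls" option concrete, the following is an added example (not a scheme from this thesis) of such a mapping. It assigns every printable ASCII character a unique combination of one left-stick direction, one right-stick direction and one held shoulder button, which stays within the control budget of R2 (two analogue sticks and two of the shoulder buttons), and it decodes the entered combinations back into the ordinary text password before anything is sent to the verifier, so the backend is untouched as R3 demands. The particular layout (which character lands on which combination) and the names used for the controls are assumptions made for this example; the injectivity check matters because a mapping that assigned two characters to the same combination could not reproduce the user's password.

```python
"""Direct character-to-control mapping as one way to satisfy R3 (constructed example)."""
from typing import List, Tuple

# Assumed control vocabulary: 8 stick positions, 2 shoulder buttons (R2-compatible).
DIRECTIONS = ("N", "NE", "E", "SE", "S", "SW", "W", "NW")
SHOULDER = ("L1", "R1")
FIRST, LAST = 0x20, 0x7E  # printable ASCII: 95 characters, 2 * 8 * 8 = 128 combinations available

Control = Tuple[str, str, str]  # (held shoulder button, left stick, right stick)


def encode_char(c: str) -> Control:
    """Map one printable ASCII character to a single gamepad input combination."""
    code = ord(c)
    if not FIRST <= code <= LAST:
        raise ValueError(f"character {c!r} is outside the printable ASCII range")
    idx = code - FIRST                  # 0..94
    shoulder, rem = divmod(idx, 64)     # which shoulder button is held
    left, right = divmod(rem, 8)        # left and right stick positions
    return SHOULDER[shoulder], DIRECTIONS[left], DIRECTIONS[right]


def decode_control(ctrl: Control) -> str:
    """Inverse of encode_char; rejects combinations that map to no character."""
    shoulder, left, right = ctrl
    idx = SHOULDER.index(shoulder) * 64 + DIRECTIONS.index(left) * 8 + DIRECTIONS.index(right)
    code = idx + FIRST
    if code > LAST:
        raise ValueError(f"combination {ctrl} is not assigned to any character")
    return chr(code)


def encode_password(password: str) -> List[Control]:
    """Sequence of gamepad inputs the user performs for a given text password."""
    return [encode_char(c) for c in password]


def decode_password(inputs: List[Control]) -> str:
    """Client-side reconstruction of the text password handed to the unchanged verifier."""
    return "".join(decode_control(ctrl) for ctrl in inputs)


def mapping_is_injective() -> bool:
    """True if no two characters share a combination (otherwise R3 would be violated)."""
    seen = set()
    for code in range(FIRST, LAST + 1):
        ctrl = encode_char(chr(code))
        if ctrl in seen:
            return False
        seen.add(ctrl)
    return True


if __name__ == "__main__":
    secret = "hunter2"  # constructed sample password
    inputs = encode_password(secret)
    for c, ctrl in zip(secret, inputs):
        print(f"{c!r}: hold {ctrl[0]}, left stick {ctrl[1]}, right stick {ctrl[2]}")
    assert decode_password(inputs) == secret
    print("mapping injective:", mapping_is_injective())
```

Note that such a mapping only addresses R2 and R3; it is exactly as observable as typing on an on-screen keyboard, so on its own it does nothing for R1.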
Most operating systems of gamepad-driven devices do not allow installation of drivers for additional hardware. Therefore, the following requirement arises:
R4: Authentication schemes used on gamepad-driven devices must not require support for additional hardware such as biometric readers or token devices. (no-additional-hardware)