2.4 Improving Security
2.4.3 User Owned Device Based Approaches
The final category, user owned device based authentication mechanisms, is similar to the second category in that these systems require additional hardware. The big difference is that the hardware is owned by the users, already in their possession and carried around by them. A typical and often used device is the users’ mobile phone. Systems based on hardware owned directly by the user have the potential to eliminate the two main weaknesses of hardware based approaches. Firstly, they do not create additional costs for the service/terminal provider since, for the most part, they employ hardware that is already owned by the user. Secondly, since this hardware is not available to an attacker, it cannot be manipulated as is the case for hardware fixed to a terminal. While user hardware overcomes those weaknesses, it opens new ways for attacks. For instance, these systems often rely on wireless communication with the terminal, which makes them vulnerable to man-in-the-middle attacks, and establishing a secure channel to the terminal is a tricky and time consuming task that can easily annoy users.
User owned device based approaches are gaining importance with the rise of smartphones and other modern high tech devices. These often come with a huge variety of different sensors that can be exploited for authentication mechanisms. Not surprisingly, many approaches therefore rely on gesture based authentication, that is, the users perform a (visual) gesture with their devices to authenticate. However, authentication mechanisms in this category are still rare since the required hardware is only now becoming widely available on the market.
One of the main weaknesses of gesture based passwords is described in the work of Chong et al. [18] from 2009. They explored a system based on ten different gestures (an example is shown in figure 2.10, left). The theoretical security of the system is fine and it is hard to record the authentication since an attacker has only limited knowledge about where the device will be located when the interaction takes place. However, the system is very insecure against standard shoulder surfing attacks performed by an attacker in person. Therefore, the authors suggest that their system be used in private rather than public settings, thus defining an explicit context. However, the value that comes with gesture based approaches, which is exploiting the users’ muscle memory, still drives research to more secure solutions. As a result, in 2010, Kirschnick et al. [75] presented an authentication mechanism based on gestures that, in addition to the gesture itself, uses biometric information of the user to identify not only the gesture but also who is doing it. This way, a second, invisible piece of information is used to make the system resistant to shoulder surfing attacks. Because the biometric part is a secret task that the user is not actively performing, the system, in contrast to common biometric authentication mechanisms, is not necessarily seen as a biometric system by the users.
Another category of approaches in this field relies on the unpredictability of the location of the mobile device and its small input and output hardware to render attacks, including shoulder surfing, ineffective. Most skimming attacks, i.e. manipulating ATMs, are based on the assumption that the attacker knows with 100% certainty where the input will take place. For instance, a camera pointing at the keyboard requires the input to happen at exactly that specific location to make the attack effective. This means that simply dislocating the input from the terminal improves security significantly. On the other hand, the plain input on the device might be an easy target for a shoulder surfer, which can be solved by using master PINs and other ways of clever design, as for instance proposed in the mobile phone authentication systems by Bianchi et al. [6].
The simplest imaginable form is doing the “plain” input on the mobile device. A system like this was for instance envisioned by Boring et al. [9] as shown in figure 2.10, right. In their approach, a keypad is displayed on a public screen. The input is done by filming the screen with the mobile phone’s camera and virtually “pressing” the keys on the screen of the mobile device. Technically, the system is based on the Touch Projector prototype [10] that was built for mobile interaction with public screens. There is no evaluation available but it can be expected that it does not take significantly longer than entering a PIN on any touch screen. However, the visual search and focus tasks, by trying to film the respective part of the screen, might add inconvenience and increase input times. The risk of a real shoulder surfer also remains.
User owned device based approaches have manifold theoretical advantages when it comes to security and deployment. Costs are low and dislocating the input from the terminal makes them highly resistant to skimming attacks and other manipulations of the terminal. While real shoulder surfers and theft of the device are issues, they seem to be solvable by clever design. However, connection is an issue yet to be solved that most of the work does not cover at all. Whenever a device is about to be used with a terminal, it has to be connected to it. This connection should be secure (e.g. resistant to man-in-the-middle attacks), easy and fast. Honestly measuring and reporting interaction speed therefore has to include those times, as will be discussed in chapter 3.3. The connection issue is additionally highly important when it comes to defining appropriate scenarios. For instance, connection becomes a minor issue when the device has to be connected anyway because it is an essential part of the interaction. This thesis explores this field more deeply than has been done before and presents two user owned device based approaches, MobilePIN [29] and VibraPass [34], which highlight the importance of connection time and partially solve the shoulder surfing and secure transmission problems, as shown in chapter 3.3.