Abstract
Touch-enabled user interfaces have become ubiquitous, such as on ATMs or portable devices. At the same time, authentication using touch input is problematic, since finger smudge traces may allow attackers to reconstruct passwords. We present SmudgeSafe, an authentication system that uses random geometric image transformations, such as translation, rotation, scaling, shearing, and flipping, to increase the security of cued-recall graphical passwords. We describe the design space of these transformations and report on two user studies: A lab-based security study involving 20 participants in attacking user-defined passwords, using high quality pictures of real smudge traces captured on a mobile phone display; and an inthe- field usability study with 374 participants who generated more than 130,000 logins on a mobile phone implementation of SmudgeSafe. Results show that SmudgeSafe significantly increases security compared to authentication schemes based on PINs and lock patterns, and exhibits very high learnability, efficiency, and memorability.
F. Alt, S. Schneegass, A. Sahami Shirazi, M. Hassib, and A. Bulling, “Graphical Passwords in the Wild – Understanding How Users Choose Pictures and Passwords in Image-based Authentication Schemes,” in Proceedings of the 17th International Conference on Human-computer Interaction with Mobile Devices and Services, New York, NY, USA, 2015. |
S. Schneegass, F. Steimle, A. Bulling, A. Schmidt, and F. Alt, “SmudgeSafe: Geometric Image Transformations for Smudge-resistant User Authentication,” in Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing, {New York, NY, USA}, 2014. |
Introduction
Touch-enabled interfaces have become common on mobile phones and tablets, ATMs, or ticket machines and we use these interfaces on a regular basis in our daily life. These devices store and provide personal data that needs to be protected from unauthorized access, such as bank account details, emails, or contact lists. While communication between devices can be secured, for example through encryption, secure authentication and data access with touch-enabled devices remain major challenges. Muslukhov et al. found that while 64% of the users protect their smartphone, the vast majority of them still use PINs and lock patterns that can easily be eavesdropped in public [22]. One solution is the use of physiological or behavioral biometrics [9]. Yet, current approaches suffer from insufficient maturity (e.g., face unlock [18] can easily be fooled by using printed images of the target person [14]) or lack of user acceptance. For instance, TouchID is popular on smartphones but it is questionable whether users would want to give their biometric data to third parties [28].
Graphical passwords were demonstrated to significantly increase security and usability – they provide a larger password space and make it easier for users to remember their passwords [20, 30]. However, graphical passwords suffer from the same problem as all state-of-the-art touch-based authentication schemes: Finger smudge trails on the display from previous logins may allow attackers to reconstruct the password and access personal data. Previous approaches to address this problem alter a custom login screen each time the user logs in [35]. While such approaches have been shown to increase security, they require custom login procedures that users first have to learn. In contrast, our approach can – if integrated with the device OS – be applied to arbitrary graphical password schemes (e.g., lock pattern, image-based passwords or even PINs). This minimizes the burden for the user since they can continue using their favorite login mechanism.
In this work we introduce SmudgeSafe, a novel authentication system that relies on geometric image transformations to improve security of graphical passwords defined on a single image (Figure 1). These transformations significantly increase password security as the appearance of the underlying image is different for each login. Hence, each login creates an increasingly chaotic pattern of overlapping smudge traces that make it more difficult to guess the original password. It is important to note that while we focus on locimetric cued-recall graphical passwords and touch-enabled mobile devices, the proposed approach is generic and applicable to other graphical password schemes, including cognometric and drawmetric, as well as to arbitrary touch-enabled surfaces.
Our contribution is two-fold. First, we introduce the idea of applying geometric image transformations to increase smudge resistance of graphical passwords, such as translation, rotation, scaling, shearing, and flipping. We describe the design space and present a login screen application for Android that implements these transformations. Second, we evaluate the proposed approach in two user studies. In a security study with a realistic threat model, participants were asked to attack graphical passwords with geometric transformations and commonly used PINs and lock patterns. During an in-the-wild study we collected 130.000 logins from 374 users who downloaded our application from Google Play and used it over five months. We assessed the usability of our system using a builtin questionnaire and logged user performance.
The SmudgeSafe System
Skin fat produces a smudge trace whenever a user interacts with a touch-enabled surface (Figure 2). This trace is clearly visible under slant incident light and was shown to allow attackers to reconstruct the original password [3]. This is particularly critical for authentication systems in which the smudge trace can be directly matched to the underlying password, such as lock patterns [34]. In contrast, text passwords, PINs, and image-based passwords are more difficult to reconstruct: While the individual password elements, such as a character or number, may be extracted rather easily, the sequence in which they were entered by the user can typically not be easily deduced from the individual finger smudges alone.
This security threat can only be addressed by either cleaning the touch surface carefully after each use or by hiding the password trace within further traces generated while interacting with the phone. However, while users pull out their phone frequently throughout the day, cleaning the display on a regular basis is not practical. In a similar fashion, particularly when users are on the move, interactions are typically very short [25] and, for example, clicking on the mail symbol to check for new emails does not generate a sufficient number of additional smudges to hide the login trace. In addition, interaction traces can also often be distinguished from login traces based on their distinct location.
At the core of SmudgeSafe is the idea of applying affine geometric transformations to the underlying password image. Such transformations may include translations (the image is shown at a different location), rotations (the image is rotated by an angle ), scalings (the image is scaled by a factor S), shearings (the image is sheared by a distance D), or flippings (the image is flipped horizontally or vertically). If these image transformations are applied randomly every time the user logs in, smudge traces from a previous login will not match the current password image, which renders password reconstruction difficult or even impossible. In addition, subsequent logins will result in an increasingly chaotic set of smudge traces overlaying each other, which further increases security.
Transformations are applied to all pixels of the image and take into account the location of the password points. Specifically, we ensure that none of the original password points falls outside of the touch-sensitive display area after applying the transformation. We solve this by calculating the maximum possible parameter value for each transformation from the user-provided password points during runtime. It is important to note that the location of the password points also has an influence on password security and the effective password space. Generally speaking, the closer the password points are to the edge of the image the smaller the transformations can be, for example, the smaller the rotation angle or the scaling factor S. Transformations impact security as they may reduce the effective password space and potentially allow an attacker to reconstruct the password more easily. We solve this by restricting password point selection to a central part of the image (see Figure 3). This ensures that transformations still significantly change the location of the password points while at the same time preserving a reasonably large TPS. Combining several transformations is possible and transformations could also be applied only to certain image parts. We opted to focus on the basic affine transformations described here and leave multiple transformations for future work.
Design Space
In the following, we present the design space for transformations in graphical password systems, namely, aspects that need to be considered when implementing and using such systems, because they potentially impact security and usability.
Spatial Dimensions
Transformation can be applied in different spatial dimensions, namely in 2D and 3D. We believe spatial dimensions to be of particular interest as auto-stereoscopic displays enter the market. In general, transformations can be applied both in 2D and 3D but may have unexpected effects. For example, a 3D translation in z-axis is similar to a 2D zoom transformation. Note, that while 3D transformations could enhance security by further increasing the TPS, this may compromise usability, for example, as points are obscured in a 3D scene.
Body Rigidity
An important factor is whether the transformation is body rigid, i.e., the image maintains its form throughout the transformation. Body rigidity may have an impact on how well users can remember a password. For example, a password may include a circle. Through a non-rigid transformation (e.g., shearing), the form might be transformed into an ellipse, making it more difficult to find the password points.
Combination of Transformations
Transformation can be combined by simply applying several transformation, for example first a rotation and then scaling. Mathematically, the transformation matrices are multiplied. While this may lead to higher security this may come at the cost of usability as strongly transformed images may make it difficult to remember a password. Note that applying transformations in different order leads to different results.
Image Context and Viewport
Prior research shows that users sometimes tend to memorize passwords by creating stories around the password points [4]. For example, an image may show a street scene with several persons, a bus stop, passing cars, and a traffic light. A password hint may then be ”The man waiting next to the bus stop sign jumps into the red car and passes the traffic light” and the according password are the man, the car, and the traffic light. In this case, the bus stop is not a part of the password but important to remember, which man was chosen as part of the password. Through transformations, for example scaling, the bus stop sign may move out of the viewport, thus making it harder for the user to remember the password. Note, that there are certain transformations, such as flip, that in general preserve the context, but make it otherwise difficult to perceive and interpret content. Examples include flipped text as well as symmetrical or close-to-symmetrical images, like close-ups of faces, that make if difficult to determine whether an image has been flipped.
Image Complexity
Prior work suggests image complexity, for example the number of image features, to influence password security [27]. Low complexity leads to fewer hotspots and makes it easier for attackers to guess the password. Transformations such as zoom may alter the complexity. Note, that complexity may increase for zoom out or rotation in case passwords were only defined on a part of the image.
Type of Background
We envision transformations to be applicable to a wide variety of authentication mechanisms. As a result, one can imagine background images other than a picture taken during holidays or the lock pattern, that are not static. For example, the background may consist of a short video clip from which users could select password points or of a 3D image, such as a rotating dice from which users need to select the correct side. In these cases, the matrix contains one or more variables that change, depending on one or more external factors. Factors could include time, sensor data, or even input by the user.
Prototype Implementation
We developed a prototype SmudgeSafe authentication system on an Android phone that implements all of the previously described image transformations. To replace the lock screen we used Android’s Device Policy Manager. The Device Policy Manager is able to set a password and to lock the phone.
To set up our lock screen, the user has to register our application as a device administrator. The graphical password itself is created with a wizard style dialog. First, the user needs to define a PIN, which is later used by the Device Policy Manager to lock the phone. Furthermore, this PIN can be used as a backup login mechanism in case the authentication with the graphical password fails. Such mechanisms were reported to be perceived as a valuable feature by users [11]. Then, the user has to choose whether a picture provided by our application or a picture from the phone’s gallery should be used as password picture. Note, that to apply our approach to the lock pattern, the user could simply choose a lock pattern background image. Finally, the user has to set up a graphical password consisting of a series of password point within the image and enable the lock screen. Once the lock screen is enabled a service is started. A broadcast receiver listens to the intents ACTION SCREEN OFF and ACTION SCREEN ON. Once the screen goes off, the phone is being locked and the lock screen is loaded in the background. When the screen is turned on again, the lock screen is brought to the foreground. Subsequently, the user can proceed with the login process. If the user is not able to login to our system, pressing the home button forces the system to show Android’s PIN input mask, where the PIN supplied in the setup can be used as a backup for authentication.
Evaluation
Security Study
We designed a lab-based user study to investigate the security of geometrically transformed graphical passwords. We hypothesize that such passwords are more secure to smudge attacks compared to PINs and lock patterns, because (a) transformations make it more difficult for attackers to interpret smudge traces and (b) the theoretical password space is increased. We compare SmudgeSafe graphical passwords with the most commonly used authentication mechanisms for mobile phones [22], namely lock patterns and personal identification numbers (PIN). The study consists of two steps: First, we ask one group of participants to generate a set of realistic graphical passwords. We then recruit a second group and train them to attack these passwords by analyzing high-resolution pictures of the corresponding smudge traces captured from the mobile phone display.
Usability Study
To analyse usability we modified our prototype implementation so that it saves every login attempt to a log file on the phone. This file is sent to our server. Each log file entry consists of a timestamp, the transformation used and its parameters, the entered and the original graphical password, and whether the login attempt was successful. We released our application in the Google Play store to create insights with regard to the usability in the wild, which we consider more ecologically valid than lab studies [16]. All following analyses cover a period of five month. 632 users actively used the application over the reporting period according to Google Play store statistics. For privacy reasons we allowed users to turn off the logging functionality and, hence, to not share data with us. We received data from two different sources. First, we logged the user’s authentication attempts and, second, we embedded a questionnaire within the app.
Conclusion
In this paper we presented SmudgeSafe, an authentication system for touch-enabled devices that increases security by applying random geometric transformations to the image underlying graphical passwords. Results from our user studies show that SmudgeSafe is significantly more secure than stateof- the-art authentication schemes based on PINs and lock patterns. Furthermore, an in-the-wild study attributes high usability with regard to learnability, efficiency, memorability, errors, and satisfaction. These results underpin the significant potential of this approach, particularly as it is also applicable beyond locimetric passwords. In general, any password schemes that are based on a series of password points can benefit from our approach. Even though we focused on mobile phones as one particular use case for our approach, we see large potential in applying it to other ubiquitous systems, such as tablets, terminals, and public displays.
Related Publications
F. Alt, S. Schneegass, A. Sahami Shirazi, M. Hassib, and A. Bulling, “Graphical Passwords in the Wild – Understanding How Users Choose Pictures and Passwords in Image-based Authentication Schemes,” in Proceedings of the 17th International Conference on Human-computer Interaction with Mobile Devices and Services, New York, NY, USA, 2015. |
S. Schneegass, F. Steimle, A. Bulling, A. Schmidt, and F. Alt, “SmudgeSafe: Geometric Image Transformations for Smudge-resistant User Authentication,” in Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing, {New York, NY, USA}, 2014. |