Alexander De Luca

Touch me once and i know it's you!: implicit authentication based on touch screen patterns

Password patterns, as used on current Android phones, and other shape-based authentication schemes are highly usable and memorable. In terms of security, they are rather weak since the shapes are easy to steal and reproduce. In this work, we introduce an implicit authentication approach that enhances password patterns with an additional security layer, transparent to the user. In short, users are not only authenticated by the shape they input but also by the way they perform the input. We conducted two consecutive studies, a lab and a long-term study, using Android applications to collect and log data from user input on a touch screen of standard commercial smartphones. Analyses using dynamic time warping (DTW) provided first proof that it is actually possible to distinguish different users and use this information to increase security of the input while keeping the convenience for the user high.

Patterns in the wild: a field study of the usability of pattern and pin-based authentication on mobile devices

Graphical password systems based upon the recall and reproduction of visual patterns (e.g. as seen on the Google Android platform) are assumed to have desirable usability and memorability properties. However, there are no empirical studies that explore whether this is actually the case on an everyday basis. In this paper, we present the results of a real world user study across 21 days that was conducted to gather such insight; we compared the performance of Android-like patterns to personal identification numbers (PIN), both on smartphones, in a field study. The quantitative results indicate that PIN outperforms the pattern lock when comparing input speed and error rates. However, the qualitative results suggest that users tend to accept this and are still in favor of the pattern lock to a certain extent. For instance, it was rated better in terms of ease-of-use, feedback and likeability. Most interestingly, even though the pattern lock does not provide any undo or cancel functionality, it was rated significantly better than PIN in terms of error recovery; this provides insight into the relationship between error prevention and error recovery in user authentication.

CityFlocks: designing social navigation for urban mobile information systems

CityFlocks is a mobile system enabling visitors and new residents in a city to tap into the knowledge and experiences of local residents, so as to gather information about their new environment. Its design specifically aims to lower existing barriers of access and facilitate social navigation in urban places. This paper presents a design case study of a mobile system prototype that offers an easy way for information seeking new residents or visitors to access tacit knowledge from local people about their new community. In various user tests we evaluate two general user interaction alternatives - direct and indirect social navigation - and analyse under what conditions which interaction method works better for people using a mobile device to socially navigate urban environments. The outcomes are relevant for the user interaction design of future mobile information systems that leverage off of a social navigation approach.

PassShapes: utilizing stroke based authentication to increase password memorability

Authentication today mostly relies on passwords or personal identification numbers (PINs). Therefore the average user has to remember an increasing amount of PINs and passwords. Unfortunately, humans have limited capabilities for remembering abstract alphanumeric sequences. Thus, many people either forget them or use very simple ones, which implies several security risks. In this work, a novel authentication method called PassShapes is presented. In this system users authenticate themselves to a computing system by drawing simple geometric shapes constructed of an arbitrary combination of eight different strokes. We argue that using such shapes will allow more complex and thus more secure authentication tokens with a lower cognitive load and higher memorability. To prove these assumptions, two user studies have been conducted. The memorability evaluation showed that the PassShapes concept is able to increase the memorability when users can practice the PassShapes several times. This effect is even increasing over time. Additionally, a prototype was implemented to conduct a usability study. The results of both studies indicate that the PassShapes approach is able to provide a usable and memorable authentication method.

Back-of-device authentication on smartphones

This paper presents BoD Shapes, a novel authentication method for smartphones that uses the back of the device for input. We argue that this increases the resistance to shoulder surfing while remaining reasonably fast and easy-to-use. We performed a user study (n=24) comparing BoD Shapes to PIN authentication, Android grid unlock, and a front version of our system. Testing a front version allowed us to directly compare performance and security measures between front and back authentication. Our results show that BoD Shapes is significantly more secure than the three other approaches. While performance declined, our results show that BoD Shapes can be very fast (up to 1.5 seconds in the user study) and that learning effects have an influence on its performance. This indicates that speed improvements can be expected in long-term use.

Look into my eyes!: can you guess my password?

Authentication systems for public terminals and thus public spaces have to be fast, easy and secure. Security is of utmost importance since the public setting allows manifold attacks from simple shoulder surfing to advanced manipulations of the terminals. In this work, we present EyePassShapes, an eye tracking authentication method that has been designed to meet these requirements. Instead of using standard eye tracking input methods that require precise and expensive eye trackers, EyePassShapes uses eye gestures. This input method works well with data about the relative eye movement, which is much easier to detect than the precise position of the users gaze and works with cheaper hardware. Different evaluations on technical aspects, usability, security and memorability show that EyePassShapes can significantly increase security while being easy to use and fast at the same time.

ColorPIN: securing PIN entry through indirect input

Automated teller machine (ATM) frauds are increasing drastically these days. When analyzing the most common attacks and the reasons for successful frauds, it becomes apparent that the main problem lies in the PIN based authentication which in itself does not provide any security features (besides the use of asterisks). That is, security is solely based on a users behavior. Indirect input is one way to solve this problem. This mostly comes at the costs of adding overhead to the input process. We present ColorPIN, an authentication mechanism that uses indirect input to provide security enhanced PIN entry. At the same time, ColorPIN remains a one-to-one relationship between the length of the PIN and the required number of clicks. A user study showed that ColorPIN is significantly more secure than standard PIN entry while enabling good authentication speed in comparison with related systems.

Now you see me, now you don't: protecting smartphone authentication from shoulder surfers

In this paper, we present XSide, an authentication mechanism that uses the front and the back of smartphones to enter stroke-based passwords. Users can switch sides during input to minimize the risk of shoulder surfing. We performed a user study (n = 32) to explore how switching sides during authentication affects usability and security of the system. The results indicate that switching the sides increases security while authentication speed stays relatively fast (≤ 4 seconds). The paper furthermore provides insights on accuracy of eyes-free input (as used in XSide) and shows how 3D printed prototype cases can improve the back-of-device interaction experience.

Towards understanding ATM security: a field study of real world ATM use

With the increase of automated teller machine (ATM) frauds, new authentication mechanisms are developed to overcome security problems of personal identification numbers (PIN). Those mechanisms are usually judged on speed, security, and memorability in comparison with traditional PIN entry systems. It remains unclear, however, what appropriate values for PIN-based ATM authentication actually are. We conducted a field study and two smaller follow-up studies on real-world ATM use, in order to provide both a better understanding of PIN-based ATM authentication, and on how alternative authentication methods can be compared and evaluated. Our results show that there is a big influence of contextual factors on security and performance in PIN-based ATM use. Such factors include distractions, physical hindrance, trust relationships, and memorability. From these findings, we draw several implications for the design of alternative ATM authentication systems, such as resilience to distraction and social compatibility.

I Feel Like I'm Taking Selfies All Day!: Towards Understanding Biometric Authentication on Smartphones

We present the results of an MTurk survey (n=383) on the reasons for using and not using biometric authentication systems on smartphones. We focused on Apples Touch ID as well as Androids Face Unlock as they are the most prevalent systems on the market. For both systems, we categorized the participants as a) current users, b) former users that deactivated it at some point and c) nonusers. The results show that usability is one of the main factors that influences the decision on whether or not to use biometric verification on the smartphone. To our surprise and as opposed to previous research on biometric authentication, privacy and trust issues were not among the most important decision factors.