IllusionPIN: Shoulder-Surfing Resistant Authentication Using Hybrid Images

Athanasios Papadopoulos, Toan Nguyen, Emre Durmus, Nasir Memon

Research output: Contribution to journal › Article

Abstract

We address the problem of shoulder-surfing attacks on authentication schemes by proposing IllusionPIN (IPIN), a PIN-based authentication method that operates on touchscreen devices. IPIN uses the technique of hybrid images to blend two keypads with different digit orderings in such a way, that the user who is close to the device is seeing one keypad to enter her PIN, while the attacker who is looking at the device from a bigger distance is seeing only the other keypad. The user’s keypad is shuffled in every authentication attempt since the attacker may memorize the spatial arrangement of the pressed digits. To reason about the security of IllusionPIN, we developed an algorithm which is based on human visual perception and estimates the minimum distance from which an observer is unable to interpret the keypad of the user. We tested our estimations with 84 simulated shoulder-surfing attacks from 21 different people. None of the attacks was successful against our estimations. In addition, we estimated the minimum distance from which a camera is unable to capture the visual information from the keypad of the user. Based on our analysis, it seems practically almost impossible for a surveillance camera to capture the PIN of a smartphone user when IPIN is in use.

Original language: English (US)
Journal: IEEE Transactions on Information Forensics and Security
DOI: 10.1109/TIFS.2017.2725199
State: Accepted/In press - Jul 8 2017

Fingerprint

Computer keyboards
Authentication
Cameras
Touch screens
Smartphones

Keywords

  • Human Visual Perception
  • Hybrid Image
  • PIN Authentication
  • Shoulder-Surfing
  • Video Attack

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

IllusionPIN: Shoulder-Surfing Resistant Authentication Using Hybrid Images. / Papadopoulos, Athanasios; Nguyen, Toan; Durmus, Emre; Memon, Nasir.

In: IEEE Transactions on Information Forensics and Security, 08.07.2017.

@article{f3a7ba98bfaf40aa9a5a10feeb9f59d1,
title = "IllusionPIN: Shoulder-Surfing Resistant Authentication Using Hybrid Images",
abstract = "We address the problem of shoulder-surfing attacks on authentication schemes by proposing IllusionPIN (IPIN), a PIN-based authentication method that operates on touchscreen devices. IPIN uses the technique of hybrid images to blend two keypads with different digit orderings in such a way, that the user who is close to the device is seeing one keypad to enter her PIN, while the attacker who is looking at the device from a bigger distance is seeing only the other keypad. The user’s keypad is shuffled in every authentication attempt since the attacker may memorize the spatial arrangement of the pressed digits. To reason about the security of IllusionPIN, we developed an algorithm which is based on human visual perception and estimates the minimum distance from which an observer is unable to interpret the keypad of the user. We tested our estimations with 84 simulated shoulder-surfing attacks from 21 different people. None of the attacks was successful against our estimations. In addition, we estimated the minimum distance from which a camera is unable to capture the visual information from the keypad of the user. Based on our analysis, it seems practically almost impossible for a surveillance camera to capture the PIN of a smartphone user when IPIN is in use.",
keywords = "Human Visual Perception, Hybrid Image, PIN Authentication, Shoulder-Surfing, Video Attack",
author = "Athanasios Papadopoulos and Toan Nguyen and Emre Durmus and Nasir Memon",
year = "2017",
month = "7",
day = "8",
doi = "10.1109/TIFS.2017.2725199",
language = "English (US)",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - IllusionPIN

T2 - Shoulder-Surfing Resistant Authentication Using Hybrid Images

AU - Papadopoulos, Athanasios

AU - Nguyen, Toan

AU - Durmus, Emre

AU - Memon, Nasir

PY - 2017/7/8

Y1 - 2017/7/8

AB - We address the problem of shoulder-surfing attacks on authentication schemes by proposing IllusionPIN (IPIN), a PIN-based authentication method that operates on touchscreen devices. IPIN uses the technique of hybrid images to blend two keypads with different digit orderings in such a way, that the user who is close to the device is seeing one keypad to enter her PIN, while the attacker who is looking at the device from a bigger distance is seeing only the other keypad. The user’s keypad is shuffled in every authentication attempt since the attacker may memorize the spatial arrangement of the pressed digits. To reason about the security of IllusionPIN, we developed an algorithm which is based on human visual perception and estimates the minimum distance from which an observer is unable to interpret the keypad of the user. We tested our estimations with 84 simulated shoulder-surfing attacks from 21 different people. None of the attacks was successful against our estimations. In addition, we estimated the minimum distance from which a camera is unable to capture the visual information from the keypad of the user. Based on our analysis, it seems practically almost impossible for a surveillance camera to capture the PIN of a smartphone user when IPIN is in use.

KW - Human Visual Perception

KW - Hybrid Image

KW - PIN Authentication

KW - Shoulder-Surfing

KW - Video Attack

UR - http://www.scopus.com/inward/record.url?scp=85022218631&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85022218631&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2017.2725199

DO - 10.1109/TIFS.2017.2725199

M3 - Article

AN - SCOPUS:85022218631

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

ER -