A PIN-entry method resilient against shoulder surfing
- 25 October 2004
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the 11th ACM conference on Computer and communications security - CCS '04
- pp. 236-245
- https://doi.org/10.1145/1030083.1030116
Abstract
Magnetic stripe cards are in common use for electronic payments and cash withdrawal. Reported incidents document that criminals easily pickpocket cards or skim them by swiping them through additional card readers. Personal identification numbers (PINs) are obtained by shoulder surfing, through the use of mirrors or concealed miniature cameras. Both elements, the PIN and the card, are generally sufficient to give the criminal full access to the victim's account. In this paper, we present alternative PIN entry methods, which we refer to as cognitive trapdoor games. These methods make it significantly harder for a criminal to obtain PINs even if he fully observes the entire input and output of a PIN entry procedure. We also introduce the idea of probabilistic cognitive trapdoor games, which offer resilience to shoulder surfing even if the criminal records a PIN entry procedure with a camera. We studied the security as well as the usability of our methods, and we also present those results in the paper.
This publication has 12 references indexed in Scilit:
- Neural activity predicts individual differences in visual working memory capacity. Nature, 2004
- HCI and security systems. Association for Computing Machinery (ACM), 2003
- Elementary Probability. Cambridge University Press (CUP), 2003
- Moving from the design of usable security technologies to the design of useful secure applications. Association for Computing Machinery (ACM), 2002
- Secure Human Identification Protocols. Lecture Notes in Computer Science, 2001
- Human Identification Through Insecure Channel. Springer Science and Business Media LLC, 2001
- Pass-sentence — a new approach to computer code. Computers & Security, 1994
- Authenticating users by word association. Computers & Security, 1987
- The retention of individual items. Journal of Experimental Psychology, 1961
- Short-term retention of individual verbal items. Journal of Experimental Psychology, 1959