Undercover: Authentication Usable in Front of Prying Eyes

Abstract from the whitepaper by authors Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi:

A number of recent scams and security attacks hinge on a crook’s ability to observe user behavior. In this paper, we describe the design, implementation, and evaluation of a novel class of user authentication systems that are resilient to observation attacks.

Our proposal is the first to rely on the human ability to simultaneously process multiple sensory inputs to authenticate, and is resilient to most observation attacks. We build a prototype based on user feedback gained through low fidelity tests. We conduct a within-subjects usability study of the prototype with 38 participants, which we complement with a security analysis.

Our results show that users can authenticate within times comparable to that of graphical password schemes, with relatively low error rates, while being considerably better protected against observation attacks. Our design and evaluation process allows us to outline design principles for observation-resilient authentication systems.

Read the paper at CMU.edu.
