Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing
ACM Transactions on Computer-Human Interaction (IF 4.8), Pub Date: 2021-01-20, DOI: 10.1145/3428121
Florian Mathis 1, John H. Williamson 1, Kami Vaniea 2, Mohamed Khamis 1

There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and securely by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth’s usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69–3.5 s using controller tapping, 2.35–4.68 s using head pose and 2.39–4.92 s using eye gaze, and highly resilient to observations: 96–99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45^n for an n-symbol password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

Updated: 2021-01-20