A systematic review of PIN-entry methods resistant to shoulder-surfing attacks
Introduction
The conventional personal identification number (PIN) entry method is widely used for everyday authentication in many services and systems, including automatic teller machines, mobile screen locks, and electronic doors. Its widespread adoption is due to the ease of remembering the PIN and entering it into the system (Greene et al., 2016). A PIN is a special case of a textual password (text, digits, and/or symbols) that is composed only of digits and is typically 4-6 digits long. Shen et al. (2016) studied 6 million textual passwords and found that most of them consist only of digits.
However, the conventional PIN-entry method is highly susceptible to shoulder-surfing attacks. Shoulder surfing occurs when an attacker observes the login PIN directly, or captures it with a recording tool, and later reproduces it (Ku, Cheng, Yeh, and Chang, 2016; Nyang, Kim, Lee, Kang, Cho, Lee, and Mohaisen, 2018). The root cause is that users reveal their real PIN at every authentication session (Still and Bell, 2018). It could be argued that physiological biometric authentication methods, such as fingerprints, solve this problem, and users do favour biometric authentication over PIN entry (Breitinger et al., 2020). Nonetheless, biometric methods are still error-prone, costly, and unchangeable once leaked (Yadav et al., 2015). Furthermore, most devices use the PIN-entry method as the fallback authentication when biometric verification fails, so an attacker can resort to the fallback method to bypass the biometric check (Van Nguyen et al., 2017). Reviewing and analysing the current PIN-entry methods resistant to shoulder-surfing attacks is therefore a worthwhile task.
Following the selected articles, shoulder-surfing attacks are classified into human-based and recording-based. Human-based shoulder surfing is the act of obtaining a user's PIN through direct observation. In recording-based shoulder surfing, the attacker records the authentication session with a camera and later identifies the PIN from the recording. This systematic review (SR) shows a considerable body of literature on PIN-entry methods resistant to shoulder-surfing attacks.
In general, shoulder-surfing resistant PIN-entry methods are classified as either direct or indirect input. Direct input methods aim to prevent the observer from learning the PIN through gaze input, visual distraction, and other techniques. In gaze-based methods (e.g., Carneiro, Elmadjian, Gonzales, Coutinho, and Morimoto, 2019; Ibrahim and Ambreen, 2019; Kumar, Akbari, Menges, MacKenzie, and Staab, 2019), users enter the PIN with their eyes to reduce what a direct observer can see. Visual distraction methods only add extra actions that mislead the observer, through cursor camouflage (Still and Bell, 2018; Sugumar and Soundararajan, 2017; Watanabe, Higuchi, Inami, and Igarashi, 2012), input distraction (Guerar, Migliardi, Palmieri, Verderame, and Merlo, 2019; Shi, Zhu, and Youssef, 2009), and keypad distraction (Adithya, Aishwarya, Megalai, Priyadharshini, and Kurinjimalar, 2017; Kabir, Hasan, Tahmid, Ovi, and Rozario, 2020; Nandhini and Jayanthy, 2019; Papadopoulos, Nguyen, Durmus, and Memon, 2017). Other direct input methods resist shoulder surfing with a pressure-based mechanism (Krombholz et al., 2016), multi-touch key input (Takada and Kokubun, 2014), and tapping PIN digits using several fingers (Leftheriotis, 2013).
Indirect input methods prevent users from revealing the actual PIN during the authentication process. They can be further classified into challenge-response methods and others. Most indirect input methods belong to the challenge-response category, in which the user is given a challenge and must compute and enter the corresponding response. Current studies use various channels to send or receive the challenge, such as audio (e.g., Dan and Ku, 2017; Hirakawa, Kurihara, and Ohzeki, 2017; Rajarajan, Kalita, Gayatri, and Priyadarsini, 2018), haptic (e.g., Ku and Xu, 2019; Souza, Cunha, and B Oliveira, 2018; Xu, Ku, and Dan, 2016), and visual (e.g., Chakraborty, Li, Mondal, Chen, and Pan, 2019; Kasat and Bhadade, 2018; Vijai, Kottayam, Joseph). The remaining indirect input method (Alsuhibany and Almutairi, 2016) adds decoy digits to resist shoulder surfing.
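The two preceding paragraphs describe a direct-input technique (keypad distraction, here a per-session keypad shuffle) and an indirect challenge-response technique, and the earlier distinction between human-based and recording-based observers. The following is an added illustration written for this page, not a scheme or code from the review or from any of the cited papers. It models both mechanisms with a toy 4-digit PIN and a simple observer that keeps every PIN digit consistent with what it saw. The assumptions are: a human observer sees only finger positions or typed responses; a camera recording additionally captures whatever is on screen (the shuffled layout, or a challenge shown visually) but not an audio or haptic cue; and the challenge-response rule is a per-digit modular offset. All names and sample PINs are constructed for the example.

```python
"""Toy observer model for two shoulder-surfing resistant PIN-entry mechanisms.
Constructed example; not a scheme from the review or any cited paper."""
import secrets
from math import prod

PIN_LEN = 4
ALL_DIGITS = frozenset(range(10))


# ---- Direct input: keypad shuffled afresh for every session -----------------
def shuffled_layout():
    """layout[key_position] = digit printed on that key (CSPRNG Fisher-Yates)."""
    layout = list(range(10))
    for i in range(9, 0, -1):
        j = secrets.randbelow(i + 1)
        layout[i], layout[j] = layout[j], layout[i]
    return layout


def tap_positions(pin, layout):
    """Key positions the user presses to enter `pin` on this layout."""
    return [layout.index(d) for d in pin]


def keypad_observer(sessions, layout_visible):
    """sessions: (layout, positions) pairs from observed logins.
    A human observer sees finger positions only; a screen recording also
    captures the layout. Returns per-position candidate digit sets."""
    cands = [set(ALL_DIGITS) for _ in range(PIN_LEN)]
    for layout, positions in sessions:
        for i, pos in enumerate(positions):
            if layout_visible:
                cands[i] &= {layout[pos]}
            # Layout hidden: any digit could be printed at `pos`, so nothing is pruned.
    return cands


# ---- Indirect input: challenge-response over a hidden channel ---------------
def new_challenge():
    """Per-digit offsets; assumed to reach the user by audio/haptic cue, not on screen."""
    return [secrets.randbelow(10) for _ in range(PIN_LEN)]


def respond(pin, challenge):
    """User types (p + c) mod 10 per digit; the real PIN digit is never entered."""
    return [(p + c) % 10 for p, c in zip(pin, challenge)]


def verify(pin, challenge, response):
    """Verifier side: recompute the expected response from the stored PIN."""
    return respond(pin, challenge) == list(response)


def response_observer(sessions, challenge_visible):
    """sessions: (challenge, response) pairs. With the challenge hidden, every
    digit d satisfies (d + c) % 10 == r for some c, so no candidate is removed;
    with the challenge visible (e.g. shown on screen and recorded) one session
    pins each digit down."""
    cands = [set(ALL_DIGITS) for _ in range(PIN_LEN)]
    for challenge, response in sessions:
        for i, r in enumerate(response):
            seen_c = {challenge[i]} if challenge_visible else ALL_DIGITS
            cands[i] &= {d for d in ALL_DIGITS if any((d + c) % 10 == r for c in seen_c)}
    return cands


def candidate_count(cands):
    """Size of the PIN space still consistent with the observations."""
    return prod(len(s) for s in cands)


def run(pin, n_sessions=5):
    """Remaining candidate-space size for each mechanism/observer pairing."""
    keypad = []
    for _ in range(n_sessions):
        layout = shuffled_layout()
        keypad.append((layout, tap_positions(pin, layout)))
    chal_resp = []
    for _ in range(n_sessions):
        c = new_challenge()
        r = respond(pin, c)
        assert verify(pin, c, r)  # a legitimate response always verifies
        chal_resp.append((c, r))
    return {
        "shuffle_positions_only": candidate_count(keypad_observer(keypad, False)),
        "shuffle_with_recorded_layout": candidate_count(keypad_observer(keypad, True)),
        "cr_responses_only": candidate_count(response_observer(chal_resp, False)),
        "cr_with_visible_challenge": candidate_count(response_observer(chal_resp, True)),
    }


if __name__ == "__main__":
    print(run([1, 2, 3, 4]))
```

Running `run()` shows the asymmetry the review discusses: both mechanisms leave the full 10^4 PIN space to a human observer, but a screen recording collapses the shuffled keypad to a single PIN after one session, and a challenge-response scheme whose challenge is shown visually fares no better under recording than a challenge sent over a channel the camera cannot capture. A conventional static keypad is the `layout_visible=True` case with `layout = list(range(10))`, i.e. positions and digits coincide.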
The review and analysis of these methods identified several limitations. To date, no compatible PIN-entry method provides high resistance against recording-based shoulder-surfing attacks. Moreover, current work on shoulder-surfing resistant PIN-entry methods lacks a standard evaluation framework. In terms of usability, most current methods require a long PIN-entry time and have a high error rate.
To the best of our knowledge, no prior systematic review has focused on PIN-entry methods resistant to shoulder-surfing attacks. The most closely related review is that of Aris and Yaakob (2018) on non-biometric lock-screen methods resistant to shoulder surfing. That review was limited to screen-lock methods and excluded other authentication login methods; it also covered few real PIN-entry methods because it focused on knowledge-based and token-based authentication in general. The objective of this SR is to review the existing PIN-entry authentication methods resistant to shoulder-surfing attacks, identify the main challenges that impede their acceptance and adoption, and provide a basis for conducting further research appropriately. To meet this objective, we present the following research question and sub-questions:
What are the existing PIN-entry methods resistant to shoulder-surfing attacks in the literature?
- What evaluation metrics were used to evaluate the PIN-entry methods?
- What are the limitations and open solutions/recommendations of the current PIN-entry methods?
Review methodology
This section describes the methods used to conduct this SR. It includes eligibility criteria, information sources, search strategy, study selection, quality assessment process, and data extraction strategy.
Results
This section describes the results obtained from this SR.
Discussion
This section provides answers to the research question and sub-questions stated in Section 1.
Conclusion
A systematic review has been conducted on 55 articles relevant to PIN-entry methods resistant to shoulder-surfing attacks. These methods are classified into direct and indirect inputs. Direct input methods are categorised into visual distraction, gaze-based, and others. The visual distraction methods include cursor camouflage, direct distraction, and keypad distraction methods. Indirect input methods are classified into challenge-response and others. Challenge-response methods can also be
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgements
This study was supported by the Fundamental Research Grant Scheme (Grant no. FP114-2018A) from the Ministry of Higher Education, Malaysia and by Hadhramout Foundation, Yemen.
Farid Binbeshr is a PhD student at the Department of Computer System and Technology, University of Malaya, Malaysia. He obtained his Master’s degree in Computer Networks from King Fahd University of Petroleum & Minerals (KFUPM), Dhahran, Saudi Arabia, in 2014. His areas of research interest are network security, authentication, and cryptography.
References (66)
- et al. A survey on smartphone user's security choices, awareness and education. Comput. Secur. (2020)
- et al. Secure bimodal pin-entry method using audio signals. Comput. Secur. (2016)
- et al. Two-thumbs-up: Physical protection for pin entry secure against recording attacks. Comput. Secur. (2018)
- et al. Personal identification number entry for google glass. Comput. Electr. Eng. (2017)
- et al. User practice in password security: An empirical study of real-life passwords in the wild. Comput. Secur. (2016)
- et al. Incognito: Shoulder-surfing resistant selection method. J. Inform. Secur. Applica. (2018)
- et al. Security enhancement in automated teller machine. 2017 International Conference on Intelligent Computing and Control (I2C2) (2017)
- et al. Path word: a multimodal password entry method for ad-hoc authentication based on digits' shape and smooth pursuit eye movements. Proceedings of the 20th ACM International Conference on Multimodal Interaction (2018)
- et al. Making pin and password entry secure against shoulder surfing using camouflage characters. Int. J. Comput. Sci. Inform. Secur. (2016)
- et al. Shoulder surf resistant screen locking for smartphones: a review of fifty non-biometric methods. 2018 IEEE Conference on Application, Information and Network Security (AINS) (2018)
- Pursuitpass: A visual pursuit-based user authentication system. 2019 32nd SIBGRAPI Conference on Graphics, Patterns and Images (SIBGRAPI)
- On designing leakage-resilient vibration based authentication techniques. 2016 IEEE Trustcom/BigDataSE/ISPA
- On overcoming the identified limitations of a usable pin entry method. IEEE Access
- A simple observation attacks resistant pin-entry scheme employing audios. 2017 IEEE 9th International Conference on Communication Software and Networks (ICCSN)
- Measuring the Usability and Security of Permuted Passwords on Mobile Platforms
- Securing pin-based authentication in smartwatches with just two gestures. Concurr. Comput.
- Colorsnakes: using colored decoys to secure authentication in sensitive contexts. Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services
- Revisiting authentication with shoulder-surfing resistance for smartphones. 2015 Third International Symposium on Computing and Networking (CANDAR)
- A password authentication method tolerant to video-recording attacks analyzing multiple authentication operations. Int. J. Comput. Sci. Electron. Eng. (IJCSEE)
- Borderless interface for user authentication method tolerant against multiple video-recording attacks. 2017 International Conference on Computer Systems, Electronics and Control (ICCSEC)
- Dynamic keypad-digit shuffling for secure pin entry in a virtual world. International Conference on Virtual, Augmented and Mixed Reality
- Secure human identification protocols. International Conference on the Theory and Application of Cryptology and Information Security
- The prisma extension statement for reporting of systematic reviews incorporating network meta-analyses of health care interventions: checklist and explanations. Ann. Internal Med.
- Gaze touch cross pin: Secure multimodal authentication using gaze and touch pin. Int. J. Eng. Adv. Technol. (IJEAT)
- Enhancing smartphone lock security using vibration enabled randomly positioned numbers. Proceedings of the International Conference on Computing Advancements
- Revolving flywheel pin entry method to prevent shoulder surfing attacks. 2018 3rd International Conference for Convergence in Technology (I2CT)
- Guidelines for performing systematic literature reviews in software engineering. Technical Report
- Gazetouchpin: protecting sensitive data on mobile devices using secure multimodal authentication. Proceedings of the 19th ACM International Conference on Multimodal Interaction
- Dynamicpin: A novel approach towards secure atm authentication. 2017 International Conference on Computational Science and Computational Intelligence (CSCI)
- Use the force: Evaluating force-sensitive authentication for mobile devices. Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)
- A simple sector-based textual-graphical password scheme with resistance to login-recording attacks. IEICE Trans. Inform. Syst.
M.L. Mat Kiah joined the Faculty of Computer Science and Information Technology, University of Malaya, Malaysia as a tutor in 1997 and was appointed as a lecturer in 2001. She received her BSc. (Hons) in Computer Science from the University of Malaya in 1997, an MSc from Royal Holloway, University of London, UK in 1998, and a Ph.D., also from Royal Holloway, University of London, in 2007. She is a full Professor at the Department of Computer System and Technology, Faculty of Computer Science and Information Technology, University of Malaya. Since 2008, she has been actively doing research, particularly in the security area of computing and networking. Amongst her research grants were a High-Impact Research Grant from the Ministry of Higher Education, Malaysia in 2012, for a duration of 4 years, working on a secure framework for Electronic Medical Records, and an eScience grant from the Ministry of Science, Technology and Innovation in 2013, for a duration of 3 years, working on Secure Group Communication for Critical National Information Infrastructure (CNII). Her current research interests include Cyber Security, IoT and Cryptography.
Lip Yee Por received the Ph.D. degree from the University of Malaya, Malaysia in 2012. Currently, he is an Associate Professor at the Department of Computer System and Technology, University of Malaya, Malaysia. In general, his research interests are bioinformatics (e.g. biosensors, pain research), computer security (e.g. information security, steganography, authentication (graphical passwords)), neural networks (e.g. supervised and unsupervised learning methods such as support vector machines and extreme learning machines), grid computing, and e-learning frameworks.
A.A. Zaidan received his first-class B.Eng. degree in Computer Engineering in 2004 from the University of Technology, Baghdad, Iraq. He then received his M.Sc. degree in Data Communications and Computer Networks in 2009 from the University of Malaya, Malaysia, followed by his Ph.D. degree in Artificial Intelligence in 2013 from Multimedia University, Malaysia. Currently, he is an Associate Professor at the Department of Computing, Universiti Pendidikan Sultan Idris. He has led, and been a member of, many funded research projects, and has published more than 200 papers in indexed international conferences and journals. His research areas are Data Science & Analysis and Cyber Security.