GB2476822A - Observation-resistant authentication method using finger pressure determination - Google Patents

Observation-resistant authentication method using finger pressure determination Download PDF

Info

Publication number
GB2476822A
GB2476822A GB1000356A GB201000356A GB2476822A GB 2476822 A GB2476822 A GB 2476822A GB 1000356 A GB1000356 A GB 1000356A GB 201000356 A GB201000356 A GB 201000356A GB 2476822 A GB2476822 A GB 2476822A
Authority
GB
United Kingdom
Prior art keywords
grid
user
fingers
objects
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1000356A
Other versions
GB201000356D0 (en
GB2476822B (en
Inventor
Paul Michael Dunphy
David Kim
James Nicholson
John Nicholson
Jonathan Hook
Pamela Briggs
Patrick Olivier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB1000356.4A priority Critical patent/GB2476822B/en
Publication of GB201000356D0 publication Critical patent/GB201000356D0/en
Publication of GB2476822A publication Critical patent/GB2476822A/en
Application granted granted Critical
Publication of GB2476822B publication Critical patent/GB2476822B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/30Individual registration on entry or exit not involving the use of a pass
    • G07C9/32Individual registration on entry or exit not involving the use of a pass in combination with an identity check
    • G07C9/33Individual registration on entry or exit not involving the use of a pass in combination with an identity check by means of a password
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025Identification of user by a PIN code
    • G07F7/1033Details of the PIN pad
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/36User authentication by graphic or iconic representation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/83Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/01Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F3/048Interaction techniques based on graphical user interfaces [GUI]
    • G06F3/0487Interaction techniques based on graphical user interfaces [GUI] using specific features provided by the input device, e.g. functions controlled by the rotation of a mouse with dual sensing arrangements, or of the nature of the input device, e.g. tap gestures based on pressure sensed by a digitiser
    • G06F3/0488Interaction techniques based on graphical user interfaces [GUI] using specific features provided by the input device, e.g. functions controlled by the rotation of a mouse with dual sensing arrangements, or of the nature of the input device, e.g. tap gestures based on pressure sensed by a digitiser using a touch-screen or digitiser, e.g. input of commands through traced gestures
    • G07C9/00142
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Human Computer Interaction (AREA)
  • User Interface Of Digital Computer (AREA)

Abstract

Observation-resistant authentication methods are likely to become increasingly important, as situated computing technologies such as tabletop interfaces and public displays become habitual. The method includes the user placing the fingers of both hands on a multi-touch surface substantially perpendicularly to each other. A grid is defined by the fingers, the grid containing a number of cells each containing an object. The method further includes the user communicating the coordinate of an object (x,y) by increasing pressure on fingers (x,y) on the edge of the grid. The multi-touch surface records this increased pressure and maps the coordinates to the object in the grid. This is repeated until the user has identified all objects in their authentication sequence and access can then be allowed or denied. The location of the objects in the grid can be varied after each input. Not all five fingers on each hand may be used. The authentication method is particularly resistant to shoulder-surfing.

Description

Invention Record Form i. Title: Authentication by Multi-Level Pressure Exertion on Multi-touch Interfaces
3. Description
3.1. Background
Knowledge-based authentication systems have an innate vulnerability to being compromised at the point of login using simple observation techniques (or shoulder surfing). An attacker can then used information gained to launch a replay attack where the observed credentials are re-used at a later time. As pervasive technologies become more widely accepted and deployed, there is a pressing need to explore authentication procedures that are resistant to the observation they are likely to incur.
One PIN entry mechanism designed to be resistant to shoulder surfing is the cognitive trapdoor game by Roth et al (2004) where the PIN is not explicitly exposed. bin knowledge of the PIN is crucial to completion. One drawback is that PIN entry times are increased by tell times over a control group not using the enhancement. Tan et al (2005) proposed a Spy-Resistant Keyboard, although much like Cognitive Trapdoor Game system, it took a long time to authenticate.
Graphical Passwords (Suo et. al 2005) are increasingly proposed as usable knowledge-based authentication mechanisms.
These are based on a strong conceptual basis that humans have more effective memory for images than words an numbers. Tan et al., 2006 discovered that non-dictionary alphanumeric passwords were more observable than graphical Passfaccs graphical passwords. Wiedenbeck et al (2006) propose the Convex Hull Click scheme where users identify a number of their objects in a larger set of objects (in this case icons) and are required to click within the convex hull formed by the positioning of the objects on screen. This system has the benefit that users do not directly click on their objects, therefore making it difficult to observe. A similar system using text instead of icons was proposed by Zhao and Li (2007) with the exception that the user is required to type a character that is inside the area instead of clicking.
Malek et. al describe a pen pressure-based solution that is based on the draw a secret (Jermyn et. al. 1999). Here the user makes a drawing on a tablet computer and pen pressure at various points of the drawing is encoded as an extra degree of complexity. The difference with our invention is that ours is multi-purpose, we exploit multi-touch technology which is a key design feature, and don't require additional hardware of the user.
Finally, gaze-based password entry has been explored by Kumar et al (2007) using eye-tracking. Although results were positive, eye tracking is still not feasible in real installations due to the high cost of hardware.
3.2. Detailed Description
We believe the invention could be deployed on public displays, tabletop interfaces or any other context that makes use of multi-touch interaction. The invention is also multi-purpose which means it is not restricted to work with one particular knowledge-based authentication scheme. This makes it applicable to graphical passwords (Suo et. al. 2005), PINs, alphanumeric passwords, or even a mixture.
A priori the user must enrol in an authentication scheme that harnesses the pressure-grid. In this process the user is assigned authentication credentials and is given time to remember them or record them in a secure manner. The invention is used in the authentication phase, where the user must demonstrate knowledge of their assigned credentials.
Firstly for calibration the user is required to initially place fingers on the interface. Then, relative to the finger positions an NxN grid is displayed. The grid is already populated with objects. of which the user is challenged to select any components of their original password sequence that appear in the grid. Objects in the grid are referenced by an (x,y) coordinate system, and one hand of the user is assigned x, and the other v. Each finger on the hands are assigned x=l, x=2...x=5. or y=1. y=2..y=5. In order to select an object the user is required to exert additional pressure on one finger per hand to communicate an (x,y) coordinate that identifies their chosen object. (see Figure 1). The user will only be authenticated if they correctly select all their objects. If a user fails one or more grids, they will not be authenticated and they will have the opportunity to try again.
Figure 1: The grid of objects (grey), green dots indicate fingers resting upon the surface. To select the object in the grid highlighted yellow; pressure is increased on one finger per hand (orange), the intersection of this in the grid communicates the object.
The system is effective as users do not directly touch the desired object, thus not revealing it to any observers. The attacker is required to simultaneously determine which finger on each hand is exerting pressure. and the object to which the pressure maps. Also the solution allows fast entry of authentication credentials, in our own evaluation we have seen PIN entry and Passfaces graphical password entry affected by only a few seconds.
3.3. References Roth, V., Richter, K., and Freidinger, R. 2004. A PIN-entry method resilient against shoulder surfing. In Proceedings of the 11th ACM Conference on Computer and Communications Security (Washington DC, USA, October 25 -29, 2004).
CCS 04. ACM, New York, NY, 236-245.
Zhao, H., and Li, X. 2007. S3PAS: A Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme. Advanced Information Networking and Applications Workshops, AINAW 07. 21st International Conference on, vol.2, no., 467-472, 21-23.
Wiedenbeck, 5., Waters, J., Sobrado, L., and Birget, J. 2006. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In Proceedings of the Working Conference on Advanced Visual interfaces (Venezia, Italy, May 23 -26, 2006). AVI 06. ACM, New York, NY, 177-184.
Kumar, M., Garfinkel, T., Boneh, D., and Winograd. T. 2007. Reducing shoulder-surfing by using gaze-based password entry. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh. Pennsylvania, July 18 -20, 2007). SOUPS 07, vol. 229. ACM, New York, NY, 13-19.
Taxi, F., Ozok, A. A., and Holden, S. H. 2006. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12 -14, 2006). SOUPS 06, vol. 149. ACM, New York, NY, 56-66.
Tan, D. S., Keyani, P.. and Czerwinski, M. 2005. Spy-resistant keyboard: more secure password entry on public touch screen displays. In Proceedings of the 17th Australia Conference on Computer-Human interaction: Citizens online: Considerations For Today and the Future (Canberra, Australia, November 21 -25, 2005). OZCFII, vol. 122. Computer-Human Interaction Special Interest Group (CHISIG) of Australia, Narrabundah, Australia, 1-10.
X. Suo, Y. Zhu, G. S. Owen, "Graphical Passwords: A Survey," 21st Annual Computer Security Applications Conference (ACSAC'OS), 2005, pp. 463-472.
B. Malek, M. Orozco, and A. El Saddik. Novel shoulder-surfing resistant haptic-based graphical password. In Proc. EuroHaptics'06, 2006.
Jermyn. I.. Mayer, A., Monrose, F., Reiter, M. K.. and Rubin, A. D. 1999. The design and analysis of graphical passwords. In Proceedings of the 8th Conference on USENIX Security Symposium -Volume 8 (Washington, D.C..
August 23 -26, 1999). USENIX Security Symposium. USENIX Association, Berkeley, CA, 1-1

Claims (9)

  1. 4. Claims 1. An authentication entry method on multi-touch interfaces that involves the user placing fingers of both hands on a multi-touch interface; an NxN grid of objects is displayed relative to the hands, the dimensions determined by the size of the hands; within the grid, each cell contains objects and are each assigned an (x,y) coordinate; fingers of the user are also assigned x or y coordinates; with the user making selections by exerting additional pressure upon the fingers that communicate the desired (x,y) coordinate; the system then translates the finger pressure into selection of object (x.y). The objects in the grid can then either be changed everytime the user makes a selection, or kept static. This is repeated until the user has entered their entire authentication sequence and the system gives feedback as to whether the user has entered the correct sequence. If incorrect the user is able to try again.
  2. 2. As in claim 1 Where coordinates are assigned to fingers through the use of pressure zones that are used make easier the translation between finger pressure and an object. Pressure within the zone is used to associate pressure with a finger.
  3. 3. As in claim 1 Where pressure thresholds are calculated for each finger individually depending on perceived dexterity or strength, in order to determine "additional pressure".
  4. 4. As in claim 1 where the user is expected to select multiple objects in the same grid.
  5. 5. As in claim 1 where no on-screen feedback is given as to each object selected.
  6. 6. As in claim 1 where the positions of objects in the grid are randomized at each new authentication attempt.
  7. 7. As in claim 1 where less than 5 fingers per hand are used in the interaction.
  8. 8. As in claim I where objects can be symbols, images, numbers, alphabetic characters, colors, or any object representation that can be formatted into the grid. r r 0*) rAmendments to the Claims have been filed as followsCLAIMS1. A dynamically calibrated and positioned inpifi method for user authentication on a multi-touch interface comprising: the user placing the fingers of both hands upon the interface approximately one hand-width apart; whereby a grid consisting of cells that each contain an object is dynamically sized to reflect dimensions of the hand and the spacing of fingers is positioned relative to the hands, and extended to form selection zones around the fingers of each hand; enabling the user to discreetly select an object within the grid by increasing pressure upon one finger per hand that can be interpreted as selection of one row and one column.2. An authentication entry method on a multi-touch device as defined in claim 1 where hands are further spaced apart, or closer together.3. An authentication entry method on a multi-touch device as defined in claim 1 where fewer than 5 fingers per hand are used in the interaction.4. An authentication entry method on a multi-touch device as defined in claim 1 where one dimension of a Cartesian 2D coordinate is assigned to each hand, and particular values within that dimension to each finger.5. An authentication entry method on a multi-touch device as defined in claim 1 where pressure capabilities are recorded for individual fingers to inform calculation of a threshold for detection of selections by each finger.6. An authentication entry method on a multi-touch device as defined in claim 1 where no on-screen feedback is given as to which object was selected.7. An authentication entry method on a multi-touch device as defined in claim 1 where objects within the grid can be symbols, images, numbers, alphabetic characters, colors, or any representation that can be formatted into the grid.8. An authentication entry method on a multi-touch device as defined in claim 1 where the user is able to select a sequence of objects.
  9. 9. An authentication entry method on a multi-touch device as defined in claim 1 where the selection zones are not explicitly displayed. r r 0*) r
GB1000356.4A 2010-01-11 2010-01-11 Authentication by multi-level pressure exertion on multi-touch tabletop interfaces Expired - Fee Related GB2476822B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1000356.4A GB2476822B (en) 2010-01-11 2010-01-11 Authentication by multi-level pressure exertion on multi-touch tabletop interfaces

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1000356.4A GB2476822B (en) 2010-01-11 2010-01-11 Authentication by multi-level pressure exertion on multi-touch tabletop interfaces

Publications (3)

Publication Number Publication Date
GB201000356D0 GB201000356D0 (en) 2010-02-24
GB2476822A true GB2476822A (en) 2011-07-13
GB2476822B GB2476822B (en) 2012-05-09

Family

ID=41819151

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1000356.4A Expired - Fee Related GB2476822B (en) 2010-01-11 2010-01-11 Authentication by multi-level pressure exertion on multi-touch tabletop interfaces

Country Status (1)

Country Link
GB (1) GB2476822B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2913741A1 (en) * 2014-02-28 2015-09-02 Orange Method for access control using haptic feedback
CN103809830B (en) * 2014-03-03 2016-08-31 欧浦登(福建)光学有限公司 Implementation method based on single-layer double-side conductor wire membrane capacitance formula gate inhibition's touch-control

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106340104B (en) * 2016-08-31 2018-08-03 谢志豪 A kind of coded lock, coded lock control system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5276314A (en) * 1992-04-03 1994-01-04 International Business Machines Corporation Identity verification system resistant to compromise by observation of its use
US20080092245A1 (en) * 2006-09-15 2008-04-17 Agent Science Technologies, Inc. Multi-touch device behaviormetric user authentication and dynamic usability system
US20090006941A1 (en) * 2007-06-29 2009-01-01 Funai Electric Co., Ltd. Password entry apparatus
GB2456048A (en) * 2007-05-16 2009-07-08 David John Duke Pin authentication using variable input matrix

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5276314A (en) * 1992-04-03 1994-01-04 International Business Machines Corporation Identity verification system resistant to compromise by observation of its use
US20080092245A1 (en) * 2006-09-15 2008-04-17 Agent Science Technologies, Inc. Multi-touch device behaviormetric user authentication and dynamic usability system
GB2456048A (en) * 2007-05-16 2009-07-08 David John Duke Pin authentication using variable input matrix
US20090006941A1 (en) * 2007-06-29 2009-01-01 Funai Electric Co., Ltd. Password entry apparatus

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2913741A1 (en) * 2014-02-28 2015-09-02 Orange Method for access control using haptic feedback
FR3018122A1 (en) * 2014-02-28 2015-09-04 Orange METHOD FOR CONTROLLING ACCESS BY HAPTIC RETURN
US10234943B2 (en) 2014-02-28 2019-03-19 Orange Access control method by haptic feedback
CN103809830B (en) * 2014-03-03 2016-08-31 欧浦登(福建)光学有限公司 Implementation method based on single-layer double-side conductor wire membrane capacitance formula gate inhibition's touch-control

Also Published As

Publication number Publication date
GB201000356D0 (en) 2010-02-24
GB2476822B (en) 2012-05-09

Similar Documents

Publication Publication Date Title
Gao et al. A survey on the use of graphical passwords in security.
Chiang et al. Improving user authentication on mobile devices: A touchscreen graphical password
Kwon et al. TinyLock: Affordable defense against smudge attacks on smartphone pattern lock systems
Tan et al. Spy-resistant keyboard: more secure password entry on public touch screen displays
Weaver et al. Gaze-based password authentication through automatic clustering of gaze points
EP2763070B1 (en) Graphical user interface (GUI) that receives directional input to change face for receiving passcode
Rao et al. Novel shoulder-surfing resistant authentication schemes using text-graphical passwords
Rajanna et al. A gaze gesture-based user authentication system to counter shoulder-surfing attacks
Perković et al. Breaking undercover: Exploiting design flaws and nonuniform human behavior
Islam et al. A review on recognition-based graphical password techniques
Shammee et al. A systematic literature review of graphical password schemes
Lai et al. A shoulder-surfing resistant scheme embedded in traditional passwords
Rajarajan et al. Shoulder surfing resistant virtual keyboard for internet banking
GB2476822A (en) Observation-resistant authentication method using finger pressure determination
Lashkari et al. A wide range survey on recall based graphical user authentications algorithms based on iso and attack patterns
Kita et al. Proposal and its evaluation of a shoulder-surfing attack resistant authentication method: Secret tap with double shift
Tabrez et al. Pass-matrix authentication a solution to shoulder surfing attacks with the assistance of graphical password authentication system
Yi et al. Touch logger resistant mobile authentication scheme using multimodal sensors
Kim et al. FakePIN: Dummy key based mobile user authentication scheme
Ali et al. Developing and evaluating a gestural and tactile mobile interface to support user authentication
Farmand et al. Improving graphical password resistant to shoulder-surfing using 4-way recognition-based sequence reproduction (RBSR4)
Yang et al. TIM: Secure and usable authentication for smartphones
Ibrahim et al. Gaze touch cross PIN: Secure multimodal authentication using gaze and touch PIN
Alsuhibany A Camouflage Text‐Based Password Approach for Mobile Devices against Shoulder‐Surfing Attack
Park et al. Proposal of a puzzle authentication method with shoulder-surfing attack resistance

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20190111