This paper reports two attacks on Undercover, a human authentication scheme against passive observers proposed at CHI 2008. The first attack exploits nonuniform human behavior in responding to authentication challenges; the second is based on information leaked from the authentication challenges or responses that are visible to the attacker. The second attack can be generalized to break two alternative Undercover designs presented at Pervasive 2009. All of the attacks exploit design flaws in the Undercover implementations. Theoretical and experimental analyses show that both attacks can reveal the user's password with high probability after O(10) observed login sessions. Both attacks were verified using login data collected in a user study with 28 participants. We also propose some enhancements to make Undercover secure against the attacks reported in this paper. Our research in breaking and improving Undercover leads to two broader implications. First, it reemphasizes the principle that "the devil is in the details" for the design of security-related human-computer interfaces. Second, it reveals a subtle relationship between security and usability: human users may behave in an insecure way that compromises the security of a system. To design a secure human-computer interface, designers should pay special attention to the possible negative influence of every detail of the interface, including how human users interact with the system.