Multi-Touch Authentication on Tabletops

Computing in public spaces has become common due to the increasing ubiquity of mobile computing and portable computers with the capability of Internet connectivity “anywhere”, “anytime”. However, when performing security-sensitive tasks on these devices in public, both passive and active observers are given an opportunity to eavesdrop on this information. This is particularly critical for authentication; alphanumeric passwords and personal identification numbers (PINs) are multi-platform authentication mechanisms. However, as both are based on "something you know", it is relatively easy for an attacker to replicate the authentication process after observing the user’s input or the on-screen content.

The introduction of digital tabletop interfaces, such as Microsoft Surface, has given rise to the need to develop secure and usable authentication techniques that are appropriate for the co-located collaborative settings for which they have been designed. It is inevitable that applications naturally evolve to require authentication, and in their current form, PINs and passwords are more vulnerable to observation than in more conventional contexts. Observation could be restricted by simply shielding the input of the credentials with a hand. However, people respond to a social imperative that makes it difficult for them to signal an explicit mistrust of colleagues. This calls for particular design of schemes for this new context...


Authentication Techniques

We explored the design space for authentication techniques that leverage a number of qualities available on multi-touch displays and designed five new authentication techniques for digital tabletops addressing the issues mentioned above.

The physicality and directness of touch interaction allow a user to directly touch and interact with virtual interface elements that exploit direct physical metaphors -- which could improve usability and comprehension of underlying security mechanisms.

We tried to hamper observation of the authentication process by interfering with one or more steps in the observer’s processes of sense making and knowledge acquisition.

ShieldPIN

Our first technique is called ShieldPIN and tries to reduce visibility of the input area in the first place. It incorporates a compulsory hand shielding gesture that provides a physical barrier to visibility of an item. This gesture forms part of an interlock mechanism that prevents the appearance of the PIN keypad until the gesture is detected in a hand-shaped zone on the interface. Upon detection, the keypad is displayed behind the shield. This enables PIN entry with the remaining hand, so that shielding is designed into the interaction and is no longer a voluntary action that could be interpreted as an indicator of mistrust. The PIN keypad can appear and disappear in response to the detection of the shielding gesture.

The PIN entry process itself is unchanged, which has significant usability and comprehensibility benefits. An observation attack on this method is likely to be difficult due to the small screen real estate used by the mechanism and the comparative size of the shielding gesture. However, an attacker is most likely to be successful from a vantage point behind the shield.

SlotPIN

SlotPIN is a technique based on the principle of providing redundant information and encouraging concurrent actions. The user enters a PIN by aligning reels on the interface so that one row contains the correct PIN. The particular row is determined by the first (static) wheel. The task of the attacker is complicated by the order of the numbers on all reels being randomized at each login. The user must manipulate the three remaining wheels to complete the alignment of the remaining PIN digits. The interface consists of four vertical reels of randomly ordered digits (0-9). The wheels cannot be turned by direct interaction, to reduce the likelihood that users directly touch – and reveal – each correct PIN digit. Instead, a scroll wheel is provided below each of the three movable reels.

In its current form SlotPIN is immune to one shoulder surfing attack, but has a vulnerability to multiple attacks. After recording the end-state of one login, the attacker has 10 candidate PINs. However, observing one further successful login enables the attacker to find the PIN that two logins have in common, when none of the remaining candidate PINs reappear.

CuePIN

CuePIN addresses SlotPIN's weakness of revealing the correct PIN to an attacker over time by combining features of both SlotPIN and ShieldPIN to eliminate any patterns appearing in the final reel states. The shield gesture is used to create a covert channel between the system and the user so that each PIN digit can be aligned to a random row of a reel. The interface is visually similar to that of SlotPIN, with the addition of an area to receive a shield gesture and with every reel now able to be manipulated by the user. Each row is also supplemented with an identifier character in the range A-J.

To enter a PIN the user performs the shield gesture in a defined area to reveal a random character in the range A-J. Then the user manipulates the first reel to align the first PIN digit to the row revealed by the shielding gesture. When the user touches the next reel the shielded area reveals the row where the user has to align the next PIN digit. Attackers can only extract the correct PIN from observations when they record both the shielded area and the reels.
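The following simulation is an added example, not code from the original project. It measures how many PINs remain consistent with what an observer sees in the final reel states, for SlotPIN (one shared row) and for CuePIN (a random row per reel, cued under the shield). The reel model, function names and sample PIN are assumptions, and the observer is assumed to see the reels only, not the shielded cue.

```python
import random
from itertools import product

DIGITS = list(range(10))

def column_with(digit, row, rng):
    """One reel as displayed: a random digit order with `digit` at `row`."""
    col = rng.sample(DIGITS, 10)
    i = col.index(digit)
    col[i], col[row] = col[row], col[i]  # swap keeps it a permutation
    return col

def login_end_state(pin, rng, scheme):
    """Final display of one successful login: four reels of ten rows."""
    if scheme == "slot":
        # SlotPIN: every digit sits on the row fixed by the first reel.
        rows = [rng.randrange(10)] * len(pin)
    else:
        # CuePIN: each digit sits on its own randomly cued row.
        rows = [rng.randrange(10) for _ in pin]
    return [column_with(d, r, rng) for d, r in zip(pin, rows)]

def consistent_pins(state, scheme):
    """PINs that an observer of the reels alone cannot rule out."""
    if scheme == "slot":
        return {tuple(col[r] for col in state) for r in range(10)}
    return set(product(*state))  # any row of any reel may hold the digit

def observe(pin, scheme, logins, seed=1):
    """Candidate-set size after each observed login, plus the final set."""
    rng = random.Random(seed)
    remaining, sizes = None, []
    for _ in range(logins):
        seen = consistent_pins(login_end_state(pin, rng, scheme), scheme)
        remaining = seen if remaining is None else remaining & seen
        sizes.append(len(remaining))
    return sizes, remaining

if __name__ == "__main__":
    pin = (4, 7, 1, 9)  # constructed sample PIN
    for scheme in ("slot", "cue"):
        sizes, _ = observe(pin, scheme, logins=6)
        print(scheme, sizes)
```

For SlotPIN the candidate set starts at 10 and shrinks to the single real PIN within a few logins, while for CuePIN it stays at all 10,000 four-digit PINs however many reel states are recorded.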

Color-Rings

Color-Rings is a visual authentication scheme that exploits both concurrent and redundant actions, presents redundant information and aims to restrict visibility through the size of objects on the interface. Unlike SlotPIN, which also employs concurrent actions, Color-Rings has this designed into the interaction. The user is assigned a number of key icons (e.g. 4 icons) that are collectively assigned one single color-ring: red, green, blue, or pink. At login the user is presented with a grid of icons where the corresponding icon is displayed together with a number of decoy icons (e.g. 72) in randomized positions. For each grid the user must “lasso” the key icon with the correctly colored ring, which is large enough to capture more than one icon. To begin the interaction the user is asked to place 4 fingers down on the display (ideally index finger and thumb from each hand) around which four rings of different colors are then drawn. The user must drag all 4 rings concurrently and place them in the grid -- three of the rings make decoy selections. Users confirm a selection by dropping the rings in position.

For a random guess attack, the password space is significantly larger than that of a PIN due to the two tasks of discovering the correct ring and the correct icons in each grid. We believe the task of deciphering the on-screen information to be too difficult based on short-term memory. However, a camera-based attack is potentially feasible over multiple logins, as this technique also reveals the correct credential over time.

Pressure-Grid

Pressure-Grid is a technique that exploits the capability of some touch technologies to detect pressure changes of touching fingers. In Pressure-Grid the user is presented with a number of 3x3 grids, each containing 9 objects (digits, distinct images or faces), where the user has to indirectly select an object by changing the pressure of their fingers resting on the digital table surface in order to input a PIN or a sequence of images.

The user begins to authenticate by placing three fingers of each hand at two orthogonal edges of the grid. As soon as the system detects all six fingers resting on the table the user is presented with a 3x3 grid (3 rows and 3 columns) containing 9 distinct objects in either static or randomized order. The user selects an object of the grid by applying additional pressure on the fingers resting in front of the column and row containing the wanted object. This can be repeated until an entire sequence of objects is selected. The key element that underpins the security of this technique is that attackers will have difficulty attending simultaneously to sources of pressure from both hands and the object to which the pressure maps.

We believe it to be a promising solution to co-located observation attacks. A camera attack also seems difficult, although one useful approach could exploit a technology described by Joe Marshall and his colleagues where cameras are used to detect the change in color of flesh beneath the fingernail, caused by pressure of the finger upon a surface.


Considering all system designs, we believe ShieldPIN, CuePIN, and Pressure-Grid to be promising exemplars of authentication on multi-touch interfaces. Further research and development is needed to make CuePIN and Pressure-Grid suitable for real installations; however, ShieldPIN offers a number of instant benefits. Firstly, it is based on the existing PIN entry paradigm, which makes it likely to be intuitive to diverse groups of users; its limitations can be easily perceived by the users; and finally its simple design makes it highly deployable.

We believe that SlotPIN and Color-Rings can easily be migrated to mobile phone touch interfaces by exploiting capabilities of modern smart phones, such as sensing acceleration and orientation of the device. The risk of leaking credentials is increased even more on touch-based devices, as they give observers better visual access to the input area. The virtual keys on smart phones are usually bigger than their physical counterparts so as to enable users to input accurately with their fingers, and Tablet PCs lack physical shielding, as the display panel doesn’t hide the keyboard in contrast to laptops.

An issue which needs to be addressed for shared interfaces is that most touch technologies are not capable of distinguishing the identity of users, and so a further challenge concerns how to ensure that authenticated access to an object remains restricted to a particular user throughout a session. A simple software response to the problem could be to restrict the movement of authenticated objects beyond protected areas of the surface.


Authors

David Kim, Newcastle University, UK
Paul Dunphy, Newcastle University, UK
Pam Briggs, Northumbria University, UK
Jonathan Hook, Newcastle University, UK
John Nicholson, Newcastle University, UK
James Nicholson, Northumbria University, UK
Patrick Olivier, Newcastle University, UK