A secure pin-entry method resistant to shoulder-surfing and recording attacks / Farid Binbeshr

The regular PIN-entry method has been considered the most common method of authentication for systems and networks. However, PINs are easy to be captured through shoulder-surfing and recording attacks. An adversary may shoulder surf the authentication session to obtain the PIN. He or she may use...

Full description

Saved in:
Bibliographic Details
Main Author: Farid , Binbeshr
Format: Thesis
Published: 2022
Subjects:
Online Access:http://studentsrepo.um.edu.my/15111/1/Farid_Binbeshr.pdf
http://studentsrepo.um.edu.my/15111/2/Farid_Binbeshr.pdf
http://studentsrepo.um.edu.my/15111/
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The regular PIN-entry method has been considered the most common method of authentication for systems and networks. However, PINs are easy to be captured through shoulder-surfing and recording attacks. An adversary may shoulder surf the authentication session to obtain the PIN. He or she may use a video-recording device to record a user while performing authentication and later reproduce the PIN. It is also possible that the adversary might install spyware on the compromised device and capture the user input and screen content. This problem with the regular PIN-entry method could be attributed to the involuntary nature of entering the original PIN during authentication. A plethora of PIN-entry methods have been proposed in the literature to mitigate such attacks. They are categorised into direct input and indirect input methods according to the way of entering the original PIN. Unfortunately, these methods either provide no protection against shoulder-surfing and recording attacks (video-based and spyware-based) or hamper the PIN-entry method’s usability or compatibility. In this research, an indirect input method that employs the challenge-response approach is proposed in order to produce a One Time PIN (OTP) that obscures the original PIN. Three versions of the proposed PIN-entry method are designed. Two user studies were conducted; preliminary and primary. The preliminary user study was used to find the best version of the proposed PIN-entry method. The primary user study was used to evaluate the security and usability of the best version and compared it with the related work. The results of the user study manifest that the proposed PIN-entry method provides better security than the existing PIN-entry methods while maintaining an acceptable level of usability. Moreover, the user feedback fully supports the use of the proposed PIN-entry method in critical-security situations.