Hardware Based Approaches

In hardware based approaches, additional hardware is employed during the authentication process that helps to make a system resistant to manifold attacks. In most cases, this hardware is used to provide an invisible communication channel to or from the user to transfer secret information.

Enhanced security is based on this information, which cannot or only with great effort be stolen

Figure 2.7: Left: The prototype of the tactile PIN-entry mechanism by Deyle et al. [39].

Passwords consist of a sequence of fingers. Right: A similar tactile system by Bianchi et al. [7], which uses a sequence of tactons (vibrotactile cues) as passwords.

by an attacker. The main advantage of these systems is that they have the potential to be extremely secure especially compared to software based systems. Performance-wise, the here presented approaches are comparable (or slightly better) than software based authentication mechanisms.

Within a public context, however, these systems are extremely sensitive to manipulations of the hardware which causes extra security problems. Additionally, deployment costs are much higher than for software based systems. This is something that has to be kept in mind for their design and especially when considering appropriate scenarios for them. With other words: when designing for a specific scenario, these two drawbacks should always be kept in mind.

Delivering Secret Information to the User

The first examples in this chapter use hardware as an invisible communication channel to deliver secret information to the users. Based on this, the users can then infer the correct input that represents their password. In all those systems, the input, which can be spied on, is meaningless without the information that has been exchanged. Since this information is transmitted securely and invisibly, the systems are theoretically highly secure.

Hardware based authentication mechanisms that secretly transmit information to the user often rely on tactile information, that is, something the users can feel. In 2006, Deyle et al. [39]

implemented and evaluated a system which uses a sequence of fingers as passwords. The users put their fingers over pins that are either lowered or raised (see figure 2.7, left). Authentication is done by selecting whether the current password-finger’s pin is lowered or raised (using two buttons). To perfectly identify a finger, three rounds are required. Therefore, the system is similar to the cognitive trapdoor game by his co-author Volker Roth [106] in that it requires several rounds to identify a finger (digit) of the password. An attacker can only spy on the user input. Without the knowledge about the randomized position of the pins, this knowledge is useless. Unfortunately, no user study is published and thus, the performance of the system remains unclear. It can be expected, however, that the input speed is equally slow to the cognitive trapdoor game since the approaches are very similar. Security-wise it can be expected to perform much better.

Figure 2.8: Left: The mechanical prototype of Undercover by Sasamoto et al. [110]. Center:

The movement of the ball assigns a different order of five buttons to the images on the screen (right). This way, the secret information “ball movement” is mapped to a keypad layout.

Bianchi et al. [7] created a tactile authentication mechanism very similar to the just discussed approach, with the important difference that the password consists of a sequence of tactons [12]

(vibration patterns that a user can distinguish). Three different tactons are randomly assigned to three keys as shown in figure 2.7, right. To authenticate, the users press the key that performs the current tacton. In a study with different password sizes, the system performed equal to the cognitive trapdoor game. It took on average 22 seconds for a 6-tacton password and 34 seconds for a 9-tacton password. The use of six and nine tactons instead of four as compared to a PIN, is needed to balance the small password space by only having three keys. Security can be rated high since the input does not give away any information on the users’ password. The authors also spent large effort on other haptic based authentication mechanisms like the haptic wheel [8].

The final example of a system that uses secret information transmitted to the user has been de-veloped by Sasamoto et al. in 2008. Undercover [110] uses a mechanical ball, hidden by the user’s hand, to secretly transmit one of five keypad layouts as depicted in figure 2.8. The ar-rangement of the layout tells the users which button to press to select their pass image on the screen. This way, Undercover is a security enhanced version of a cognometric authentication mechanism as introduced in chapter 2.3. A study with seven challenges per authentication round revealed good security attributes but low performance with times between 32 and 45 seconds on average. However, the system is a good example of how a theoretically secure system can easily be compromised by its users. In this case, it can be argued that this is due to complexity since the authentication token of nine participants could be stolen due to reasons like not completely covering the ball or pointing on the respective keypad layout. That is, the participants opened security holes without noticing it.

Receiving Secret Information from the User

The second category of examples uses an invisible communication channel as well. The differ-ence to the previous mentioned systems is that the channel is used to secretly transmit information from the user to the system. That is, in these authentication mechanisms, security is achieved by making the input of the password itself invisible.

11 2 3 4 5 6 7 8

2 3 4 5 6 7 8

Figure 2.9: Left: PressureFaces by Kim et al. [74] which uses pressure information on a multi-touch surface for secret authentication. Right: A similar approach by Malek et al. [89]

that extends drawing based graphical passwords with pressure information to secure the input. Bold lines indicate pressure.

A very illustrative example is using eye tracking technology to securely authenticate to a system as for example proposed by Hoanca et al. [61] as a security improvement for Passfaces^TM. The basic idea behind these systems is that the channel to the terminal, the users’ gaze, is invisible and thus completely shoulder surfing resistant.

One of the first thorough approaches in this area has been implemented by Kumar et al. in 2007 [78], in which they evaluated standard gaze-based interaction techniques on their appro-priateness for password-entry. Technique number one was dwell time [87], in which a user has to focus on a specific area, like a button, for a specific time to trigger an action. The second technique was called “gaze and trigger” in which an action was triggered by a button press. An evaluation using a set of alphanumerical passwords, revealed performance problems of the ap-proach but at the same time potentially high security in combination with ease-of-use. The main problem besides performance is the need for eye tracking technology at the terminal that can precisely identify the location of the users’ gaze and the need for a calibration mechanism that can cost the users significant amounts of time. The same problem applies to Cued-Gaze Points by Forget et al. [54] that applied eye tracking to Cued Click Points [17], thus requiring a user to look at specific points in a picture in a given order. In the scope of this thesis, a gaze-based authentication mechanism based on gaze gestures [43] was developed and evaluated that over-comes this weakness [35]. In a second iteration, a significant performance enhancement for this system was developed, namely EyePassShapes [27], which will be introduced in chapter 3.2.4.

The next two systems use pressure as the secret information from the user to the terminal. This is based on the assumption that pressure is an attribute that is very hard to spy on by an attacker.

Theoretically, even video attacks can theoretically be overcome this way, even though none of the presented systems actually employed such an attack.

Haptic-based graphical passwords have been proposed by Malek et al. [89]. Their system uses pressure based surfaces to improve the security of “Draw a Secret”-like drawmetric pass-words [67]. In addition to the users’ shape, the system remembers a binary pressure information for each stroke (pressure yes or no) as shown in figure 2.9, right. This way, the secret second dimension makes attacks much harder. Unfortunately, the evaluation presented in their work is purely qualitative and thus does not allow objective judgment of the system’s performance be-sides the fact that the study participants seemed to like it. Another weakness is that only part of the authentication credential is hidden. Therefore, based on the password length, the missing information can theoretically be identified in a certain number of rounds.

Similarly, Kim et al. [74] use pressure information on multi-touch for their PressureGrid system.

Figure 2.9, left, shows PressureFaces, a PressureGrid variant based on PassFaces^TM. To select the photos that build the users’ password, the users have to add pressure to the respective fingers that, in combination, uniquely identify a cell in an 3x3 grid. For instance, selecting the middle photo requires the user to add pressure to both middle fingers. The intersection of these imaginary lines marks the cell. To “force” the users to behave securely, the system only works if all buttons are occupied with a finger. To additionally hide the pressure and confuse and attacker, the buttons blink. The main advantage of this system compared to the haptic-based graphical passwords is that the whole input is hidden and thus a visual attack does not reveal parts of the authentication token. Additionally, with an average input speed of twelve seconds, the system performs well, especially compared to software based authentication mechanisms.

An advantage that both systems share is the (potential) use of multi-touch hardware, which could also run haptic-based graphical passwords. This technology is very likely to widely hit the public terminal market in the near future. In some scenarios, in which multi-touch screens are avail-able like some public information screens, these systems could be deployed without any major additional costs.

Finally, Pass-thoughts by Thorpe et al. [127] clearly deserves to be mentioned in this chapter. In 2005, they discussed a theoretical system in which the users’ thoughts could be used to securely authenticate. This is clearly usage of a hidden channel to the terminal. However, some time will pass till such a system can be effectively evaluated.

The special appeal of hardware based authentication mechanisms is their great security poten-tial. Enabling the users to secretly receive or transmit information from and to a terminal offers great possibilities. As seen, some hardware based systems additionally manage to achieve high performance in terms of input speed. Vandalism and more specifically manipulations are their main problems alongside with potential deployment costs. Correct use of the systems can be an issue as well that might open security holes. In this thesis, two hardware based authentica-tion mechanisms were developed and evaluated based on eye tracking which seemed to have the highest potential among the different approaches. EyePIN [35] and its usability extension Eye-PassShapes [27] were designed to overcome the main problems of gaze-based authentication, deployment costs and the need for calibration (see chapter 3.2).

Figure 2.10: Left: A “tilt left” gesture of the gesture based authentication system by Chong et al. [18]. Right: PIN-entry using the Touch Projector system by Boring et al. [9, 10].