Tactile One-Time Pad: Smartphone Authentication Resilient Against Shoulder Surfing
Sebastian Uellenbeck, Thomas Hupperich, Christopher Wolf, Thorsten Holz
TR-HGI-2014-003, Ruhr-Universität Bochum, Horst Görtz Institut für IT-Sicherheit (HGI), September 2014
Smartphones are widely used today and, according to recent studies, already hold a market share of more than 55%. They often contain sensitive or private data such as contacts, pictures, or even passwords that an attacker can easily access if the device is unlocked. Since smartphones are mobile and used as everyday gadgets, they are prone to being lost or stolen. To keep an attacker from accessing the data, access control mechanisms such as user authentication are needed. However, commonly used authentication mechanisms like PINs, passwords, and patterns share the same weakness: they are vulnerable to several kinds of attacks, most notably shoulder surfing. To prevent shoulder surfing, a secure channel between the smartphone and the user must be established that an adversary cannot eavesdrop on.
In this paper we concentrate on the smartphone's tactile feedback to add a new security layer to plain PIN-based authentication. The key idea is to use vibrations as an additional channel and to complement the PIN with a tactile one-time pattern. We present our prototype implementation for the Android platform. To calibrate the usability of our approach, we developed a game that more than 220 participants played, which let us determine the shortest vibration duration most people can sense. In a security evaluation, we recorded the acoustic signal of the vibration motor of five different smartphones at four different locations with a high-end microphone and cross-correlated a recorded login with a pre-recorded acoustic fingerprint of each device. Our results demonstrate that an attacker cannot recover the user's secret under normal conditions, e.g., in a restaurant or during a conversation, even with professional equipment. Finally, we show that the overhead of our approach is reasonable in practice and that it outperforms prior work on this topic.
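The following Python model is an added illustration of the key idea stated above, not code from the report or its Android prototype. The abstract only says that vibrations carry a one-time pattern that complements the PIN; the pulse-count encoding of a pad digit, the modulo-10 combination rule and every function name below are assumptions chosen to make the one-time-pad argument concrete: an observer who sees only the typed digits learns nothing, while an observer who also recovers the pad (the acoustic attack the report evaluates) recovers the PIN directly.

```python
"""Toy model of PIN entry protected by a tactile one-time pad.

Added illustration, not code from the report or its Android prototype. The
pulse-count encoding, the modulo-10 combination rule and all names here are
assumptions; the report's abstract does not specify them.
"""
import hmac
import secrets
from collections import Counter

PIN_LEN = 4


def generate_pad(length=PIN_LEN):
    """One uniformly random digit per PIN position from the OS CSPRNG.

    A pad is used for exactly one login attempt. If the same pad were shown
    twice, the response typed for it would be identical both times and an
    observer could simply replay it.
    """
    return [secrets.randbelow(10) for _ in range(length)]


def pad_to_vibration_schedule(pad, pulse_ms=150, gap_ms=150, digit_gap_ms=600):
    """ASSUMED encoding: pad digit d is felt as d + 1 short pulses.

    Returns (start_ms, duration_ms) pairs that a real app would hand to the
    platform vibrator. 150 ms is a placeholder for the minimum perceptible
    duration the report calibrated in its user study, not the report's value.
    """
    schedule = []
    t = 0
    for d in pad:
        for _ in range(d + 1):
            schedule.append((t, pulse_ms))
            t += pulse_ms + gap_ms
        t += digit_gap_ms - gap_ms  # longer pause marks the digit boundary
    return schedule


def user_response(pin, pad):
    """What the user actually types: each PIN digit shifted by the felt digit."""
    return [(p + k) % 10 for p, k in zip(pin, pad)]


def verify(stored_pin, pad, response):
    """Device side: strip the pad, then compare in constant time."""
    if len(response) != len(stored_pin):
        return False
    recovered = "".join(str((r - k) % 10) for r, k in zip(response, pad))
    expected = "".join(str(p) for p in stored_pin)
    return hmac.compare_digest(recovered, expected)


def eavesdropper_recovers_pin(response, pad):
    """Attacker model the report evaluates: the typed digits were seen AND the
    pad was recovered (e.g. from the sound of the vibration motor). The PIN
    falls out directly, which is why the tactile channel must stay private."""
    return [(r - k) % 10 for r, k in zip(response, pad)]


def shoulder_surfer_view(pin, trials=10_000):
    """Attacker model the scheme defends against: the typed digits are seen
    but the pad is not. Over many logins with the same PIN, the first typed
    digit should be uniform over 0..9, i.e. carry no information about it."""
    counts = Counter()
    for _ in range(trials):
        counts[user_response(pin, generate_pad(len(pin)))[0]] += 1
    return counts


if __name__ == "__main__":
    pin = [1, 2, 3, 4]
    pad = generate_pad()
    typed = user_response(pin, pad)
    print("pad", pad, "typed", typed, "accepted", verify(pin, pad, typed))
    print("with recorded pad, attacker gets", eavesdropper_recovers_pin(typed, pad))
    print("without pad, first typed digit histogram", shoulder_surfer_view(pin))
```

The histogram returned by `shoulder_surfer_view` is the check worth running before trusting any such scheme: if the pad digits are not uniform (a biased or reused source), the typed digits start to correlate with the PIN and the one-time-pad argument no longer holds.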