SlidePIN


INTRODUCTION

SlidePIN is a PIN entry mechanism that combines a slide input method with a random numeric keypad. The slide input method gives higher usability and security, and the random numeric keypad, at a slight cost in usability, conspicuously enhances the security of SlidePIN. As an indirect entry mechanism, SlidePIN places no additional computation or memory burden on users. SlidePIN performs effectively against one-time shoulder surfing attacks and better than the 4-digit PIN mechanism against multi-time shoulder surfing attacks.

BACKGROUND

The 4-digit PIN (Personal Identification Number) mechanism, the most widely used one, asks users to input the PIN directly, which makes it vulnerable to shoulder surfing attacks. Invisible entry mechanisms and indirect entry mechanisms have been proposed and developed with better resistance against shoulder surfing attacks. However, these mechanisms need either additional hardware or extra computation to ensure security and usability. The Word-Gesture Keyboard concept was proposed by Montgomery in 1982; inspired by this concept, we propose SlidePIN as an indirect entry mechanism with a random numeric keypad and slide input method.

CONCEPT

Design:
  1. Slide input is faster. It has been shown that click input is a more complex operation than slide input, which suggests that slide input will improve input efficiency.
  2. Slide input is more secure. With slide input, a user tends to wittingly or unwittingly slide over other non-PIN numbers, so the user's PIN is concealed in a slide sequence with more digits. This makes SlidePIN more secure than the traditional click input method against shoulder surfing attacks.
  3. Input with a random numeric keypad is more secure. With a random numeric keypad introduced, the randomness helps SlidePIN perform better against replay attacks.
(Figure: SlidePIN's Introduction)
Implementation:
  1. Setup Phase: As with the 4-digit PIN, the user chooses 4 ordered digits as the master secret shared between him/her and the smartphone, usually referred to as a PIN.
  2. Unlocking Phase: Instead of entering the PIN directly, the user touches and slides over a keypad, passing all digits of the PIN in order. As the figure shows, the keypad is a random numeric keypad. In addition, the sliding process must start from '*' and end with '#'. If the slide sequence contains the PIN as a subsequence, authentication passes. For instance, with '1245' as the user's PIN, the user needs to slide along a trace that starts from '*', ends with '#', and contains the subsequence '1245' in exact order on the numeric keypad. As the figure shows, '*381629458#' is one of the valid sliding traces that can unlock the phone.
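The unlock rule above, as an added example that is not the project's own code: `verify_trace` applies the start-at-'*', end-at-'#', PIN-as-subsequence check to the '*381629458#' trace from the text, `candidate_pins` counts how many distinct 4-digit PINs a single observed trace is consistent with (the uncertainty an observer is left with after one observation), and `random_keypad` is an assumed CSPRNG-based keypad shuffle, since the page does not say how the keypad is randomised.

```python
import secrets
from itertools import combinations

START, END = "*", "#"


def random_keypad():
    """Shuffle the ten digit keys with a CSPRNG (assumption: the page does not
    specify the shuffle; a non-cryptographic PRNG could make layouts predictable)."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def is_subsequence(needle, haystack):
    """True if every character of needle appears in haystack, in order,
    not necessarily contiguously."""
    it = iter(haystack)              # 'in' advances the iterator, so order is enforced
    return all(ch in it for ch in needle)


def verify_trace(trace, pin):
    """SlidePIN unlock rule: the trace starts at '*', ends at '#', only digit
    keys lie between, and the 4-digit PIN occurs in order among those keys."""
    if len(pin) != 4 or not pin.isdigit():
        return False
    if len(trace) < 2 or trace[0] != START or trace[-1] != END:
        return False
    body = trace[1:-1]
    if not body.isdigit():           # rejects '' and any stray '*' / '#' mid-trace
        return False
    return is_subsequence(pin, body)


def candidate_pins(trace):
    """All distinct 4-digit PINs hidden in one trace: the user's real PIN is
    only one of them, which is what blunts a one-time shoulder surfer."""
    body = trace[1:-1]
    return {"".join(c) for c in combinations(body, 4)}


if __name__ == "__main__":
    trace, pin = "*381629458#", "1245"     # values from the page's own example
    print("unlock:", verify_trace(trace, pin))           # True
    print("candidates:", len(candidate_pins(trace)))     # 126
    print("keypad:", random_keypad())
```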

EXPERIMENTS

To evaluate the usability and security of SlidePIN, we recruited a total of 20 students as volunteers to conduct the relevant experiments. Based on the data obtained from these experiments, we analyzed the reasonable range of slide sequence length, orientation time, unlock time, error rate and the capability of SlidePIN against multi-time shoulder surfing attacks.

(Figure: SlidePIN's Experiment)
Experiment Consequence:
  1. Average Sequence Length: 11.46 (theoretical value: 11.55)
  2. Orientation Time: 1.186s
  3. Unlock Time: 3.552s
  4. Error Rate: 13.04%
  5. The Capability Against Multi-time Shoulder Surfing: at least 2 times

Last update: 2015-3-25