A New Graphical Password Scheme Resistant to Shoulder-Surfing

TL;DR

This paper introduces a graphical password scheme designed for PDAs that enhances resistance to shoulder-surfing attacks while maintaining usability, using drawing-based input and additional security measures.

Contribution

The paper presents a novel drawing-based graphical password scheme that improves shoulder-surfing resistance without sacrificing usability, inspired by DAS and Story methods.

Findings

Users could accurately enter passwords using the scheme.

Users remembered passwords over time.

The scheme demonstrated good resistance to shoulder-surfing.

Abstract

Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images orderly rather than click directly on them. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shouldersurfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time.