IllusionPIN: Shoulder-Surfing Resistant Authentication Using Hybrid Images

TL;DR

IllusionPIN is a touchscreen authentication method that uses hybrid images to prevent shoulder-surfing attacks by making the keypad appear differently to nearby users and distant observers, enhancing security.

Contribution

The paper introduces IllusionPIN, a novel hybrid image-based PIN entry system that significantly improves resistance to shoulder-surfing and camera-based observation attacks.

Findings

None of the simulated attacks succeeded against the estimations.

The minimum distance for effective shoulder-surfing is significantly increased.

Camera capture of PINs is practically impossible with IllusionPIN.

Abstract

We address the problem of shoulder-surfing attacks on authentication schemes by proposing IllusionPIN (IPIN), a PIN-based authentication method that operates on touchscreen devices. IPIN uses the technique of hybrid images to blend two keypads with different digit orderings in such a way, that the user who is close to the device is seeing one keypad to enter her PIN, while the attacker who is looking at the device from a bigger distance is seeing only the other keypad. The user's keypad is shuffled in every authentication attempt since the attacker may memorize the spatial arrangement of the pressed digits. To reason about the security of IllusionPIN, we developed an algorithm which is based on human visual perception and estimates the minimum distance from which an observer is unable to interpret the keypad of the user. We tested our estimations with 84 simulated shoulder-surfing attacks from 21 different people. None of the attacks was successful against our estimations. In addition, we estimated the minimum distance from which a camera is unable to capture the visual information from the keypad of the user. Based on our analysis, it seems practically almost impossible for a surveillance camera to capture the PIN of a smartphone user when IPIN is in use.