Towards Baselines for Shoulder Surfing on Mobile Authentication
Adam J. Aviv, John T. Davin, Flynn Wolf, and Ravi Kuber

TL;DR
This study establishes baseline vulnerabilities of current mobile authentication methods to shoulder surfing through a large online experiment (n=1173), revealing significant differences in attack success rates between PINs and Android unlock patterns.
Contribution
It provides the first comprehensive baseline analysis of shoulder surfing vulnerability on current mobile unlock systems using controlled video experiments.
Findings
6-digit PINs are relatively resistant to single observations (10.8% success rate).
Android patterns are highly vulnerable, with up to a 64.2% success rate after a single observation.
Removing feedback lines from patterns significantly improves security against shoulder surfing.
Abstract
Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs on current systems is less well studied. In this paper, we describe a large online experiment (n=1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attacking surface where…
