VRSafe: A Secure Virtual Keyboard to Mitigate Keystroke Inference in Virtual Reality

TL;DR

VRSafe is a novel virtual keyboard designed for VR that introduces false keystrokes and a malicious login detector to defend against keystroke inference attacks, improving security with minimal usability impact.

Contribution

This paper presents VRSafe, a VR keyboard that effectively mitigates keystroke inference attacks and detects unauthorized logins, addressing a significant security gap in VR password authentication.

Findings

VRSafe significantly reduces keystroke inference attack accuracy.

The malicious login detector achieves high detection rate with low resource usage.

User study shows modest usability overhead with improved security.

Abstract

Password-based authentication is one of the most commonly used methods for verifying user identities, and its widespread usage continues in virtual reality (VR) applications. As a result, various forms of attacks on password-based authentication in traditional environments such as keystroke inference and shoulder surfing, are still effective in VR applications. While keystroke inference attacks on virtual keyboards have been studied extensively, few efforts have developed an effective and cost-efficient defense strategy to mitigate keystroke inferences in VR. To address this gap, this paper presents a novel QWERTY keyboard called \textit{VRSafe} that is resilient to keystroke inference attacks. The proposed keyboard carefully introduces false positive keystrokes into the information collected by attackers during the typing process, making the inference of the original password difficult. \textit{VRSafe} also incorporates a novel malicious login detector that can effectively identify unauthorized login attempts using credentials inferred from keystroke inference attacks with high detection rate and minimal time and memory cost. The proposed design is evaluated through both simulation experiments and a real-world user study, and the results show that \textit{VRSafe} can significantly reduce the accuracy of keystroke inference attacks while incurring a modest overhead from a usability standpoint.