TY - JOUR
T1 - PressPIN
T2 - Enabling Secure PIN Authentication on Mobile Devices via Structure-Borne Sounds
AU - Zhou, Man
AU - Wang, Qian
AU - Lin, Xiu
AU - Zhao, Yi
AU - Jiang, Peipei
AU - Li, Qi
AU - Shen, Chao
AU - Wang, Cong
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2023/3/1
Y1 - 2023/3/1
N2 - PIN authentication is widely used on mobile devices due to its usability and simplicity. However, it is known to be susceptible to shoulder surfing attacks, where an adversary spies the user's PIN by direct human observation or camera-based recording. This paper proposes PressPIN, a novel enhanced PIN authenticator on mobile devices by sensing pressures from the user's finger. Since pressure-sensitive touch screens are unavailable on most phones, we leverage the structure-borne propagation of sounds to estimate the pressure on the screen. When the user inputs the PINs, the pressure is extracted from each number to form the n-bit pressure code, where n corresponds to the length of the PIN sequence. The pressure code is difficult to be inferred by snooping or videotaping, and increases the entropy of passwords. In this way, PressPIN provides a low-cost, user-friendly, and more secure solution resistant to shoulder surfing attacks. Our extensive experiments with 30 participants and three types of smartphones demonstrate that PressPIN can authenticate legitimate users with high accuracy (e.g., as high as 96.7% within two trials), and is robust to various types of attacks (e.g., only 2.5% attack success rate even when the adversary can observe the legitimate user's PIN sequence and finger pressing clearly). Additionally, PressPIN requires no additional hardware (e.g., the pressure sensor) and can be readily integrated into existing authentication systems of mobile devices.
KW - PIN authentication
KW - mobile device security
KW - structure-borne sounds
UR - https://www.scopus.com/pages/publications/85124813295
U2 - 10.1109/TDSC.2022.3151889
DO - 10.1109/TDSC.2022.3151889
M3 - Article
AN - SCOPUS:85124813295
SN - 1545-5971
VL - 20
SP - 1228
EP - 1242
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 2
ER -