User-Generated Free-Form Gestures for Authentication: Security and Memorability
Michael Sherman*, Gradeigh Clark*, Yulong Yang*, Shridatt Sugrim*, Arttu Modig^, Janne Lindqvist*, Antti Oulasvirta+~, Teemu Roos^
*Rutgers University, +Max Planck Institute for Informatics, ~Saarland University, ^University of Helsinki
Poster Presenter: Xianyi Gao, Rutgers University
ABSTRACT
This project studies the security and memorability of free-form multitouch gestures for mobile authentication [1].
• 63 participants generated free-form gestures, repeated them, and were later retested for memory.
• We adapted a recent information-theoretic metric for measuring the security and memorability of gestures.
• We designed a practical multitouch gesture recognizer.
• We evaluated the potential of free-form gestures against the shoulder-surfing attack.
MOTIVATION
• Gestures can be performed faster than text-based passwords.
• Traditional 3×3 grid authentication for Android is prone to attacks such as shoulder surfing and smudge attacks.
• Free-form multitouch gestures: no visual reference, multiple fingers allowed, arbitrary shapes, scale and position invariant, and more difficult to attack.
METHOD
Evaluating Security of Gestures Using Information-Theoretic Metric [1]:
• Participants: session 1 (N=63, 24 males and 39 females); session 2 (N=57 returned)
• Experiment Design: 17×2 mixed factor design (17 gesture repetitions with creations and recalls, 2 study sessions); the second session was conducted at least 10 days after the first session
RESULTS
[Figure panels: Factors Affecting Security; Factors Affecting Memorability; Recognizer Performance; Shoulder Surfing Attack Trial]
CONCLUSION
• Results on security and memorability are favorable to free-form gestures for mobile authentication.
• One-finger gestures had higher average mutual information than multi-finger gestures.
• Gestures with many hard angles and turns had the highest mutual information.
• The best-remembered gestures included signatures and simple angular shapes.
More information available at: http://securegestures.org/
ACKNOWLEDGMENTS
This material is based upon work supported by the National Science Foundation under Grant Number 1228777. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
REFERENCE
[1] Michael Sherman, Gradeigh Clark, Yulong Yang, Shridatt Sugrim, Arttu Modig, Janne Lindqvist, Antti Oulasvirta, and Teemu Roos. 2014. User-generated free-form gestures for authentication: security and memorability. In Proceedings of the 12th annual international conference on Mobile systems, applications, and services (MobiSys '14). ACM, New York, NY, USA, 176-189.