Multi-Touch Authentication on Tabletops David Kim, Paul Dunphy, Pam Briggs*, Jonathan Hook, John Nicholson, James Nicholson*, Patrick Olivier School of Computing Science Culture Lab, Newcastle University, UK {david.kim, p.m.dunphy, j.d.hook, john.nicholson, p.l.olivier}@ncl.ac.uk *School of Psychology and Sports Science PACT Lab Northumbria University, UK {p.briggs, james.nicholson}@unn.ac.uk ABSTRACT The introduction of tabletop interfaces has given rise to the need for the development of secure and usable authentica- tion techniques that are appropriate for the co-located col- laborative settings for which they have been designed. Most commonly, user authentication is based on something you know, but this is a particular problem for tabletop interfaces, as they are particularly vulnerable to shoulder surfing given their remit to foster co-located collaboration. In other words, tabletop users would typically authenticate in full view of a number of observers. In this paper, we introduce and eval- uate a number of novel tabletop authentication schemes that exploit the features of multi-touch interaction in order to in- hibit shoulder surfing. In our pilot work with users, and in our formal user-evaluation, one authentication scheme - Pressure-Grid - stood out, significantly enhancing shoulder surfing resistance when participants used it to enter both PINs and graphical passwords. Author Keywords User authentication, graphical passwords, shoulder surfing, multi-touch interaction ACM Classification Keywords D.4.6 Operating Systems: Security and Protection ��� Ac- cess controls, authentication H.5.3 Information Interfaces an Presentation (e.g., HCI): Group and Organization Inter- faces - Computer-supported cooperative work. General Terms Security, Human Factors, Design. INTRODUCTION Protracted interactions with computer-based technologies of- ten begin with a process of user authentication. This process typically involves a knowledge-based exchange in which a user inputs some credentials known only to themselves (such Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CHI 2010, April 10 ��� 15, 2010, Atlanta, Georgia, USA Copyright 2010 ACM 978-1-60558-929-9/10/04...$10.00. as a Personal Identification Number (PIN), or an alphanu- meric or graphical passwords). In public settings, the user is encouraged to shield this secret information from possi- ble onlookers, and typically does so through body orienta- tion, as this type of authentication is innately vulnerable to shoulder surfing. While such simple precautions can prove effective for an intimate single user, personal interface ex- change, they are likely to prove problematic for shared inter- faces such as digital tabletops that encourage simultaneous, co-present, multi-user authentication and engagement. Tabletop interfaces are set to become commonplace as com- mercial products such as Microsoft Surface [12] start to ap- pear. Such interactive tabletop systems are usually designed to afford co-located collaboration between groups of users, i.e. the tabletop becomes a communal work-space shared by a small group of friends or colleagues. The very motiva- tion of such systems is to allow the entire collection of users good visual access to the whole tabletop display. Conse- quently, intrinsically private processes, such as authentica- tion, present a significant design challenge. The challenge is made still more pressing by the social context of tabletop use - close colleagues will not wish to signal mistrust in their fellow users and are therefore less likely to adhere to proper security compliant behaviors (such as shielding PINs). This design challenge assumes that tabletop applications will require authentication, and we are surely justified in making this assumption: there is an increasingly large research com- munity addressing information privacy (e.g. [4] [23] [29]) and security (e.g. [5] [27] [20]) on interactive surfaces and public displays. Indeed, in developing the Surface, Microsoft anticipate applications that include financial transactions and other security sensitive interactions that most likely require differentiation between collaborators with different levels of security clearance [20]. A final point is that current and future surfaces feature a software development kit (SDK) that enables third party developers to create bespoke applica- tions. If these new applications require user authentication, it is likely to involve something you know to some extent, even if only as a mechanism of last resort. Despite the po- tential of more elaborate hardware-based, or biometric pro- tocols, knowledge-based authentication is already pervasive, low-cost and does not require additional hardware. Motivated by this, we explore the properties of multi-touch authentication protocols that are resistant to observation at- CHI 2010: Input, Security, and Privacy Policies April 10���15, 2010, Atlanta, GA, USA 1093

tacks (or shoulder surfing). Our contributions are: (i) to pro- vide an evaluation of the vulnerability of conventional au- thentication methods to shoulder surfing attacks and (ii) to consider both the key principles involved in the design of knowledge-based authentication schemes, particularly those suitable for multi-touch interaction, and to apply an under- standing of user behavior in collaborative settings. A consid- eration of both sets of factors culminates in (iii) the design and evaluation of a set of authentication schemes that are the result of an initial exploration of the design space. These schemes range from simple manipulations designed to shield PIN entry, to more elaborate visual PINs and pressure-based systems that do not require accompanying shielding actions. The result of this design process is (iv) the formal analy- sis of one particularly promising mechanism ��� the Pressure- Grid ��� that in our evaluation effectively improved the obser- vation resistance of existing mechanisms such as PIN and recognition-based graphical passwords. RELATED WORK As we���ve argued, tabletop interfaces and public displays po- tentially pose new challenges for knowledge-based authen- tication processes and recent research has begun to explore design solutions. One set of solutions demands the separa- tion of private and public information across private (e.g. mo- bile device) and public displays respectively [5]. While such solutions are conceptually elegant, they do require the inclu- sion of additional devices. Other solutions involve the use of angle-dependent views on tabletops, using display masks, lenses or polarizing filters (e.g. [21] [17]) but significant dis- advantages include the fact that either only few fixed angles are supported or special glasses must be worn by the users. Other solutions requiring special hardware have also been considered [6] [9] [18]. These solutions are likely to be more costly due to the additional hardware required. In this paper we explore software-based solutions that do not rely on additional hardware and that can therefore be deemed suitable for the mass-market. Such solutions rely on the design of protocols that physically or conceptually ob- fuscate user input. Unfortunately, such obfuscations often sacrifice elements of usability as either comprehensibility or usage times are adversely affected. Baker [1] describes an entry mechanism where the user identifies a row or column in which each particular character of a memorized password resides (using a 6 �� 6 matrix of randomly positioned char- acters). A drawback of this method is that while the user does not explicitly reveal their credentials, the interaction still leaks useful information over time. For example, by recording the grid state and action made by the user for each password character across multiple logins, an intersection attack (set intersection of all selected rows and columns for each character) could be performed to decipher each pass- word character. Roth et al. [16] describe a protocol to permit observation resistant entry of PINs in a cognitive trapdoor game. This involves the user performing rounds of a protocol where the PIN is not explicitly selected, but knowledge of the PIN is crucial to completion. However, a user study found that this increased login durations by a factor of ten over stan- dard PIN entry. Tan et al. [27] developed an on-screen key- board for public displays to protect against observation of alphanumeric passwords. Once again, this method incurred a heavy time penalty for legitimate users, with average lo- gin times (when using the enhancement) increasing by 50 seconds over those recorded by a control group. Graphical passwords [25] are increasingly proposed as a us- able knowledge-based authentication mechanism. Recogni- tion based systems [15] [26] are highly intuitive and their designs are becoming increasingly standardized and under- stood. General schemes of this genre assign users a sequence of secret key images which comprise the authentication cre- dentials of the user. At login, the user must recognize and select these amongst a number of decoy images or foils. Us- ability benefits center around the capacity of humans to re- liably recognize (as opposed to recall) large numbers of im- ages following relatively brief presentations of key images in a learning phase (e.g. [24]). Passfaces [14] is a commercial system based on this concept that also exploits innate human ability to recognize faces. The images presented in the login challenges are taken from a proprietary database of faces, and one user study reports impressive recognition rates over long periods of time [3]. A typical login challenge uses a 3��3 array of faces, of which one is a key image, and the rest decoys. The challenge is repeated until the user has demon- strated knowledge of all key images (typically four). Despite (and perhaps because of) the demonstrable usability bene- fits of graphical passwords, such recognition-based schemes are perceived to be vulnerable to shoulder surfing. Tari et. al. [28] compared the ability of an observer to carry out a shoulder surfing attack on Passfaces and alphanumeric pass- words in a variety of configurations. Participants showed themselves to be capable of observing and remembering the Passfaces logins of others, especially when logins were per- formed with a mouse. One graphical password scheme specifically designed to re- sist the shoulder surfing threat is the Convex Hull Click scheme [30]. Here the user is assigned a number of icons that they must locate among hundreds of decoy icons in a series of challenges. At each challenge the user must lo- cate three icons and click within the convex hull formed by their on-screen positions. Following the recurring theme in this field of observation resistance incurring time penalties to the user, the average successful login duration was 72 sec- onds although users were accurate in recalling their graphi- cal password. DESIGN CONSIDERATIONS A number of researchers have provided us with use-cases that establish the need for improved authentication in table- top environments. For example, Smith and Piekarski [23] envision the use of multi-view displays in an employer-emplo- yee meeting at a digital tabletop where the employer has ac- cess to the employee���s history file. In such examples, we can identify a number of key themes: firstly, people have differ- ent access rights because they exist in different levels of a hierarchy and fear the disclosure of information that should CHI 2010: Input, Security, and Privacy Policies April 10���15, 2010, Atlanta, GA, USA 1094