Tactile one-time pad: Leakage-resilient authentication for smartphones

Abstract

Nowadays, smartphones are widely used and they have a growing market share of already more than 55% according to recent studies. They often contain sensitive or private data that can easily be accessed by an attacker if the device is unlocked. Since smartphones are mobile and used as everyday gadgets, they are susceptible to being lost or stolen. To prevent the data from being accessed by an attacker, access control mechanisms like user authentication are needed. However, commonly used authentication mechanisms like PINs, passwords, and patterns suffer from the same weakness: they are vulnerable to different kinds of attacks, most notably shoulder surfing. In order to prevent shoulder surfing, a secure channel between the smartphone and the user must be established that cannot be eavesdropped on by an adversary. In this paper, we concentrate on the smartphone’s tactile feedback to add a new security layer to the plain PIN-based authentication mechanism. The key idea is to use vibrations as an additional channel to complement PINs with a tactile one-time pattern. To calibrate the usability of our approach, we developed a game that more than 220 participants played to determine the shortest vibration duration most people can sense. In a security evaluation, we recorded the acoustical signal of the vibration motor of five different smartphones at four different locations with a high-end microphone to cross-correlate a login scenario with a pre-recorded acoustical fingerprint of the devices. Our evaluation results demonstrate that it is not possible for an attacker to spot the user’s secret under normal conditions, e.g., in a restaurant or during a conversation, even with professional equipment. Finally, we show that the required overhead of our approach is reasonable in practice and outperforms prior work.

Cite

Uellenbeck, S., Hupperich, T., Wolf, C., & Holz, T. (2015). Tactile one-time pad: Leakage-resilient authentication for smartphones. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8975, pp. 237–253). Springer Verlag. https://doi.org/10.1007/978-3-662-47854-7_15
