Gesture Authentication for Smartphones: Evaluation of Gesture Password Selection Policies

2020 IEEE Symposium on Security and Privacy (SP) Pub Date : 2020-05-01 DOI:10.1109/SP40000.2020.00034

Eunyong Cheon, Yonghwan Shin, J. Huh, Hyoungshick Kim, Ian Oakley

{"title":"Gesture Authentication for Smartphones: Evaluation of Gesture Password Selection Policies","authors":"Eunyong Cheon, Yonghwan Shin, J. Huh, Hyoungshick Kim, Ian Oakley","doi":"10.1109/SP40000.2020.00034","DOIUrl":null,"url":null,"abstract":"Touchscreen gestures are attracting research attention as an authentication method. While studies have showcased their usability, it has proven more complex to determine, let alone enhance, their security. Problems stem both from the small scale of current data sets and the fact that gestures are matched imprecisely – by a distance metric. This makes it challenging to assess entropy with traditional algorithms. To address these problems, we captured a large set of gesture passwords (N=2594) from crowd workers, and developed a security assessment framework that can calculate partial guessing entropy estimates, and generate dictionaries that crack 23.13% or more gestures in online attacks (within 20 guesses). To improve the entropy of gesture passwords, we designed novel blacklist and lexical policies to, respectively, restrict and inspire gesture creation. We close by validating both our security assessment framework and policies in a new crowd-sourced study (N=4000). Our blacklists increase entropy and resistance to dictionary based guessing attacks.","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"28 1","pages":"249-267"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00034","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 10

Abstract

Touchscreen gestures are attracting research attention as an authentication method. While studies have showcased their usability, it has proven more complex to determine, let alone enhance, their security. Problems stem both from the small scale of current data sets and the fact that gestures are matched imprecisely – by a distance metric. This makes it challenging to assess entropy with traditional algorithms. To address these problems, we captured a large set of gesture passwords (N=2594) from crowd workers, and developed a security assessment framework that can calculate partial guessing entropy estimates, and generate dictionaries that crack 23.13% or more gestures in online attacks (within 20 guesses). To improve the entropy of gesture passwords, we designed novel blacklist and lexical policies to, respectively, restrict and inspire gesture creation. We close by validating both our security assessment framework and policies in a new crowd-sourced study (N=4000). Our blacklists increase entropy and resistance to dictionary based guessing attacks.

查看原文本刊更多论文

智能手机的手势认证:手势密码选择策略的评估

触摸屏手势作为一种身份验证方法正引起研究人员的关注。虽然研究表明了它们的可用性，但事实证明，确定它们的安全性更为复杂，更不用说增强它们的安全性了。问题源于当前数据集的小规模，以及手势不精确匹配的事实——通过距离度量。这使得用传统算法评估熵具有挑战性。为了解决这些问题，我们从人群工作人员那里捕获了大量的手势密码(N=2594)，并开发了一个安全评估框架，可以计算部分猜测熵估计，并生成字典，可以破解23.13%或更多的在线攻击手势(在20次猜测内)。为了提高手势密码的熵，我们设计了新的黑名单和词法策略，分别限制和激励手势的创建。最后，我们在一项新的众包研究(N=4000)中验证了我们的安全评估框架和策略。我们的黑名单增加了熵和对基于字典的猜测攻击的抵抗力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量