This is the "accepted version" of IEEE Trans. Inf. Forensics Secur. 10(2) pp.278-292 (2015). http://dx.doi.org/10.1109/TIFS.2014.2374352 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. ?, NO. ?, ????? ????

1

Analysis and Improvement of a PIN-Entry Method Resilient to Shoulder-Surfing and Recording Attacks Taekyoung Kwon, Member, IEEE, and Jin Hong

Abstract—Devising a user authentication scheme based on personal identification numbers (PINs) that is both secure and practically usable is a challenging problem. The greatest difficulty lies with the susceptibility of the PIN entry process to direct observational attacks such as human shoulder-surfing and camera-based recording. This work starts with an examination of a previous attempt at solving the PIN entry problem, which was based on an elegant adaptive black and white coloring of the ten-digit keypad in the standard layout. Even though the method required uncomfortably many user inputs, it had the merit of being easy to understand and use. Our analysis that takes both experimental and theoretical approaches reveals multiple serious shortcomings of the previous method, including round redundancy, unbalanced key presses, highly frequent system errors, and insufficient resilience to recording attacks. The lessons learned through our analysis are then used to improve the black and white PIN entry scheme. The new scheme, which we name TictocPIN, has the remarkable property of resisting camera-based recording attacks over an unlimited number of authentication sessions without leaking any of the PIN digits. Index Terms—PIN, authentication, shoulder-surfing.

I. I NTRODUCTION

T

HE most widespread user authentication method in use today is obviously the password-based authentication, where the user enters a pre-arranged textual, graphical, and/or numerical password directly through the user interface of the authentication system. However, the password submission process is prone to direct observational attacks, such as shouldersurfing, and this is a source of security concerns. The entry of a password can easily be observed by nearby adversaries in crowded places, aided by vision enhancing and/or recording devices, and the information that should be kept secret is leaked in a relatively non-technical manner [13]. Even partial Manuscript received June 01, 2014; revised September 04, 2014; accepted November 16, 2014. Date of publication ????? ??, ????; date of current version November 19, 2014. This work was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) with fundings from the Ministry of Education, Science and Technology (NRF2012-R1A1B3000965) and the Ministry of Science, ICT & Future Planning (NRF-2012R1A1B4003379). This work was also supported by the ICT R&D program of MSIP/IITP [10039180, Intuitive, convenient and secure HCIbased usable security technologies for mobile authentication and security enhancement in mobile computing environments]. J. Hong is the contact author. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Nitesh Saxena. Copyright (c) 2014 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected] T. Kwon is with the Graduate School of Information, Yonsei University, Seoul, 120-749, Korea. E-mail: [email protected]. J. Hong is with the Department of Mathematical Sciences and ISaC, Seoul National University, Seoul, 151-747, Korea. E-mail: [email protected].

information leakage can be greatly harmful, since users tend to use similar or even identical passwords on multiple systems, some of which may be more important than others. The personal identification number (PIN), typically consisting of four decimal digits, is especially susceptible to observational attacks, due to its short length and the simplicity of the ten-digit keypad. The whole secret PIN could be leaked through even a single authentication session. Since PINs are so popularly used in a variety of common devices, such as smartphones, automated teller machines (ATM), and point-ofsale (PoS) terminals, there is a great need for a secure PIN entry scheme that does not significantly sacrifice usability. Various security enforcement methods have been proposed to deal with this situation, but achieving both security and usability still remains a challenging goal [24]. Of the many previous attempts, this work focuses on a remarkably simple PIN entry method proposed by Roth et al. [18]. We will refer to the scheme as the BW method in this paper. The basic BW method presents the decimal digit keypad to the user, in the standard layout, with random half of the keys colored in black and the other half colored in white, and the user must indicate the color of his PIN by pressing a separate black or white button. A 4-round procedure identifies each PIN digit, so that the 4-digit PIN entry requires 16 rounds to complete. Each single round operation is quite simple and intuitive to the user, but the large number of rounds causes practical usability issues. There are four versions of the BW method. Two of these are meant to resist shoulder-surfing attacks done by human adversaries that are limited in their observational capabilities. The other two versions attempt to be resilient to even the stronger camera-based recording attacks by having the amount of information transferred from the user to the system, and thus exposed to the adversary, insufficient for unique determination of the PIN, even at the cost of making naive guessing attacks slightly easier. Although the justifications presented by [18] has brought about the wide acceptance [5], [17], [24] of the view that the BW scheme achieves its security objectives, our study uncovered issues that seriously contest its security and reliability. The first author of this paper recently showed [11] that the basic version of the BW method was actually vulnerable to a shoulder-surfing attack that employed sophisticated strategies and training. In this paper, we study the BW method further and obtain the following results, both experimentally and theoretically, concerning the scheme. • The shoulder-surfing resilient versions hold severe round

c 0000–0000/00$00.00 2014 IEEE

2

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. ?, NO. ?, ????? ????

redundancy, and this can be exploited by adversaries. • The black and white key presses during PIN entries are unbalanced, and this can be exploited by the adversaries. • The frequency of system errors reported by one version (the delayed oracle choices version) is unacceptably high. • The two recording resilient versions provide very little protection against recording attacks. The insight obtained through the above findings has lead us to strengthen and improve the BW scheme into a new viable scheme, which we refer to as TictocPIN. In Section II, we summarize the threat model and review the BW method. The BW method is then thoroughly analyzed in Section III. In Section IV, we introduce the improved TictocPIN scheme and evaluate its security and usability. The related works are briefly discussed in Section V and the paper is concluded in Section VI. II. P RELIMINARIES A. Threat Model The PIN-based authentication process may be straightforwardly abstracted as communication between two entities, human user and computing system, through a user interface. Although a PIN is usually linked to other settings, such as ID and/or token, this simple model is sufficient, considering the fact that the associated information and/or object can quite easily be stolen and/or copied in the real world. The user first makes a one-time registration of a PIN to the system through a secure channel. When the user later needs to be authenticated to the system, the system presents challenges to the user through the user interface, without referencing the stored PIN. For example, the BW method system
presents a series of challenges chosen from a pool of 10 possible 5 patterns, and the regular PIN entry system may be interpreted as presenting an empty challenge. The user answers the challenges appropriately, based on his knowledge of the PIN. The system compares the information conveyed by the user with the stored PIN and either authorizes or denies the user of further access to the system. The threat model focuses on a passive adversary who tries to observe a user-system interaction at a user interface in order to obtain the user’s PIN. There are two types of passive adversaries. The shoulder-surfing attacker is a weaker adversary whose capabilities are confined to those of a human. She does not have any automatic recording device and relies only on manual tools, such as paper and pencil [18]. On the other hand, the camera-based recording attacker is a stronger adversary equipped with automatic recording devices, such as a concealed camera, to capture the complete interactions. The BW method is known to be resilient against shoulder surfers, and its probabilistic variants are meant to provide security up to a few camera-based recordings [18], [24]. B. Review of the BW Scheme The BW PIN entry method [18] can be used with any finite set of PIN characters and with PINs of arbitrary lengths, but let us restrict it to the case of decimal digit PINs of length 4 in

Algorithm 1 Immediate Oracle Choices (System Procedure) 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13:

˜=∅ Q = {0, 1, . . . , 9}; Q for i = 1, · · · , 4 do ˜ (L, R) ← γ ◦ π(Q); (O, P ) ← γ ◦ π(Q) display B = L ∪ P and W = R ∪ O in black and white [User: submit PIN color by pressing black/white button] receive user input: choice ∈ {black, white} if choice = black then ˜←Q ˜∪R Q ← L; Q else ˜←Q ˜∪L Q ← R; Q end if end for return Q

our description. There are two versions of the BW scheme and both versions can be modified in the same manner to produce two more variants. The most basic version will be referred to in this work as the IOC (immediate oracle choices) BW method. Noting dlog2 10e = 4, the IOC BW scheme executes a certain 4round procedure per PIN digit, so that the delivery of the full 4-digit PIN requires 16 rounds to complete. In each round, the numeric keypad in the standard layout is somewhat randomly colored in black and white, and the user presses a separate color button to indicates which of the two colors her key digit belongs to. The system combines the information obtained through the four color choices to single out the PIN digit the user intended to submit. Figure 1 illustrates this concept. The speed of user reaction at each round of the IOC BW scheme is unpredictable, and the colored patterns of the keypad could be left exposed to the adversary for too long. The DOC (delayed oracle choices) version of the BW method deals with this problem by first displaying the colored numeric keypads for the four rounds sequentially for preset time periods and asking for the four color inputs only later. Although both the IOC and DOC BW methods provide some level of protection against shoulder-surfing attacks, an adversary with a camera recording of a successful PIN entry session can easily identify the PIN. The RR (recording resilient) variants of the IOC and DOC BW methods attempt to solve this problem. The two RR variants are identical to the IOC and DOC BW methods except that a smaller number of rounds are executed for each digit. The amount of information made available to the system and the adversary is reduced, and both are forced to work with a pool of possible PIN candidates rather than a uniquely identified PIN. Details of the BW schemes are summarized below, following the original description [18] closely. IOC BW Scheme. Algorithm 1 presents a formal description of the IOC BW scheme. The operator γ ◦ π should be understood as dividing the input set into two parts of similar sizes, and its exact definition can be inferred from the algorithm ˜ denote the description given below. The symbols Q and Q current set of possible and eliminated key digits maintained by ˜ the system, and their sizes are written as q = |Q| and q˜ = |Q|, so that q + q˜ = 10. Initially, we have Q = {0, 1, . . . , 9} and ˜ = ∅. At each round, the system divides Q randomly into Q

KWON AND HONG: ANALYSIS AND IMPROVEMENT OF A PIN-ENTRY METHOD RESILIENT TO SHOULDER-SURFING AND RECORDING ATTACKS

3

Fig. 1. The IOC BW PIN entry scheme. The digit 1 is being submitted by the user in this example of a 4-round procedure. (a)

(b)

two parts, consisting of a d 2q e-sized L and a b 2q c-sized R. ˜ into O of size d q˜ e and P of size The system also divides Q 2 q˜ b 2 c. The four parts are then recombined as B = L ∪ P and W = R∪O. The digits from the two 5-digit sets B and W are displayed to the user in colors black and white, respectively. Then, depending on the user input, the system sets one of L or R to be the set of possible digits Q for the next round, and ˜ After the joins the other part to the set of eliminated digits Q. 4-th round, only a single digit remains in Q and it is taken as the key digit submitted by the user. Figure 1 illustrates the entry of a single PIN digit through a set of 4 rounds of the IOC BW scheme. The user input is received by the system at each round, immediately after the display of the colored numeric keypad. DOC BW Scheme. Algorithm 2 presents a formal description of the DOC BW scheme. The system maintains a division of the digit space consisting of two 5-digit sets Pi,0 and Pi,1 , where 0 ≤ i ≤ 4. The initial division of P0,0 and P0,1 is chosen randomly. At the i-th round, Pi−1,0 is divided into 10 00 two halves, L0 of size 3 = d 10 4 e and L of size 2 = b 4 c. The other half Pi−1,1 is likewise divided into two halves, R0 of size 3 and R00 of size 2. The four parts are recombined as Pi,0 = L0 ∪ R00 and Pi,1 = R0 ∪ L00 , so that each contains 5 digits. The system displays digits from Pi,0 and Pi,1 in black and white, respectively, for 500 milliseconds. This is done for i = 1, . . . , 4, without any user interaction. During the display of each colored numeric keypad, the user memorizes the color of his PIN digit, but does not take any action. After the 4-th round, the user enters the four memorized colors in the correct order. Finally, the system derives Q as the intersection of the four Pi,j ’s indicated by the user inputs. If Q contains more than one digit, the system reports error. One could understand Figure 1 as a DOC procedure, if the bottom input buttons are removed and the delayed user inputs are illustrated after the 4-th box. However, the more careful reader may have noticed that the two pattern transitions from (a) to (b) and from (c) to (d) cannot occur through an execution of Algorithm 2. RR Variants of the BW Scheme. The algorithms for the RR variants of the IOC and DOC BW methods are identical to those given by Algorithm 1 and Algorithm 2, except that the

(c)

(d)

Algorithm 2 Delayed Oracle Choices (System Procedure) 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16:

(P0,0 , P0,1 ) = γ ◦ π({0, 1, . . . , 9}) for i = 1, · · · , 4 do (L0 , L00 ) ← γ ◦ π(Pi−1,0 ); (R0 , R00 ) ← γ ◦ π(Pi−1,1 ) Pi,0 ← L0 ∪ R00 ; Pi,1 ← R0 ∪ L00 display Pi,0 and Pi,1 in black and white, respectively [User: note and memorize i-th color for PIN digit] end for for i = 1, · · · , 4 do [User: recall and submit i-th color through black/white button] receive user input: bi ∈ {black = 0, white = 1} end for T Q ← 4i=1 Pi,bi if |Q| 6= 1 then return error end if return Q

number of rounds, i.e., the range of i, is reduced, and that the |Q| 6= 1 error is not reported in the DOC case. The L and Q after the reduced final rounds could contain multiple digits, and the system must test all combinations of possible digits coming from each PIN position and verify if one of these candidates is the correct 4-digit PIN. In the example of Figure 1, the RR variant of the IOC BW method would stop with (c). The article [18] did not specify the number of rounds to be used by the RR variant of the BW method, but our analysis will assume a 3-round RR variant and the reason for not treating a 2-round RR variant will be explained at the end. III. A NALYSIS OF THE BW M ETHOD Although the BW scheme was evaluated to be resilient against practical attacks [18], [24], our investigation of the method will reveal various concerns about its security and reliability. In a previous work [11], we exploited the fact that perceiving the black and white keypad separations as visual patterns, in contrast to attending to the explicit digits, was sufficient in singling out the key digit and demonstrated that the IOC BW method could be defeated in practice. In this section, we further investigate the security of the BW method, both experimentally and theoretically, covering not just the

4

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. ?, NO. ?, ????? ????

1 Avg.

1

0.8 0.8

0.6 0.6

0.4

0.4

0.2 0

123

12 4

1 34

234

Fig. 2. Experimentally obtained round redundancies of the IOC BW method. The height of each bar gives the redundancy rate for the round marked with a dot.

IOC BW method, but also the DOC BW method and the RR variants. The list of concerns to be discussed include round redundancy, unbalanced key presses, frequent system errors from ambiguity, and recording non-resilience. Let us introduce some terminology to be used in the proofs given below and in the appendix. We will refer to the B ∪ W and Pi,0 ∪ Pi,1 separations of the digit space appearing in Algorithm 1 and Algorithm 2 as 5+5 splits and refer to the sets B, W , Pi,0 , and Pi,1 as the 5-digit sets for these splits. A natural partition of the digit space appears when appropriate intersections of the 5-digit sets from 2, 3, or 4 consecutive rounds of 5+5 splits are collected. Each component of the partition is a cell and a cell containing i-many digits is referred to as an i-cell. For example, the partition associated with the first two rounds of the DOC BW scheme always consists of four cells. The P1,0 ∩ P2,0 and P1,1 ∩ P2,1 are 3-cells, while P1,0 ∩ P2,1 and P1,1 ∩ P2,0 are 2-cells. Note that the first two rounds of the IOC BW method also creates a partition of these cell sizes.

0.2 0

1

2

3

4

Number of rounds Round number Fig. 3. Experimentally obtain ratios of black and white button presses for the IOC BW scheme. The horizontal solid line marks the mean probability of 0.625.

Lemma 2. The 3-rd round of the IOC BW method is redundant with probability 0.478. Lemma 3. The 4-th round of the IOC BW method is redundant with probability 0.6. The proofs of these lemmas are given in the Appendix. They essentially amount to a very careful listing and counting of all possible events. The following statement is a direct consequence of the above three lemmas. Theorem 4. A random round of the 4-round IOC BW PIN entry method is redundant in identifying a single key digit with probability 0.531. In other words, the attacker may miss a random round and still be able to recover the key digit in 0.531 of the cases. B. Unbalanced Color Selection Frequencies

A. Round Redundancy The BW scheme specifies for 4 = dlog2 10e rounds to be executed for every PIN digit. However, since log2 10 = 3.32 is much closer to 3 than 4, one of the four rounds that are used to enter each PIN digit could quite often be redundant. We first conducted a simulated experiment of entering 250 random 4-digit PINs (i.e., 1000 random digits) through the IOC BW method. As illustrated in Figure 2, one of the four rounds was redundant with mean probability 0.53, during our experiment. In particular, the fourth round was highly redundant with probability 0.596. The high probability of round redundancy implies that the identification of a PIN digit by the adversary can often be possible even when he has missed one of the four rounds. This observation also partially explains the successfulness of our previous humanbased attack [11]. Our experimental figures are in full agreement with the theoretical analyses given below. Lemma 1. The 1-st round of the IOC BW method is redundant with probability 0.524. The 2-nd round is also redundant with the same probability.

Note that the BW scheme specified the colors to be given to each of the two 5-digit sets, after each regrouping of the digit space into two new halves. We conducted an experiment to test whether the black (B) and white (W) inputs from the users would be equally likely. The simulation of entering 100,000 random 4-digit PINs to an IOC BW system resulted in the data presented by Figure 3. The two colors were pressed equally only in the 1-st round, and the B presses were more frequent in subsequent rounds. The bias is exceptionally large in the 4-th rounds with 80% of the inputs being B. In all, the B and W were pressed 1,000,449 and 599,551 times, respectively, during the 1,600,000 rounds, which translates to the ratio 0.625 of B presses. Furthermore, we noticed that the color sequences BBWW, BWBW, BWWW, WBWW, WWBW, and WWWW never occurred during the entry of any digit, so that only 10 of the 16 possible color combinations were ever used. This simply means that the amount of information conveyed by pressing the two color buttons are unequal, and does not directly imply weakness in the cryptographic sense. However, the property does make shoulder-surfing practically easier by allowing the observer to pay more attention to the black digits than the white digits, and this was actually done in our previous work [11].

KWON AND HONG: ANALYSIS AND IMPROVEMENT OF A PIN-ENTRY METHOD RESILIENT TO SHOULDER-SURFING AND RECORDING ATTACKS

Our corresponding theoretical analysis agrees exactly with the test results. The proof of the following statement is given in the Appendix. Lemma 5. The black/white button presses for the IOC BW method are expected to show the ratio 5/3, assuming the user does not make mistakes. The black/white ratios expected from each of the four rounds are 1/1, 3/2, 3/2, and 4/1. C. Digit Identification Failures in the DOC BW Method The DOC version of the BW method was devised to prevent the user from inadvertently exposing the black and white patterns for too long [18]. However, this version requires higher mental effort from the user, such as remembering a sequence of colors. It was estimated that the mean probability of user errors would be 0.2 for the DOC BW method, which is higher than the 0.09 expected of the IOC BW method [18]. Referring to Algorithm 2 of Section II-B, we note that a DOC BW system is suppose to “return error if |Q| = 6 1,” i.e., if the key digit is not identified uniquely. This behavior needs to be investigated, since it would be undesirable to have the user experience frequent system errors during the authentication process. We first conducted a simulation-based experiment of entering random PINs to a DOC BW system. A computer program simulated 100 users entering their 4-digit PINs, each for 100 sessions. Within the simulation, the system component forced the user component to re-execute the 4-round process, possibly multiple times, whenever it found any PIN digit to be ambiguous. The simulation results are summarized in Figure 4. The ratio of 4-digit PIN entry sessions that returned at least one error, averaged over all users, was 0.689. Of greater concern was the fact that three or more errors were experienced in 0.176 of the sessions. For instance, simulated-user #91 of Figure 4 experienced at least one error in 81 sessions, two or more errors in 46 sessions, and three or more errors in 18 sessions, among her 100 sessions. These repeated system errors are sure to frustrate many users, and the current form of DOC BW scheme does not seem fit for deployments that target the general public. We also performed a theoretical analysis of the DOC BW method. The above experimental figures are in good agreement with Theorem 7 given below. The proof of Lemma 6 is given in the Appendix. Lemma 6. A 4-round execution of the DOC BW scheme will fail to uniquely identify the submitted key digit with probability 0.25. Theorem 7. Consider a DOC BW PIN authentication system that is set to announce a system error and require the user to re-execute the 4-round process whenever it fails to identify a key digit uniquely. A user submitting a 4-digit PIN to this system has probability 0.684 of experiencing at least one error. The probabilities for the system to generate two or more and three or more errors are 0.367 and 0.169, respectively. Proof: It follows directly
4 from Lemma 6 that the first claimed probability is 1 − 34 = 175 256 . Lemma 6 also allows

5


4
us to state the probability for a single failure as 41 14 34
. Here, where the correct combination to be used is not 51 , since the last of the five attempts must be a successful one.
4
4 175 47 47 347 Thus, we can state 256 − 41 345 = 128 and 128 − 52 346 = 2048 as the remaining two claimed probabilities. We clarify that the error probabilities claimed by this theorem are for the system errors and are not related to the errors made by the user. D. Inadequate Recording Resilience The RR variant of the BW method attempts to provide security against adversaries that are equipped with camerabased recording devices [18]. The approach was to remove one round from the 4-round process required for each PIN digit entry. This creates ambiguity in the PIN digits to the observer (and to the PIN entry system), and the adversary is forced to guess the correct 4-digit PIN from a pool of possible PINs. However, the effectiveness of this approach can only be questioned after understanding Theorem 4. We conducted a simulated experiment to measure the ambiguity left to the recording observer of a 4-digit RR IOC BW PIN entry session. As before, the computer simulated 100 users entering random 4-digit PINs for 100 sessions, and transcripts were made of one randomly chosen session per simulated-user. Then, each transcript was studied to derive the PIN candidates, in exactly the same manner as would have been tried by an attacker. The results are summarized in Figure 5. It was highly probable that the number of PIN candidates was extremely small. The rate of unique PIN identifications was just 0.129, but that of finding three or less PIN candidates was 0.469 and that of at most five was 0.816. We also experimented with the recording of multiple sessions for the same user. As expected, the PIN could be identified uniquely with high probability. The experimentally obtained figures can be explained theoretically as well. First, note that since the 3-round IOC BW scheme always restrict each PIN digit to a set of size 1 or 2, the 4-digit PIN candidate sets can only be of sizes 1, 2, 4, 8, and 16. The following is a direct consequence of Lemma 3. Lemma 8. Consider the IOC BW scheme variant that executes only 3 rounds per digit. The probability for a 4-digit PIN entry session to reduce
the number of 4-digit PIN candidates to a i 4−i set of size 2i is 4i 2 354 , for each i = 0, . . . , 4. Proof: The
probability for none of the four digits to be 4 ambiguous is 53 . The probability for the PIN to be restricted
3 to a set of two PINs is 41 2·3 54 . The general situation should now be clear. Thus, the 4-digit PIN candidate pool is of size at most 3 with probability 0.475 = 81+216 and at most 5 with probability 625 0.821 = 81+216+216 , in agreement with Figure 5. 625 No user would feel adequately protected, knowing the existence of an adversary that could make three guesses from a pool of candidate PINs that is expected to be quite small. The following claim shows that the attacker will indeed success with a very high probability.

6

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. ?, NO. ?, ????? ????

Uses 100

1

80

0.8

60

0.6

40

0.4

20

0.2 None

0

20

40

1

2

60

3

More

80

0

100 Users

System error User error

(a)

(b)

Fig. 4. System errors of the DOC BW scheme. (a) Error count distributions for 100 4-digit PIN entry sessions for 100 users. (b) Error rates. (The user error rate has been taken from [18].)

1

1 Number of PIN candidates

0.8

0.8

0.6

0.6

0.4

0.4

0.2

0.2

0

1