Hirokazu Sasamoto, Nicolas Christine, and Eiji Hayashi

Sensemaking Workshop at ACM Conference on Human Factors in Computing Systems (CHI)

January 2008

A number of recent scams and security attacks (phishing, spyware, fake terminals, ...) hinge on a crook’s ability to ob- serve user behavior. In this paper, we describe the design, implementation, and evaluation of a novel class of user authentication systems that are resilient to observation attacks. Our proposal is the first to rely on the human ability to simultaneously process multiple sensory inputs to authenticate, and is resilient to most observation attacks. We build a prototype based on user feedback gained through low fidelity tests. We conduct a within-subjects usability study of the prototype with 38 participants, which we complement with a security analysis. Our results show that users can authenticate within times comparable to that of graphical password schemes, with relatively low error rates, while being considerably better protected against observation attacks. Our design and evaluation process allows us to outline design principles for observation-resilient authentication systems.