Journal of Information Security and Applications 40 (2018) 1–8

Incognito: Shoulder-surfing resistant selection method

Jeremiah D. Still (a, corresponding author; e-mail: jstill@odu.edu), Jarad Bell (b)
a Old Dominion University, Norfolk, VA 23529-0267, United States
b San Jose State University, San Jose, CA, United States

Keywords: Shoulder-surfing; Authentication; PIN; Privacy; Usable security

Abstract

Authentication methods need to, at minimum, prevent casual attackers with limited resources from gaining access to our private information. Although Personal Identification Numbers (PINs) have been ubiquitously implemented to validate a user's identity, it is surprisingly easy for PINs to be stolen by casual shoulder-surfing attackers. We offer Incognito, a selection technique that is resistant to casual shoulder-surfing and extendable to emerging graphical authentication methods. This was achieved by employing indirect interactions and masking standard cursor feedback. We show that this selection technique effectively prevents casual shoulder-surfing attacks. Users controlled Incognito with either a mouse or an eye tracker. We examined its usability by measuring effectiveness, performance, and user satisfaction in contrast with a conventional PIN approach. Our results show marginal login performance differences between the conventional method and Incognito with mouse-based interactions, but not for eye-tracker-based interactions. Incognito shows promise as a viable selection technique within public spaces.

© 2018 Elsevier Ltd. All rights reserved. https://doi.org/10.1016/j.jisa.2018.02.006

1. Introduction

We value the convenience of being able to access services virtually and publicly, but this connectivity comes with potential security risks [17,36]. Therefore, it is critically important for online services to validate a user's identity successfully and privately. This validation occurs during the authentication process. Typically, users are prompted to provide both public (e.g., username) and private (e.g., password) information. E-mail addresses are often used as usernames, and these are usually available to the public. This leaves passwords as the only barrier between one's private information and an attacker; therefore, passwords are often the focus of an attack.

One specific type of password, the PIN, is commonly used in both virtual and physical environments (e.g., PassFaces; gate access). Successful employment of this method requires users to maintain a private Personal Identification Number (PIN) for authentication. However, PINs are often easy to capture through an observation attack known as shoulder-surfing [17,39,42,46]. These attacks are performed by a wide variety of predators. We are focusing on preventing casual attackers, which represent those without training, with limited resources, and with a lack of strong motivation. They are simply opportunistic. The conventional design of PIN interfaces provides clear visibility of a user's input. This makes stealing PIN information too easy. De Luca et al. [17] note that 65% of users do not effectively conceal their authentication process when others are nearby. Thus, users often reveal their PINs unintentionally in public environments, because they are carrying items (e.g., bags or a phone) or simply trust persons perceived as normal. Designers need to search for alternative interactions that offer additional protection from potentially malicious onlookers.

As human-centered designers, we need to create interfaces that exploit the user's natural abilities and design out security issues. Some authors suggest that usable security is very difficult to achieve (cf. [40,47]). For instance, as authentication complexity increases (i.e., length, complexity, shorter renewal rates), usability typically decreases in step (i.e., harmed learnability and memorability). High failure rates and low compliance rates reflect the poor usability of traditional authentication systems. Findings like these can lead authentication developers to believe that usability and security are competing views. We suggest, like others [44], that usable security is possible if viewed as a design challenge. Stakeholders can simply ask users to behave a certain way, even provide extensive training, and sell the idea that it is personally and socially responsible to behave in that way; but if the design they are using does not directly support or encourage that behavior, change will not occur. Also, the threats to private authentication are constantly evolving and adapting to new design solutions.

Beyond casual shoulder-surfing, some experts employ technology to enhance their attacks. These resources pose a more covert threat [12,33,36]. Optical devices, such as cameras within phones