Defeating Shoulder Surfing (Tutorial)

Although multi-factor authentication is becoming more and more common, password security is still a critical element of an overall security policy. Password security faces the following threats:
  • Storage compromise
  • Transmission compromise
  • Artificial agent
  • Psychological evaluation
  • Brute force
  • User dissemination
  • Attacker observation

If security theory teaches us anything, it is that a single high assurance point of control offers the greatest security. The problem with password security is that the controls used to protect passwords against transmission compromise, artificial agent, psychological evaluation, user dissemination, and attacker observation fall directly on the shoulders of each and every user.
In the case of transmission compromise, it is critical for the user to ensure they are not using a compromised or monitored host or network, a plaintext protocol, or a flawed protocol. In the case of an artificial agent, it is critical that the user ensure they are providing the password to the proper agent; how difficult is it to create a fake login screen?
In the case of psychological evaluation attacks, users are given the burden of selecting passwords unrelated to personal information (spouse’s name, pet’s name, birthdays, etc.).
User dissemination via post-it notes or whatever is directly related to the user’s ability to remember their passwords, which in turn is related to both the complexity and quantity of passwords they are required to remember.
Lastly we have attacker observation, which historically has been limited to a person watching and remembering the password inputs. Technological advancements have made keystroke recorders and easily concealed video recording devices available to the general public (including, of course, any potential attacker). It is exceptionally difficult for a user to ensure that no such recording device is present.

Unfortunately, at this time no single technique (although multi-factor authentication helps) defeats all of these vulnerabilities. The traditional means of strong hashes, strong passwords, secure channels, frequently changed passwords, etc. fail to address all of these issues; in particular they fail to address input monitoring. Fortunately, last October Roth, Richter, and Freidinger published “A PIN-entry method resilient against shoulder surfing” (http://portal.acm.org/citation.cfm?id=1030116), which introduces the idea of Cognitive and Probabilistic Cognitive Trapdoor Games. Although the paper specifically addresses PIN entry, it translates to passwords very easily, though perhaps not ideally; I will modify and expand on it for my purposes.

The idea is to discontinue the use of passwords and switch users to smart cards/trusted systems and simple 4-6 digit PINs.

Storage compromise: shows an increased likelihood of hash compromise
Transmission compromise: shows no change
Artificial agent: shows no change
Psychological evaluation: shows an increased likelihood of correct guessing
Brute force: shows an increased likelihood of correct guessing, but see below
User dissemination: shows a clear decrease in likelihood
Attacker observation: is dramatically reduced

To elaborate: this will increase the likelihood of hash cracking in the event of a system compromise, may exacerbate the issue of psychological attacks, as users are likely to pick simple dates (birthday, anniversary, last four digits of their phone number, etc.), and lastly makes brute forcing easier, as there is a shorter key length and a simpler character set. With all of these negatives, why in god’s name would I think of this as a good idea?

Well, first and foremost, brute forcing will in fact decrease when this PIN is coupled with an account lockout policy and the requirement of the second factor of authentication. Additionally, the account lockout policy can require the smart card to be re-keyed, preventing a second attempt by the attacker. The account lockout policy may also be unusually strict, because the limited complexity of the PIN means the user is unlikely to typo repeatedly and cannot mis-shift.

User dissemination is far less likely due to the aforementioned reduction in complexity as well, though this issue will never be completely removed so long as users need to remember anything.

The meat of all of this is the game! The idea is to create a game so simple that any user can win if they know the key, but sufficiently difficult to win for an attacker that doesn’t know the key. Additionally the attacker should not be able to learn the key, even after observing the entire input and output of the authentication transaction.

The user will be presented with a 10-key display: either a touch screen, an actual keypad (for more secure environments), or most likely a display with binary keys defined on the keyboard (left and right arrow, for example). Half of the digits are white text on black keys and the other half are black text on white keys. The touch screen, keypad, or binary keyboard keys represent the white and black key colors. To select a given number the user selects its key color; the result is a high degree of ambiguity for an observer.

Example (The PIN is 2005):
Code:
Round 1:
Black (1,3,4,7,0) – White (2,5,6,8,9)
Select - White

Round 2:
Black (2,3,5,7,0) – White (1,4,6,8,9)
Select - Black

Round 3:
Black (1,2,5,8,9) – White (3,4,6,7,0)
Select - White

Round 4:
Black (1,4,5,7,0) – White (2,3,6,8,9)
Select - Black
In this simple example an observer is left with the following potential PINs:

2231, 2234, 2235, etc., etc. (625 possible for a four-digit PIN). However, since the entry method is binary the attacker doesn’t need to know the exact password, as each selection has a 50/50 chance of being correct. The odds of a correct guess are now not one in 625 after a single, complete observation (which is much better than one in one after a complete observation) but one in 16 after no observations (which is much, much worse), and unchanged after a single observation.

Clearly this implementation isn’t that great, but perhaps you see where we’re going with it. In the aforementioned article they use two methods. The first is directed at deterring simple human observation (Cognitive Trapdoor Game); it requires four inputs like the one above for each digit in the PIN, resulting in 16 entries overall, and each entry is presented in real time. The second approach (Probabilistic Cognitive Trapdoor Game) is intended to defeat even observation attacks where the observer acquires all of the input, such as with a recording device. This method presents a sequence of four screens and then prompts the user for blacks and whites after the sequence; the process is repeated for each digit. The key in the Probabilistic Cognitive Trapdoor Game is that each entry defines two digits instead of one to ensure a level of ambiguity; otherwise, after 2-3 selections it is usually possible to isolate which digit is correct… for example:

First PIN digit
Code:
Round 1:
Black (1,3,4,7,0) – White (2,5,6,8,9)
Select - Black

Round 2:
Black (2,3,5,7,0) – White (1,4,6,8,9)
Select - Black

Round 3:
Black (1,2,5,8,9) – White (3,4,6,7,0)
Select - White

Round 4:
Black (1,4,5,7,0) – White (2,3,6,8,9)
Select - White
Using this data we can determine the first digit:

Round 1: 1,3,4,7,0
Round 2: 2,3,5,7,0
Round 3: 3,4,6,7,0
Round 4: 2,3,6,8,9

First Elimination: 1,2,4,5
Second Elimination: 6
Third Elimination: 7,8,9,0

Leaving only 3.
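As an added example (my own code, not from the post or from the Roth, Richter and Freidinger paper), here is the observer's side of both games above: the first example's 625 candidate PINs, the second example's intersection down to a single digit, and a Monte Carlo estimate of how quickly random rounds isolate a digit when every round concerns the same digit. The function names and the simulation are my assumptions; the two round tables are transcribed from the post.

```python
import itertools
import random

DIGITS = "1234567890"

EXAMPLE_1_ROUNDS = [  # from the post: PIN 2005, one round per PIN position
    ("13470", "25689", "White"),
    ("23570", "14689", "Black"),
    ("12589", "34670", "White"),
    ("14570", "23689", "Black"),
]
EXAMPLE_2_ROUNDS = [  # from the post: Cognitive Trapdoor Game, four rounds for the first digit
    ("13470", "25689", "Black"),
    ("23570", "14689", "Black"),
    ("12589", "34670", "White"),
    ("14570", "23689", "White"),
]

def round_candidates(black, white, selected):
    """Digits an observer cannot rule out after one round: the half whose colour was selected."""
    return set(black) if selected == "Black" else set(white)

def observed_pins(rounds):
    """One round per position (first example): the observer's candidate PINs are the
    Cartesian product of the selected halves, 5**len(rounds) of them."""
    per_position = [round_candidates(b, w, s) for b, w, s in rounds]
    return {"".join(p) for p in itertools.product(*per_position)}

def observed_digit(rounds):
    """Several rounds for one digit (second example): the secret digit is in every
    selected half, so the observer simply intersects them."""
    survivors = set(DIGITS)
    for b, w, s in rounds:
        survivors &= round_candidates(b, w, s)
    return survivors

def mean_wrong_survivors(rounds_per_digit, trials=4000, seed=7):
    """Monte Carlo (constructed): how many *wrong* digits still survive after k random rounds.
    A wrong digit shares the secret's half with probability 4/9, so expect about 9*(4/9)**k."""
    rng = random.Random(seed)
    layout, total = list(DIGITS), 0
    for _ in range(trials):
        secret = rng.choice(DIGITS)
        rounds = []
        for _ in range(rounds_per_digit):
            rng.shuffle(layout)
            black, white = layout[:5], layout[5:]
            rounds.append((black, white, "Black" if secret in black else "White"))
        total += len(observed_digit(rounds)) - 1  # drop the true digit itself
    return total / trials
```

With four rounds per digit the expected number of surviving wrong digits is about 0.35, which is why the post's second example collapses to a single digit and why the probabilistic variant has to define two digits per entry.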

I wish to take a slightly different path, although many are available depending on your given needs. In the system I will present here, the objectives were simplicity and the ability to optionally and seamlessly integrate a duress alarm for critical accounts.

The user requires:
  1. Their smart card
  2. Their numerical password
  3. Their color
To authenticate to the system the user must present their smart card (in this case a USB keychain). Next the user is presented with the numerical display; the left arrow key is used to indicate black and the right arrow key white. Each digit of the password that is first presented in the user's color is entered once, while each digit not first presented in their color is entered twice. For example:

Now let us assume the user password is 1234 and their color is black.

Code:
Round 1:
Black (1,3,4,7,0) – White (2,5,6,8,9)
Select - Black

Round 2:
Black (2,3,5,7,0) – White (1,4,6,8,9)
Select - Black
Since the user's color is black, these digits are entered correctly.
Code:
Round 3:
Black (1,2,5,8,9) – White (3,4,6,7,0)
Select - White
In this case the digit fell on a white key, so the user must enter the third digit again:
Code:
Round 4:
Black (1,4,5,7,0) – White (2,3,6,8,9)
Select - Black
This completes the third digit, even if the digit showed as white again.
Code:
Round 5:
Black (1,2,5,6,9) – White (3,4,7,8,0)
Select - Black
This concludes the actual data entry portion (in this case five rounds). To further complicate matters for an observer, since entry may take up to 12 rounds (a six-digit password with every digit first shown in the non-chosen color), it is best to make all password entry sequences a fixed length; otherwise the observer can learn the password length. In the given example the user entered only five rounds, leaving seven rounds open.

In this system we have three types of accounts, and each account makes different use of these empty rounds.

Type 1: Standard User
These rounds are blank and the user can enter anything they see fit. These passwords must be at least five digits.

Type 2: Medium Security User
These rounds are filled in by running through the password repeatedly (as much as will fit in the 12 rounds).

Type 3: High Security User
Same as type two, except this account is fitted with a duress alarm. After the initial password, the user can err in a predefined manner during the repetition phase to raise the alarm. Passwords for this user type can be no longer than five digits.

My experience is that implementing this type of access control system for remote ERP access (sales reps and such) required 30 minutes of training, resulting in initial error rates comparable to standard passwords and, after three months, error rates roughly 20% lower than standard. Added benefits include, of course, increased immunity to keystroke recorders and shoulder surfing.

Cheers,

catch