Thwarting Password Shoulder Surfing
If you visit a spy museum, you will see various devices with hidden cameras. Back in those days, these were special gadgets privy only to spies. Today, however, these kinds of devices are easily accessible to an average consumer.
For instance, here is a hidden camera masquerading as a smoke detector, selling on Amazon for $50. It is to be positioned on a ceiling.
This kind of camera, positioned above a computer workstation desk, can capture your password.
There are also portable hidden cameras, masquerading as a car key fob. Here is one that sells on Amazon for $35:
Standing near someone who types a password, one can covertly record him by pretending to fondle with car keys.
If you are an iPhone user, you already have a hidden camera with you. You can record a video inconspicuously with your iPhone while pretending to listen to music. On the iPhone, video recording can be activated by pressing the volume button on your headphones.
Furthermore, high resolutions of modern cameras allow capturing video from far away, and then zooming into the video.
All these ways and many others that I have not mentioned, allow someone to record you while you are typing a password. If he is able to get your webmail password this way, he will be able to log in to all the other websites that you frequent using the “forgot password” mechanism.
How does tech innovations in security catch up with tech innovations in video camera equipment? Imagine that you want to log in into a website, and that your keyboard and screen are recorded by a rogue camera. Can you think of a defence? (Even if you use second factor authentication, it will not prevent your password from being stolen.)
A researcher in Egypt, by the name of Walid Khedr, came up with an ingenious solution based on an on-screen virtual keyboard. It looks like this,
Under each character there is an emoticon icon. Pressing the arrow keys on the physical keyboard shifts rows and columns of the emoticons, keeping the characters fixed. (Note that the yellow frame is shown only for demonstration, it does not appear in the actual virtual keyboard.)
For instance, pressing the down key on the physical keyboard will shifting the red, blue, and black emoticons one row down, and move the green emoticons to the top row. Similarly, pressing the left arrow on the physical keyboard would shift the columns to the left, moving the first column to the back.
The user inputs the password by positioning a particular emoticon under the letter of interest. For instance, the diagram shows a vacuum emoticon under the letter “w”. If the user wants to input the letter “a”, he must position that emoticon under the letter “a” like this:
In order to input the next letter of the password, the user hits a spacebar on a physical keyboard. This resets the layout of emoticons to a new random arrangement:
Now, the user has to track the new emoticon that is shown under letter “a” and position it under the new letter he wants to input. Let’s say he wants to input letter “b”. Then he must shift four columns to the right, and one row down, arriving at the following arrangement:
On the receiving end, the application can reconstruct the password as long as it knows the starting letter “w” which identified the first emoticon. This special starting character is agreed upon at sign-up time.
Undoubtedly this scheme is much slower than typing a password on physical keyboard. And, it would make typing long passwords difficult tedious. But, I challenge you, dear reader, to find a better solution given the problem statement. Note that this scheme is as resilient against physical camera capturing as against operating system compromised with a key and mouse logger.
Some speed improvements to this scheme can be made by moving the virtual keyboard to the mobile phone and getting the user to rotate the rows and columns with a flick of a thumb. We have seen that using onscreen mobile keyboards can be very fast with practice.
For more information please refer to the the original paper.