The presenter was Haryani Zakaria of Newcastle University. She began with an introduction to the graphical system they used, called “Draw-A-Secret.” This graphical password system consists of a user drawing a pattern on a screen. The authors were concerned about shoulder surfing attacks on this scheme. The authors considered three defense techniques against shoulder surfing in this paper. Decoy strokes were false strokes made by the system, being drawn automatically to confuse the attacker. Disappearing strokes occur when the system makes the lines drawn by the user vanish as soon as the stylus is lifted. The line snaking defense consists of the lines disappearing as well, but with the disappearance occurring as the user is drawing a line, without waiting for the stylus to be raised. The authors studied these techniques in both their effectiveness and usability.
User Study 1: effectiveness. The non-experimenter participants in the experiment were the attackers. They were introduced and given a demonstration, and an experimenter acted as the victim. The participants observed the victim entering a password, with different defense techniques depending on condition. The results indicate that the control group and the decoy stroke group both were successful in about three-quarters of their attacks, with under half for the disappearing stroke and line snaking techniques.
User Study 2: usability. The authors removed the less successful decoy technique and performed a usability study on the remaining two. There were 30 participants, assigned to these conditions. They looked at login time and login error rate. Line snaking takes longer to log in, and more attempts to log in, than disappearing stroke. And more users preferred the disappearing stroke technique. Participants felt more confident when their lines remained until completion, letting them know their line was drawn correctly. Thus, the disappearing stroke technique appears to offer comparably good protection while being more usable than the snaking technique.
Read the full paper at: http://cups.cs.cmu.edu/soups/2011/proceedings/a6_Zakaria.pdf