
Cleveland State University
EngagedScholarship@CSU

ETD Archive

2018

Improving the Security of Mobile Devices Through Multi-Dimensional and Analog Authentication

Jonathan Gurary

Follow this and additional works at: https://engagedscholarship.csuohio.edu/etdarchive
Part of the Computer Engineering Commons
How does access to this work benefit you? Let us know!

Recommended Citation
Gurary, Jonathan, "Improving the Security of Mobile Devices Through Multi-Dimensional and Analog Authentication" (2018). ETD Archive. 1025.
https://engagedscholarship.csuohio.edu/etdarchive/1025

This Dissertation is brought to you for free and open access by EngagedScholarship@CSU. It has been accepted for inclusion in ETD Archive by an authorized administrator of EngagedScholarship@CSU. For more information, please contact [email protected].

IMPROVING THE SECURITY OF MOBILE DEVICES THROUGH MULTI-DIMENSIONAL AND ANALOG AUTHENTICATION

JONATHAN GURARY

Bachelor of Computer Engineering
Cleveland State University
2012

Master of Electrical Engineering
Cleveland State University
2013

submitted in partial fulfillment of the requirements for the degree
DOCTOR OF ENGINEERING
at the
CLEVELAND STATE UNIVERSITY
May 2018

We hereby approve the dissertation of
Jonathan Gurary
Candidate for the Doctor of Engineering degree.

SIGNATURE PAGE ON FILE WITH CLEVELAND STATE UNIVERSITY

This dissertation has been approved for the Department of ELECTRICAL AND COMPUTER ENGINEERING and CLEVELAND STATE UNIVERSITY College of Graduate Studies by

Thesis Committee Chairperson, Dr. Wenbing Zhao
Department/Date

For my wife, my family, my country, for the Emperor.

If the road is easy, the destination is worthless.

ACKNOWLEDGMENTS

Of course, a great thank you to my adviser, Dr. Zhao, for his tremendous help and support. A thank you to my entire committee: Dr. Dong, Dr. Simon, Dr. Wang, and Dr. Wu, for their time and dedication in reviewing this work.
And thank you to the EECE department here at Cleveland State, for their financial support and for an overall excellent experience in the time I spent working towards this degree. Thank you to Dr. Zhu for getting me started on this journey. Thank you to my collaborating authors from Oakland University for their help. I wish you all the very best.

This work is dedicated to everyone who supported me. I'd like to thank my wife, for being omnipresent in support and bearing with me while I finished this lengthy project. My parents, for all their love and patience as well, even if they have no idea what I'm doing “over there at school”. My friends, for distracting me from finishing this sooner, but keeping me entertained in the meantime.

IMPROVING THE SECURITY OF MOBILE DEVICES THROUGH MULTI-DIMENSIONAL AND ANALOG AUTHENTICATION

JONATHAN GURARY

ABSTRACT

Mobile devices are ubiquitous in today's society, and the usage of these devices for secure tasks like corporate email, banking, and stock trading grows by the day. The first, and often only, defense against attackers who get physical access to the device is the lock screen: the authentication task required to gain access to the device. To date, mobile devices have languished under insecure authentication scheme offerings like PINs, Pattern Unlock, and biometrics, or slow offerings like alphanumeric passwords. This work addresses the design and creation of five proof-of-concept authentication schemes that seek to increase the security of mobile authentication without compromising memorability or usability. These proof-of-concept schemes demonstrate the concept of Multi-Dimensional Authentication, a method of using data from unrelated dimensions of information, and the concept of Analog Authentication, a method utilizing continuous rather than discrete information.
Security analysis will show that these schemes can be designed to exceed the security strength of alphanumeric passwords, resist shoulder-surfing in all but the worst-case scenarios, and offer significantly fewer hotspots than existing approaches. Usability analysis, including data collected from user studies in each of the five schemes, will show promising results for entry times, in some cases on-par with existing PIN or Pattern Unlock approaches, and comparable qualitative ratings with existing approaches. Memorability results will demonstrate that the psychological advantages utilized by these schemes can lead to real-world improvements in recall, in some instances leading to near-perfect recall after two weeks, significantly exceeding the recall rates of similarly secure alphanumeric passwords.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
ABSTRACT
LIST OF TABLES
LIST OF FIGURES

CHAPTER

I. OVERVIEW AND MOTIVATION
    1.1 Mobile: An Opportunity for Change
    1.2 Shortcomings of the Current Paradigm
    1.3 Statistical Testing
    1.4 Contributions and Outline

II. MULTI-DIMENSIONAL AUTHENTICATION
    2.1 Outline
    2.2 Introduction to Multi-Dimensional Authentication
        2.2.1 An Example of MAPS
        2.2.2 MAPS vs Traditional Authentication
    2.3 Related Work: Graphical Passwords
    2.4 Chess Based MAPS (CMAPS)
        2.4.1 Graphical Hints
    2.5 Security Strength of MAPS
        2.5.1 Security Strength of MAPS
        2.5.2 Security Strength of CMAPS
    2.6 Usability Analysis
    2.7 User Study
        2.7.1 Overview
        2.7.2 Apparatus
        2.7.3 Conditions
        2.7.4 Participants
        2.7.5 Memorability
        2.7.6 Usability
        2.7.7 Hotspots
        2.7.8 User Choice in CMAPS Passwords
        2.7.9 Graphical Hints Generated by Participants
    2.8 Discussion

III. SHOULDER-SURFING RESISTANCE
    3.1 Outline
    3.2 Expanding MAPS to Reduce Shoulder-Surfing
        3.2.1 CMAPS vs Shoulder-Surfing and Smudge Attacks
        3.2.2 PassGame: Adding Shoulder-Surfing Resistance to MAPS
    3.3 Related Work: Shoulder-Surfing Resistance
        3.3.1 Testing Shoulder-Surfing
        3.3.2 Hardware-based Shoulder-Surfing Resistance
        3.3.3 Challenge-Response
    3.4 The Design of PassGame
        3.4.1 Random Board Generation
        3.4.2 Available Rules
        3.4.3 Additional rules
    3.5 Security of PassGame
    3.6 PassGame User Study
        3.6.1 Participants
        3.6.2 Overview
        3.6.3 Memorability Results
        3.6.4 Usability Results
        3.6.5 User Choice