Researchers at the NYU Tandon School of Engineering recently developed a new technology that combats shoulder-surfing, a spying technique in which personal information such as PINs, passwords and other personal data are obtained by looking over someone’s shoulder or standing next to them.
This new app, known as IllusionPIN, was developed over the course of a year. The project was headed by Tandon professor Nasir Memon, with help from doctoral candidates Toan Nguyen, Emre Durmas and Athanasios Papadopoulos, all members of the NYU Center for Cybersecurity. They developed a prototype and mathematical algorithm that allows IllusionPIN to effectively combat shoulder-surfing.
IllusionPIN changes the appearance and configuration of a user’s electronic device screen for others who are not immediately in front of the screen. The basic premise behind IllusionPIN’s technology is the use of a hybrid image keyboard.
Papadopoulos described the hybrid image keyboard as “an image which alternates between two perceptions depending on the distance of the observer.”
“We created what we call a hybrid keypad, which is a keypad that is perceived as having a specific digit ordering from close distance, and as having a different digit ordering from a bigger distance,” Papadopoulos said.
“The underlying technology blends one image of a keyboard configuration with high spatial frequency and a second, completely different, keyboard configuration with low spatial frequency,” Nguyen said.
In this way, those who are not directly in front of the screen and hence not the user, will perceive a completely different keyboard or image on the user’s screen. One of the benefits of this screen reconfiguration is that it helps prevent attackers from memorizing the pattern of users’ fingers on the screen, especially when typing short PINs and passcodes.
Along with the development of the technology behind IllusionPIN, Memon’s team also performed usability testing with very favorable results, indicating success in preventing shoulder-surfing attacks.
A recent NYU Tandon press release stated that when IllusionPIN was tested on 21 participants for a total of 84 attacks, not one of the attempted attacks succeeded. The testing was further validated in that the attempted attacks were performed at several distances, including three, five and seven feet away from the device screen. Furthermore, another usability test that the team performed on devices not running IllusionPIN showed that in 21 attempted attacks, all were unsuccessful in maintaining passcode security.
Various other techniques of password protection and authentication have been explored by Memon and his team of researchers, and they will continue to explore new and improved technologies that will combat other very specific cases where device protection is necessary. Memon explains that he is currently working on developing a technology that can determine whether a user is a child.
“A parent might give their phone to their child to play games, but the child can get out of the game and starts reading texts or looking through pictures,” Memon said. “How can you automatically detect the user is a child and immediately turn off certain applications? We have some preliminary data, for example, by the way children hold and interact with phones.”
Nguyen is also working on a new project called Draw-A-PIN, which he explains is a “two-factor authentication method in the sense that users are verified based on the secret of the PIN as well as their drawing characteristics which are unique to each person.”
IllusionPIN is currently in the patent application process, and should be available in application stores in several months; it will first be available on Android devices, and later on Apple devices.
Email Flavia Sinha at [email protected]