Towards Baselines for Shoulder Surfing on Mobile Authentication

Shoulder surfing, as a form of observation attack, by which an attacker observes a victim entering security credentials. Given the nature of mobile devices and unlock procedures, such unlock authentication is a prime target for credential leaking via shoulder surfing. While the community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs on current system is less well studied. In this paper, we describe a large online experiment ($n=1173$) that works towards establishing a baseline of performance of current unlock authentication system against shoulder surfing. Using controlled video recordings of a victim entering in a set of 4- and 6-digit length PINs and 4- and 6-length Android unlock patterns, on different phones from different angles, we asked participants in the experiment to act as attackers, trying to determine the authentication input based on an observation of input. We find that 6-digit PINs proved the most elusive attacking surface where a single observation leads to 10.8\% successful attacks, improving to 26.5\% with multiple observations. As a comparison, 6-length Android patterns, with one observation, suffered 64.2\% attack rate and 79.9\% with multiple observations. Removing feedback lines for patterns improves security from 35.3\% and 52.1\% for single and multiple observations, respectively. This evidence, as well as other results related to hand position, phone size, and observation angle, suggests that baselines for should surfing vulnerability can be established and should be centered around longer PINs, at least 6-digits in length.