Keeping Secrets from Friends: Design Guidelines for Multiplexed Graphical Passwords

Abstract

Background Entering passwords on mobile devices often takes place inpublic, situations in which input actions are exposed to the people around youand passwords can be compromised simply by sneaky glances over shoulders. However, the people who surround a user are typically not malicious attackersseeking to steal data, but rather friends and colleagues. This article characterizessuch individuals as casual observers and describes the threats they pose to securityand password integrity. Methods Based on an analysis of the literature and design space, weintroduce a systematic framework for multiplexed authentication, a term weintroduce to describe a class of systems that maintain security against the threatsposed by casual observers through obsfuscated input. Building on this knowledge,we present a set of design dimensions and guidelines for multiplexed graphicalpasswords. Finally, we present ShaPIN, a multiplexed input prototype designed inlight of these guidelines and that aims to protect users against casual observation. Results Evaluations of ShaPIN with a user study reveal it can be usedrapidly, accurately and that it provides protection against in-person observation. ShaPIN also offers substantial performance imporvements over prior systems inits class, evidence that helps support and validate our design framework. Conclusion We believe that the framework of multiplexed authenticationcan inform and shape future work to ensure that passwords stay safe and secretin front of friends. By presenting design guidelines for multiplexed graphicalpasswords we also hope to raise awareness of the important issue of passwordsecurity in the design community and to show how design research can innovatein this area to create more usable and effective password systems.