PIN sign-ins are a popular authentication method for various software and devices, from smartphones to ATMs. These relatively short string of digits are easy to remember but, for much the same reason, they are also easy to crack.
“The traditional configuration of numbers on a keypad is so familiar that it’s possible for an observer to discern a PIN or access code after several viewings of surveillance video,” Nasir Memon, a New York University Tandon School of Engineering professor, told Digital Trends. Memon said his team’s aim was to make PIN authentication more secure without requiring much more work from the device or making user experience any less smooth.
The app they developed uses a hybrid-image keyboard that tricks the eye when viewed from a distance of a few feet or more. The specific technology combines an image of a keyboard with a high spatial frequency and a different image of a keyboard with a low spatial frequency. The visibility of each image depends on the distance from which it is seen and results in an illusion that deceives the eye of a “shoulder surfer” so that the keyboard appears to be normal when, in fact, it isn’t.
To test whether IllusionPIN would actually trick an onlooker, the researchers performed 84 shoulder-surfing attacks on 21 participants as they entered their PIN using the app. In a study published online last one in the journal IEEE Xplore, the researchers report that none of the attempted attacks were successful. They also preformed one attack on each participant without using IllusionPIN, each which successfully identified the password.
“We also determined that IllusionPIN makes it nearly impossible to steal PIN or other authentication information using surveillance footage,” Memon said.
Moving forward, the team will explore ideas for deploying their technology on smartphones, ATMs, and computers.
