
Understanding Attacking Behaviors toward Password-based Mobile User Authentication

Lina Zhou, UNC Charlotte
Kanlun Wang, UNC Charlotte
Jianwei Lai, Illinois State University
Dongsong Zhang, UNC Charlotte

Abstract

Password-based mobile user authentication is vulnerable to a variety of security threats. Shoulder-surfing is the key to those security threats. Despite a large body of research on password security with mobile devices, existing studies have focused on shaping the security behavior of mobile users by enhancing the strength of user passwords or by establishing secure password composition policies. There is little understanding of how an attacker actually goes about observing the password of a target user. This study empirically examines attackers’ behaviors in observing password-based mobile user authentication sessions across three observation attempts. It collects data through a longitudinal user study and analyzes the data collected through a system log. The results reveal several behavioral patterns of attackers. The findings suggest that attackers are strategic in deploying shoulder-surfing attacks. The findings have implications for enhancing users’ password security and refining organizations’ password composition policies.

1. Introduction

Password remains one of the most common methods for mobile user authentication [1]. Despite some benefits offered by passwords in terms of usability and deployability, ‘legacy’ passwords receive a poor rating on security [2]. Targeted online password guessing is an underestimated threat [3], in view of the wealth of personal data ranging from usernames and passwords to social security numbers stored on those devices. In particular, shoulder-surfing attacks, if successful, can lead to illegal access to all kinds of sensitive data and information on a mobile device or system, which can potentially lead to malicious activities. There are separate bodies of research on user password behaviors, password strength, password cracking/guessing, and shoulder-surfing attacks. Unlike shoulder-surfing attacks, password cracking/guessing is focused on automated programs or computer-based solutions [4]. Empirical studies on shoulder-surfing attacks on password-based authentication remain scarce. Despite a few relatively comprehensive studies of the shoulder-surfing susceptibility of password-based authentication methods (e.g., [5,6]), none has examined shoulder-surfing behavior and strategies across multiple observation attempts. Additionally, one of the studies [6] considered graphical passwords instead of text passwords. We aim to fill the literature gap by answering the following research questions: What are the behavioral patterns of shoulder-surfing attacks? Do attackers coordinate their shoulder-surfing behaviors over multiple attempts? If so, how? We answer these research questions by conducting a longitudinal user study where participants were asked to play the role of imposters who observed password-based authentication sessions. To support the investigation of multiple observation attempts, we simulate observation attacks by preparing prerecorded video clips of password authentication sessions and showing each video three times without interruption. This is the first study that examines the temporal patterns of shoulder-surfing behaviors in observation attacks. The findings can help increase users’ awareness of security threats to password-based mobile user authentication, guide mobile authentication developers in developing strategies for combating shoulder-surfing attacks, and enhance the password composition policies of organizations and websites.

2. Background and Related Work

In this section, we first provide background on password-based mobile user authentication and shoulder-surfing security models, and then discuss the shoulder-surfing susceptibility of password-based methods.

2.1. Password-based Authentication

Passwords are one of the most common methods for mobile user authentication [7]. Password-based authentication matches a user-entered password against a pre-set secret password that typically consists of a string of letters, digits, graphics, and/or symbols [3,4]. Among others, textual passwords are the most common [10]. Passwords bring some usability and deployability benefits [2], but they are vulnerable to various types of attacks (e.g., [11]), where attackers aim to shoulder surf the target user’s passwords by leveraging various sources of information such as observations and personal information. Passwords are vulnerable to security threats partly because password login attempts can potentially be observed by shoulder-surfers.

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee.
USENIX Symposium on Usable Privacy and Security (SOUPS) 2021.
August 8–10, 2021, Virtual Conference.
2.2. Shoulder-surfing Security Models

Security models used in shoulder-surfing research can be classified into four categories based on whether authentication sessions were recorded or not and how many times adversaries can observe the authentication sessions [12]. The single recording and multiple recording models both present adversaries with recorded authentication sessions. The difference between the two models is that adversaries are only given a small number of recorded sessions with the single recording model, but a large number of recorded authentication sessions with the latter. With the opportunistic observer and the insider observer models, adversaries observe user authentication sessions live. However, opportunistic observers can only observe a small number of authentication sessions live, whereas insider observers can observe victims many times. It is important to choose the right model based on the context of attacks [12]. For example, the single recording model is not suitable for research on shoulder-surfing attacks among family members, who can observe their victims repeatedly [13]. Instead, the insider observer model will be more suitable. All types of security models would expose credentials to attackers while increasing the vulnerability of a mobile device.

2.3. Shoulder-surfing Susceptibility of Password-based Methods

In the case of password-based mobile user authentication, the goal of shoulder-surfing attacks is to steal a victim’s password. The limited empirical studies on shoulder-surfing behavior in mobile user authentication have focused on comparisons between PIN and pattern lock variations [6], PIN and ForcePIN [13], or alphanumeric and graphical passwords [14]. While a previous study investigated the shoulder-surfing susceptibility of password-based authentication on a variety of smartphone platforms [5], it was focused on the security model of opportunistic observers, where the participants were allowed to observe each password entering process once only. Similarly, the majority of shoulder-surfing studies (e.g., [15,16]) only allowed for a single observation from an adversary in decoding the victim’s authentication credentials, except for a couple of studies that considered two observations [13,17]. Empirical evidence has shown that the observer needs to observe a login attempt more than three times on average in order to reproduce low-entropy passwords, and the number is even much higher for high-entropy passwords [18]. More importantly, those studies did not consider the attackers’ change of behaviors over different attempts.

This study aims to fill the literature gap by investigating the dynamics of shoulder-surfing behaviors across different observations of password-based mobile user authentication. To this end, we adopted the opportunistic observer/multiple recording model in this study.

3. Methods

We first describe the password-based authentication method, and then introduce the details of the user study design.

3.1. Password Method

QWERTY remains the de facto keyboard for mobile users to enter their passwords. Since our user study was conducted in the United States, we adopted conventional QWERTY-based textual passwords as the authentication method. To enter a password, the user needs to press each key corresponding to each character in the password one by one. A login attempt succeeds if the entered password exactly matches the actual password. We developed a prototype to support mobile user authentication using QWERTY, which logs the user’s keystroke activities with timestamps.

Figure 1. A screenshot of the shoulder-surfing setting

3.2. Study Design

The study was approved by the Institutional Review Board of the authors’ home institute. The participants were first introduced to the objectives and procedure of the study in a designated lab. After signing the consent form, the participants received training on password authentication methods using QWERTY and another keyboard. To make sure that the participants were familiar with the password authentication methods regardless of their prior experience, the participants were asked to go through a two-week-long daily practice with both password authentication methods by entering a new set of 20 passwords. Finally, the participants were asked to take a test in the lab by entering a new set of 40 passwords. Only those participants who were able to keep up with the daily practice and achieved a sufficient level of accuracy (75% or higher) in the last lab-based test were eligible for participation in the shoulder-surfing study. The accuracy was defined as the percentage of the characters in the passwords that were entered correctly.

The shoulder-surfing session was conducted in a lab, where the participants were asked to play the role of an attacker. The attacker’s task was to identify passwords based on their observations of mobile user authentication attempts. To simulate the opportunistic observer model, we pre-recorded videos of password-based sessions of an expert user. The use of an expert user followed previous shoulder-surfing studies [6, 19], which not only allowed us to manipulate the password entry performance to match the level of an average user but also helped to minimize the effects of confounding factors introduced by using participants. We developed a web-based experiment system to support the experiment. The system allowed the participants to watch the videos and enter and/or correct their passwords. Participants’ video watching
and password-entering behaviors (e.g., letter and deletion operations) were recorded in a server log. The participants did not receive any feedback on the accuracy of their entered passwords throughout the experiment. The password length was set to 8 characters, and the passwords did not exist in dictionaries (e.g., “mkxcrdqu”), to achieve a balance between security and complexity.

The participants received training with the experiment system and practiced shoulder-surfing attacks with sample video clips of password authentication sessions similar to those used in the formal study before proceeding with the formal tasks. The participants were also informed that they would be observing each of the authentication sessions three times in a row, making one password entering attempt after each observation, and that the password length was 8 characters. The shoulder-surfing attacks in the formal tasks were performed under a variety of settings. In this paper, we focus on the setting where the participants observed the QWERTY-based password authentication method from a near distance when the authentication was performed using the thumb of the same hand that holds the device.

As it is common to use student participants in mobile user authentication studies [20,21], we recruited participants via a university mailing list. Among the 17 participants who had participated, 13 successfully completed all experiment tasks, and each of them received a $45 gift card. All the participants were English speakers and had experience with interacting with mobile devices in the past three months. Among the participants, nine were aged from 19 to 24 years and four from 25 to 36 years, and five were male and eight were female.

3.3. Variables and Measurements

Given the novelty of the research problem, we introduce the following variables to measure attackers’ shoulder-surfing behavior.

• Guessed password length is defined as the number of characters included in each password guess,
• Specificity is defined as the percentage of correctly identified characters in a password guess, and
• Sensitivity is defined as the percentage of characters in the actual password that are guessed correctly.

The following three measures were introduced specifically to understand attackers’ possible coordination behavior across multiple observation attempts.

• Levenshtein Distance measures the discrepancy between two strings of characters [22], which is defined as the minimum number of single-character edits to transform one password guess into another.
• Modification is defined as the percentage of the participants who revise a password guess based on the previous password guess(es).
• Deletion refers to the number of deletion operations performed in each password observation attempt.

4. Results

The descriptive statistics of shoulder-surfing behavior and across-attempt coordination behavior are reported in Table 1. Since modification and Levenshtein Distance are measured between attempts, we report them separately in Table 2. To test the effect of multiple observation attempts on shoulder-surfing behavior and performance, we performed a one-way repeated-measures ANOVA using attempt as the independent variable and each of the shoulder-surfing and coordination behaviors as the dependent variable separately. For the Levenshtein Distance, we analyzed the effect of attempt using a paired-sample t-test.

The analyses of specificity did not yield a significant main effect (p>.1). However, the result shows that specificity gradually increases as the number of observations increases. In addition, four out of the thirteen participants could observe the actual password correctly within the three attempts. Among them, three participants made a correct guess in the first attempt and one participant made it in the second attempt. For those who achieved success in the first attempt, only one participant kept their correct guess in the subsequent two observations, and the other two participants revised their guesses to incorrect ones in the second and third attempts, respectively. There was no change found for the participant who made a correct guess in the second attempt.

Given the significant main effect for sensitivity (p<.05), we followed up with post-hoc multiple comparisons. The results are reported in Table 3. The result shows that there was a significant difference in sensitivity between the first two attempts (p<.05) and between the first and the third attempts (p<.001), but the difference between the last two attempts was not significant (p>.1).

In addition, the analyses yielded a significant main effect for guessed password length (p<.01). The results of post-hoc multiple comparisons reveal that the guess length increased from the first to the third attempt (p<0.01) and from the first to the second attempt (p<0.05), and the increase in the guessed length from the second to the third attempt was marginally significant (p<0.1).

Further, the analysis results on Levenshtein Distance yield a marginally significant effect of attempt (p<.1). Specifically, the distance between the first two attempts is greater than that between the last two attempts. A comparison of modification between attempts shows that modification increases with the number of attempts; however, the analysis results on deletion do not reveal a significant effect of attempt (p>.1).
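As an added worked example (not part of the paper or of its experiment system), the following Python script computes the shoulder-surfing and coordination measures defined in Section 3.3 from a constructed keystroke log of the kind that Sections 3.1 and 3.2 describe the server recording, and aggregates them per attempt in the layout of Tables 1 and 2. Everything about the log format is an assumption: each attempt is a string of keystrokes in which a plain character is a typed letter, '<' is a deletion and '^' clears the entry field; the field is assumed to keep the previous guess between attempts, so an attempt that does not clear it counts as a modification; and correctly identified characters are counted position-wise, since the paper does not state its matching rule. The password “mkxcrdqu” is the paper's own example; the two participants' keystroke strings are constructed.

```python
"""Score shoulder-surfing guesses with the measures of Section 3.3 (added example)."""
from statistics import mean

ACTUAL = "mkxcrdqu"  # the paper's example of a non-dictionary 8-character password

# Constructed server log: {participant: [keystrokes of attempt 1, attempt 2, attempt 3]}.
# '<' = deletion (backspace), '^' = clear the entry field; anything else is a typed letter.
LOG = {
    "p01": ["mkxrd", "<<crdq", "^mkxcrdqu"],     # edits guess 1, then retypes from scratch
    "p02": ["mkxcrdqu", "<<<<dqu", "<<<rdqu"],   # correct at first, revises to a wrong guess
}


def replay(keystrokes, start=""):
    """Replay one attempt's keystrokes on a field prefilled with `start`.

    Returns (final guess, number of deletion operations, modified), where
    modified is False only if the participant cleared the field ('^').
    """
    buf = list(start)
    deletions = 0
    modified = True  # assumption: the field starts with the previous guess
    for k in keystrokes:
        if k == "^":
            buf = []
            modified = False
        elif k == "<":
            if buf:
                buf.pop()
            deletions += 1  # a backspace on an empty field is still an operation
        else:
            buf.append(k)
    return "".join(buf), deletions, modified


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def correct_chars(guess, actual):
    """Characters that match the actual password at the same position (assumed rule)."""
    return sum(g == a for g, a in zip(guess, actual))


def score_participant(attempts, actual=ACTUAL):
    """Return one dict of measures per attempt for a participant's keystroke log."""
    rows, prev_guess = [], ""
    for n, keys in enumerate(attempts, 1):
        guess, deletions, modified = replay(keys, start=prev_guess)
        correct = correct_chars(guess, actual)
        rows.append({
            "attempt": n,
            "guess": guess,
            "length": len(guess),
            "specificity": correct / len(guess) if guess else 0.0,
            "sensitivity": correct / len(actual),
            "deletions": deletions,
            # coordination measures only exist from the second attempt on
            "modification": modified if n > 1 else None,
            "levenshtein": levenshtein(prev_guess, guess) if n > 1 else None,
        })
        prev_guess = guess
    return rows


def summarize(log, actual=ACTUAL):
    """Mean of each measure per attempt across participants (Table 1 / Table 2 layout)."""
    per_participant = {p: score_participant(a, actual) for p, a in log.items()}
    n_attempts = max(len(r) for r in per_participant.values())
    table = {}
    for n in range(1, n_attempts + 1):
        rows = [r[n - 1] for r in per_participant.values() if len(r) >= n]
        entry = {k: mean(r[k] for r in rows)
                 for k in ("specificity", "sensitivity", "length", "deletions")}
        if n > 1:  # "1 to 2", "2 to 3" columns of Table 2
            entry["modification_pct"] = 100 * mean(int(r["modification"]) for r in rows)
            entry["levenshtein"] = mean(r["levenshtein"] for r in rows)
        table[n] = entry
    return table


if __name__ == "__main__":
    for n, entry in summarize(LOG).items():
        print(f"attempt {n}: " + ", ".join(f"{k}={v:.3f}" for k, v in entry.items()))
```

Running the script prints the per-attempt means for the two constructed participants; with a real log the same functions apply unchanged, and the per-participant rows from score_participant are what a repeated-measures analysis such as the one in Section 4 would consume.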
Table 1: Descriptive statistics (mean (std)) for shoulder-surfing behavior

Variables                 Attempt 1        Attempt 2        Attempt 3
Specificity               0.732 (0.182)    0.788 (0.184)    0.812 (0.171)
Sensitivity               0.538 (0.194)    0.712 (0.194)    0.817 (0.141)
Guessed password length   5.923 (2.019)    7.308 (1.312)    8.154 (0.689)
Deletion                  0.077 (0.277)    1.462 (1.898)    1.538 (2.727)

Table 2: Descriptive statistics (mean (std)) of shoulder-surfing coordination behavior

Variables                 1 to 2           2 to 3
Levenshtein Distance      3.154 (1.214)    1.923 (1.801)
Modification*             76.9%            92.3%
Note: *: Binary variable is reported as a percentage.

Table 3: Post-hoc multiple comparison results

Variables                 1 vs. 2           2 vs. 3           1 vs. 3
Sensitivity               p=.032 (0.173)    p=.124 (0.106)    p=.0003 (0.278)
Guessed password length   p=.049 (1.385)    p=.051 (0.846)    p=.001 (2.231)
Note: p-values are reported, and mean differences are in parentheses.

5. Discussion and Conclusion

Although the security vulnerability of password-based mobile user authentication has received widespread attention, there are few research studies of attackers’ shoulder-surfing on mobile devices. In this study, we empirically investigate the attackers’ behaviors displayed in shoulder-surfing while targeting mobile user authentication. Based on an analysis of server log files, we were able to identify several behavioral patterns of shoulder-surfers across multiple attempts.

First, the sensitivity of password guesses improves and the length of password guesses increases over time. These findings are also in line with cognitive load theory, which holds that humans have limited working memory for processing information. The capacity of short-term memory is estimated to be in the order of four items [23], which is much less than the length of the passwords used in our experiments. Studies have shown that repetition is one of the most powerful influencers on memory [24]. The effect of repetition on memory judgments is particularly pronounced [24].

Second, there was a greater amount of modification between the first and the second attempts than between the last two attempts based on the Levenshtein Distance. Similarly, there was a greater amount of change in the guessed password length between the first two attempts than between the last two attempts. These observations further underline the importance of repetition for shoulder-surfing. Even one additional attempt could make a significant difference in the shoulder-surfing outcomes.

Third, while being provided with the option of modifying their previous guesses, a few participants still chose to redo the entire observation in subsequent attempts. One explanation is that the attacker participants had to make significant modifications to their previous guesses, and it might be more efficient to start from scratch than to make incremental changes.

The above findings on the temporal patterns of shoulder-surfing behaviors suggest that attackers are strategic in observing user passwords.

This research has some limitations that could invite future research. First, it is not uncommon to use a small sample size in controlled lab experiments for mobile user authentication studies [25,26]. This research could benefit from a larger sample of a diversified population. Second, the attacker participants were informed at the beginning of the study that they had the opportunity to make three observations. The findings on behavioral patterns and strategies of shoulder-surfing may not generalize to other types of settings. Third, the password length was set to eight. In reality, the length of user passwords varies significantly. Thus, it would be fruitful to replicate this study with varying password lengths to gain an understanding of the possible influence of password length on shoulder-surfing behaviors. Fourth, we used video recordings of password-based mobile user authentication sessions as stimuli in the user study. In addition to observation-based attacks, attackers could also launch recorded attacks. It is a worthy effort to study the behavioral patterns of recorded attacks separately. Our research paves the way for future research in this area.

Acknowledgement

This research was partially supported by the National Science Foundation [Award #s: CNS 1917537 and SES 1912898]. Any opinions, findings, and conclusions, or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the above funding agency.

References

[1] K. Wang, L. Zhou, and D. Zhang, “User Preferences and Situational Needs of Mobile User Authentication Methods,” 2019, pp. 18–23. doi: 10.1109/ISI.2019.8823274.
[2] J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” in 2012 IEEE Symposium on Security and Privacy, May 2012, pp. 553–567. doi: 10.1109/SP.2012.44.
[3] D. Wang, Z. Zhang, P. Wang, J. Yan, and X. Huang, “Targeted Online Password Guessing: An Underestimated Threat,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, Oct. 2016, pp. 1242–1254. doi: 10.1145/2976749.2978339.
[4] E. Conrad, “Chapter 9 - Domain 9: Operations Security,” in Eleventh Hour CISSP, E. Conrad, Ed. Boston: Syngress, 2011, pp. 147–160. doi: 10.1016/B978-1-59749-566-0.00009-6.
[5] F. Schaub, R. Deyhle, and M. Weber, “Password Entry Usability and Shoulder Surfing Susceptibility on Different Smartphone Platforms,” in Proceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia, New York, NY, USA, 2012, pp. 13:1–13:10. doi: 10.1145/2406367.2406384.
[6] A. J. Aviv, J. T. Davin, F. Wolf, and R. Kuber, “Towards Baselines for Shoulder Surfing on Mobile Authentication,” in Proceedings of the 33rd Annual Computer Security Applications Conference - ACSAC 2017, 2017, pp. 486–498. doi: 10.1145/3134600.3134609.
[7] K. Wang, L. Zhou, D. Zhang, Z. Liu, and J. Lim, “What is More Important for Touch Dynamics based Mobile User Authentication?,” p. 15, 2020.
[8] C. Castelluccia, M. Durmuth, and D. Perito, “Adaptive Password-Strength Meters from Markov Models,” p. 14.
[9] B. Ur et al., Poster: The Art of Password Creation.
[10] C. Herley and P. Van Oorschot, “A Research Agenda Acknowledging the Persistence of Passwords,” IEEE Security & Privacy, vol. 10, no. 1, pp. 28–36, Jan. 2012. doi: 10.1109/MSP.2011.150.
[11] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “Password memorability and security: empirical results,” IEEE Security & Privacy, vol. 2, no. 5, pp. 25–31, Sep. 2004. doi: 10.1109/MSP.2004.81.
[12] O. Wiese and V. Roth, “See you next time: a model for modern shoulder surfers,” in Proceedings of the 18th International Conference on Human-Computer Interaction with Mobile Devices and Services, New York, NY, USA, Sep. 2016, pp. 453–464. doi: 10.1145/2935334.2935388.
[13] H. Khan, U. Hengartner, and D. Vogel, “Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing,” in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18, Montreal QC, Canada, 2018, pp. 1–10. doi: 10.1145/3173574.3173738.
[14] F. Tari, A. A. Ozok, and S. H. Holden, “A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords,” in Proceedings of the second symposium on Usable privacy and security - SOUPS ’06, Pittsburgh, Pennsylvania, 2006, p. 56. doi: 10.1145/1143120.1143128.
[15] A. De Luca, E. von Zezschwitz, L. Pichler, and H. Hussmann, “Using fake cursors to secure on-screen password entry,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems - CHI ’13, Paris, France, 2013, p. 2399. doi: 10.1145/2470654.2481331.
[16] M. Khamis, F. Alt, M. Hassib, E. von Zezschwitz, R. Hasholzner, and A. Bulling, “GazeTouchPass: Multimodal Authentication Using Gaze and Touch on Mobile Devices,” in Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems, New York, NY, USA, May 2016, pp. 2156–2164. doi: 10.1145/2851581.2892314.
[17] F. Schaub, M. Walch, B. Könings, and M. Weber, “Exploring the design space of graphical passwords on smartphones,” in Proceedings of the Ninth Symposium on Usable Privacy and Security - SOUPS ’13, Newcastle, United Kingdom, 2013, p. 1. doi: 10.1145/2501604.2501615.
[18] P. Dunphy, A. P. Heiner, and N. Asokan, “A closer look at recognition-based graphical passwords on mobile devices,” in Proceedings of the Sixth Symposium on Usable Privacy and Security, New York, NY, USA, Jul. 2010, pp. 1–12. doi: 10.1145/1837110.1837114.
[19] O. Wiese and V. Roth, “Pitfalls of Shoulder Surfing Studies,” Jan. 2015. doi: 10.14722/usec.2015.23007.
[20] W. Meng, Y. Wang, D. S. Wong, S. Wen, and Y. Xiang, “TouchWB: Touch behavioral user authentication based on web browsing on smartphones,” Journal of Network and Computer Applications, vol. 117, pp. 1–9, Sep. 2018. doi: 10.1016/j.jnca.2018.05.010.
[21] S. Sen and K. Muralidharan, “Putting ‘pressure’ on mobile authentication,” in 2014 Seventh International Conference on Mobile Computing and Ubiquitous Networking (ICMU), Jan. 2014, pp. 56–61. doi: 10.1109/ICMU.2014.6799058.
[22] L. Bošnjak and B. Brumen, “Shoulder surfing: From an experimental study to a comparative framework,” International Journal of Human-Computer Studies, vol. 130, pp. 1–20, Oct. 2019. doi: 10.1016/j.ijhcs.2019.04.003.
[23] N. Cowan, “The magical number 4 in short-term memory: A reconsideration of mental storage capacity,” Behavioral and Brain Sciences, vol. 24, no. 1, pp. 87–114, Feb. 2001. doi: 10.1017/S0140525X01003922.
[24] D. L. Hintzman, “Repetition and Memory,” in Psychology of Learning and Motivation, vol. 10, G. H. Bower, Ed. Academic Press, 1976, pp. 47–91. doi: 10.1016/S0079-7421(08)60464-8.
[25] S. A. Alsuhibany, M. Almushyti, N. Alghasham, and F. Alkhudhayr, “The impact of using different keyboards on free-text keystroke dynamics authentication for Arabic language,” Information & Computer Security, vol. 27, no. 2, pp. 221–232, Jan. 2019. doi: 10.1108/ICS-09-2017-0062.
[26] K. Vertanen and P. O. Kristensson, “Complementing text entry evaluations with a composition task,” ACM Trans. Comput.-Hum. Interact., vol. 21, no. 2, pp. 8:1–8:33, Feb. 2014. doi: 10.1145/2555691.
Appendix 42 colorlinks ,
43 linkcolor ={ green !80! black },
Code with comments. 44 citecolor ={ red !70! black },
45 urlcolor ={ blue !70! black },
46 }
Style File 47
48 %
49 % USENIX wants margins of : 0.75" sides , 1" bottom ,
1 % usenix . sty - to be used with latex 2e for USENIX . and 1" top .
2 % To use this style file , look at the template 50 % 0.33" gutter between columns .
usenix _ template . tex 51 % Gives active areas of 7" x 9"
3 % 52 %
4 % $ Id : usenix .sty ,v 1.2 2005/02/16 22:30:47 53 \ setlength {\ textheight }{9.0 in } % height of
maniatis Exp $ column
5 % 54 \ setlength {\ columnsep }{0.27 in } % gap between two
6 % The following definitions are modifications of columns
standard article . sty ----------------------------------------------------------
7 % definitions , arranged to do a better job of
matching the USENIX 55 \ setlength {\ textwidth }{7.03 in } % width of column
8 % guidelines . ----------------------------------------------------------
9 % It will automatically select two - column mode and
56
the Times - Roman
10 % font . 57 \ setlength {\ topmargin }{ -0.05 in }
11 % 58 \ setlength {\ headheight }{0.0 in }
59
12 % 2018 -12 -19 [ for ATC ’19]: add packages to help
embed all fonts in 60 \ setlength {\ headsep }{0.0 in }
61
13 % pdf ; to improve appearance ( hopefully ); to
make refs and citations 62 \ addtolength {\ oddsidemargin }{ -0.25 in }
14 % clickable in pdf 63 \ addtolength {\ evensidemargin }{ -0.25 in }
64
15
16 % 65 % Usenix wants no page numbers for camera - ready
17 % USENIX papers are two - column . papers , so that they can
18 % Times - Roman font is nice if you can get it ( 66 % number them themselves . But submitted papers
requires NFSS , should have page numbers
19 % which is in latex 2e. 67 % for the reviewers ’ convenience .
20
68 %
21
69 %
22 \ if@twocolumn \ else \ input twocolumn . sty \ fi 70 % \ pagestyle { empty }
71
23 \ usepackage { mathptmx } % times roman , including
math ( where possible ) %
72

24
% Usenix titles are in 14 - point bold type , with no
73

25 % hopefully embeds all fonts in pdf date , and with no


74 % change in the empty page headers . The whole
26 \ usepackage [T 1]{ fontenc }
27 \ usepackage [ utf 8]{ inputenc } author section is 12 point
75 % italic --- you must use {\ rm } around the actual
28 \ usepackage { pslatex }
29
author names to get
76 % them in roman .
30 % appearance
77 %
31 \ usepackage [ kerning , spacing ]{ microtype } % more
78 \ def \ maketitle {\ par
compact and arguably nicer
32 \ usepackage { flushend } % make cols in last page 79 \ begingroup
equal in size 80 \ renewcommand \ thefootnote {\ fnsymbol { footnote }} %
33 \ pagenumbering { gobble } % to ensure there is no 81 \ def \ @makefnmark {\ hbox to \ z@ {$\ m@th ^{\
page number @thefnmark }$\ hss }} %
82 \ long \ def \ @makefntext ##1{\ parindent 1 em \
----------------------------------------------------------------------------------------------------------
noindent
34
83 \ hbox to 1.8 em {\ hss $\ m@th ^{\ @thefnmark
35 % refs and bib }$}##1} %
36 \ usepackage { cite } % order multiple 84 \ if@twocolumn
entries in \ cite {...} 85 \ twocolumn [\ @maketitle ]%
37 \ usepackage { breakurl } % break too - long 86 \ else \ newpage
urls in refs 87 \ global \ @topnum \ z@
\usepackage{url}                       % allow \url in bibtex for clickable links
\usepackage{xcolor}                    % color definitions, to be used for ...
\usepackage[pdfusetitle]{hyperref}     % ... clickable refs within pdf ...
\hypersetup{                           % ... like so
  \@maketitle \fi \@thanks
  \endgroup
  \setcounter{footnote}{0}%
  \let\maketitle\relax
  \let\@maketitle\relax
  \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax
}


\def\@maketitle{\newpage
  \vbox to 1.15in {
    \vspace*{\fill}
    \vskip 2em
    \begin{center}%
      {\Large \bf \@title \par}%
      \vskip 0.375in minus 0.300in
      {\large \it
        \lineskip .5em
        \begin{tabular}[t]{c}\@author
        \end{tabular}\par}%
    \end{center}%
    \par
    \vspace*{\fill}
    \hypersetup{
      pdfauthor={\plainauthor}}        % MLM: Put "plainauthor" into pdf metadata


    \vskip 3em                         % gap between paragraph title & authors' names
  }
}

%
% The abstract is preceded by a 12-pt bold centered heading
\def\abstract{\begin{center}%
  {\large\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
  \end{center}}
\def\endabstract{}

%
% Main section titles are 12-pt bold. Others can be same or smaller.
%

\def\section{\@startsection{section}{1}{\z@}   % distance from left side
  {-4.7556ex plus -1ex minus -.2ex}
  {0.3ex plus .2ex}
  {\reset@font\large\bf}}



\def\subsection{\@startsection{subsection}
  {2}                                  % information about level
  {\z@}                                % information about indent
  {-0.7ex plus 0.1ex minus -0.05ex}
  {0.1pt}
  {\reset@font\normalsize\bf}
}

% this is a titlesec package -----------------------------------------------
\usepackage{titlesec}
\titlespacing*{\section}               % this will determine section spacing
  {0pt}
  {0.0ex plus 1ex minus .2ex}
  {0.0ex plus .2ex}

\titlespacing*{\subsection}            % this will determine subsection spacing
  {0pt}
  {0.0ex plus 1ex minus .2ex}
  {0.0ex plus .2ex}
%\usepackage{secdot}                   % Dot After Section Name
%\sectiondot{subsection}               % Dot After Subsection Name

\titleformat{\section}
  {\normalfont\large\bfseries}{\thesection.\quad}{-0.7em}{}     % .\quad means a dot after the number

\titleformat{\subsection}
  {\normalfont\small\bfseries}{\thesubsection.\quad}{-0.7em}{}  % .\quad means a dot after the number



% set up for copyright box (adapted from ACM template used in SOUPS 2018)

% create a float for the copyright box
\usepackage{float}
\newfloat{soupscopyright}{b}           % A new float type so it doesn't count against figures

\def\thecopyright{
  \begin{soupscopyright}[b]            % declare a float of the type
    \begin{center}
      \setlength{\unitlength}{1pc}
      \begin{picture}(20,6)            % Space for copyright notice
        % \put(0,-0.95){TEST}
        \put(0,-0.95){                 % "Put" adds text to the "picture"
          \parbox[b]{20pc}{\baselineskip 9pt   % parbox lets you have newlines and such
            \footnotesize{Copyright is held by the author/owner. Permission
            to make digital or hard copies of all or part of this work for
            personal or classroom use is granted without fee.\par
            \emph{USENIX Symposium on Usable Privacy and Security
            (SOUPS)} 2021.\\ August~8--10,~2021, Virtual~Conference.}
          }}
      \end{picture}
    \end{center}
  \end{soupscopyright}
}
Main Latex File

%
% Template for USENIX papers.
%
% History:
%
% - TEMPLATE for Usenix papers, specifically to meet requirements of
%   USENIX '05. originally a template for producing IEEE-format
%   articles using LaTeX. written by Matthew Ward, CS Department,
%   Worcester Polytechnic Institute. adapted by David Beazley for his
%   excellent SWIG paper in Proceedings, Tcl 96. turned into a
%   smartass generic template by De Clarke, with thanks to both the
%   above pioneers. Use at your own risk. Complaints to /dev/null.
%   Make it two column with no page numbering, default is 10 point.
%
% - Munged by Fred Douglis <douglis@research.att.com> 10/97 to
%   separate the .sty file from the LaTeX source template, so that
%   people can more easily include the .sty file into an existing
%   document. Also changed to more closely follow the style guidelines
%   as represented by the Word sample file.
%
% - Note that since 2010, USENIX does not require endnotes. If you
%   want foot of page notes, don't include the endnotes package in the
%   usepackage command, below.
% - This version uses the latex2e styles, not the very ancient 2.09
%   stuff.
%
% - Updated July 2018: Text block size changed from 6.5" to 7"
%
% - Updated Dec 2018 for ATC'19:
%
%   * Revised text to pass HotCRP's auto-formatting check, with
%     hotcrp.settings.submission_form.body_font_size=10pt, and
%     hotcrp.settings.submission_form.line_height=12pt
%
%   * Switched from \endnote-s to \footnote-s to match Usenix's policy.
%
%   * \section* => \begin{abstract} ... \end{abstract}
%
%   * Make template self-contained in terms of bibtex entries, to allow
%     this file to be compiled. (And changing refs style to 'plain'.)
%
%   * Make template self-contained in terms of figures, to
%     allow this file to be compiled.
%
%   * Added packages for hyperref, embedding fonts, and improving
%     appearance.
%
%   * Removed outdated text.
%
%
\documentclass[letterpaper,twocolumn,10pt]{article}
\usepackage{usenix2021_SOUPS}

% to be able to draw some self-contained figs
\usepackage{tikz}
\usepackage{amsmath}
\usepackage{caption}
\usepackage{listings}
\usepackage{xcolor}


%----------------------------------------------------------
\begin{document}
%----------------------------------------------------------

% don't want date printed
\date{}

% make title bold and 14 pt font (Latex default is non-bold, 16 pt)
\title{\large\bf Understanding Attacking Behaviors toward Password-based Mobile User Authentication}

% if you leave this blank it will default to a possibly ugly attempt
% to make the contents of the \author command below into a string
\def\plainauthor{Author name(s) for PDF metadata. Don't forget to anonymize for submission!}

% for single author (just remove % characters)
\author{
  {\rm Lina Zhou, \emph{UNC Charlotte}}\\                % name and institute of authors
  {\rm Jianwei Lai, \emph{Illinois State University}}    % name and institute of authors
  \and
  {\rm Kanlun Wang, \emph{UNC Charlotte}}\\              % name and institute of authors
  {\rm Dongsong Zhang, \emph{UNC Charlotte}}             % name and institute of authors
  % copy the following lines to add more authors
  % \and
  % {\rm Name}\\
  % Name Institution
}                                                        % end author

\maketitle
\thecopyright

%-------------------------------------------------------------------------------
\section*{Abstract}                                      % remove numbering
%-------------------------------------------------------------------------------
Password-based mobile user authentication is vulnerable to a variety of security threats, and shoulder-surfing is central to those threats. Despite a large body of research on password security with mobile devices, existing studies have focused on shaping the security behavior of mobile users, either by enhancing the strength of user passwords or by establishing secure password composition policies. There is little understanding of how an attacker actually goes about observing the password of a target user. This study empirically examines attackers' behaviors in observing password-based mobile user authentication sessions across three observation attempts. It collects data through a longitudinal user study and analyzes the data recorded in a system log. The results reveal several behavioral patterns of attackers. The findings suggest that attackers are strategic in deploying shoulder-surfing attacks, and they have implications for enhancing users' password security and refining organizations' password composition policies.
\\
\\

%-------------------------------------------------------------------------------
\section{Introduction}
%-------------------------------------------------------------------------------

Passwords remain one of the most common methods for mobile user authentication [1]. Despite some benefits offered by passwords in terms of usability and deployability, legacy passwords receive a poor rating on security [2]. Targeted online password guessing is an underestimated threat [3], in view of the wealth of personal data, ranging from usernames and passwords to social security numbers, stored on mobile devices. In particular, a successful shoulder-surfing attack can lead to illegal access to all kinds of sensitive data and information on a mobile device or system, which in turn can enable malicious activities.
There are separate bodies of research on user password behaviors, password strength, password cracking/guessing, and shoulder-surfing attacks. Unlike shoulder-surfing attacks, password cracking/guessing is focused on automated programs or computer-based solutions [4]. Empirical studies on shoulder-surfing attacks against password-based authentication remain scarce. Despite a few relatively comprehensive studies of the shoulder-surfing susceptibility of password-based authentication methods (e.g., [5,6]), none has examined shoulder-surfing behavior and strategies across multiple observation attempts. Additionally, one of those studies [6] considered graphical passwords instead of text passwords. We aim to fill this gap in the literature by answering the following research questions: What are the behavioral patterns of shoulder-surfing attacks? Do attackers coordinate their shoulder-surfing behaviors over multiple attempts? If so, how?
We answer these research questions by conducting a longitudinal user study in which participants were asked to play the role of imposters who observed password-based authentication sessions. To support the investigation of multiple observation attempts, we simulate observation attacks by preparing prerecorded video clips of password authentication sessions and showing each video three times without interruption. This is the first study that examines the temporal patterns of shoulder-surfing behaviors in observation attacks. The findings can help increase users' awareness of security threats to password-based mobile user authentication, guide mobile authentication developers in developing strategies for combating shoulder-surfing attacks, and inform the password composition policies of organizations and websites.
\\
%----------------------------------------------------------
\section{Background and Related Work}
%----------------------------------------------------------

In this section, we first provide background on password-based mobile user authentication, then review shoulder-surfing security models, and finally discuss the shoulder-surfing susceptibility of password-based methods.


\subsection{Password-based Authentication}

Passwords are one of the most common methods for mobile user authentication [7]. Password-based authentication matches a user-entered password against a pre-set secret password that typically consists of a string of letters, digits, graphics, and/or symbols [3,4]. Among these, textual passwords are the most common [10]. Passwords bring some usability and deployability benefits [2], but they are vulnerable to various types of attacks (e.g., [11]) in which attackers aim to recover the target users' passwords by leveraging various sources of information, such as direct observation and personal information. Passwords are vulnerable partly because password login attempts can be observed by shoulder-surfers.

\newpage

\subsection{Shoulder-surfing Security Models}

Security models used in shoulder-surfing research can be classified into four categories based on whether authentication sessions are recorded and how many times adversaries can observe them [12]. The single recording and multiple recording models both present adversaries with recorded authentication sessions; the difference is that adversaries are given only a small number of recorded sessions under the single recording model but a large number under the multiple recording model. Under the opportunistic observer and insider observer models, adversaries observe user authentication sessions live. Opportunistic observers can observe only a small number of authentication sessions, whereas insider observers can observe victims many times. It is important to choose the right model based on the context of the attacks [12]. For example, the single recording model is not suitable for research on shoulder-surfing attacks among family members, who can observe their victims repeatedly [13]; the insider observer model is more suitable there. Under all four models, credentials are exposed to attackers, increasing the vulnerability of the mobile device.


\subsection{Shoulder-surfing Susceptibility of Password-based Methods}

In the case of password-based mobile user authentication, the goal of a shoulder-surfing attack is to steal a victim's password. The limited empirical studies on shoulder-surfing behavior in mobile user authentication have focused on comparisons between PIN and pattern lock variations [6], PIN and ForcePIN [13], or alphanumeric and graphical passwords [14]. While a previous study investigated the shoulder-surfing susceptibility of password-based authentication on a variety of smartphone platforms [5], it was focused on the opportunistic observer model, where participants were allowed to observe each password entry process only once. Similarly, the majority of shoulder-surfing studies (e.g., [15,16]) allowed the adversary only a single observation in decoding the victim's authentication credentials, except for a couple of studies that considered two observations [13,17]. Empirical evidence has shown that an observer needs to observe a login attempt more than three times on average in order to reproduce low-entropy passwords, and the number is far higher for high-entropy passwords [18]. More importantly, those studies did not consider how attackers' behaviors change over different attempts.\\
This study aims to fill the gap in the literature by investigating the dynamics of shoulder-surfing behaviors across different observations of password-based mobile user authentication. To this end, we adopted the opportunistic observer/multiple recording model in this study.\\
\\
%----------------------------------------------------------
\section{Methods}
%----------------------------------------------------------

We first describe the password-based authentication method and then introduce the details of the user study design.


\subsection{Password Method}

QWERTY remains the de facto keyboard for mobile users to enter their passwords. Since our user study was conducted in the United States, we adopted conventional QWERTY-based textual passwords as the authentication method. To enter a password, the user presses the key corresponding to each character in the password, one by one. A login attempt succeeds if the entered password exactly matches the actual password. We developed a prototype to support mobile user authentication using QWERTY, which logs the user's keystroke activities with timestamps.




% this part will bold the caption title
\captionsetup[figure]{labelfont={bf}, name={Figure}, labelsep=period}

\begin{figure}[h]
  \centering
  \includegraphics[width=0.195\textwidth]{Graphics/way2021-zhou.jpg}
  \vspace{-3mm}
  \caption{A screenshot of the shoulder-surfing setting}
  \label{fig:Figure}
\end{figure}




\subsection{Study Design}

The study was approved by the Institutional Review Board of the authors' home institution. The participants were first introduced to the objectives and procedure of the study in a designated lab. After signing the consent form, the participants received training on password authentication methods using QWERTY and another keyboard. To make sure that the participants were familiar with the password authentication methods regardless of their prior experience, they were asked to go through two weeks of daily practice with both password authentication methods by entering a new set of 20 passwords. Finally, the participants were asked to take a test in the lab by entering a new set of 40 passwords. Only those participants who kept up with the daily practice and achieved a sufficient level of accuracy (75\% or higher) in the final lab-based test were eligible to participate in the shoulder-surfing study. Accuracy was defined as the percentage of characters in the passwords that were entered correctly.\\
The shoulder-surfing session was conducted in a lab, where the participants were asked to play the role of an attacker. The attacker's task was to identify passwords based on their observations of mobile user authentication attempts. To simulate the opportunistic observer model, we pre-recorded videos of password-based sessions of an expert user. The use of an expert user followed previous shoulder-surfing studies [6, 19]; it not only allowed us to manipulate the password entry performance to match the level of an average user but also helped to minimize the confounding factors that recording participants themselves would introduce. We developed a web-based experiment system to support the experiment. The system allowed the participants to watch the videos and enter and/or correct their passwords. Participants' video watching and password-entering behaviors (e.g., letter and deletion operations) were recorded in a server log. The participants did not receive any feedback on the accuracy of their entered passwords throughout the experiment. Each password was eight characters long and did not appear in dictionaries (e.g., mkxcrdqu), to balance security and complexity.\\
\\
The participants received training with the experiment system and practiced shoulder-surfing attacks with sample video clips of password authentication sessions similar to those used in the formal study before proceeding with the formal tasks. The participants were also informed that they would observe each authentication session three times in a row, make one password entry attempt after each observation, and that each password was eight characters long. The shoulder-surfing attacks in the formal tasks were performed under a variety of settings. In this paper, we focus on the setting where the participants observed the QWERTY-based password authentication method from a near distance while the authentication was performed using the thumb of the same hand that holds the device.\\
As it is common to use student participants in mobile user authentication studies [20,21], we recruited participants via a university mailing list. Of the 17 participants, 13 successfully completed all experiment tasks, and each of them received a \$45 gift card. All the participants were English speakers and had interacted with mobile devices in the past three months. Nine participants were aged 19 to 24 years and four were aged 25 to 36 years; five were male and eight were female.


\subsection{Variables and Measurements}
Given the novelty of the research problem, we introduce the following variables to measure attackers' shoulder-surfing behavior.

\begin{itemize}
  \item Guessed password length is defined as the number of characters included in each password guess,
  \item Specificity is defined as the percentage of correctly identified characters in a password guess, and
  \item Sensitivity is defined as the percentage of characters in the actual password that are guessed correctly.
\end{itemize}

The following three measures were introduced specifically to understand attackers' possible coordination behavior across multiple observation attempts.

\begin{itemize}
  \item Levenshtein Distance measures the discrepancy between two strings of characters [22]; it is defined as the minimum number of single-character edits needed to transform one password guess into another.
  \item Modification is defined as the percentage of participants who revise a password guess based on the previous password guess(es).
  \item Deletion refers to the number of deletion operations performed in each password observation attempt.
\end{itemize}




%----------------------------------------------------------
\section{Results}
%----------------------------------------------------------

The descriptive statistics of shoulder-surfing behavior and across-attempt coordination behavior are reported in Table 1. Since modification and Levenshtein Distance are measured between attempts, we report them separately in Table 2. To test the effect of multiple observation attempts on shoulder-surfing behavior and performance, we performed a one-way repeated-measures ANOVA with attempt as the independent variable and each of the shoulder-surfing and coordination behavior measures as the dependent variable in turn. For the Levenshtein Distance, we analyzed the effect of attempt using a paired-sample t-test.\\
The analyses of specificity did not yield a significant main effect (p>.1). However, the results show that specificity gradually increases as the number of observations increases. In addition, four out of the thirteen participants correctly identified the actual password within the three attempts. Among them, three participants made a correct guess in the first attempt and one participant made it in the second attempt. Of the three who succeeded in the first attempt, only one kept the correct guess over the two subsequent observations; the other two revised their guesses to incorrect ones in the second and third attempts, respectively. There was no change for the participant who made a correct guess in the second attempt.\\
Given the significant main effect for sensitivity (p<.05), we followed up with post-hoc multiple comparisons. The results are reported in Table 3. There was a significant difference in sensitivity between the first two attempts (p<.05) and between the first and the third attempts (p<.001), but the difference between the last two attempts was not significant (p>.1).\\
In addition, the analyses yielded a significant main effect for guessed password length (p<.01). The results of post-hoc multiple comparisons reveal that the guessed length increased from the first to the third attempt (p<0.01) and from the first to the second attempt (p<0.05), and the increase in guessed length from the second to the third attempt was marginally significant (p<0.1).\\
Further, the analysis of Levenshtein Distance yielded a marginally significant effect of attempt (p<.1). Specifically, the distance between the first two attempts is greater than that between the last two attempts. A comparison of modification between attempts shows that modification increases with the number of attempts. However, the analysis of deletion does not reveal a significant effect of attempt (p>.1).

\newpage


% inserting Table 1--------------------------------------------------------------

\begin{center}
  \textbf{Table 1: Descriptive statistics (mean (std)) for shoulder-surfing behavior}
  \vspace{-1em}
\end{center}

\begingroup
\setlength{\tabcolsep}{8pt}          % fixing the width of Table Cell
\renewcommand{\arraystretch}{2.3}    % fixing the height of Table Cell
\begin{center}
  \scriptsize
  \begin{tabular}{ |c|c|c|c| }
    \hline
    \bf Variables & \bf Attempt 1 & \bf Attempt 2 & \bf Attempt 3 \\
    \hline
    \bf Specificity & 0.732 (0.182) & 0.788 (0.184) & 0.812 (0.171) \\
    \hline
    \bf Sensitivity & 0.538 (0.194) & 0.712 (0.194) & 0.817 (0.141) \\
    \hline
    \bf Guessed password length & 5.923 (2.019) & 7.308 (1.312) & 8.154 (0.689) \\
    \hline
    \bf Deletion & 0.077 (0.277) & 1.462 (1.898) & 1.538 (2.727) \\
    \hline
  \end{tabular}
\end{center}
\endgroup


% inserting Table 2--------------------------------------------------------------
\begin{center}
  \textbf{Table 2: Descriptive statistics (mean (std)) of shoulder-surfing coordination behavior}
  \vspace{-.3em}
\end{center}
\begingroup
\setlength{\tabcolsep}{11pt}         % fixing the width of Table Cell
\renewcommand{\arraystretch}{2.6}    % fixing the height of Table Cell
\begin{center}
  \scriptsize
  \begin{tabular}{ |c|c|c| }

    \hline
    \bf Variables & \bf 1 to 2 & \bf 2 to 3 \\
    \hline
    \bf Levenshtein Distance & 3.154 (1.214) & 1.923 (1.801) \\
    \hline
    \bf Modification* & 76.9\% & 92.3\% \\
    \hline
  \end{tabular}\\
\end{center}
\endgroup
\begin{center}
  \vspace{-.6em}
  \footnotesize Note: *: Binary variable, reported as a percentage.
\end{center}


% inserting Table 3--------------------------------------------------------------
\begin{center}
  \textbf{Table 3: Post-hoc Multiple Comparison Results}
  \vspace{-.3em}
\end{center}
\begingroup
\setlength{\tabcolsep}{11pt}         % fixing the width of Table Cell
\renewcommand{\arraystretch}{3.3}    % fixing the height of Table Cell
\begin{center}
  \scriptsize
  \begin{tabular}{ |c|c|c|c| }
    \hline
    \bf Variables & \bf 1 Vs. 2 & \bf 2 Vs. 3 & \bf 1 Vs. 3 \\
    \hline
    \bf Sensitivity & \shortstack{p=0.032 \\ (0.173)} & \shortstack{p=.124 \\ (0.106)} & \shortstack{p=.0003 \\ (0.278)} \\
    \hline
    \bf Guessed password length & \shortstack{p=.049 \\ (1.385)} & \shortstack{p=.051 \\ (0.846)} & \shortstack{p=.001 \\ (2.231)} \\
    \hline
  \end{tabular}

\end{center}
\endgroup

\begin{center}
  \vspace{-.6em}
  \footnotesize Note: p-values are reported, and mean differences are in parentheses.
\end{center}
\vspace{1em}
%----------------------------------------------------------------------------------------
\section{Discussion and Conclusion}
%----------------------------------------------------------------------------------------

Although the security vulnerability of password-based mobile user authentication has received widespread attention, there are few research studies of attackers' shoulder-surfing on mobile devices. In this study, we empirically investigate the behaviors attackers display in shoulder-surfing while targeting mobile user authentication. Based on an analysis of server log files, we were able to identify several behavioral patterns of shoulder-surfers across multiple attempts.\\
First, the sensitivity of password guesses improves and the length of password guesses increases over time. These findings are in line with cognitive load theory, which holds that humans have limited working memory for processing information. The capacity of short-term memory is estimated to be in the order of four items [23], which is much less than the length of the passwords used in our experiments. Studies have shown that repetition is one of the most powerful influencers on memory [24]. The effect of repetition on memory judgments is particularly pronounced [24].\\
Second, based on the Levenshtein Distance, there was a greater amount of modification between the first and second attempts than between the last two attempts. Similarly, there was a greater change in guessed password length between the first two attempts than between the last two attempts. These observations further underline the importance of repetition for shoulder-surfing: even one additional attempt can make a significant difference in shoulder-surfing outcomes.\\
Third, although provided with the option of modifying their previous guesses, a few participants still chose to redo the entire observation in subsequent attempts. One explanation is that these attacker participants had to make significant modifications to their previous guesses, and it might be more efficient to start from scratch than to make incremental changes.\\
The above findings on the temporal patterns of shoulder-surfing behaviors suggest that attackers are strategic in observing user passwords.\\
This research has some limitations that invite future research. First, although it is not uncommon to use a small sample size in controlled lab experiments for mobile user authentication studies [25,26], this research could benefit from a larger sample drawn from a more diverse population. Second, the attacker participants were informed at the beginning of the study that they would have the opportunity to make three observations. The findings on behavioral patterns and strategies of shoulder-surfing may not generalize to other settings. Third, the password length was set to eight. In reality, the length of user passwords varies significantly. Thus, it would be fruitful to replicate this study with passwords of varying length to understand the possible influence of password length on shoulder-surfing behaviors. Fourth, we used video recordings of password-based mobile user authentication sessions as stimuli in the user study. In addition to observation-based attacks, attackers could also launch recorded attacks. It is a worthy effort to study the behavioral patterns of recorded attacks separately. Our research paves the way for future research in this area.

%----------------------------------------------------------
\section*{Acknowledgement}
%----------------------------------------------------------
This research was partially supported by the National Science Foundation (Award \#s: CNS 1917537 and SES 1912898). Any opinions, findings, and conclusions, or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the above funding agency.
%-------------------------------------------------------------------------------

% Bibliography Codes
\input{usenix2021_SOUPS.bib}

\newpage
%---------------------------------------------------------------------


% commented code as appendix

%---------------------------------------------------------------------
\definecolor{codegreen}{rgb}{0,0.6,0}
\definecolor{codegray}{rgb}{0.5,0.5,0.5}
\definecolor{codepurple}{rgb}{0.58,0,0.82}
\definecolor{backcolour}{rgb}{0.95,0.95,0.92}

\lstdefinestyle{mystyle}{
  backgroundcolor=\color{backcolour},
  commentstyle=\color{codegreen},
  keywordstyle=\color{magenta},
  numberstyle=\tiny\color{codegray},
  % stringstyle=\color{codepurple},
  % texcsstyle=\color{codepurple},
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  numbers=left,
  numbersep=5pt,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2
}

\lstset{style=mystyle}
\begin{center}
  \Large\textbf{Appendix}\\
  Code with comments.\\
  \vspace{1em}
  \Large Style File
\end{center}

\lstinputlisting[language=tex]{usenix2021_SOUPS.sty}

\newpage

\begin{center}
  \Large Main Latex File
\end{center}

\lstinputlisting[language=tex]{usenix2021_SOUPS.tex}

\newpage

\begin{center}
  \Large Bibliography File
\end{center}

\lstinputlisting[language=tex]{usenix2021_SOUPS.bib}

\end{document}
Bibliography File


\bibliographystyle{plain} % this is a plain bib style

% we are minimizing gap between the bibs
\let\OLDthebibliography\thebibliography
\renewcommand\thebibliography[1]{
\OLDthebibliography{#1}
\setlength{\parskip}{0pt}
\setlength{\itemsep}{0pt plus 0.3ex}
}
%------------------------------------------------------------------------------------------

\begin{thebibliography}{9}

\bibitem{one} % first bib item --------------------------------------------
K. Wang, L. Zhou, and D. Zhang, User Preferences and Situational Needs of Mobile User Authentication Methods, 2019, pp. 18--23. doi: 10.1109/ISI.2019.8823274
%------------------------------------------------------------------------------------------

\bibitem{two} % 2nd bib item --------------------------------------------
J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, in 2012 IEEE Symposium on Security and Privacy, May 2012, pp. 553--567. doi: 10.1109/SP.2012.44.
%------------------------------------------------------------------------------------------

\bibitem{three} % 3rd bib item --------------------------------------------
D. Wang, Z. Zhang, P. Wang, J. Yan, and X. Huang, Targeted Online Password Guessing: An Underestimated Threat, in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, Oct. 2016, pp. 1242--1254. doi: 10.1145/2976749.2978339.
%------------------------------------------------------------------------------------------

\bibitem{four} % 4th bib item --------------------------------------------
E. Conrad, Chapter 9 - Domain 9: Operations Security, in Eleventh Hour CISSP, E. Conrad, Ed. Boston: Syngress, 2011, pp. 147--160. doi: 10.1016/B978-1-59749-566-0.00009-6.
%------------------------------------------------------------------------------------------

\bibitem{five} % 5th bib item --------------------------------------------
F. Schaub, R. Deyhle, and M. Weber, Password Entry Usability and Shoulder Surfing Susceptibility on Different Smartphone Platforms, in Proceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia, New York, NY, USA, 2012, p. 13:1--13:10. doi: 10.1145/2406367.2406384.
%------------------------------------------------------------------------------------------

\bibitem{six} % 6th bib item --------------------------------------------
A. J. Aviv, J. T. Davin, F. Wolf, and R. Kuber, Towards Baselines for Shoulder Surfing on Mobile Authentication, Proceedings of the 33rd Annual Computer Security Applications Conference on - ACSAC 2017, pp. 486--498, 2017, doi: 10.1145/3134600.3134609.
%------------------------------------------------------------------------------------------

\bibitem{seven} % 7th bib item --------------------------------------------
K. Wang, L. Zhou, D. Zhang, Z. Liu, and J. Lim, What is More Important for Touch Dynamics based Mobile User Authentication?, p. 15, 2020.
%------------------------------------------------------------------------------------------

\bibitem{eight} % 8th bib item --------------------------------------------
C. Castelluccia, M. Durmuth, and D. Perito, Adaptive Password-Strength Meters from Markov Models, p. 14.
%------------------------------------------------------------------------------------------

\bibitem{nine} % 9th bib item --------------------------------------------
B. Ur et al., Poster: The Art of Password Creation.
%------------------------------------------------------------------------------------------

\bibitem{ten} % 10th bib item --------------------------------------------
C. Herley and P. Van Oorschot, A Research Agenda Acknowledging the Persistence of Passwords, IEEE Security Privacy, vol. 10, no. 1, pp. 28--36, Jan. 2012, doi: 10.1109/MSP.2011.150.
%------------------------------------------------------------------------------------------

\bibitem{eleven} % 11th bib item --------------------------------------------
J. Yan, A. Blackwell, R. Anderson, and A. Grant, Password memorability and security: empirical results, IEEE Security Privacy, vol. 2, no. 5, pp. 25--31, Sep. 2004, doi: 10.1109/MSP.2004.81.
%------------------------------------------------------------------------------------------

\bibitem{twelve} % 12th bib item --------------------------------------------
O. Wiese and V. Roth, See you next time: a model for modern shoulder surfers, in Proceedings of the 18th International Conference on Human-Computer Interaction with Mobile Devices and Services, New York, NY, USA, Sep. 2016, pp. 453--464. doi: 10.1145/2935334.2935388.
%------------------------------------------------------------------------------------------

\bibitem{thirteen} % 13th bib item --------------------------------------------
H. Khan, U. Hengartner, and D. Vogel, Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing, in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI 18, Montreal QC, Canada, 2018, pp. 1--10. doi: 10.1145/3173574.3173738.
%------------------------------------------------------------------------------------------

\bibitem{fourteen} % 14th bib item --------------------------------------------
F. Tari, A. A. Ozok, and S. H. Holden, A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords, in Proceedings of the second symposium on Usable privacy and security - SOUPS 06, Pittsburgh, Pennsylvania, 2006, p. 56. doi: 10.1145/1143120.1143128.
%------------------------------------------------------------------------------------------

\bibitem{fifteen} % 15th bib item --------------------------------------------
A. De Luca, E. von Zezschwitz, L. Pichler, and H. Hussmann, Using fake cursors to secure on-screen password entry, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems - CHI 13, Paris, France, 2013, p. 2399. doi: 10.1145/2470654.2481331.
%------------------------------------------------------------------------------------------

\bibitem{sixteen} % 16th bib item --------------------------------------------
M. Khamis, F. Alt, M. Hassib, E. von Zezschwitz, R. Hasholzner, and A. Bulling, GazeTouchPass: Multimodal Authentication Using Gaze and Touch on Mobile Devices, in Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems, New York, NY, USA, May 2016, pp. 2156--2164. doi: 10.1145/2851581.2892314.
%------------------------------------------------------------------------------------------

\bibitem{seventeen} % 17th bib item --------------------------------------------
F. Schaub, M. Walch, B. Könings, and M. Weber, Exploring the design space of graphical passwords on smartphones, in Proceedings of the Ninth Symposium on Usable Privacy and Security - SOUPS 13, Newcastle, United Kingdom, 2013, p. 1. doi: 10.1145/2501604.2501615.
%------------------------------------------------------------------------------------------

\bibitem{eighteen} % 18th bib item --------------------------------------------
P. Dunphy, A. P. Heiner, and N. Asokan, A closer look at recognition-based graphical passwords on mobile devices, in Proceedings of the Sixth Symposium on Usable Privacy and Security, New York, NY, USA, Jul. 2010, pp. 1--12. doi: 10.1145/1837110.1837114.
%------------------------------------------------------------------------------------------

\bibitem{nineteen} % 19th bib item --------------------------------------------
O. Wiese and V. Roth, Pitfalls of Shoulder Surfing Studies, Jan. 2015. doi: 10.14722/usec.2015.23007
%------------------------------------------------------------------------------------------

\bibitem{twenty} % 20th bib item --------------------------------------------
W. Meng, Y. Wang, D. S. Wong, S. Wen, and Y. Xiang, TouchWB: Touch behavioral user authentication based on web browsing on smartphones, Journal of Network and Computer Applications, vol. 117, pp. 1--9, Sep. 2018, doi: 10.1016/j.jnca.2018.05.010.
%------------------------------------------------------------------------------------------

\bibitem{twenty one} % 21st bib item --------------------------------------------
S. Sen and K. Muralidharan, Putting pressure on mobile authentication, in 2014 Seventh International Conference on Mobile Computing and Ubiquitous Networking (ICMU), Jan. 2014, pp. 56--61. doi: 10.1109/ICMU.2014.6799058.
%------------------------------------------------------------------------------------------

\bibitem{twenty two} % 22nd bib item --------------------------------------------
L. Bošnjak and B. Brumen, Shoulder surfing: From an experimental study to a comparative framework, International Journal of Human-Computer Studies, vol. 130, pp. 1--20, Oct. 2019, doi: 10.1016/j.ijhcs.2019.04.003.
%------------------------------------------------------------------------------------------

\bibitem{twenty three} % 23rd bib item --------------------------------------------
N. Cowan, The magical number 4 in short-term memory: A reconsideration of mental storage capacity, Behavioral and Brain Sciences, vol. 24, no. 1, pp. 87--114, Feb. 2001, doi: 10.1017/S0140525X01003922.
%------------------------------------------------------------------------------------------

\bibitem{twenty four} % 24th bib item --------------------------------------------
D. L. Hintzman, Repetition and Memory 11 Preparation of this chapter was supported by a grant GB-40360 from the National Science Foundation. Special thanks are due to Michael J. Hacker and James V. Hinrichs for making their unpublished data available to the author., in Psychology of Learning and Motivation, vol. 10, G. H. Bower, Ed. Academic Press, 1976, pp. 47--91. doi: 10.1016/S0079-7421(08)60464-8
%------------------------------------------------------------------------------------------

\bibitem{twenty five} % 25th bib item --------------------------------------------
S. A. Alsuhibany, M. Almushyti, N. Alghasham, and F. Alkhudhayr, The impact of using different keyboards on free-text keystroke dynamics authentication for Arabic language, Information \& Computer Security, vol. 27, no. 2, pp. 221--232, Jan. 2019, doi: 10.1108/ICS-09-2017-0062.
%------------------------------------------------------------------------------------------

\bibitem{twenty six} % 26th bib item --------------------------------------------
K. Vertanen and P. O. Kristensson, Complementing text entry evaluations with a composition task, ACM Trans. Comput.-Hum. Interact., vol. 21, no. 2, p. 8:1--8:33, Feb. 2014, doi: 10.1145/2555691.
%------------------------------------------------------------------------------------------

\end{thebibliography}