Putting ‘pressure’ on mobile authentication

Using a 4 digit passcode as authentication is popular among most smartphone users. However, this type of authentication is highly susceptible to a brute force or shoulder surfing attack. Further, it is not uncommon for close family members or friends to already be aware of this secret passcode. The key limitation of such an approach is that it is solely dependent on `what a user knows´. We present an authentication mechanism that overcomes this limitation by including an additional factor of `what a user is´. In our scheme, in addition to knowing the passcode, we capture the behaviour in which the passcode is entered. We model this behaviour in terms of the pressure applied on the screen by the user as well the duration the screen is pressed for. A key challenge of this approach is to ensure security without forgoing usability. This is particularly hard given the constraints of mobile computing. We tested our authentication mechanism through a user study of 10 participants and initial results show that our approach is both secure and usable.