• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.1138-1141
• /
• 2010

모바일 기기나 ATM에서의 사용자 인증에는 PIN(Personal Identification Number)이 주로 사용된다. 그 이유는, PIN은 사용자가 외우기 쉽고 단순한 UI(User Interface)로 구현이 가능하다는 장점이 있기 때문이다. 하지만 PIN은 어깨너머 공격에 취약하다는 단점이 있다. 기존의 연구들은 이미지 기반, 인식 기반, PIN과 이미지의 혼합방식을 이용한 다양한 사용자 인증 방법들을 제안하였다. 하지만 이들 연구는 모바일의 작은 화면을 고려하지 않아 구현이 어렵거나, 어깨너머 공격에 취약하거나, 사용자에게 기억에 대한 부담을 증가시키는 등의 문제점이 있다. 본 논문에서는 PIN과 패턴 이미지를 결합하여 모바일 기기에 적합하면서, 어깨너머 공격에 대해 기존의 방법들에 비해 안전하고 사용자가 외워야 하는 기호(숫자, 이미지 등)가 적은 사용자 인증 방법을 제안한다.

• Journal of Convergence for Information Technology
• /
• v.10 no.8
• /
• pp.144-151
• /
• 2020

User-authentication process is necessary in Fintech Service. Especially, authentication on smartphones are carried out through PIN which is inputted through virtual keypads on touch screen. Attacker can analogize password by watching touched letter and position over the shoulder or using high definition cameras. To prevent password spill, various research of virtual keypad techniques are ongoing. It is hard to design secure keypad which assures safety by fluctuative keypad and enhance convenience at once. Also, to reconfirm user whether password is wrongly pressed, the inputted information is shown on screen. This makes the password easily exposed through high definition cameras or Google Class during recording. This research analyzed QWERTY based secure keypad's merits and demerits. And through these features, creating Tetris shaped keypad and piece them together on Android environment, and showing inputted words as Tetris shape to users through smart-screen is suggested for the ways to prevent password spill by recording.

• Journal of Convergence for Information Technology
• /
• v.12 no.3
• /
• pp.38-45
• /
• 2022

Due to the development of fintech technology, financial transactions using smart phones are being activated. The password for user authentication during financial transactions is entered through the virtual keypad displayed on the screen of the smart phone. When the password is entered, the attacker can find out the password by capturing it with a high-resolution camera or spying over the shoulder. A virtual keypad with security applied to prevent such an attack is difficult to input on a small touch-screen, and there is still a vulnerability in peeping attacks. In this paper, the entire keypad is divided into several groups and displayed on a small screen, touching the group to which the character to be input belongs, and then touching the corresponding character within the group. The proposed method selects the group to which the character to be input belongs, and displays the keypad in the group on a small screen with no more than 10 keypads, so that the size of the keypad can be enlarged more than twice compared to the existing method, and the location is randomly placed, hence location of the touch attacks can be blocked.

• Journal of the Korea Society of Computer and Information
• /
• v.22 no.9
• /
• pp.65-71
• /
• 2017

This paper proposes a smart phone authentication method based on user's behavior and habit that is an authentication method against shoulder surfing attack and brute force attack. As smart phones evolve not only storage of personal data but also a key means of financial services, the importance of personal information security in smart phones is growing. When user authentication of smart phone, pattern authentication method is simple to use and memorize, but it is prone to leak and vulnerable to attack. Using the features of the smart phone pattern method of the user, the pressure applied when touching the touch pad with the finger, the size of the area touching the finger, and the time of completing the pattern are used as feature vectors and applied to user authentication security. First, a smart phone user models and stores three parameter values as prototypes for each section of the pattern. Then, when a new authentication request is made, the feature vector of the input pattern is obtained and compared with the stored model to decide whether to approve the access to the smart phone. The experimental results confirm that the proposed technique shows a robust authentication security using subjective data of smart phone user based on habits and behaviors.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1085-1095
• /
• 2015

In music theory, the triton is defined as a musical interval composed of three adjacent whole tones(or six semitones), which generates a harmonic and melodic dissonance. The triton paradox is an auditory illusion which is heard as ascending by some people and as descending by others. In this paper we examine an emerging non-static biometric technique that aims to identify users based on analyzing uniqueness and consistency through the user experiences. We also propose some authentication schemes which provides protection against key logging, shoulder surfing, and brute force attacks.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.9
• /
• pp.4560-4575
• /
• 2018

Since smartphone contains various personal data, security is one of the important aspects in smartphone technologies. Up to now, various authentication techniques have been proposed to protect smartphones. The pattern lock on the Android system is one of the most widely used authentication methods for low-cost devices but it is known to be vulnerable to smudge attack or shoulder surfing attack. LG's smartphone uses its own technique, which is called "Knock Code." The knock code completes the authentication by touching the user defined area in turn on the screen. In this paper, we propose the new, enhanced version of knock code by adding the sliding operation and by using flexible area recognition. We conducted security analysis, which shows that under the same password size, the search space is overwhelmingly larger than the original algorithm. Also, by using the sliding operation, the proposed scheme shows resilience against smudge attacks. We implemented the prototype of our scheme. Experimental results show that compared with the original Knock Code and Android pattern lock, our scheme is more convenient while providing better security.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.12 no.5
• /
• pp.915-922
• /
• 2017

The rapid increase in users of mobile smart devices has greatly expanded their range of activities. Compare to conventional mobile devices, smart devices have higher security requirements because they manage and use various kind of confidential information of the owners. However, the cation schemes provided by conventional smart devices are vulnerable to recent attacks such as shoulder surfing, recording, and smudge attacks, which are the social engineering attacks among the types of security attacks targeting the smart devices. In this paper, we propose a novel authentication method that is robust against social engineering attacks but sufficiently considering user's convenience. The proposed method is robust by using combination of a graphical authentication method and a text-based authentication method. Furthermore, our method is easier to memorize the password compare to the conventional graphical authentication methods.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.369-383
• /
• 2018

User authentication using PIN input or lock pattern is widely used as a user authentication method of smartphones. However, it is vulnerable to shoulder surfing attacks and because of low complexity of PIN and lock pattern, it has low security. To complement these problems, keystroke dynamics have been used as an authentication method for complex authentication and researches on this have been in progress. However, many studies have used imposter data in classifier training and validation. When keystroke dynamics authentications are actually applied in reality, it is realistic to use only legitimate user data for training, and using other people's data as imposter training data may result in problems such as leakage of authentication data and invasion of privacy. In response, in this paper, we experiment and obtain the optimal ratio of the thresholds for distance based classification. By suggesting the optimal ratio, we try to contribute to the real applications of keystroke authentications.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.21 no.11
• /
• pp.2109-2114
• /
• 2017

Personal Identification Number (PIN) is the most common user-authentication method for the access control of private and commercial applications. The users need to enter PIN information to the applications whenever the users get access to the private services. However, the process imposes a burden on the users and is vulnerable to the potential shoulder-surfing attacks. In order to resolve both problems, we present a continuous authentication method for both smartphone and smartwatch, namely, synchronized authentication. First we analyze the previous smartwatch based authentication and point-out some shortcomings. In the proposed method, we verify the validity of user by analyzing the combined acceleration data of both smartphone and smartwatch. If the monitored sensor data shows the high correlations between them, the user is successfully authenticated. For the authentication test, we used the Samsung Galaxy Note5 and Sony Smartwatch2.

• KIPS Transactions on Computer and Communication Systems
• /
• v.7 no.5
• /
• pp.127-136
• /
• 2018

In this paper, we propose a PIN entry method that combines with machine learning technique on smartphone. We use not only a PIN but also touch time intervals and locations as factors to identify whether the user is correct or not. In the user registration phase, a remote server was used to train/create a machine learning model using data that collected from end-user device (i.e. smartphone). In the user authentication phase, the pre-trained model and the saved PIN was used to decide the authentication success or failure. We examined that there is no big inconvenience to use this technique (FRR: 0%) and more secure than the previous PIN entry techniques (FAR : 0%), through usability and security experiments, as a result we could confirm that this technique can be used sufficiently. In addition, we examined that a security incident is unlikely to occur (FAR: 5%) even if the PIN is leaked through the shoulder surfing attack experiments.