Abstract
We present CipherCard, a physical token that defends
against shoulder-surfing attacks on user authentication on
touchscreen devices. Placed over a touchscreen pin-pad,
CipherCard remaps a user’s touch points on the physical
token to different locations on the pin-pad (i.e., acting as a
substitution cipher). It translates a visible user password
into a different system password received by a touchscreen,
hiding the system password from observers. CipherCard
enhances authentication security through Two-Factor
Authentication (TFA), in that both the correct user
password and a specific card are needed for authentication.
We explore the design space of CipherCard, and describe
three implemented variations, each with unique capabilities.
Based on user feedback, we discuss the security and
usability implications of CipherCard, and describe several
avenues for continued exploration.
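
The remapping described in the abstract can be modelled in a few lines. This is an added example, not code from the paper: it assumes a ten-key pin-pad and a card that maps every key to a different key one-to-one, and the names `make_card`, `through_card` and `authenticate` are hypothetical.

```python
import hmac
import secrets

PINPAD = "1234567890"  # assumed ten-key pin-pad layout


def make_card(rng=None):
    """Generate a card: a one-to-one remapping in which no key maps to itself."""
    rng = rng or secrets.SystemRandom()
    keys = list(PINPAD)
    while True:
        shuffled = keys[:]
        rng.shuffle(shuffled)
        if all(a != b for a, b in zip(keys, shuffled)):
            return dict(zip(keys, shuffled))


def through_card(card, user_password):
    """Translate the keys touched on the card into the keys the screen receives."""
    if any(k not in card for k in user_password):
        raise ValueError("password contains a key that is not on the pin-pad")
    return "".join(card[k] for k in user_password)


def authenticate(system_password, touches_received):
    """The device only ever compares against the system password."""
    return hmac.compare_digest(system_password, touches_received)


def demo():
    # Constructed sample values (two fixed cards and a password), not from the paper.
    card_a = dict(zip(PINPAD, PINPAD[3:] + PINPAD[:3]))
    card_b = dict(zip(PINPAD, PINPAD[7:] + PINPAD[:7]))
    user_password = "2580"  # what an observer sees being typed
    system_password = through_card(card_a, user_password)  # enrolled on the device
    return {
        "system_password": system_password,
        "right_card": authenticate(system_password, through_card(card_a, user_password)),
        "no_card": authenticate(system_password, user_password),
        "wrong_card": authenticate(system_password, through_card(card_b, user_password)),
    }


if __name__ == "__main__":
    print(demo())
```

An observer who learns the visible password still fails both without the card and with a different card, which is the two-factor property the abstract claims.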
Refereed: No