Understanding Attacking Behaviors Toward Password-based Mobile User Authentication


Lina Zhou and Kanlun Wang, UNC Charlotte; Jianwei Lai, Illinois State University; Dongsong Zhang, UNC Charlotte


Password-based mobile user authentication is vulnerable to a variety of security threats, and shoulder surfing underlies many of them. Despite a large body of research on password security with mobile devices, existing studies have focused on shaping the security behavior of mobile users by increasing the strength of user passwords or by establishing secure password composition policies. Little is known about how an attacker actually goes about observing a target user's password. This study empirically examines attackers' behavior while observing password-based mobile user authentication sessions across three observation attempts. Data were collected in a longitudinal user study and analyzed from the system log. The results reveal several behavioral patterns of attackers, and the findings suggest that attackers are strategic in carrying out shoulder-surfing attacks. The findings have implications for enhancing users' password security and for refining organizations' password composition policies.

    author = {Zhou, Lina and Wang, Kanlun and Lai, Jianwei and Zhang, Dongsong},
    title = {{Understanding Attacking Behaviors Toward Password-based Mobile User Authentication}},
    booktitle = {Who Are You?! Adventures in Authentication Workshop},
    year = {2021},
    series = {WAY~'21},
    pages = {1--5},
    address = {Virtual Conference},
    month = aug,
    publisher = {}
} % No publisher