Traditional authentication schemes, such as textual passwords, PINs, and graphical passwords, suffer from shoulder surfing: an attacker can steal a password by looking over the victim's shoulder while the password is entered. Losing password credentials to shoulder surfing often results in financial losses, leakage of critical information, and other serious consequences.
Pressure passwords, which encode the variations of pressure over a period of time as a password, can effectively resist shoulder surfing because it is hard to measure pressure visually, even at close proximity or from a favorable observing angle.
U.S. Pat. No. 6,509,847 to Glen J. Anderson, issued on Jan. 21, 2003, for example, discloses a method for inputting an access code via temporal variations in the amount of pressure applied to a touch interface. In this invention, the temporal pressure variation is converted to a digital code which can be compared with a stored code template.
Similarly, U.S. Patent application US20120126941, by Henry Dunstan COGGILL, Slough (GB), published on May 24, 2012, teaches another pressure password for a touchscreen device. Under this scheme, a user is required to press multiple touch regions as a password.
However, current pressure password authentication methods suffer from common usability and security drawbacks:
First, current pressure passwords are difficult to remember. The variation of pressure is often very abstract and can be a challenge for a user to remember. Because of this, users might choose simple passwords, such as short passwords or passwords with simple rhythms. These simple passwords are vulnerable to brute force attacks.
Second, current pressure passwords are not secure. The action of pressing a touch interface or changing the pressure can still be detected by an advanced attacker. For example, when a user presses a touch interface with his or her fingers, the color of the fingertips and/or the angles of the finger joints may change accordingly. An advanced attacker can then measure the interval between each pressure change and recover the whole password. In many cases, an attacker may have a video recording of the password being entered, and the password can then be stolen by replaying the video multiple times.