A Novel Two-Factor Authentication System Robust Against Shoulder Surfing

Mohammadreza Hazhirpasand Barkadehi, Mehrbakhsh Nilashi, Othman Ibrahim


To stop attackers from accessing the protected contents of a website or a mobile application, authentication systems in various forms have been presented. One of the challenging barriers in today's identification systems is unauthorized bystanders. This attack is mostly applicable to many sorts of authentication systems. To fight unauthorized eyes, many approaches have been proposed, each with its own pros and cons. In this paper, the proposed system is a two-factor authentication scheme used in conjunction with the owner's smartphone. To prevent malicious software from logging keystrokes or taking screenshots, and to prevent observers from memorizing hand movements on the keyboard or the mouse cursor on a virtual keyboard, the proposed system introduces a novel way to decrease the effect of these attacks.


User authentication, Two-step authentication, Shoulder surfing attack




Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.