PressPIN : Enabling Secure PIN Authentication on Mobile Devices via Structure-Borne Sounds

PIN authentication is widely used on mobile devices due to its usability and simplicity. However, it is known to be susceptible to shoulder surfing attacks, where an adversary spies the users PIN by direct human observation or camera-based recording. This paper proposes PressPIN, a novel enhanced PIN authenticator on mobile devices by sensing pressures from the users finger. Since pressure-sensitive touch screens are unavailable on most phones, we leverage the structure-borne propagation of sounds to estimate the pressure on the screen. The pressure code is difficult to be inferred by snooping or videotaping, and increases the entropy of passwords. In this way, PressPIN provides a low-cost, user-friendly, and more secure solution resistant to shoulder surfing attacks. Our extensive experiments with 30 participants and three types of smartphones demonstrate that PressPIN can authenticate legitimate users with high accuracy (e.g., as high as 96.7% within two trials), and is robust to various types of attacks (e.g., only 2.5% attack success rate even when the adversary can observe the legitimate users PIN sequence and finger pressing clearly). Additionally, PressPIN requires no additional hardware (e.g., the pressure sensor) and can be readily integrated into existing authentication systems of mobile devices.