HapticLock: Eyes-Free Authentication for Mobile Devices

HapticLock uses non-visual interaction modalities for discreet eyes-free PIN entry. Users select PIN digits by swiping up or down (a), with Morse Code vibration patterns (b) for feedback about the currently selected digit. Users confirm selection with a double tap (c), to move to the next digit, continuing until the PIN is complete.

Overview

Smartphones provide access to increasing amounts of personal and sensitive information, yet are often only secured using methods that are prone to observational attacks. In a paper at the 2021 ACM International Conference on Multimodal Interaction, we present HapticLock, a novel haptic-only authentication method for mobile devices that uses non-visual interaction modalities for discreet PIN entry that is difficult to attack by shoulder surfing.

HapticLock touchscreen gestures: (a) swipe up or down to increase or decrease digit, respectively; (b) double tap to confirm digit; (c) two-finger tap to remove most recent digit; (d) long-press to check how many digits are entered.

We evaluated HapticLock in two studies. First, a usability experiment (N=20) finds that HapticLock enables effective PIN entry in secure conditions: e.g., in 23.5s with 98.3% success rate for a four-digit PIN entered from a random start digit. Second, a shoulder surfing experiment (N=15) finds that HapticLock is highly resistant to observational attacks. Even when interaction is highly visible, attackers need to guess the first digit when PIN entry begins with a random number, yielding a very low success rate for shoulder surfing. Furthermore, a device can be hidden from view during authentication.

Our use of haptic interaction modalities gives privacy-conscious mobile device users a usable and secure authentication alternative for sensitive situations. HapticLock is slower than normal PIN entry via touchscreen keyboard, which makes it unsuitable for high frequency usage (e.g., each time a smartphone needs unlocked). Our intention was to explore a secure alternative for privacy-conscious users who are accessing sensitive information, for infrequent but high-risk transactions, or authenticating in the presence of others. The benefits of eyes-free PIN entry are a worthy trade-off in such scenarios.

This work is described in a full paper at the 2021 ACM International Conference on Multimodal Interaction. This project was carried out by Gloria, one of my undergraduate students in the 2020-2021 academic year.

    HapticLock: Eyes-Free Authentication for Mobile Devices
    G. Dhandapani, J. Ferguson, and E. Freeman.
    In Proceedings of 23rd ACM International Conference on Multimodal Interaction – ICMI ’21, 195-202. 2021.

Video