Security researchers have tested the first prototypes of a secure authentication system that could one day replace PIN entry at cash points.
Called Undercover, the system was developed by Carnegie Mellon University researcher Nicolas Christin and two graduate students, one associated with Sharp and the other with Mitsubishi. The researchers detailed the scheme in a recently published study.
The challenge was to get around the factors that make PIN entry so vulnerable - for instance, the fact that anyone with sharp eyes or a set of concealed cameras can easily observe what keys a user is tapping.
To deal with such "observation attacks", Undercover conceals not the user's response, but the challenge to which they are responding, or at least part of it.
The prototype entry system Christin decided upon uses a motor-controlled trackball and a keypad with five colour-coded keys. The user places his left hand on the trackball, concealing it.
The system's challenge is to display on a screen a set of five images, one of which may be an image from a portfolio that the user has previously provided - for instance, a photo of a pet or a holiday snap. The user is asked to identify their own image, or to press a key signalling that none of the images are theirs.
The motor rotates the concealed trackball in a particular direction, which indicates the values assigned to the colour-coded keys - something that, in theory, no onlooker would be able to observe. The user then enters their response on the keypad.
The advantage of this system is that it makes an observation attack drastically more difficult, the researchers said. "We have reduced the problem from hiding the complete challenge to hiding one (or a few) bit(s) of information," they wrote.
The researchers carried out tests on 38 users, using both a standard PIN system and Undercover, where cameras recorded the users' movements. This allowed the researchers to discover all 38 PINs, even those of the more security-conscious users who covered one hand with the other.
On the other hand, the observation attack was only able to crack the Undercover system in a few cases, due to users involuntarily revealing the motion of the trackball for instance.
On the other hand, Undercover's style of authentication is undoubtedly more cumbersome to use - authentication took 25 seconds at a minimum, compared to a median time of 3.2 seconds for PIN entry.
Overall, the researchers found that the system proved usable, with some aspects looking particularly promising for future authentication systems.
"Our results show that users can authenticate within times comparable to that of graphical password schemes, with relatively low error rates, while being considerably better protected against observation attacks," they wrote. "The degree of complexity that two independent sensory signals can present while being successfully reassembled by a majority of people comes a bit as a surprise."
The researchers will present their work at a Computer Human Interaction (CHI) conference in Florence, Italy in April.