Fast and secure authentication in virtual reality using coordinated 3D manipulation and pointing

Mathis, F., Williamson, J. H. , Vaniea, K. and Khamis, M. (2021) Fast and secure authentication in virtual reality using coordinated 3D manipulation and pointing. ACM Transactions on Computer-Human Interaction, 28(1), 6. (doi: 10.1145/3428121)

[img] Text
223922.pdf - Accepted Version



There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth’s usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69–3.5 s using controller tapping, 2.35–4.68 s using head pose and 2.39 –4.92 s using eye gaze, and highly resilient to observations: 96–99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45n for an n-symbols password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

Item Type:Articles
Additional Information:This publication was supported by the University of Edinburgh and the University of Glasgow jointly funded PhD studentships , by the Erasmus+ internship grant from the LMUMunich, and by the Royal Society of Edinburgh (award number #65040).
Glasgow Author(s) Enlighten ID:Khamis, Dr Mohamed and Mathis, Mr Florian and Williamson, Dr John
Authors: Mathis, F., Williamson, J. H., Vaniea, K., and Khamis, M.
College/School:College of Science and Engineering > School of Computing Science
Journal Name:ACM Transactions on Computer-Human Interaction
Journal Abbr.:TOCHI
Publisher:ACM Association for Computing Machinery
ISSN (Online):1557-7325
Copyright Holders:Copyright © 2021 The Authors
First Published:First published in ACM Transactions on Computer-Human Interaction 28(1):6
Publisher Policy:Reproduced in accordance with the copyright policy of the publisher

University Staff: Request a correction | Enlighten Editors: Update this record

Project CodeAward NoProject NamePrincipal InvestigatorFunder's NameFunder RefLead Dept
309501RSE EnterpriseMohamed KhamisThe Royal Society of Edinburgh (ROYSOCED)65040Computing Science
310627TAPS: Assessing, Mitigating and Raising Awareness of the Security and Privacy Risks of Thermal ImagingMohamed KhamisEngineering and Physical Sciences Research Council (EPSRC)EP/V008870/1Computing Science