Enlighten Publications

In this section

Fast and secure authentication in virtual reality using coordinated 3D manipulation and pointing

Mathis, F., Williamson, J. H. , Vaniea, K. and Khamis, M. (2021) Fast and secure authentication in virtual reality using coordinated 3D manipulation and pointing. ACM Transactions on Computer-Human Interaction, 28(1), 6. (doi: 10.1145/3428121)

Text
223922.pdf - Accepted Version
12MB

Abstract

There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth’s usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69–3.5 s using controller tapping, 2.35–4.68 s using head pose and 2.39 –4.92 s using eye gaze, and highly resilient to observations: 96–99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45n for an n-symbols password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

Item Type:	Articles
Additional Information:	This publication was supported by the University of Edinburgh and the University of Glasgow jointly funded PhD studentships , by the Erasmus+ internship grant from the LMUMunich, and by the Royal Society of Edinburgh (award number #65040).
Status:	Published
Refereed:	Yes
Glasgow Author(s) Enlighten ID:	Khamis, Dr Mohamed and Mathis, Mr Florian and Williamson, Dr John
Authors:	Mathis, F., Williamson, J. H., Vaniea, K., and Khamis, M.
College/School:	College of Science and Engineering > School of Computing Science
Journal Name:	ACM Transactions on Computer-Human Interaction
Journal Abbr.:	TOCHI
Publisher:	ACM Association for Computing Machinery
ISSN:	1073-0516
ISSN (Online):	1557-7325
Copyright Holders:	Copyright © 2021 The Authors
First Published:	First published in ACM Transactions on Computer-Human Interaction 28(1):6
Publisher Policy:	Reproduced in accordance with the copyright policy of the publisher

University Staff: Request a correction | Enlighten Editors: Update this record

Funder and Project Information

Project Code	Award No	Project Name	Principal Investigator	Funder's Name	Funder Ref	Lead Dept
309501		RSE Enterprise	Mohamed Khamis	The Royal Society of Edinburgh (ROYSOCED)	65040	Computing Science
310627		TAPS: Assessing, Mitigating and Raising Awareness of the Security and Privacy Risks of Thermal Imaging	Mohamed Khamis	Engineering and Physical Sciences Research Council (EPSRC)	EP/V008870/1	Computing Science

Deposit and Record Details

ID Code:	223922
Depositing User:	Dr Mohamed Khamis
Datestamp:	08 Oct 2020 12:41
Last Modified:	04 Apr 2022 13:34
Date of acceptance:	5 October 2020
Date of first online publication:	January 2021
Date Deposited:	21 October 2020
Data Availability Statement:	No