Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing

Abstract: There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head … Show more

“…74 1. Attackers' confidence together with their notably low successful attack rate on eye gaze is inline with prior work that emphasises the high resistance to observations of gaze-based authentication [28,46,61,68]. When comparing attackers' confidence between the two study types, we found a significant three-way interaction effect (input method × threat model × study type), F 1.399,47.582 = 10.485, p<0.05.…”

“…Participants of the security study also took part in a draw to receive an additional £7.50 based on their observation performance. This compensation method was also used in CueAuth [52] and is commonly used to motivate participants in security studies [29,67,68]. Participants could optionally share photos of any notes they took during the security study for an additional compensation of £0.5.…”

RepliCueAuth: Validating the Use of a Lab-Based Virtual Reality Setup for Evaluating Authentication Systems

“…74 1. Attackers' confidence together with their notably low successful attack rate on eye gaze is inline with prior work that emphasises the high resistance to observations of gaze-based authentication [28,46,61,68]. When comparing attackers' confidence between the two study types, we found a significant three-way interaction effect (input method × threat model × study type), F 1.399,47.582 = 10.485, p<0.05.…”

“…Participants of the security study also took part in a draw to receive an additional £7.50 based on their observation performance. This compensation method was also used in CueAuth [52] and is commonly used to motivate participants in security studies [29,67,68]. Participants could optionally share photos of any notes they took during the security study for an additional compensation of £0.5.…”

RepliCueAuth: Validating the Use of a Lab-Based Virtual Reality Setup for Evaluating Authentication Systems

“…There are also prototype systems that were not built to transition into practice, but rather to shed light on users' perception of different authentication concepts on doors (Mecke et al, 2018) or on mobile devices (Prange et al, 2020). USEC researchers have also built prototype systems to investigate the extent to which security systems from mobile devices can be adapted for virtual reality applications (George et al, 2017) or to study the impact of different input techniques and threat models on users' security (Mathis, Williamson, et al, 2021). In these cases, the primary research goal is not necessarily to transition the prototype into practice but rather to make significant contributions to USEC's research field, facilitate learning, and inspire potential future research.…”

Prototyping Usable Privacy and Security Systems: Insights from Experts

“…Other work by Gleeson et al [21] showed that different hand gestures performed by a robot can be interpreted with high accuracy by observers. There are some additional works where the visual identification of human gestural movements plays an important role (e.g., when observing user interactions to assess a system's security [1,43]). Abdrabou et al [1], for example, studied to what extent hand gestures and multimodal approaches (e.g., eye gaze + hand gestures) can be leveraged for user authentication and concluded that user interactions based on hand gestures only are easier to observe than multimodal approaches.…”

“…For example, what we know from the real world when another human is looking over someone's shoulder, also defined as "shoulder-surfing" [12], could happen in a similar way in virtual environments. Researchers recently looked into adapting established real-world authentication schemes for VR [19,51] or proposed novel VR authentication schemes [18,43]. Being able to use abstract avatars instead of more realistic avatars can be particularly helpful for such "shouldersurfing" investigations in VR: they likely reduce the required effort, expertise, and amount of additional hardware that is required.…”

Observing Virtual Avatars: The Impact of Avatars’ Fidelity on Identifying Interactions