A Shoulder Surfing Resistant Graphical Authentication System



Password-based authentication is used widely in applications for computer security and privacy. However, human actions such as choosing weak passwords and entering passwords in an insecure way are regarded as "the weakest link" in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords that are either short or meaningful, for easy memorization. As web applications and mobile apps multiply, people can access these applications anytime and anywhere with a variety of devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks: attackers can observe directly or use external recording devices to collect users' credentials. To overcome this problem, we propose a novel graphical-password authentication system, PassMatrix, designed to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of the pass-images, PassMatrix gives attackers no hint with which to figure out or narrow down the password, even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real-user experiments to evaluate its memorability and usability. The experimental results show that the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.



  • Wiedenbeck et al. proposed PassPoints, in which the user picks several points (3 to 5) in an image during the password creation phase and, during the login phase, re-enters each of these pre-selected click-points in the correct order within its tolerance square. Compared with traditional PINs and textual passwords, the PassPoints scheme substantially increases the password space and improves password memorability.
  • David Kim et al. proposed a visual authentication scheme for tabletop interfaces called "Color Rings", where the user is assigned i authentication (key) icons, which are collectively assigned one of four color rings: red, green, blue, or pink.


  • Most existing image-based password schemes are vulnerable to shoulder surfing attacks (SSAs). This type of attack either uses direct observation, such as watching over someone's shoulder, or applies video capturing techniques to obtain passwords, PINs, or other sensitive personal information.
  • Some of them are not suitable for mobile devices, and most of them can easily be compromised by shoulder surfing if attackers use a video capturing device such as Google Glass.
  • The usability limitations include taking more time to log in, passwords being too difficult to recall after a period of time, and the authentication method being too complicated for users without proper education and practice.
  • If observers are able to capture the whole authentication process, the password can be recovered easily.
  • A large number of objects crowds the display and may make the objects indistinguishable.
  • These kinds of passwords can be cracked by intersecting the user's selections across logins, because the color of the assigned ring is fixed and a ring can include at most seven icons. Thus, the attacker needs only a limited number of observations to narrow down the user's password.


  • In this paper, we present a secure graphical authentication system named PassMatrix that protects users from becoming victims of shoulder surfing attacks when entering passwords in public, through the use of one-time login indicators.
  • A login indicator is randomly generated for each pass-image and becomes useless once the session terminates. The login indicator gives better security against shoulder surfing attacks, since users align a dynamic pointer with the position of their pass-square rather than clicking on the password object directly, so what an observer sees (the bar positions) does not reveal the pass-square without the indicator.
  • Existing graphical authentication schemes are vulnerable to shoulder surfing attacks. Hence, building on PassPoints, we add the ideas of one-time session passwords and distracters to develop our PassMatrix authentication system, which is resistant to shoulder surfing attacks.
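The following is an added worked example, not code from the PassMatrix project or the paper, modelling one login round of the scheme described above and the intersection attack mentioned under the disadvantages of Color Rings. It assumes details the page does not state: a 7 x 11 grid per pass-image, a horizontal bar carrying one letter per column and a vertical bar carrying one digit per row, a one-time indicator consisting of one letter and one digit shown only to the user, and a user response consisting of the circular offsets by which the two bars were shifted so the indicator's labels land on the pass-square. The project is written for Android in Java; Python is used here only to keep the model short and runnable.

```python
"""Model of a PassMatrix-style login round (added example, not the project's code).

Assumed layout (not specified on the page): ROWS x COLS grid, a horizontal
bar with COLS column labels, a vertical bar with ROWS row labels, and a
per-image one-time indicator (column label, row label) known only to the user.
"""
import secrets

ROWS, COLS = 7, 11              # assumed grid size for the example
H_LABELS = "ABCDEFGHIJK"        # horizontal bar: one label per column
V_LABELS = "1234567"            # vertical bar: one label per row
assert len(H_LABELS) == COLS and len(V_LABELS) == ROWS


def new_login_indicator():
    """Server side: draw a fresh one-time indicator for one pass-image."""
    return (secrets.randbelow(COLS), secrets.randbelow(ROWS))


def indicator_text(indicator):
    """Human-readable indicator as the user would see it, e.g. 'F2'."""
    return H_LABELS[indicator[0]] + V_LABELS[indicator[1]]


def user_response(pass_square, indicator):
    """Client side: the bar offsets the user dials so that the indicator's
    column label sits on the pass-square's column and its row label on the
    pass-square's row. These two offsets are all an observer can see."""
    (px, py), (ic, ir) = pass_square, indicator
    return ((px - ic) % COLS, (py - ir) % ROWS)


def verify_round(pass_square, indicator, response):
    """Server side: re-derive the square the shifted bars point at."""
    (ic, ir), (dh, dv) = indicator, response
    return ((ic + dh) % COLS, (ir + dv) % ROWS) == pass_square


def verify_login(pass_squares, indicators, responses):
    """Check every pass-image of the password. All rounds are evaluated,
    so the number of correct rounds is not leaked through an early exit."""
    if not (len(pass_squares) == len(indicators) == len(responses)):
        return False
    ok = True
    for sq, ind, resp in zip(pass_squares, indicators, responses):
        ok &= verify_round(sq, ind, resp)
    return ok


def demo_login(pass_squares):
    """One full login: fresh indicators, user responses, server check."""
    indicators = [new_login_indicator() for _ in pass_squares]
    responses = [user_response(sq, ind) for sq, ind in zip(pass_squares, indicators)]
    return verify_login(pass_squares, indicators, responses), responses


def squares_consistent_with(observed_responses):
    """Attacker side: squares that could have produced EVERY observed offset
    pair for SOME unknown indicator. Because each offset pair is reachable
    from every square, intersecting observations never shrinks the set."""
    consistent = {(x, y) for x in range(COLS) for y in range(ROWS)}
    for dh, dv in observed_responses:
        reachable = {((ic + dh) % COLS, (ir + dv) % ROWS)
                     for ic in range(COLS) for ir in range(ROWS)}
        consistent &= reachable
    return consistent


def squares_consistent_with_fixed_indicator(observed_responses, fixed):
    """Contrast: with a fixed, observable indicator (as with a direct click
    or a fixed ring colour) a single observation pins the square down."""
    ic, ir = fixed
    return {((ic + dh) % COLS, (ir + dv) % ROWS) for dh, dv in observed_responses}


if __name__ == "__main__":
    # Constructed three-image password: one pass-square per image.
    password = [(3, 2), (8, 5), (0, 6)]
    observed = []
    for attempt in range(5):                 # attacker films five logins
        accepted, responses = demo_login(password)
        observed.extend(responses)
        print(f"login {attempt + 1}: accepted={accepted}, bar offsets={responses}")
    print("squares still possible after 5 filmed logins:",
          len(squares_consistent_with(observed)), "of", ROWS * COLS)
```

The two attacker functions make the point of the one-time indicator concrete: with the indicator hidden, the candidate set after any number of filmed logins is still the whole grid, whereas with a fixed indicator a single observation identifies the square. A real deployment would also have to deliver the indicator over a channel the camera cannot see (for example audio, or a view covered by the user's hand) and rate-limit failed attempts, since the grid is small enough to guess online.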


  • The passwords of PassMatrix are easy to memorize.
  • Users can log into the system with an average of 1.64 (median 1) authentication requests, and the total accuracy over all login trials is 93.33% even after two weeks.
  • Passwords are not exposed in risky (observed) environments, since only the one-time bar positions are visible to an onlooker.
  • The proposed system acts as a secure authentication system, defends against shoulder surfing attacks, and is applicable to all kinds of devices.






  • System : Pentium Dual Core
  • Hard Disk : 120 GB
  • Monitor : 15-inch LED
  • Input Devices : Keyboard, Mouse
  • RAM : 1 GB


  • Operating System : Windows 7
  • Coding Language : Java (Android)
  • Toolkit : Android 2.3 or above
  • IDE : Eclipse / Android Studio


Hung-Min Sun, Shiuan-Tung Chen, Jyh-Haw Yeh and Chia-Yun Cheng, "A Shoulder Surfing Resistant Graphical Authentication System", IEEE Transactions on Dependable and Secure Computing, 2016.
