CueAuth

Secure authentication on situated displays (e.g., to access sensitive information or to make purchases) is becoming increasinglyimportant. A promising approach to resist shoulder surfing attacks is to employ cues that users respond to while authenticating;this overwhelms observers by requiring them to observe both the cue itself as well as users’ response to the cue. Althoughpreviouswork proposed a variety of modalities, such as gaze and mid-air gestures, to further improve security, an understanding of how they compare with regard to usability and security is still missing as of today. In this paper, we rigorously comparemodalities for cue-based authentication on situated displays. In particular, we provide the first comparison between touch,mid-air gestures, and calibration-free gaze using a state-of-the-art authentication concept. In two in-depth user studies (N=37)we found that the choice of touch or gaze presents a clear trade-off between usability and security. For example, while gazeinput is more secure, it is also more demanding and requires longer authentication times. Mid-air gestures are slightly slowerand more secure than touch but users hesitate to use them in public. We conclude with three significant design implicationsfor authentication using touch, mid-air gestures, and gaze and discuss how the choice of modality creates opportunities andchallenges for improved authentication in public.