Fraud and identity theft account for large financial loses each year. One critical component present at virtually all login terminals used today is the traditional text password or numerical PIN. Compromising this authentication component is a critical, yet increasingly feasible, step for criminals looking to gain access to sensitive information. To increase usability and security, graphical password schemes have been proposed that rely on users' innate ability to recognize pictures for authentication.

Sparked by the general ubiquity of cell phones with video recording technology, our research aims to identify the susceptibility of the Passfaces graphical password system to camera based shoulder surfing attacks while introducing a novel defense to combat recording devices. First, we survey several graphical password schemes in the context of the shoulder surfing attack vector. We then propose a method of subverting video recording capabilities by using high frequency contrast inversion. By preventing cameras from successfully correcting elementary settings in response to contrast inversion, little useful information is extracted from the system.

We mate the contrast inversion defense to an already proven user input method, a ‘cognitive trapdoor game’, and place these mechanisms within a graphical password system. A technological study evaluates the effectiveness of these mechanisms against a variety of recording devices, while a user study evaluates how these mechanisms impact the usability benefits of a graphical password system. We believe our system increases the resource investment for a camera based shoulder surfing attack, yet can be used in most authentication terminals without extensive modifications.