More and more services and information are being stored on the cloud. Since anybody can access an Internet terminal, it is critical to provide appropriate security mechanisms. One popular approach is to strengthen the protocol and encryption algorithm, which is now being actively investigated in the security field. Another potentially effective approach is to enhance the user interface for security systems. Since security is ultimately a human-computer interaction problem, we believe that there are many interesting opportunities related to the latter approach.
In this paper, we present an example of applying an innovative user interface method to enhance security. Our target problem domain is shoulder surfing when an individual is typing a password or personal identification number (PIN) using a software keyboard and an indirect input device such as a mouse or track pad. Such typed key sequences are readily visible to potential attackers standing behind the user or observing the screen via video camera. A method to defend against shoulder surfing is clearly important. One of the conventional methods is to change the key assignment each time the keyboard appears on the screen and to reveal the assignment only at the beginning.
However, this method does not work if a video camera is recording the screen. Several other methods have been proposed [9, 13, 15], but they are all either too complicated or require the user to memorize extra information in addition to the password
itself.
Our method, called Cursor Camouflage, shows multiple independently moving dummy cursors on the screen so as to make it difficult for an attacker to identify which software key the user is actually typing (Figure 1). The user can identify the real cursor
by observing the correlation between the hand motion and the cursor motion, but it is difficult for an attacker to do so because the correlation is not easy to observe. This method has a certain resistance to video recording and does not require the user to
