Litcius/Paper detail

Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing

Florian Mathis, John Williamson, Kami Vaniea, Mohamed Khamis

2021ACM Transactions on Computer-Human Interaction90 citationsDOIOpen Access PDF

Abstract

There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth’s usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69–3.5 s using controller tapping, 2.35–4.68 s using head pose and 2.39 –4.92 s using eye gaze, and highly resilient to observations: 96–99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45 n for an n -symbols password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

Topics & Concepts

PasswordComputer scienceUsabilityUSableAuthentication (law)Human–computer interactionGazeComputer securityVirtual realityChallenge–response authenticationAuthentication protocolArtificial intelligenceMultimediaUser Authentication and Security SystemsGaze Tracking and Assistive TechnologyFace Recognition and Perception