Research has brought forth a variety of authentication systems to mitigate observation attacks. However, there is little work about shoulder surfing situations in the real world. We present results user survey (N=174) which we investigate actual stories on mobile devices from both users and observers. Our analysis indicates that mainly occurs an opportunistic, non-malicious way. It usually does not have serious consequences, but evokes negative feelings for parties, resulting coping...

For the past 20 years, researchers have investigated use of eye tracking in security applications. We present a holistic view on gaze-based In particular, we canvassed literature and classify utility gaze applications into a) authentication, b) privacy protection, c) monitoring during critical tasks. This allows us to chart several research directions, most importantly 1) conducting field studies implicit explicit authentication due recent advances tracking, 2) protection tasks which are...

In order to make the factory of future vision a reality, various requirements need be met. There is continuously qualify human worker about new and changing technology trends since most flexible entity in production system. This demands introducing novel approaches for knowledge-delivery skill transfer. paper introduces design, implementation evaluation an advanced virtual training system, which has been developed EU-FP7 project VISTRA. The domain interest automotive manufacturing it one...

PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous affordable, we foresee a new form of threat to user privacy on mobile devices. Thermal allow performing attacks, where heat traces, resulting from authentication, can be reconstruct passwords. In this work investigate in details viability exploiting imaging infer We present study (N=18) evaluated how properties influence their attacks resistance. found that are...

Virtual reality (VR) headsets are enabling a wide range of new opportunities for the user.For example, in near future users may be able to visit virtual shopping malls and virtually join international conferences.These many other scenarios pose questions with regards privacy security, particular authentication within environment.As first step towards seamless VR authentication, this paper investigates direct transfer well-established concepts (PIN, Android unlock patterns) into VR.In pilot...

We propose a multimodal scheme, GazeTouchPass, that combines gaze and touch for shoulder-surfing resistant user authentication on mobile devices. GazeTouchPass allows passwords with multiple switches between input modalities during authentication. This requires attackers to simultaneously observe the device screen user's eyes find password. evaluate security usability of in two studies. Our findings show is usable significantly more secure than single-modal against basic even advanced attacks.

Gaze-based interaction using smooth pursuit eye movements (Pursuits) is attractive given that it intuitive and overcomes the Midas touch problem. At same time, tracking becoming increasingly popular for VR applications. While Pursuits was shown to be effective in several contexts, never explored in-depth before. In a user study (N=26), we investigated how parameters are specific settings influence performance of Pursuits. For example, found robust against different sizes virtual 3D targets....

There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D schemes) are vulnerable to observation attacks, most alternatives relatively slow. We present RubikAuth, an scheme VR where users authenticate quickly by selecting digits from 3D cube that leverages coordinated manipulation pointing. report on results three studies comparing how pointing using eye gaze, head pose, controller tapping impact RubikAuth’s usability,...

"Virtual-Physical Perceptual Manipulations" (VPPMs) such as redirected walking and haptics expand the user's capacity to interact with Virtual Reality (VR) beyond what would ordinarily physically be possible. VPPMs leverage knowledge of limits human perception effect changes in physical movements, becoming able (perceptibly imperceptibly) nudge their actions enhance interactivity VR. We explore risks posed by malicious use VPPMs. First, we define, conceptualize demonstrate existence Next,...

Fundamental to Augmented Reality (AR) headsets is their capacity visually and aurally sense the world around them, necessary drive positional tracking that makes rendering 3D spatial content possible. This requisite sensing also opens door for more advanced AR-driven activities, such as augmented perception, volumetric capture biometric identification - activities with potential expose bystanders significant privacy risks. Existing Privacy-Enhancing Technologies (PETs) often safeguard...

Cross-reality systems empower users to transition along the reality-virtuality continuum or collaborate with others experiencing different manifestations of it. However, prototyping these is challenging, as it requires sophisticated technical skills, time, and often expensive hardware. We present VRception, a concept toolkit for quick easy cross-reality systems. By simulating all levels entirely in Virtual Reality, our overcomes asynchronicity realities, eliminating obstacles. Our VRception...

Virtual reality (VR) users are often around bystanders, i.e. people in the real world VR user may want to interact with. To facilitate bystander-VR interactions, technology-mediated awareness systems have been introduced increase a user's of bystanders. However, while prior works found effective means facilitating it is unclear when and why one system should be used over another. We reviewed, selected, breadth bystander from literature investigated their usability, how they could...

Although mobile devices provide access to a plethora of sensitive data, most users still only protect them with PINs or patterns, which are vulnerable side-channel attacks (e.g., shoulder surfing). How-ever, prior research has shown that privacy-aware willing take further steps their private data. We propose GazeTouchPIN, novel secure authentication scheme for combines gaze and touch input. Our multimodal approach complicates shoulder-surfing by requiring attackers ob-serve the screen as...

In this paper we show how reading text on large display can be used to enable gaze interaction in public space. Our research is motivated by the fact that much of content displays includes text. Hence, researchers and practitioners could greatly benefit from users being able spontaneously interact as well implicitly calibrate an eye tracker while simply particular, adapt Pursuits, a technique correlates users' movements with moving on-screen targets. While prior work abstract objects or dots...

While first-generation mobile gaze interfaces required special-purpose hardware, recent advances in computational estimation and the availability of sensor-rich powerful devices is finally fulfilling promise pervasive eye tracking eye-based interaction on off-the-shelf devices. This work provides first holistic view past, present, future handheld To this end, we discuss how research developed from building hardware prototypes, to accurate unmodified smartphones tablets. We then implications...

Field studies on public displays can be difficult, expensive, and time-consuming. We investigate the feasibility of using virtual reality (VR) as a test-bed to evaluate deployments displays. Specifically, we whether results from field studies, conducted in space, would match corresponding real-world setting. report two empirical user where compared audience behavior around display world real display. found that powerful research tool, both observed largely similar between settings. discuss...

With the increasing adoption of virtual reality (VR) in public spaces, protecting users from observation attacks is becoming essential to prevent attackers accessing context-sensitive data or performing malicious payment transactions VR. In this work, we propose RubikBiom, a knowledge-driven behavioural biometric authentication scheme for We show that hand movement patterns performed during interactions with knowledge-based (e.g., when entering PIN) can be leveraged establish an additional...

Evaluating novel authentication systems is often costly and time-consuming. In this work, we assess the suitability of using Virtual Reality (VR) to evaluate usability security real-world systems. To end, conducted a replication study built virtual replica CueAuth [52], recently introduced scheme, report on results from: (1) lab-based in-VR (N=20) evaluating user performance; (2) an online (N=22) system's observation resistance through avatars; (3) comparison between our those previously...

Dark patterns are deceptive designs that influence a user’s interactions with an interface to benefit someone other than the user. Prior work has identified dark in windows, icons, menus, and pointer (WIMP) interfaces ubicomp environments, but how can manifest Augmented Virtual Reality (collectively XR) requires more attention. We therefore conducted 10 co-design workshops 20 experts XR design. Our participants co-designed 42 scenarios containing patterns, based on application archetypes...

Immersive Virtual Reality (IVR) is a growing 3D environment, where social and commercial applications will require user authentication. Similarly, smart homes in the real world (RW), offer an opportunity to authenticate third dimension. For both environments, there gap understanding which elements of dimension can be leveraged improve usability security In particular, investigating transferability findings between these environments would help towards how rapid prototyping authentication...

Virtual reality (VR) headsets are enabling a wide range of new opportunities for the user. For example, in near future users may be able to visit virtual shopping malls and virtually join international conferences. These many other scenarios pose new questions with regards privacy security, particular authentication users within environment. As first step towards seamless VR authentication, this paper investigates the direct transfer well-established concepts (PIN, Android unlock...

There is a growing need for usable and secure authentication in virtual reality (VR). Established concepts (e.g., 2D graphical PINs) are vulnerable to observation attacks, proposed alternatives relatively slow. We present RubikAuth, novel scheme VR where users authenticate quickly by selecting digits from 3D cube that manipulated with handheld controller. report two studies comparing how pointing using gaze, head pose, controller tapping impacts RubikAuth's usability resistance under three...

Extended Reality (AR/VR/MR) technology is becoming increasingly affordable and capable, ever more interwoven with everyday life. HCI research has focused largely on innovation around XR technology, exploring new use cases interaction techniques, understanding how this used appropriated etc. However, equally important the investigation consideration of risks posed by such advances, specifically in contributing to vulnerabilities attack vectors regards security, safety, privacy that are unique...

Extended-Reality (XR) devices are packed with sensors that allow tracking of users (e.g., behaviour, actions, eye-gaze) and their surroundings people, places, objects). As a consequence, XR pose significant risks to privacy, security, our ability understand influence the behaviour - will be amplified by ever-increasing adoption. This necessitates addressing these concerns before becomes ubiquitous. We conducted three focus groups thirteen experts from industry academia interested in XR,...