Details of a prototype multi-cursor system designed to improve the security of on-screen password entry have been posted on DigInfo, the Tokyo-based news site that promotes cutting-edge technology from Japan. Many banks now use screen-based key entry to defeat screen loggers, but such systems can be vulnerable to shoulder surfing or malicious screen capture software.
The prototype software presents multiple cursors on the PC screen, with only the authorized user knowing which one is real. To anyone looking over their shoulder, it is almost impossible to tell which numbers are being clicked on by which cursor, according to the developers.
“At first sight, it looks as if the user will get confused about which cursor is real. But when you try this system, it’s surprisingly easy to understand which one is your cursor. Observers, though, don’t know which cursor you’re using,” said Keita Watanabe, a researcher for the Igarashi Design Interface Project at the Japan Science and Technology Project.
However, the efficacy of the system is heavily dependent on the number of fake cursors used, with 20 cursors providing a 99% failure rate, according to the researchers.
“The problem was, if you moved the cursor quickly while there were just a few dummy cursors, onlookers could figure out which is the real cursor. So, we’ve created a system called Symmetric Cursors, where the dummy cursors move in a different way. Here, ten soft keys are arranged in a circle. With this system, even if you move your cursor quickly, you don’t have just one cursor standing out, like there was before. In terms of speed, all the cursors are the same. So you can enter numbers after using the mouse direction to find out which is the real cursor,” said Watanabe.
The research is continuing and the developers say that they want to find out more about how users recognize the real cursor using eye trackers and biometrics.
See the multi-cursor system in action on YouTube
Author Rob Waugh, We Live Security