An Anti-shoulder-surfing Authentication Scheme of Mobile Device

Jia-Ning Luo, Ming-Hour Yang, Cho-Luen Tsai

Abstract


Text-based passwords, such as personal identification numbers (PINs) and Android screen pattern locks, are the most commonly used identity authentication methods on smartphones. However, text-based passwords are unable to prevent shoulder-surfing attacks: by directly watching users enter their passwords, attackers are able to steal them, which poses a significant threat to the users.
In this study, a new authentication mechanism was introduced. The method enabled users to send out misleading information to attackers while entering their text-based passwords, so that attackers were unable to decipher the true passwords by simply recording or watching the entry. The misleading information was the pressure values (i.e., pressures exerted by the users) measured by pressure sensors embedded under the smartphone touchscreens. The system detected the pressure value of each entry made by the users and determined whether the entry was to be saved (i.e., as part of the true password) or omitted (i.e., as misleading information). Because attackers were unable to know the users' pressure values, they were unable to differentiate between true and misleading information and thus had no way of knowing the users' actual passwords. In the end, our authentication mechanism addressed the deficiency of current text-based passwords and enhanced system security.


Citation Format:
Jia-Ning Luo, Ming-Hour Yang, Cho-Luen Tsai, "An Anti-shoulder-surfing Authentication Scheme of Mobile Device," Journal of Internet Technology, vol. 19, no. 4, pp. 1263-1272, Jul. 2018.

Published by Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, R.O.C
JIT Editorial Office, Office of Library and Information Services, National Dong Hwa University
No. 1, Sec. 2, Da Hsueh Rd., Shoufeng, Hualien 974301, Taiwan, R.O.C.
Tel: +886-3-931-7314  E-mail: jit.editorial@gmail.com