Taejin Kim 1 and Jeong Hyun Yi 1 and Changho Seo 2
Academic Editor: Jongsung Kim
1, School of Computer Science and Engineering, Soongsil University, Seoul 156-743, Republic of Korea
2, Department of Applied Mathematics, Kongju National University, Kongju 314-701, Republic of Korea
Received 7 November 2013; Accepted 3 February 2014; 9 March 2014
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
1. Introduction
A smart phone differs from a feature phone in that it has a mobile OS that lets users freely install and remove applications, just as on a personal computer. Because of this, a variety of services can be provided in addition to basic functions such as calling and messaging. However, malware also occurs on smart phones, just as on personal computers. Such malware could expose information on the smart phone and consequently invade privacy or cause financial damage.
Among these types of malware, there may be spyware that leaks the user's authentication screen and touch coordinates. Exposure of the authentication screen and touch coordinates is effectively a Recording Attack [1]. The Recording Attack is a type of Shoulder-Surfing Attack [2] in which the attacker records the entire user authentication process, including ID and password input for a service. If spyware records this process and sends it to an attacker's server, the password of the user can be easily taken. Although many authentication methods have been developed to prevent Shoulder-Surfing Attacks, they address only attacks in which an attacker simply views the authentication process over the user's shoulder and remembers the password. To resist such attacks, these methods either expose the screen information provided during the authentication process only momentarily or increase the amount of data that the attacker has to remember. However, these methods are limited because they cannot perfectly protect against a Recording Attack, which records the entire authentication screen.
Therefore, this paper proposes an authentication method devised such that the password cannot be easily taken even when the entire authentication screen is recorded and exposed. This method generates and authenticates a one-time...





