Seamless Security on Mobile Devices: Textual Password Quantification Model Based Usability Evaluation of Secure Rotary Entry Pad Authentication

Mobile devices are vulnerable to Shoulder Surfing and Smudge Attacks, which can occur when a user enters a PIN for authentication. These attacks can be avoided by implementing a rotary entry pad mechanism. Despite this, several studies have found that using a rotary entry pad reduces usability. This study uses a Design Research Methodology approach. It implements rotary entry pad authentication on the Android operating system as an authentication method that protects the device against Shoulder Surfing Attacks and Smudge Attacks. Furthermore, it combines it with JSON Web Token (JWT) to secure the authentication process from the client to the server. At the end of the implementation, the result was compared with other studies in terms of usability and evaluated using the TQ-Model, which showed that the usability aspect has improved. Regarding security, we conducted a shoulder surfing attack simulation to assess how effectively PINs can be guessed. The results showed that only a limited number of attempts were successful, with two out of five samples failing to guess any numbers and only one sample successfully guessing six 10-digit PIN combinations out of 10 to the power of 10. The security test results show that shoulder surfing attacks are more difficult to perform after implementing the rotary entry pad. The evaluation showed that the JSpinpad performed better, with seven parameters showing improvement, one parameter showing a decline, and ten parameters remaining unchanged.


INTRODUCTION
The authentication system is an important part and the first line of defense when an unauthorized party tries to access data or a device [1]. Today's most popular authentication method is the numeric password [2], because users do not need to incur additional costs and it is easy to remember.
The development of technology today focuses a lot on security for touch screen technology, which is often used on mobile devices [3]. However, after the widespread introduction of the mobile operating system a few years ago, many alternatives to device authentication emerged, such as the introduction of the Personal Identification Number (PIN), which is now widely used for information security, as well as other alternatives, such as biometrics, patterns, gestures, and graphical authentication [4,5].
Several authentication methods and schemes have been tested in previous studies. For example, the method of entering a PIN must resist attacks such as recording with devices carried by attackers [6]. However, there are at least three security vulnerabilities in entering a PIN code or pattern, including Shoulder Surfing Attacks (SSA) and Smudge Attacks. As a result, some users are reluctant to use the security system and leave their devices without authentication [7].
Various methods of entering a PIN have been proposed previously [8], increasing the level of security by placing each button in a different position every time the pad is activated. Nevertheless, the PIN is still vulnerable to shoulder surfing attacks, where attackers observe the user entering a PIN by looking directly at it or recording it [9]. Biometric methods are still prone to errors, are expensive, and cannot be changed, and most of them still require the system to fall back on requesting a PIN code [9]. Another proposed method uses superimposition to produce hybrid image keypads in color [10]. Hybrid images are made by overlapping two images with different frequencies, resulting in an image that appears differently depending on viewing distance; they can help prevent shoulder surfing. Rajarajan et al. discussed PIN-based security authentication by introducing a new scheme called Spinpad [11]. The Spinpad scheme is intended for devices that authenticate users without using the keyboard and uses tokens issued by the application by voice. Spinpad does not enter its digits directly, so there is no chance of smudge attacks on this scheme. Spinpad is designed to resist three types of attack: Shoulder Surfing Attacks, Smudge Attacks, and Keylogging Attacks. It has the shape of two concentric wheels, where the outer circle consists of the numbers 0 to 9 and the inner circle consists of ten alphabetic letters. Unfortunately, the Spinpad scheme requires additional tools, such as earphones/headphones, to receive the alphabet tokens during the authentication process. This becomes very difficult if the user does not bring the tool or does not have it [11], affecting the practicality and usability of the Spinpad scheme.
From the usability aspect, the Spinpad authentication scheme has a weakness in terms of time: the user takes longer to enter the PIN. Based on these issues, we attempted to improve on Spinpad and create JSpinpad, a better scheme. We use a rotary dialer entry pad, modelled on the rotary dial of a cabled telephone, which looks like a single circular ring with the PIN digits on it, as an improvement over the Spinpad scheme, which uses two circular rings. In Spinpad's initial scheme, the alphabetic ring that can rotate clockwise or counterclockwise aims to prevent SSA and Keylogging Attacks, so that the attacker cannot remember, record, or guess the user's PIN input. In JSpinpad, the position of the PIN digits on the rotary dialer entry pad changes every time the user exits the application after entering the PIN digits, with the goal of preventing the attacker from guessing, remembering, or recording the PIN digits entered and from reading them off the fingerprint marks on the screen.
The verification process in Spinpad does not yet have security validation of whether the process is safe or not, so a standard or method needs to be applied to this process [11]. We use the JSON Web Token (JWT), a security standard used to transmit data compactly and securely as JSON objects [12]. JWT is considered secure because it can be verified and digitally signed using the HMAC (Hash-based Message Authentication Code) algorithm or a public/private key pair using RSA or ECDSA [13,14]. In the last step of the study, we conduct the usability evaluation. Usability evaluation is commonly used to evaluate the ease of use of a system. Some usability evaluations, such as SUS (System Usability Scale), have been used to evaluate a web-based Geographic Information System [15]. Another usability evaluation is the TQ-Model (textual passwords-based quantification model), specifically used to analyze knowledge-based authentication schemes of a system [16]. Table 1 shows the differences between this study and several previous studies. This study aims to explore the implementation of a modified Spinpad integrated with a JWT mechanism on the backend, as well as to assess the usability of the resulting application using the TQ-Model evaluation approach.

RESEARCH METHOD
This study uses a Design Research Methodology approach that focuses on the problem analysis process and the materials that support the research process. As shown in Figure 1, there are four stages: research clarification, descriptive study I, prescriptive study, and descriptive study II [17]. The first stage is research clarification, which involves gathering evidence and theories that support achieving the research objectives [18]. The collection of evidence and theories is based on a literature review that supports this research. The literature collected at this stage covers the problems in Spinpad authentication and the solutions implemented to solve them. The next stage is Descriptive Study I; in this stage, the researchers have clear goals, and a detailed description is carried out to determine the factors that must be handled based on the research clarification stage. A prescriptive study is then conducted to solve the problems by designing the JSpinpad application [19]. There are four stages: analysis, design, and implementation. The design process applies the software development method with a prototype software development approach and implements Java as the programming language and MySQL as the storage database. Figure 2 shows that descriptive study II concludes with a model evaluation [20] using the TQ-Model and security testing using a shoulder surfing attack simulation. This study designs and builds improved authentication that is better than the previous research, namely PIN-based Spinpad scheme authentication [11], by improving usability and authentication.

RESULT AND ANALYSIS

Design and Implementation
A rotary entry pad is implemented in the log-in section of the application to enter the PIN into the PIN password field. On the registration page, the user enters the PIN that will be registered in the application as a credential along with an email. Users cannot reuse emails that are already registered. The user is asked to enter the same PIN twice when registering. The user is automatically moved to the log-in page once registration has completed. As shown in Figure 3, the rotary dialer entry model is used to improve the usability aspects of the previous Spinpad research [11]. As shown in Figure 4, the registration page is where users register an account for authentication into the application; users are required to fill in the form with an email, password, and password confirmation. Furthermore, the registered credential data is saved in the database.

c. The JWT Signature contains a signature over the header and payload, calculated using the configured algorithm:

data = header + "." + payload
hashedData = hash(data)
signature = base64urlEncode(hashedData)
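The signature step above, as an added example that is not the paper's JSpinpad code: HS256 signing and verification in Python, where the hash is the keyed HMAC-SHA256 that JWT's HS256 specifies (the paper names HMAC as one of the signing options), and the verifier pins the algorithm, compares signatures in constant time, and checks expiry. The demo key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(raw: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """header.payload.signature, signature = base64url(HMAC-SHA256(key, header.payload))."""
    header = {"alg": "HS256", "typ": "JWT"}
    data = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    hashed = hmac.new(key, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url(hashed)


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the token is well-formed, HS256-signed with `key` and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        given_sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: the token's own "alg" must never select the check ("none", key confusion)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed demo: a token the server would issue after a successful PIN check (hypothetical claims)
DEMO_KEY = b"constructed-demo-secret-not-for-production"
DEMO_TOKEN = sign_jwt({"sub": "user@example.com", "iat": 1_700_000_000, "exp": 1_700_000_600}, DEMO_KEY)
```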

Testing and Evaluation
Security testing was conducted to determine whether JSpinpad, as a rotary dialer entry pad, could prevent a human-based Shoulder Surfing Attack. The application was tested against shoulder surfing attacks using research-based testing [21]. Figure 5 shows that participants were given a video showing a user entering a PIN combination during the authentication process. In addition, testing was performed on the recording type of SSA. There were five samples in the test. First, each sample was given ten video recordings of people entering a PIN combination, where each combination was six digits. Then, the sample tried to guess each digit of the combination entered in the application based on the video recording. The results of the test can be seen in Table 2.
[Table 2 residue: only fragments of the per-combination guess counts for the eighth, ninth and tenth combinations survived extraction.]
Table 3 was obtained by testing three samples and taking the best result from each sample. The following is the result of the data analysis of the Spinpad and JSpinpad TQ-Model measurements in Table 4. The comparison in Table 4 shows the measurement results for Spinpad and JSpinpad. The results show that JSpinpad improves the usability aspect of the application. The improvement is visible in the average log-in time parameter, which scores minus one (a required log-in time of 21 to 40 seconds) instead of the previous minus two (a log-in time of 41 to 60 seconds), because the rotary entry dialer reduces the time needed to log in, and in the physical effort parameter, which scores zero (no excessive physical effort) because entering the PIN digits does not require carrying any tools or tokens for each authentication, unlike the previous minus one, where excessive physical effort was needed every time the user authenticated. As shown in Table 4, the mental effort parameter of JSpinpad scores zero because the user finds it easier to remember a six-digit PIN, whereas Spinpad's mental effort parameter scores minus one because the user must match the registered PIN digits against the received token on every authentication. JSpinpad also improves in the requirement for execution parameter, from minus two to zero, because, unlike Spinpad, the user does not need to bring any additional device, such as earphones or a headset, to authenticate. The results show that JSpinpad performs better, with ten parameters at zero.

CONCLUSION
This study has successfully implemented JSpinpad as a secure mobile-based rotary entry pad authentication with JWT on the backend. The JSpinpad improvement follows the initial goal set in formulating the problem, i.e., speed and ease of use, as evaluated with the TQ-Model on the application. Additionally, it still fulfills the security element through the use of JWT. The Shoulder Surfing Attack test samples managed to guess only a small number of PINs. Two of the five respondents failed to guess any numbers at all. Only 1 of 5 samples successfully guessed six 10-digit PIN combinations (2x1x1x2x2x2) out of 10 combinations to the power of 10. For the first time, this study succeeded in conducting a usability evaluation of a mobile-based rotary entry pad authentication mechanism using the TQ-Model. The usability evaluation of JSpinpad shows better results: seven parameters increase, only one parameter is negative, and 10 of 13 are zero. The numbers each user dials are randomized, and these results indicate that the TQ-Model can be applied appropriately to JSpinpad. This study shows how to measure the usability of an authentication mechanism using the TQ-Model. The results of this study are expected to serve as a reference for other studies, especially on authentication mechanisms using a rotary entry pad. Nevertheless, it did not examine the security of the randomness of the PIN rotation. Therefore, further research can apply a secure randomization algorithm for the PIN rotation and re-evaluate its security and usability.
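The rotary scheme described in the introduction (digit positions re-drawn after every session) and the secure randomization the conclusion leaves for future work, as an added Python example that is not the paper's JSpinpad code: the ring layout is drawn from the OS CSPRNG, the dialed positions are all an observer sees, and they map back to digits only under the layout that was active; the last function gives the chance that replaying observed positions under a fresh layout still yields the PIN. Layout strings and the PIN are constructed.

```python
import secrets
from fractions import Fraction

DIGITS = "0123456789"


def new_layout(rng=None) -> str:
    """Fresh dial layout: ring position i shows digit layout[i].
    Drawn from the OS CSPRNG (secrets.SystemRandom); a non-secret PRNG here would let an
    observer predict future layouts. `rng` is overridable only for deterministic tests."""
    rng = secrets.SystemRandom() if rng is None else rng
    ring = list(DIGITS)
    rng.shuffle(ring)
    return "".join(ring)


def is_valid_layout(layout: str) -> bool:
    return sorted(layout) == list(DIGITS)


def positions_for_pin(layout: str, pin: str) -> list:
    """Ring positions the user must dial to enter `pin`: this is what a shoulder surfer sees."""
    return [layout.index(d) for d in pin]


def pin_from_positions(layout: str, positions) -> str:
    """App side: translate dialed positions back to digits with the layout that was active."""
    return "".join(layout[p] for p in positions)


def replay_attempt(observed_positions, later_layout: str) -> str:
    """What an observer gets by repeating the same positions after the ring was re-shuffled."""
    return pin_from_positions(later_layout, observed_positions)


def replay_success_probability(pin: str) -> Fraction:
    """Chance that a uniformly random fresh layout puts every digit of `pin` back at the observed
    positions: 1 / (10 * 9 * ... * (10 - k + 1)) for k distinct digits (repeats share a position)."""
    k = len(set(pin))
    denom = 1
    for i in range(k):
        denom *= 10 - i
    return Fraction(1, denom)
```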