Seamless Security on Mobile Devices Textual Password Quantification Model Based Usability Evaluation of Secure Rotary Entry Pad Authentication

  • Herman Kabetta Politeknik Siber dan Sandi Negara
  • Hermawan Setiawan Politeknik Siber dan Sandi Negara
  • Fetty Amelia Politeknik Siber dan Sandi Negara
  • Muhammad Qolby Fawzan Politeknik Siber dan Sandi Negara
Keywords: JSON Web Token, Mobile Device, Rotary Entry Pad, Shoulder Surfing Attack, TQ-Model, Usability Evaluation


Mobile devices are vulnerable to shoulder surfing and smudge attacks, which should occur when a user enters a PIN for authentication purposes. This attack can be avoided by implementing a rotary entry pad mechanism. Despite this, several studies have found that using a rotary entry pad reduces user usability. This study uses a Design Research Methodology approach. It will implement a rotary entry pad authentication in the Android operating system as an authentication method to protect the device against Shoulder Surfing Attacks and Smudge Attacks. Furthermore, it combined JSON Web Token (JWT) to secure the authentication process from the client to the server. At the end of implementation, it compared with other studies in terms of usability and evaluated it using the TQ-Model, which showed that the usability aspect has improved. Regarding security, we conducted a shoulder surfing attack simulation to assess the efficacy of guessing PINs. The results showed that only a limited number of attempts were successful, with two out of five samples failing to guess any numbers and only one sample successfully guessing six 10-digit PIN combinations out of 10 to the power of 10. The security test results show that shoulder surfing attacks are more difficult to perform after implementing the rotary entry pad. The evaluation showed that the JSpinpad performed better, with seven parameters showing improvement, one parameter showing a decline, and ten parameters remaining unchanged.


Download data is not yet available.

Author Biographies

Herman Kabetta, Politeknik Siber dan Sandi Negara

Department of Cryptographic Engineering

Hermawan Setiawan, Politeknik Siber dan Sandi Negara

Department of Cryptographic Engineering

Fetty Amelia, Politeknik Siber dan Sandi Negara

Department of Cryptographic Hardware Engineering

Muhammad Qolby Fawzan, Politeknik Siber dan Sandi Negara

Department of Cryptographic Engineering


[1] C. Shen, T. Yu, H. Xu, G. Yang, and X. Guan, “User practice in password security: An empirical study of real-life passwords in the wild,” Comput. Secur., vol. 61, pp. 130–141, 2016, doi: 10.1016/j.cose.2016.05.007.
[2] A. Huang, S. Gao, J. Chen, L. Xu, and A. Nathan, “High Security User Authentication Enabled by Piezoelectric Keystroke Dynamics and Machine Learning,” IEEE Sens. J., vol. 20, no. 21, pp. 13037–13046, 2020, doi: 10.1109/JSEN.2020.3001382.
[3] T. M. Ibrahim et al., “Recent advances in mobile touch screen security authentication methods: A systematic literature review,” Comput. Secur., vol. 85, pp. 1–24, 2019, doi: 10.1016/j.cose.2019.04.008.
[4] P. Markert, D. V. Bailey, M. Golla, M. Dürmuth, and A. J. Aviv, “On the Security of Smartphone Unlock PINs,” ACM Trans. Priv. Secur., vol. 24, no. 4, 2021, doi: 10.1145/3473040.
[5] D. H. Nyang et al., “Two-Thumbs-Up: Physical protection for PIN entry secure against recording attacks,” Comput. Secur., vol. 78, pp. 1–15, 2018, doi: 10.1016/j.cose.2018.05.012.
[6] M. Shahzad, A. X. Liu, and A. Samuel, “Secure unlocking of mobile touch screen devices by simple gestures,” Proc. 19th Annu. Int. Conf. Mob. Comput. Netw. - MobiCom ’13, p. 39, 2013.
[7] A. Souza, Í. Cunha, and L. B Oliveira, “NomadiKey: User authentication for smart devices based on nomadic keys,” Int. J. Netw. Manag., vol. 28, no. 1, pp. 1–19, 2018, doi: 10.1002/nem.1998.
[8] W. Z. Khan, M. Y. Aalsalem, and Y. Xiang, “A Graphical Password Based System for Small Mobile Devices,” vol. 8, no. 5, pp. 145–154, 2011.
[9] A. De Luca, K. Hertzschuch, and H. Hussmann, “ColorPIN - Securing PIN entry through indirect input,” Conf. Hum. Factors Comput. Syst. - Proc., vol. 2, no. January 2010, pp. 1103–1106, 2010, doi: 10.1145/1753326.1753490.
[10] F. Binbeshr, M. L. Mat Kiah, L. Y. Por, and A. A. Zaidan, “A systematic review of PIN-entry methods resistant to shoulder-surfing attacks,” Comput. Secur., vol. 101, p. 102116, 2021, doi: 10.1016/j.cose.2020.102116.
[11] D. K. Yadav, B. Ionascu, S. V. K. Ongole, A. Roy, and N. Memon, “Design and analysis of shoulder surfing resistant PIN based authentication mechanisms on google glass,” Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 8976, pp. 281–297, 2015, doi: 10.1007/978-3-662-48051-9_21.
[12] S. Rajarajan, R. Kalita, T. Gayatri, and P. Priyadarsini, “SpinPad: A Secured PIN Number Based User Authentication Scheme,” 2018 Int. Conf. Recent Trends Adv. Comput., pp. 53–59, 2018.
[13] S. Ahmed and Q. Mahmood, “An authentication based scheme for applications using JSON web token,” IEEE Sens. J., vol. 16, no. 1, pp. 254–264, 2016, doi: 10.1109/JSEN.2015.2475298.
[14] S. Z. Nizamani, S. R. Hassan, and R. A. Shaikh, “TQ-Model: A New Evaluation Model for Knowledge-Based Authentication Schemes,” Arab. J. Sci. Eng., vol. 45, no. 4, pp. 2763–2778, 2020, doi: 10.1007/s13369-019-04137-6.
[15] S. Dalimunthe, J. Reza, and A. Marzuki, “View of The Model for Storing Tokens in Local Storage (Cookies) Using JSON Web Token (JWT) with HMAC (Hash-based Message Authentication Code) in E-Learning Systems,” vol. 3, no. 2, pp. 149–155, 2022.
[16] S. Sciancalepore, G. Piro, D. Caldarola, G. Boggia, and G. Bianchi, “On the Design of a Decentralized and Multiauthority Access Control Scheme in Federated and Cloud-Assisted Cyber-Physical Systems,” IEEE Internet Things J., vol. 5, no. 6, pp. 5190–5204, 2018, doi: 10.1109/JIOT.2018.2864300.
[17] L. T. M. Blessing and A. Chakrabarti, DRM, a Design Research Methodology. 20189.
[18] I. Khairunisa and H. Kabetta, “PHP Source Code Protection Using Layout Obfuscation and AES-256 Encryption Algorithm,” Proc. - IWBIS 2021 6th Int. Work. Big Data Inf. Secur., pp. 133–138, 2021, doi: 10.1109/IWBIS53353.2021.9631842.
[19] M. L. Kambanou and T. Sakao, “Using Lifecycle Costing (Lcc) To Select Circular Measures: A discussion and practical approach,” no. Lcc, 2020.
[20] Y. Rosmansyah, M. Achiruzaman, and A. B. Hardi, “A 3D multiuser virtual learning environment for online training of agriculture surveyors,” J. Inf. Technol. Educ. Res., vol. 18, pp. 481–507, 2019, doi: 10.28945/4455.
[21] D. H. Nyang, A. Mohaisen, and J. Kang, “Keylogging-resistant visual authentication protocols,” IEEE Trans. Mob. Comput., vol. 13, no. 11, pp. 2566–2579, 2014, doi: 10.1109/TMC.2014.2307331.
How to Cite
Kabetta, H., Setiawan, H., Amelia, F., & Fawzan, M. (2023). Seamless Security on Mobile Devices Textual Password Quantification Model Based Usability Evaluation of Secure Rotary Entry Pad Authentication. MATRIK : Jurnal Manajemen, Teknik Informatika Dan Rekayasa Komputer, 22(2), 299-308.