Vault Lock

Chalmers University, Gothenburg · Kamil Mudy · mudy@student.chalmers.se · Andreas Månsson · andrmans@student.chalmers.se

VaultLock is a new, innovative locking mechanism, based on the classic vault door knob, that is meant to protect your notes. Our goal in creating this new way of unlocking is to help protect you against shoulder surfing. The design approach taken in this project was design for the real world, which attempts to solve the challenge of digital authentication and access and is further explained in the design section below. Our preliminary empirical research shows that the locking mechanism protects against shoulder surfers to a better degree than the standard pin-code system. Keep your notes safe today by downloading VaultLock right now!


Design Approach & Strategy

Design Approach - Design for the Real World

Design for the real world attempts to target a problem existing in the real world and tries to find a way to solve it. To help guide our design and strategy we formulated a research question and in order to answer it the following techniques were used:

  • Desk research
  • Empirical research
  • Iterative development

The research question we formulated is as follows: Can we reduce the risk of shoulder surfing while still maintaining desirability? The preliminary studies we made can be read in the Empirical research section below, and our results can be read in the Final Design section below.

Strategy

During our desk research we found some valuable information in the article Evaluating attack and defense strategies for pin shoulder-surfing by Khan, H et al., which claims that one of the biggest defenses is to hide the input overall from the potential attackers. This pointed us in the direction of looking at how we can tell the user that he/she is performing actions without looking at the screen, which in turn led us to haptic feedback for the unlocking process.

By coupling the haptic feedback with our innovative authentication solution, the user is able, with a little bit of training, to unlock the application without looking at the screen. This is in line with what was said in the previous paragraph.


Empirical research

Empirical research was done before the development of VaultLock with the help of our prototypes. Our observational study was done with our digital prototype and the participation/empathy study was done with our native prototype.

Observations

Question to be answered: Is VaultLock desirable?
5 participants, 3 Follow-up questions at the end

We used the observation technique to investigate desirability among potential users. The participants were asked to use the prototype and enter a made-up password; this was repeated with three different passwords to let them get used to the idea. After the experiment, the participants were asked questions related to ease of use, practicality and whether they could see themselves using it or not.

Results

This showed us that the idea was desirable, and it served as a precursor to the development of VaultLock. According to our users, the most important factor was to implement haptic feedback for each turn of the knob, which we carried into development.

Participation/Empathy

Question to be answered: Does it help against shoulder surfing?
2 participants

We used the participation/empathy technique to investigate the viability of fighting shoulder surfing. Each participant got to be both the shoulder surfer and the victim with both of the unlocking mechanisms that were investigated (regular pin-code and VaultLock). Each locking mechanism was used 5 times by each person.

Results

Regular pin-code replicated 7/10 times. Vault lock replicated 5/10 times.

Obviously, more research is necessary, given the limited time we had for this research and the limited number of participants in the study. But as a preliminary finding, we can say that it seems to be safer than the ordinary pin-code. However, this might be because of the novelty of VaultLock and not because it is safer in practice.
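An added example, not part of the original study: Fisher's exact test on the counts reported above (7/10 and 5/10), plus the number of attempts per mechanism at which the same replication rates would reach p < 0.05. It treats every attempt as independent, which is an assumption given that the study had two participants; the function names are illustrative.

```python
from math import comb


def fisher_exact(a, b, c, d):
    """Fisher's exact test on the 2x2 table [[a, b], [c, d]].

    Rows are the two lock types, columns are (replicated, not replicated).
    Returns (one_sided_p, two_sided_p); the one-sided value is the chance of
    seeing at least `a` replications in row 1 if both locks leak equally.
    """
    row1, row2, col1 = a + b, c + d, a + c
    total = comb(row1 + row2, col1)
    lo, hi = max(0, col1 - row2), min(row1, col1)
    # Hypergeometric probability of every table with the same margins.
    prob = {k: comb(row1, k) * comb(row2, col1 - k) / total
            for k in range(lo, hi + 1)}
    one_sided = sum(p for k, p in prob.items() if k >= a)
    # Two-sided: all tables at most as likely as the observed one.
    two_sided = sum(p for p in prob.values() if p <= prob[a] * (1 + 1e-9))
    return one_sided, two_sided


def attempts_for_significance(a, b, c, d, alpha=0.05, max_scale=100):
    """Attempts per lock needed for p < alpha if the observed rates held.

    Scales the observed table by whole multiples (an assumption: the
    replication rates stay exactly the same in a larger study).
    """
    for m in range(1, max_scale + 1):
        if fisher_exact(a * m, b * m, c * m, d * m)[1] < alpha:
            return (a + b) * m
    return None


if __name__ == "__main__":
    # Counts from the results above: pin-code 7 of 10, VaultLock 5 of 10.
    one, two = fisher_exact(7, 3, 5, 5)
    print(f"one-sided p = {one:.3f}, two-sided p = {two:.3f}")
    print("attempts per lock for p < 0.05:",
          attempts_for_significance(7, 3, 5, 5))
```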


Digital Prototype

The beginning

The digital prototype was the first prototype, made in order to visualize the idea. The prototype is quite primitive and not detailed. It includes only the locking mechanism, since the locking mechanism was originally supposed to be used to unlock the phone. In later iterations and in the actual end product we chose to use this mechanism as a way to authenticate into our app, which would store the user's most important notes/documents. The prototype can be found by following this link: Digital Prototype


Making of digital prototype

Native Prototype

The continuation

This is the native prototype that was created to test the concept of the vault lock. The prototype is super lightweight, with the only functionality being that the cog wheel turns when the finger is dragged on the screen. The main reason behind making the native prototype, apart from testing the concept, was to test whether or not there would be any difference in shoulder surfing with this type of interaction. As the native prototype is developed further, there will be feedback in the form of vibrations for each number turned, snapping to defined locations (1, 2, 3, 4 etc.) instead of free turning, and more.
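The snapping and per-number vibration described above, as an added example (a Python sketch, not the app's Kotlin code): drag events rotate the wheel, and each detent crossed is one point where the app would vibrate. The ten-digit layout, the 4-degree dead band and all names are assumptions.

```python
import math

DETENTS = 10               # assumed: digits 0-9 spaced evenly around the dial
STEP = 360.0 / DETENTS     # 36 degrees between neighbouring digits
HYSTERESIS = 4.0           # assumed dead band (degrees) that suppresses jitter


def touch_angle(x, y, cx, cy):
    """Angle of a touch point around the dial centre (cx, cy), in degrees."""
    return math.degrees(math.atan2(y - cy, x - cx))


class Dial:
    """Turns drag events into detent changes; each change is one haptic tick."""

    def __init__(self):
        self.angle = 0.0   # free wheel angle in degrees, unbounded
        self.detent = 0    # unwrapped index of the detent currently held
        self._last = None  # touch angle of the previous event

    def down(self, x, y, cx, cy):
        """Finger lands: remember where, without moving the wheel."""
        self._last = touch_angle(x, y, cx, cy)

    def move(self, x, y, cx, cy):
        """Rotate by the change in touch angle; return the digits that ticked."""
        now = touch_angle(x, y, cx, cy)
        # Shortest signed difference, so crossing +/-180 degrees does not jump.
        delta = (now - self._last + 180.0) % 360.0 - 180.0
        self._last = now
        self.angle += delta
        ticks = []
        # Step one detent at a time so a fast drag still ticks once per digit.
        while self.angle - self.detent * STEP > STEP / 2 + HYSTERESIS:
            self.detent += 1
            ticks.append(self.detent % DETENTS)
        while self.angle - self.detent * STEP < -(STEP / 2 + HYSTERESIS):
            self.detent -= 1
            ticks.append(self.detent % DETENTS)
        return ticks

    def up(self):
        """Finger lifts: snap onto the held detent and report its digit."""
        self.angle = self.detent * STEP
        self._last = None
        return self.detent % DETENTS
```

Because the wheel follows the change in touch angle rather than the absolute finger position, the user can start the drag anywhere and count ticks without looking at the screen.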

The prototype that was previously showcased on GitHub has been further developed into an app.


Final Design

App flow

The flow of the application is built as shown below.

As can be seen in the figure below, the flow of the application is as follows:

  • We start at the lock screen (lockFragment) when starting the application.
  • If we have not set a password before (first time starting the application), we get the set lock screen (lockNotSetFragment).
  • After the lock screen, we end up in the main screen of the application (menuFragment); this is where you can view your notes.
  • If you want to create a new note, then you press the floating action button (FAB) and you will end up in the create note screen (createNoteFragment).
  • From the main screen of the application you can also press the three dot menu in the toolbar to go to set lock screen, to possibly change your unlocking sequence.

Results

Here we go through the results of our findings

At the beginning of development, the authentication method was heavily prioritized since it was the primary focus of our project. However, due to additional requirements regarding what the authentication mechanism was protecting, our efforts went even more towards development than was first planned. This affected the time necessary to perform empirical research to properly answer the research question that we had formulated.

Based on our preliminary empirical research, we do believe that it is possible to reduce the risk of shoulder surfing whilst maintaining desirability. However, more empirical research is needed to conclude such a statement, and given more time we would perform more research.


Discarded ideas

We started our project with three ideas but, due to research and time constraints, we had to settle on one. The first idea that was discarded was a method of authentication that included taps on the back of the phone. By using the gyroscope on the phone we would differentiate ordinary use from taps on the back of the phone.

The second idea that was discarded was a reimagining of the ordinary pin code. The user could use short or long taps on the number while dialling the pin code. We would programmatically discern a long and a short tap to add another layer of security. This idea was inspired by Morse code.

Learnings and resources

Technologies used and learned

Software, frameworks and libraries used and learned during the project.

Below you will find the technologies that we used and learned during this project. We started with a blank slate, not knowing Android Studio, Kotlin or Figma. We would definitely recommend using Figma for prototyping; it's fast and easy to pick up and can do a lot of work for you for little effort. If you are interested in app development for Android phones, we would wholeheartedly recommend using Android Studio together with Google Codelabs. They make sure to hold your hand through the whole process.

  • Android Studio - Development of app
    • Kotlin
  • HTML & CSS - Developing this site
  • Figma - Prototyping

We would suggest, if you are familiar with Java, sticking with Java in Android Studio instead of using Kotlin. Kotlin is not hard by any measure, but our opinion is that if you know Java, it just makes more sense.

References

Research papers and articles that we used when developing our ideas.
  • C. Shen, Y. Li, Y. Chen, X. Guan and R. A. Maxion, "Performance Analysis of Multi-Motion Sensor Behavior for Active Smartphone Authentication," in IEEE Transactions on Information Forensics and Security, vol. 13, no. 1, pp. 48-62, Jan. 2018, doi: 10.1109/TIFS.2017.2737969.
  • Khan, H., Hengartner, U., & Vogel, D. (2018, April). Evaluating attack and defense strategies for smartphone pin shoulder surfing. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (pp. 1-10).
  • Marques, D., Guerreiro, T., Duarte, L., & Carriço, L. (2013). Under the table: tap authentication for smartphones. BCS HCI.