Abstract
Users normally tend to reuse the same personalized identification number (PIN) for multiple applications. Direct PIN entries are highly susceptible to shoulder-surfing attacks as attackers can effectively capture user’s PIN entry number with the help of concealed cameras. Indirect PIN entry methods proposed as counter measures are rarely deployed because they demand a heavier cognitive workload for users. To achieve fool-proof security and usability, a practical indirect PIN entry method called SteganoPIN is proposed. The human–machine interface of SteganoPIN comprises two numerical keypads: one shielded or hidden and the other exposed, designed specifically to physically thwart and protect against shoulder-surfing attacks. After locating a long-term PIN in the more usual layout, through the covered permuted keypad, a user generates a one-time password that can safely be entered in plain view of attackers. This enables the user to establish a secure transaction by means of a mobile app to the server by implementing the SteganoPIN method using multi-touch concept that is based on independent variable PIN entry system (Standard PIN, SteganoPIN).