A Camouflage Text-Based Password Approach for Mobile Devices against Shoulder-Surfing Attack

Authentication in mobile devices is inherently vulnerable to attacks and has the weakness of being susceptible to shoulder-surfing attack. Shoulder-surfing attack is a type of attack that uses direct observation techniques such as looking over someone’s shoulder to get information.)is paper aims to introduce a novel way of concealing the password within a contingent of randomly selected entries. In particular, the traditional password concept where what you input is what you get is redefined by proposing the camouflage characters approach. Based on this approach, three defensive techniques are introduced for mobile devices. By using an Android platform, the introduced techniques are implemented. Experimental studies are conducted in order to evaluate both security and usability perspectives. )e empirical results showed that the proposed approach is reasonably resistant against shoulder-surfing attacks and usable for participants. Moreover, it is possible to choose very short passwords, while insuring that the password remains hidden amongst a large number of key presses. Based on the achieved results, the proposed approach is recommended to be a new avenue in the field of security to produce very simple and yet very complicated passwords, to be observed by the attacker, at the same time.


Introduction
Nowadays, the use of mobile devices has increased at an unanticipated rate. In particular, the landscape of mobile devices, such as smart phones, has significantly changed; that is, mobile devices are now used not only for calling and sending messages but also for several services such as e-mail, social network, and web surfing [1]. In order to perform a trusted communication between these services and the user, the user authentication, which is the process of confirming an alleged identity, is required. is authentication process requires the user to be as accurate as possible; otherwise, the entry will fail. is presents a significant challenge to users and designers of a secure system alike. e user authentication is broadly categorized into three classes [2]: token-based authentication, which is based on something one has such as traditional keys to the doors; biometric-based authentication, which is based on a physiological or behavioral characteristic such as fingerprint and keystroke dynamic; knowledge-based authentication, which is based on something one knows such as text-based passwords. e use of text-based passwords is almost the popular method of the knowledge-based authentication class. However, a number of drawbacks of using text-based password have been raised; for example, a short text-based password can be easily guessed, while long passwords are often hard to remember [3]. To overcome this weakness, a graphical password has been proposed [4] as an alternative to the text-based password, where a user can remember pictures better than text.
Moreover, a wide range of research efforts suggest authentication protocols and techniques such as IllusionPIN (IPIN) [5] and audio and haptic entry systems [6]. e main aim of these methods was to find a way of safeguarding the password entry. Interestingly, both methods, i.e., text-based and graphical passwords, are vulnerable to shoulder-surfing attacks [7], which is a type of attack that uses direct observation techniques such as looking over someone's shoulder to get information. A recent study in [8] stated that text-based passwords created on mobile devices are substantially weaker against shoulder-surfing attacks. Despite the fact that concealing the output on the screen would minimally prevent the attack, an attacker can observe chosen keys on the keyboard.
In this paper, the canonical key entry mechanism is reconsidered. e impetus was to establish a scheme that allows easy, safe, and shoulder-browsing resistant password entry. Typically, a keystroke means only one thing which is the stored value of that key. We argue for a respecification of key functions in login systems. Specifically, the proposed approach uses two master keys: enable and disable. e former enables entering the actual password, whereas the latter disables the actual password. Assigning these functions to the keys adds another layer to the process of selecting a password. To enter a password, firstly, the user enters any number of random camouflage characters.
en, these camouflage characters are followed by the enable key, and this key should be followed by the password. Finally, the user enters the disable key followed by any number of random camouflage characters.
is allows a flexible password entry in terms of choosing a simple entry if needed or choosing a complex combination of characters to hide the actual password. Furthermore, the proposed approach solves one of the main weaknesses of alphanumeric passwords, i.e., having to choose a simple password to remember due to the limited capacity of the human memory (e.g., Yan et al. research work [9]). Since this paper proposes an approach against shoulder-surfing attacks, the brute-forcing attack is beyond the scope of this paper in case of applying one digit as a password. Furthermore, although this approach has been introduced in Alsuhibany's work [10,11] for shared spaces such as tabletops and pattern-based passwords, respectively, this approach is extended here in this paper for creating traditional text-based passwords for mobile devices.
Based on the proposed approach, three defensive techniques are designed and implemented for mobile devices. e first technique allows the user to specify the length of camouflage characters in which the activation and deactivation keys are reflected by a number of characters and have the same length. e second technique allows the user to specify the length of camouflage characters of both keys but with various lengths. e third technique allows the user to specify only one character as an activation key and another as a deactivation key. For testing these techniques, we developed an Android application. en, we conducted an empirical experiment for evaluating the security and usability aspects. e accomplished results showed a statistical significance difference between the three defensive techniques. In particular, the third technique was the best in terms of security and usability aspects. e rest of the paper is organized as follows. Section 2 reviews related works. e proposed approach is explained in Section 3. Section 4 shows the experimental study. e results are presented in Section 5 and discussed in Section 6. Section 7 concludes the paper.

Related Works
Researchers have been trying to boost the usability and security of authentication schemes by minimizing the vulnerability of such systems to shoulder-surfing attacks [12]. For example, Lee et al. [13] proposed a bimodal Personal Identification Number (PIN) entry method using an audio channel. eir proposed framework is different from other methods in which the audio channel only transmits the minimal required data needed for the authentication while most of the information that the user needs is transmitted via the visual channel. A study by Park et al. [14] developed a puzzle authentication method that uses a grid-based authentication scheme in which the user has to pick 4 out of 16 panels and 4 out of 16 positions. Furthermore, Kwon and Hong [15] claim that their black-and-white PIN scheme shows good results in resisting camera-based recording attacks. Moreover, Roth et al. presented in [12] cognitive trapdoor games that make shoulder-surfing attacks harder for a criminal to obtain PINs. Further, Lee and Nam proposed in [16] a method that uses a random mapping between the PIN digits and alphabets given as challenges to the user. Furthermore, the issue of the shoulder-surfing attack on authentication systems is addressed in [5] by proposing the IllusionPIN (IPIN) method, which operates on touchscreen devices. A novel PIN-based authentication mechanism for smartphones called ColorSnakes which uses fake paths on a grid of numbers to disguise user input is introduced in [17]. e results of this study reveal that this mechanism could be used as an additional authentication mechanism alongside current mechanisms. Another novel mechanism is presented in [18] called SwiPIN that allows input of traditional PINs using simple touch gestures like up or down. In addition, DRAW-A-PIN is proposed in [19] that supports the use of PINs. Similarly, a new online finger-drawn PIN authentication method is introduced in [20] which allows a user draw a PIN on a touch interface with their finger. Although the results indicated that a further study is needed to enhance the introduced method. In Binbeshr et al's study [21], a systematic review for PIN-entry methods is presented. e results showed that an evaluation framework needs to be addressed.
Besides, GazeTouchPIN proposed in [22] that combines gaze and touch input as a new secure authentication approach for mobile devices. Also, Kumar et al. presented in [23] a Gaze-Based password entry approach in order to prevent the shoulder-surfing attack. A survey on gaze-based security applications was carried out in [24] that discussed a set of opportunities as well as challenges. Likewise, the gazebased application is reviewed in [25] and classified into three categories: authentication, privacy, and gaze monitoring. An investigation for estimating the gaze of possible attackers is carried out in [26]. To support the gaze-based sensing application, a generalized framework is developed in [27].
In terms of the convenience, Yan et al. [9] stated that many of the deficiencies of textual passwords arise from the limitations of human memory. Moreover, the usability and shoulder-surfing vulnerability of text-based password entry on mobile devices are investigated in [28].
is study provided a set of insights for the security-aware design of onscreen keyboards. Furthermore, evaluations of a number of mobile devices have been performed in [6]. A study by Florencio et al. [29] reported the results of a large-scale study of text-based password. ese results include password strength and length of the chosen password. Furthermore, the password strength and user behavior are investigated in [30] using a large-scale study. Besides, the results of a user survey are discussed in [31] in which actual stories of shoulder surfing on mobile devices from both users and observers are investigated. Likewise, in 2019, a new approach to mask text passwords by distorting them by using graphical filters was proposed; that is, once the password is distorted, it can be difficult to be observed by attackers as they cannot mentally reverse the distortions [32]. Additionally, a hybrid scheme, which combines the advantage aspects of graphical-based and text-based methods, is proposed in [33]. Also, the characters of the text-based password are modified in [34] in order to provide higher entropy levels. A hybrid approach that exploits the advantages of textual and graphical passwords is introduced in [35]. A shoulder-surfing resistance scheme embedded in the textual password is proposed in [36]. e results of this study are promising in terms of both accuracy level and time.
A new one-time password method is proposed by Huang et al. [37]. In this method, they used a two-factor password system that relies on time and sequence numbers. Moreover, Aratani and Kanai [38] proposed an authentication method that used two types of channels. ey used numbers, colors, and input from the device, such as auditory information or vibrations.
Additionally, the CoverPad proposed by Yan et al. [39] for the password entry on touchscreen mobile devices. e EyePassword approach that mitigates the issue of shouldersurfing attacks is presented in [23].
is approach has empirically shown that it requires marginal additional time for any keyboard. A study in [40] examined the feasibility of such smudge attacks on touch screen.
A recent study by Pais et al. [11] introduced a camouflage pattern technique as a shoulder-surfing resistance approach for mobile devices. Despite the camouflage notion is applied in this study, it is implemented only on the pattern password method which is an alternative authentication approach for the password-based authentication scheme. Accordingly, applying camouflage notion on the password-based authentication might enhance its resistance against shouldersurfing attacks. e proposed approach in this paper, therefore, focuses on redefining the concept of alphanumeric passwords. What differentiates our approach is that the sequence of entries is not necessary. In fact, the main strength of this novel approach is that it deliberately marginalizes this sequencing requirement in passwords. Since, in the shared spaces such as tabletops, in one way or another, there is the trade-off between security and usability, and the proposed approach takes into account the compromise between the usability and security. us, the contributions of our paper are as follows: (1) introducing a camouflage text-based password approach for mobile devices against the shoulder-surfing attack; (2) based on this approach, three defensive techniques are designed, implemented, and empirically evaluated.

Camouflage Text-Based Password Approach:
An Overview e camouflage text-based password approach basically redefines the traditional password concept where what you input is what you get. Specifically, the proposed approach uses two master keys: enable (i.e., the activation key) and disable (i.e., the deactivation key). e former enables entering the actual password, whereas the latter disables the actual password. Assigning these functions to keys adds another layer to the process of selecting a password. To enter a password, firstly, the user can enter any number of random Camouflage Characters (CC). en, these camouflage characters are followed by an Activation Key (AK), and this activation key should be followed by the password. Finally, the user enters a Deactivation Key (DK) followed by any number of random CCs. Figure 1 summarizes this mechanism.
is mechanism allows flexible password entry in terms of choosing a simple entry if needed or choosing a complex combination of characters to hide the actual password. Furthermore, the proposed approach solves one of the main weaknesses of alphanumeric passwords, i.e., having to choose a simple password to remember due to the limited capacity of the human memory (e.g., [9]). As stated previously, since this paper proposes an approach against shoulder-surfing attacks, the brute-forcing attack is beyond the scope of this paper in case of applying one digit as a password.
e initial version of this approach was established in [10]. In this paper, however, we extend this approach to be applicable for mobile devices by introducing three defensive techniques. e first technique allows the user to specify the same length of camouflage characters in which the activation and deactivation keys are reflected by a number of characters. e second technique allows the user to specify the length of camouflage characters of both keys but with various lengths. e third technique allows the user to specify only one character as an activation key and another as a deactivation key. In order to define precisely each one of these techniques, the following paragraphs explore these techniques, respectively. Figure 2 shows a screenshot from the first interface of the developed application.
In the first technique (Type 1), the camouflage characters contain the activation and deactivation keys. In particular, once the last character of the first camouflage characters set is written by the user, the keyboard becomes an active amount in which the password can be typed. en, the second camouflage characters set, which reflect the deactivation key, should be written in a specific length like the first set. For example, when a user chooses "5" as a password and "4" as the length of camouflage characters, then the user can login to a system with "398157462." It is important to note that the length of camouflage characters is randomly chosen in the setting stage. Figure 2(b) illustrates the Type 1's Security and Communication Networks interface in which the user is asked to choose an ID, a password, and the length of camouflage characters and then asked to login to the system.
In the second technique (Type 2), the camouflage characters contain the activation and deactivation keys, but with a different length; that is, once the last character of the first camouflage characters is written by the user, the keyboard becomes active in which the password can be typed. en, the second camouflage characters, which reflect the deactivation key, should be written in a specific length that is determined in the setting stage. For example, when a user chooses "55" as a password, "3" as the length of the first camouflage characters (i.e., activation key), and "5" as the length of the second camouflage characters (i.e., deactivation key), then the user can login to a system with "2215537881." It is important to note that the length of camouflage characters in this technique cannot be the same. choose an ID, a password, the length of the activation key, and the length of the deactivation key and then asked to login to the system. Finally, the third technique (Type 3) is different from the above described types in which the activation and deactivation keys are independent from the camouflage characters. Specifically, the user can choose three main elements: an activation key, a password, and a deactivation key. e activation and deactivation keys should be only one digit. Characters other than these elements will be counted as camouflage characters. For example, when a user chooses "555" as a password, "2" as the activation key, and "1" as the deactivation key, then the user can login to a system with "869425551335967", where the camouflage characters can be seen clearly before the activation key and after the deactivation key. Figure 2(d) illustrates the Type 3's interface in which the user is asked to choose an ID, a password, the activation key, and the deactivation key and then asked to login to the system.
Remarkably, Type 3 is comparable with our initial version in [10], and we will highlight this in the result section. Table 1 summarizes the functionality of these techniques.
ese techniques are designed, implemented, and evaluated for mobile devices; that is, we developed an Android application which includes all aforementioned techniques. en, we conducted an empirical experiment for evaluating the security and usability aspects. It is interesting to note that although there are other platforms that can be used for the evaluation purpose such as iOS, Windows Phone, and Symbian, the Android platform takes almost 50% share of the worldwide smart phone market [41].
As stated in [42], the password strength is a combination of length, complexity, and unpredictability. erefore, in the proposed approach, the camouflage characters can generally give the illusion of added complexity and length to a chosen password, whereas the activation and deactivation keys can provide the unpredictability concept. is could have broad implications for a wide range of authentication contexts in general and password entry techniques in particular.

Experimental Study
e aim of this experimental study is to evaluate the security and usability of the proposed defensive techniques on mobile devices. e following describes specific details of the experimental setup and procedure.

Setup.
e experiment involves a number of subjects, thus the design, ID, password, participants, and system are described in this section.

Design.
We performed a within-subject lab study to compare the usability and shoulder-surfing resistance aspects of the proposed defensive techniques. In our study, we focus on the effects of design features of each technique on the efficiency, effectiveness, satisfaction, and shouldersurfing resistance.

ID, Password, and Keys.
e ID, password, and keys (i.e., activation and deactivation keys) are chosen by the users for each smart phone and defensive technique. e main reason for this is to make the experiment as realistic as possible in terms of creating an ID and a password. Moreover, in order to make the comparison of entry time for all types more meaningful, the chosen password and keys should not exceed 15 digits. is stage may potentially cause some confusion on the part of participants as they have to choose three different elements with three different functions.

Participants.
We recruited thirty five participants (4 females and 31 males, aged 21-29 years) from our campus population. e majority of participants had a computer science background.

System.
We developed and implemented an Android application for password enrolment and login according to the description in Section 3. is application then was installed on two Android OS smart phones which are as follows: HTC Smartphone and Samsung Galaxy Tab 3.

Survey.
We deployed an online survey using the Google form. e survey consists of 15 items ranked on a 5point Likert scale: strongly agree, agree, neither agree nor disagree, disagree, and strongly disagree. ese 15 items of the survey result in four scales measuring user satisfaction [43] as follows: perceived usefulness of the technique in completing the given tasks (SysUse), perceived quality of displayed information (InfoQual), interface elements (InterQual), and overall satisfaction with the technique (Overall), that is, each user is asked to complete the survey after using a defensive technique type. erefore, this survey reflects the user satisfaction and had some demographic questions.

Procedure.
e way that we ran the experiment is described, i.e., instructions to subject, procedures of both the usability and shoulder surfing, and collected data.

Instruction.
Subjects were instructed that there are two smart phones that will be utilized. In each one, there are three different defensive techniques that need to be evaluated for both the usability and shoulder-surfing aspects. e subjects were instructed that there are two sessions: the first session is for evaluating the usability, and the second session is for evaluating shoulder surfing. For the usability session, subjects were instructed to choose an ID and a password as well as the activation and deactivation keys. Subjects were instructed to give a feedback regarding each defensive technique through a given survey. For the shoulder-surfing session, subjects were instructed about the danger of shoulder surfing in public places. Subjects were instructed that they will act as shoulder surfers, while the experimenter will play the victim and enter a password for the defensive technique.

Usability Experiment Procedure.
We assessed usability of the proposed defensive technique with a consideration of quantitative and qualitative metrics. A defensive scheme's efficiency is measured by the entry time required for login; the effectiveness is assessed with the login success rate for entering a password. To measure the entry time, the developed application records the entry time automatically. In addition to these quantitative usability results, qualitative usability results are collected via a survey, which provides qualitative data on user's satisfaction based on participants rating on a 5-point Likert scale, as explained previously. us, we derive the following hypothesis for the usability aspect: (i) H 1 : significant difference exists in the entry time between the three different defensive techniques (ii) H 2 : significant difference exists in the login success rate between the three different defensive techniques e experiment began with an introductory session where participants were given a brief explanation of the proposed defensive techniques. Printed information was also supplied to support the briefings. is was followed by a short demo to show how the system works, and a quick hands-on demo took place to ensure that the participants had some experience using the developed application prototype before they engage with the actual task.
For all defensive techniques, the participants were instructed at the beginning to perform the following task: (i) Become familiar with the defensive techniques by allowing the participants to create their own passwords. en, they practice logging to the application several times. In order to ensure a consistent amount of training, each participant was allowed approximately 10 minutes (this amount of time was found to be adequate during a pilot study that we conducted).
Once the training period was over, the participants were instructed to perform the following tasks: (ii) Participants were instructed to login using their own passwords for each smart phone and defensive technique. (iii) Participants were instructed that there are three login attempts per password. e first successful login in these three attempts will be counted as a successful login. (iv) Participants were instructed to complete an online survey regarding the defensive technique they just used.

Shoulder-Surfing Experiment
Procedure. e usability experiment was followed by the shoulder-surfing experiment. We assessed the defensive technique's susceptibility to shoulder surfing with the success rate of the shoulder surfer, i.e., how well the typed password could be reproduced. In order to accomplish this, the proposed methodology in [44] is utilized where a binary metric approach is used to measure the shoulder-surfing success; that is, "1" if the participant entered the correct password within three attempts and "0" otherwise. erefore, we derive the following hypothesis: (i) H 3 : a significant difference exists in the success rate of the shoulder surfer between the three different defensive techniques Furthermore, we followed the common approach of having participants act as shoulder surfers [7,28,[45][46][47][48].
e experimenter acted as the victim to the shoulder-surfing attack throughout this experiment. e reason for having just the experimenter being the victim is to reduce the inconsistency bias produced by two different person's login skills from affecting the results. Furthermore, the experimenter underwent sufficient training to ensure constant speed in writing the passwords. e training proved sufficient as the experimenter managed to conduct the login procedure without any failed attempts. It is important to note that the experimenter was not trying to cover up the device (i.e., the smartphone or tablet) or applying any defense technique other than the one being tested. e purpose of having this scenario is to have a tight control so that the victim has no other protection method, despite the fact that in real life situations smartphone or tablet users might tilt the screen to avoid being seen. For shoulder surfers (i.e., participants), they could choose to stand in right behind the victim or behind the left or right shoulder. After entering a password by the experimenter, each participant tried to enter the observed passwords on the device, with a maximum of three attempts per password.

Collected Data.
e entry time, login success rate, users' satisfaction, and shoulder-surfing success rate were recorded.

Results
In the experimental study, all participants successfully completed their task. We first discuss in Section 5.1 the usability results of the proposed defensive techniques including testing the hypothesis with respect to the efficiency and effectiveness and testing the satisfaction of the participants. We then discuss the shoulder-surfing results of the proposed defensive techniques mainly testing the hypothesis of the shoulder-surfing success rate. 6 Security and Communication Networks

Usability Results.
is section shows the results of testing the efficiency, effectiveness, and satisfaction of the proposed defensive techniques.

Entry Time.
e average time needed to enter the password (this indicates both the password, activation, and deactivation keys) in each of three defensive techniques is shown in Figure 3. From the HTC and Tab bars, we see that Type 2 took longer time than Types 1 and 3. Also, Type 1 took longer time than Type 3. is indicates that there are implications to the applied defensive technique, but we will discuss this more precisely below. In all types, the smartphone (HTC) took more time than the tablet (Tab). e statistical significance of the time entry will be discussed now. Table 2 compares the results of both the HTC and Tab in all defensive techniques with respect to the time needed to enter the password. For this, we provide average (Avg.), standard deviation (SD), maximum (Max), and minimum (Min).
By using the HTC smartphone, we find the following with respect to the average time; it took 20.8 seconds in Type 1, 23.2 seconds in Type 2, and 18.5 seconds in Type 3. An one-way analysis of variance yielded a significant difference among the three proposed techniques (F � 27.8 and P < 0.0005) in which the F value assesses whether the expected values of a quantitative variable within several predefined groups that differ from each other, whereas P refers to the probability of getting a result at least as extreme as the one that was actually observed. is is added in the paper. On the other hand, using the tablet, we find the following: it took 18.8 seconds in Type 1, 21.5 seconds in Type 2, and 16.9 seconds in Type 3. An one-way analysis of variance yielded a significant difference among the three proposed techniques (F � 25.3 and P < 0.0005). Hence, the hypothesis H 1 , where a significant difference exists in the entry time between the three different defensive techniques, was supported.

Login Success Rate.
e login success rate is the average of successful logins over all attempts of one participant. Table 3 shows the mean values as well as the SD per technique for both the HTC smartphone and tablet.
For the HTC smartphone, an one-way analysis of variance yielded a significant difference that exists in the login success rate between all defensive techniques (F � 4.68 and P < 0.1). For the tablet, an one-way analysis of variance yielded a significant difference that exists in the login success rate between all defensive techniques (F � 4.50 and P < 0.1).
ese results supported our hypothesis 2.

Satisfaction.
e survey consists of 15 items, which result in four scales measuring user satisfaction, as we explained previously. Table 4 shows the satisfaction results of each technique.
An one-way analysis of the variance test indicates a significant difference in SysUse in all techniques (F � 28.56 and P < 0.001). Furthermore, a t-test yields a result of t � 3.94 and P < 0.001, indicating that the difference between SysUse in defensive technique 1 and SysUse in defensive technique 2 is definitely statistically significant. For InfoQual scale, an one-way analysis of the variance test indicates a significant difference in all techniques (F � 22.98 and P < 0.001). For the InterQual scale, an one-way analysis of the variance test indicates a significant difference in all techniques (F � 13.60 and P < 0.001). Finally, for the Overall scale, an one-way analysis of the variance test indicates a significant difference in all techniques (F � 59.40 and P < 0.001). Furthermore, Type 3 shows more satisfaction than other types.

Shoulder-Surfing Results.
e shoulder-surfing experiment was performed after the usability experiment. erefore, this section shows the results of the shouldersurfing success rate. e difference in how passwords are entered in all defensive techniques leads to the use of, as mentioned previously, the proposed methodology in [44] as a fair and comparable distance metric between the entered and correct password. Table 5 summarizes the total percentage of correctly guessed passwords for each technique.
A statistical test is conducted for both HTC and Tab devices. In particular, an one-way analysis of the variance test indicates that a significant difference exists in the success rate of the shoulder surfer between all defensive techniques using the HTC device (F � 2.67 and P < 0.01). For Tab device, an one-way analysis of the variance test indicates that a significant difference exists in the success rate of the shoulder surfer between all defensive techniques (F � 5.82 and P < 0.01). e results above show that our hypothesis 3 is supported. Moreover, it can be clearly observed that Type 3 in both devices is more resistant to the shoulder-surfing attack than other types.

Discussion
e accuracy obtained with our experiment indicates that using the camouflage characters can be a defensive mechanism against the shoulder-surfing attack as well as a usable method. In particular, using the proposed approach showed a significant difference among the three proposed techniques; that is, the Type 3 showed the best in the usability experiment with short password entry times, high typing accuracy, and satisfaction. Moreover, this type also showed the best in the success rate of the shoulder surfer with 8.8% compared to 29.4% and 44.1% for types 1 and 2, respectively. It might be worth to note that no hidden factors are included in the proposed techniques, and for example, Bianchi et al. [6] proposed the audio and haptic feedback that can only be available to users, as it cannot be obtained by attackers. However, the proposed camouflage characters approach in general is a challenge for attackers, as shown in our experiments. Moreover, a diversification in using the proposed techniques, along with a better understanding of how they are used, reduces the possibility of deducing the real password. Furthermore, the possible key to gain the advantage of Type 3 may be its functionality, as shown in Table 1, that is, the activation and deactivation keys are independent from the camouflage characters and more importantly, each key has only one digit. Despite this advantage, there might be some cognitive load that needs to be exerted by the person inputting the password as they need to pay attention to which keys are assigned to which roles. However, this might not be a downside as much as a strong feature of the technique since every login now is unique.
It is interesting to note that as stated in [28], the different virtual keywords used on HTC and Tablet devices can affect password entry usability and shoulder-surfing vulnerability; and this can be seen clearly in Tables 2-5.
It seems that the second defensive technique (i.e., Type 2) is extracted from the first defensive technique (i.e., Type 1). Specifically, most of their results whether in the usability aspects or in the success rate of the shoulder surfer are close   Similarly, the impact of the screen size on the usability and security aspects [28] can be reflected by the achieved results. For example, the average time needed to enter the password in the HTC device was more than in the Tab device for all types, as shown in Figure 2. Furthermore, regardless of the defensive technique used, the screen size of the tablet device might have an effect on the vulnerability to the shoulder-surfing attack, as shown in Table 5. ese results can support the results in [49]. e solution of this may be, additionally to use a defensive technique, increasing the attention of users while using devices with a large screen size.
Although creating text-based passwords on mobile devices takes significantly longer [8], we believe that the proposed defensive techniques can be suggested as a way to easy password entry for mobile users. Moreover, the implications for the design of privacy protection mechanisms due to the shoulder-surfing attack in the real world have been investigated in [31]. us, the proposed defensive techniques can be a protection mechanism against this attack. Table 6 compares our results with most related works in terms of security and usability aspects.
It is interesting to note that using the proposed defensive techniques for mobile devices can allow unlocking the mobile with only two key presses, which are the activation key and password (when not being watched), or using as many clicks an user wants when being otherwise without the need to have a separate password for each case. However, on the other side of the coin, it might be slightly complex at the early stage of usage, as users need to get used to it.
Moreover, the proposed defensive techniques provide the ability for designers to manipulate access rights without the need for any further implementations of protocols as the password entry now is not what it used to be. One of the options that can be utilized in this scheme is assigning access rights to the master keys. is allows mobile devices users, for example, to keep their sensitive data safe on their devices; that is, when the master keys are used in a certain sequence, access to the phone is only limited to making calls.

Conclusion and Future Work
e concept of alphanumeric passwords for mobile devices is redefined in this paper by proposing the camouflage character scheme. Based on this scheme, three defensive techniques are introduced. By using an Android platform, the introduced techniques are implemented. In order to evaluate the usability and security levels of the proposed approach, two experimental studies were conducted. e results of this evaluation showed that the Type 3 of the proposed defensive techniques demonstrated higher ratings  in the usability experiments with short password entry times, high typing accuracy, and high scores on its satisfaction survey. In addition, the Type 3 proved also to be the best in resisting shoulder-surfing attacks. Moreover, the results obtained with the Type 3 show the possibility of choosing very short passwords, while insuring that the password remains hidden amongst a large number of key presses. is makes passwords tend to be very long without requiring any extra memory load. Based on the achieved results, the proposed approach is recommended to be a new avenue in the field of security to produce very simple and yet very complicated passwords, to be observed by the attacker, at the same time. e proposed defensive techniques might have an advantage against smudge and thermal attacks. However, it would be investigated as one of our future works.

Data Availability
e data used to support the findings of this study are available upon request to the author.

Conflicts of Interest
e author declares that there are no conflicts of interest regarding the publication of this paper.