Came across another interesting bit on Dark Reading about a new type of authentication, actually more of a prototype, one which is expected to solve the problems generated from everything from keylogging malware to spyware to shoulder surfing. The system is called Undercover, and instead of hiding the users input, it hides the authentication questions.
I know, you're probably saying, Whatchoo talking 'bout Willis? The system was developed by Nicolas Christin and two graduate students at Carnegie Mellon University (where there has never been a highly publicized breach that I can recall). "I am a bit nervous every time I withdraw money from an ATM," Christin said. "Crooks can see me type my 'secret' PIN and very easily figure out what it is, which becomes a big problem if they also gain access to my card number."
The system enlists a combination of visual and tactile signals in the authentication process, working with a trackball controlled by Lego Mindstorm NXT robot and displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. To combat shoulder surfing, the user's hand has to fully cover the trackball for it to function,.
The folks at CMU tested this system against a PIN system with 38 users, and we're able to hack all of the PIN authentications, but were rarely able to hack the Undercover method (in this test, it seems like the researcher were instructed to directly observe the person authenticating themselves).
More detail is expected in April.