Authentication for wearable devices

Developed and evaluated numerous authentication methods for wearables like smartwatches. Explored their security and usability through comprehensive user studies.

IllusionPIN: Shoulder-Surfing Resistant Authentication Using Hybrid Images

IllusionPIN is a new PIN-based authentication method that is resilient against shoulder-surfing and surveillance video threats. IllusionPIN deploys a hybrid-image keyboard that appears one way to the close-up user and differently to an observer at a distance of three feet or greater.

Cross-platform Phishing

Explored a new and highly deceptive phishing attack that first exploits the trust between different platforms/services to bypass spam filtering and second, leverages the trust between users and the services they use to phish them. For example, a GitHub user who receives an email sent by GitHub notifying them about a pull request on a project of interest is likely to click on a link embedded in the email. Not only can this email be triggered by any malicious adversary, it can also be customized to embed phishing links or even innerHTML. Our pilot study showed a 100% delivery rate and a 100% click-through rate.

Finger-drawn PIN Authentication

Draw-A-PIN is a new authentication mechanism for mobile devices which allows users to draw their PIN on a touch screen instead of typing it. Our method offers better security by utilizing drawing traits or behavioral biometrics as an additional authentication factor beyond just the secrecy of the PIN. In addition, Draw-A-PIN inherently provides acceptability and usability by leveraging user familiarity with PINs.

Verification Code Phishing Attack

We investigated a phishing attack in which attackers bypass 2-factor authentication by luring users into forwarding to them the verification codes delivered via SMS messages. We found an attack that can lure 50% of the users into giving up their verification codes. We found that our robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google’s standard second-factor verification code messages.




I’ll try to release all data of my research. Please reach out to me if you’re interested in any data set from my publications.

Finger-drawn PIN Authentication (Draw-A-PIN) dataset

This is the data set collected and used in the Draw-A-PIN paper. Download link:

“Kid on The Phone” dataset

This is the data set collected and used in the “Kid on The Phone” paper. Download link: