Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing

There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth's usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69-3.5 s using controller tapping, 2.35-4.68 s using head pose and 2.39-4.92 s using eye gaze, and highly resilient to observations: 96-99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45(n) for an n-symbols password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

Automated summary

RubikAuth is a fast and secure authentication scheme for virtual reality, where users select numbers from a virtual 3D cube for authentication. The scheme is highly resilient to observation attacks, with a large theoretical password space.