Wearable augmented reality (AR) devices provide users a way to utilize computing resources while taking advantage of the world around them through context sensitivity. These AR devices, utilizing traditional technologies such as wi-fi and webbrowsers, often rely on users to enter an alphanumeric username and password via a keyboard mechanism provided by the device. We explore the security of a head-worn wearable AR device and keyboard mechanism available in the Microsoft Hololens. Specifically, we explore the feasibility of password compromise through a shoulder surfing attack, the unknown observation of a user during the password entry process. We find that from a set of commonly used passwords, it is relatively easy to identify the password the user entered through recorded observation of the process. Additionally, when it was attempted to obfuscate the finger used to select the character in the AR keyboard, it was still possible to develop a guess as to what password was entered, as the user’s head motions used in the character selection process were still observable.
Kreider, Christopher, "THE DISCOVERABILITY OF PASSWORD ENTRY USING VIRTUAL KEYBOARDS IN AN AUGMENTED REALITY WEARABLE: AN INITIAL PROOF OF CONCEPT" (2018). SAIS 2018 Proceedings. 23.