Shoulder surfing (computer security)

Attackers need no technical skills to perform this method; keen observation of the victim's surroundings and typing pattern is sufficient.

A hidden camera allows the attacker to capture the whole login process and other confidential data of the victim, which ultimately could lead to financial loss or identity theft.

The relative motion and position of the center of the pupil and the glint are used to estimate the gaze vector, which is then mapped to coordinates on the screen plane.

Researchers proposed ways to counter shoulder surfing on mobile devices by leveraging the front-facing camera for gaze-based password entry.
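The pupil-glint mapping and its use for gaze-based entry can be sketched as follows. This is an added example, not code from the article or from the cited research: the affine calibration model, the 3x4 keypad layout, all function names and the calibration values are assumptions constructed for illustration.

```python
# Added example: PCCR gaze mapping for gaze-based PIN entry (all values are assumptions).
def solve3(a, b):
    """Solve a 3x3 linear system by Gauss-Jordan elimination with pivoting."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for c in range(3):
        p = max(range(c, 3), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(3):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][3] / m[i][i] for i in range(3)]

def calibrate(samples):
    """Least-squares fit of screen = A @ [dx, dy, 1], where (dx, dy) is the
    pupil-centre minus glint vector. samples: (pupil, glint, screen_point)."""
    feats = [(p[0] - g[0], p[1] - g[1], 1.0) for p, g, _ in samples]
    ata = [[sum(f[i] * f[j] for f in feats) for j in range(3)] for i in range(3)]
    rows = []
    for axis in (0, 1):
        atb = [sum(f[i] * s[2][axis] for f, s in zip(feats, samples)) for i in range(3)]
        rows.append(solve3(ata, atb))
    return rows

def gaze_point(coeffs, pupil, glint):
    """Map one eye-image measurement to (x, y) on the screen plane."""
    f = (pupil[0] - glint[0], pupil[1] - glint[1], 1.0)
    return tuple(sum(c * v for c, v in zip(row, f)) for row in coeffs)

def key_at(point, cell=100, layout=("123", "456", "789", " 0 ")):
    """Return the keypad digit under a screen point, or None if off-key."""
    col, row = int(point[0] // cell), int(point[1] // cell)
    if 0 <= row < len(layout) and 0 <= col < len(layout[row]):
        return layout[row][col].strip() or None
    return None

# Constructed calibration data: the user fixates five known screen targets.
# The glint position differs between samples, as it would with head movement.
CALIBRATION = [
    ((315, 234), (320, 240), (50, 50)),   ((327, 236), (322, 242), (250, 50)),
    ((318, 239), (318, 239), (150, 200)), ((316, 247), (321, 241), (50, 350)),
    ((324, 244), (319, 238), (250, 350)),
]

if __name__ == "__main__":
    A = calibrate(CALIBRATION)
    fixations = [((320, 234), (320, 240)), ((335, 252), (330, 250))]
    print([key_at(gaze_point(A, p, g)) for p, g in fixations])
```

Because the feature is the difference between pupil centre and glint, a uniform shift of both in the camera image leaves the selected key unchanged.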

This anti-shoulder surfing security method was developed based on survey results of users' affinity of choices,[11] and through observation of the way children paint pictures.

Swipe Scheme is implemented in Microsoft Windows 8, and in later versions it is known as Picture Password; however, it has drawn criticism for requiring the user to use a secure enough gesture.

Despite the common belief that nondictionary passwords are the most secure type of password-based authentication, the results demonstrate that they are, in fact, the most vulnerable configuration to shoulder surfing.

A personal identification number (PIN) is used to authenticate oneself in various situations, such as withdrawing or depositing money from an automatic teller machine, or unlocking a phone, a door, a laptop or a PDA.

Another example, used in ATMs and some entry systems, is the metal PIN pad, which makes thermal camera attacks nearly impossible due to its material,[19] shielding, reflectivity or internal heating.

A user could wear a virtual reality headset to mitigate the issues of shoulder surfing; however, gesture controls, buttons pressed, and voice commands could still be attacked.