Sequential Gestural Passcodes on Google Glass
Abdullah Ali · 2015 · ASSETS '15: Proceedings of the 17th International ACM SIGACCESS Conference on Computers & Accessibility · doi:10.1145/2700648.2811326
Summary
This poster paper presents a prototype authentication system using Google Glass to help people with visual impairments access online accounts while protecting against shoulder surfing attacks. The author identifies two intersecting problems: blind users face difficulties entering alphanumeric passwords due to screen reader issues with login forms, and all computer users are vulnerable to shoulder surfing—observers watching password entry to steal credentials. Strong passwords that resist guessing are also hard to memorize, compounding the challenge.
The proposed solution leverages Google Glass's unique form factor for accessible, private authentication. Users authenticate by performing a sequence of directional gestures (forward, back, up, down) on the Glass touchpad. Feedback is delivered privately through the bone-conduction earpiece, completely obscured from observers. Critically, the authentication gestures are identical to those used for normal Glass navigation, increasing ambiguity—an observer cannot easily distinguish authentication from ordinary device use.
The system comprises three components. The Google Glass application captures gesture sequences, stores passcodes locally, and provides audio feedback; it can be launched via voice command or touchpad navigation. A web server stores account URLs and passwords and manages one-time-use authentication tokens. A browser extension detects active password fields on web pages, checks for valid tokens, retrieves the corresponding password from the server, and fills the field automatically. After successful password retrieval, the token is immediately destroyed, preventing replay attacks.
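
The three-component flow described above, sketched as an added example (not code from the paper or its prototype): a gesture passcode checked locally, a one-time token issued on success, and a redemption step that destroys the token so a replay fails. The class names, the salted PBKDF2 storage, the 30-second token lifetime and the way the token reaches the extension are assumptions made for illustration; the vault entry is constructed sample data.

```python
import hashlib, hmac, secrets, time

GESTURES = {"forward", "back", "up", "down"}  # the four touchpad directions

class GlassApp:
    """Stand-in for the Glass app: keeps the passcode locally, salted and hashed."""
    def __init__(self, passcode):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(passcode)

    def _hash(self, gestures):
        if not gestures or any(g not in GESTURES for g in gestures):
            raise ValueError("passcode must be a non-empty sequence of known gestures")
        return hashlib.pbkdf2_hmac("sha256", ",".join(gestures).encode(), self._salt, 100_000)

    def authenticate(self, gestures, server):
        # Constant-time comparison; a fresh one-time token is issued only on a match.
        if hmac.compare_digest(self._hash(gestures), self._digest):
            return server.issue_token()
        return None

class TokenServer:
    """Stand-in for the web server: password vault plus one-time tokens."""
    def __init__(self, vault, ttl=30.0):
        self._vault = vault   # {origin URL: password}
        self._tokens = {}     # {sha256(token): expiry}; raw tokens are never stored
        self._ttl = ttl       # assumed lifetime in seconds; the page gives none

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).digest()

    def issue_token(self, now=None):
        now = time.monotonic() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = now + self._ttl
        return token

    def redeem(self, token, origin, now=None):
        now = time.monotonic() if now is None else now
        # pop() destroys the token on first presentation, even if the lookup then fails.
        expiry = self._tokens.pop(self._key(token), None)
        if expiry is None or now > expiry:
            return None
        return self._vault.get(origin)

if __name__ == "__main__":
    server = TokenServer({"https://mail.example": "constructed-password"})  # constructed data
    token = GlassApp(["forward", "up", "up", "back"]).authenticate(["forward", "up", "up", "back"], server)
    print(server.redeem(token, "https://mail.example"), server.redeem(token, "https://mail.example"))
```

Removing the token before any other check makes redemption fail closed: an unknown origin or an expired token still consumes it, so a captured token has no second use.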
Key findings
The paper positions this work against prior accessible authentication research. Kuber et al. developed tactile authentication for blind users that improved security against shoulder surfers, but their system required mouse interaction, which proved problematic for the target population. Wobbrock's TapSongs used rhythm-based tap sequences on a single binary sensor as passcodes, demonstrating that non-alphanumeric authentication is viable. Bailey et al. previously used Google Glass for authentication but relied heavily on the visual display, making their approach inaccessible to blind users.
The design offers several advantages for blind users. The Glass touchpad is easy to locate by touch and does not require visual targeting. Audio feedback eliminates dependence on screen readers or visual confirmation. The same wearable device works across multiple computers and accounts, providing a universal authentication method that travels with the user. The gesture vocabulary is simple (four directions) but can be combined into arbitrarily long sequences for security.
The system was in prototype stage at publication, with user testing planned. The proposed evaluation would distribute Google Glass devices to blind participants for extended use (weeks) across home and work/school computers, with regular usability feedback and entry/exit interviews.
Relevance
This work addresses an underexplored intersection of accessibility and security. Authentication systems are often designed without considering how blind users interact with login forms, screen readers, and password managers. The observation that security threats like shoulder surfing may actually be reduced when using devices with private feedback channels (bone-conduction audio, head-mounted displays) suggests that accessible design and security can be complementary rather than competing goals.
For practitioners, the core insight is valuable: wearable devices with private output modalities offer opportunities for authentication that neither standard keyboards nor touchscreens can match. While Google Glass itself is no longer consumer-available, the conceptual framework applies to other head-mounted wearables and earbuds with gesture controls. The one-time token architecture also demonstrates how to bridge wearable authentication with existing web infrastructure.
Tags: blindness · authentication · security · wearable computing · gesture interaction · Google Glass · password · shoulder surfing