cLock: Single-Handed Two-Factor Authentication in VR Using Wrist Rotation and Multi-Finger Tapping

As Virtual Reality (VR) devices become increasingly shared among users, there is a pressing need for authentication methods that balance security, usability, and privacy while accommodating VR's unique interaction constraints. This paper presents cLock, a novel single-handed two-factor authentication technique in VR that allows users to enter PINs with multiple cursors on a virtual circular numpad through wrist rotation and finger tapping. We first optimized the UI design of cLock by comparing participants' input performance with different UI parameters. We then extracted spatiotemporal behavioral features of both fingers and palm during PIN entry, which facilitated cLock's authentication algorithm. In the usability evaluation with four input postures, cLock achieved significantly faster authentication speed than laser and touch-based baselines, without sacrificing accuracy. Meanwhile, it was most preferred by participants in terms of privacy, social acceptance and physical effort. A following evaluation of security demonstrated that cLock achieved a deciphering rate of only $1 / 8$ of the baselines against shoulder-surfing within 1 m. Even in scenarios of password leakage, cLock could still achieve an FAR of 2.3% and FRR of 3.2% with 20 registered users. A final 11-day study verified the longitudinal stability of cLock.