Abstract
Personal Identification Number (PIN) authentication remains widely used despite its vulnerability to shoulder surfing and recording attacks, due to the repeated exposure of static PINs in traditional systems. To address this, we propose a novel visual challenge-response PIN authentication system that generates a one-time PIN (OTP) for each session using a lightweight addition modulo 10 operation. Unlike prior approaches, our system requires no extra hardware, completes authentication in a single round, and maintains compatibility with regular PIN entry. We evaluate two design variants, TablePIN and RegularPIN, in a controlled user study with 30 participants. The results show 100% resistance to shoulder surfing attacks and over 80% resistance to recording attacks for hard PINs, with usability metrics including average login times under 15 s and success rates above 90%. User feedback indicates a strong preference for using the system in high-security contexts. We also introduce a PIN strength checker, which complements the system by helping prevent the use of weak, easily guessable PINs. Overall, the proposed system achieves a strong balance between usability and enhanced security, making it a viable alternative to traditional PIN authentication methods.
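To make the mechanism in the abstract concrete, here is an added illustration (not the paper's code) of an addition-modulo-10 challenge-response exchange together with a simple PIN strength check. It assumes 4-digit PINs, one random challenge digit per PIN position, and strength rules (identical digits, sequential runs, repeated halves, a small constructed list of common PINs) that are our own, not the paper's checker.

```python
"""Added example, not the paper's implementation: one-time PIN via
addition modulo 10, plus a toy PIN strength checker.
Assumptions: 4-digit PINs; the challenge is one fresh random digit per
PIN position; the strength rules and COMMON_PINS are constructed here."""
import hmac
import secrets

PIN_LENGTH = 4

# Constructed sample list of frequently chosen PINs (assumption, not from the paper).
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777", "2000", "2580"}


def generate_challenge(length: int = PIN_LENGTH) -> list[int]:
    """Server side: fresh random digits, valid for this session only."""
    return [secrets.randbelow(10) for _ in range(length)]


def compute_response(pin: list[int], challenge: list[int]) -> list[int]:
    """User side: each response digit is (PIN digit + challenge digit) mod 10."""
    if len(pin) != len(challenge):
        raise ValueError("PIN and challenge length mismatch")
    return [(p + c) % 10 for p, c in zip(pin, challenge)]


def verify_response(stored_pin: list[int], challenge: list[int],
                    response: list[int]) -> bool:
    """Server side: recompute the expected OTP for this challenge and
    compare in constant time. A response replayed from an earlier session
    only matches if the fresh challenge happens to be identical."""
    if len(response) != len(stored_pin):
        return False
    expected = "".join(map(str, compute_response(stored_pin, challenge)))
    return hmac.compare_digest(expected, "".join(map(str, response)))


def pin_strength_issues(pin: list[int]) -> list[str]:
    """Return reasons a PIN is weak; an empty list means no rule fired."""
    issues = []
    if len(set(pin)) == 1:
        issues.append("all digits identical")
    # A constant step of +1 or -1 (mod 10) between digits is a sequential run.
    diffs = [(b - a) % 10 for a, b in zip(pin, pin[1:])]
    if len(set(diffs)) == 1 and diffs[0] in (1, 9):
        issues.append("sequential run")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        issues.append("repeated half")
    if "".join(map(str, pin)) in COMMON_PINS:
        issues.append("commonly chosen PIN")
    return issues


def run_session(stored_pin: list[int]) -> bool:
    """Stand-alone demo of one login round: challenge, response, verify."""
    challenge = generate_challenge(len(stored_pin))
    response = compute_response(stored_pin, challenge)  # the user does this mentally
    return verify_response(stored_pin, challenge, response)


if __name__ == "__main__":
    pin = [4, 8, 2, 9]
    print("strength issues:", pin_strength_issues(pin))
    print("login ok:", run_session(pin))
```

The constant-time comparison and the per-session challenge are the two server-side points a reviewer would check; the strength rules are deliberately simple placeholders for whatever policy the deployed checker enforces.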
| Original language | English |
|---|---|
| Article number | 100505 |
| Journal | Array |
| Volume | 27 |
| DOIs | |
| State | Published - Sep 2025 |
Bibliographical note
Publisher Copyright: © 2025 The Authors
Keywords
- Authentication
- Challenge response
- OTP
- PIN password
- Recording attack
- Shoulder surfing
ASJC Scopus subject areas
- General Computer Science