The Secret Security Wiki


Shoulder Surfing

Shoulder surfing is the term used to describe one person observing another person’s computer or mobile device screen and keyboard to obtain sensitive information. Direct observation can be done by simply looking over someone’s shoulder – hence shoulder surfing – or using binoculars, video cameras (hidden or visible), and other optical devices.

Typically the objective of shoulder surfing is to view and steal sensitive information like username and password combinations that can later be used to access a user's account. Credit card numbers, personal identification numbers (PINs), and the personal information used to answer security questions (like a middle name or birth date used for password recovery) are also targeted.

Shoulder surfing can be done by someone with malicious intent, in which case it can result in a security breach. Seeing a password or responses to security questions allows an attacker to access an account or reset a password. Shoulder surfing can also be done by a curious or nosy bystander, in which case it is simply an intrusion on privacy. Having your bank balances, paycheck, or medical history viewed by a nosy guy at the airport is considered by most to be unpleasant.

If you’ve ever had an IT person help you troubleshoot a problem on your PC or install a new app, then you might be familiar with the uneasy feeling when you’re asked to enter your password as the IT guy is looking at you doing this. This is shoulder surfing, only without the malicious intent.

Protecting against shoulder surfing is not always easy. Simple methods like adding a privacy screen protector can help limit the field of view to your screen, but they will not protect your keystrokes from being observed. More elaborate and expensive methods include gaze-based password entry, which makes password entry hard to observe, but it is very rare and used only in extraordinary situations.

Adding two-factor authentication will make it harder for an attacker to use stolen passwords or security questions but will not prevent shoulder surfing.

Passwordless authentication eliminates the use of passwords and therefore takes away the risk associated with stolen passwords altogether, including those obtained by shoulder surfing. That said, it will not prevent shoulder surfing from being used to steal other sensitive data, like responses to security questions, nor will it prevent the unpleasant intrusions on privacy that shoulder surfing causes.