This work addresses the vulnerability of password-based authentication in virtual reality (VR) to keystroke inference attacks, for which existing defenses offer limited efficacy. The paper proposes VRSafe, a novel QWERTY virtual keyboard scheme that introduces, for the first time in VR, a controlled decoy keystroke obfuscation strategy. During user input, VRSafe dynamically injects deceptive keystrokes to obscure genuine keypresses while incorporating a lightweight malicious login detection module to identify credential theft attempts in real time. Experimental results demonstrate that VRSafe substantially reduces attackers’ inference accuracy with only minor usability overhead, achieving high detection rates and low computational resource consumption.

Password-based authentication is one of the most commonly used methods for verifying user identities, and its widespread usage continues in virtual reality (VR) applications. As a result, various forms of attacks on password-based authentication in traditional environments such as keystroke inference and shoulder surfing, are still effective in VR applications. While keystroke inference attacks on virtual keyboards have been studied extensively, few efforts have developed an effective and cost-efficient defense strategy to mitigate keystroke inferences in VR. To address this gap, this paper presents a novel QWERTY keyboard called \textit{VRSafe} that is resilient to keystroke inference attacks. The proposed keyboard carefully introduces false positive keystrokes into the information collected by attackers during the typing process, making the inference of the original password difficult. \textit{VRSafe} also incorporates a novel malicious login detector that can effectively identify unauthorized login attempts using credentials inferred from keystroke inference attacks with high detection rate and minimal time and memory cost. The proposed design is evaluated through both simulation experiments and a real-world user study, and the results show that \textit{VRSafe} can significantly reduce the accuracy of keystroke inference attacks while incurring a modest overhead from a usability standpoint.