This thought ran through my mind recently when I witnessed an employee - in a very busy ticketing area - casually double-tapping a certain spot on a kiosk's touchscreen. A keyboard opened asking for input of a password. Curiosity led to me continue watching as he proceeded to enter the password and access the local administrative menu. I quickly jotted a note of what I saw for possible future testing.
One night a few weeks later, I was at the airport and found nobody in the ticketing area. A good time for my test...
Years ago I developed kiosk applications for colleges & universities as well as for Sprint retail stores. It's common practice to code in a "hot spot" somewhere on the screen to bring up a keyboard allowing for input of a password to access the admin menu (more examples here and here). It might require a double-tap or triple-tap in a single spot, or a combination of taps in different spots. The admin password itself is often something simple, such as the name of the business, the street number of the building, or the store number (if a retail store).
Moral of the story for kiosk admins: Be aware of shoulder surfing!