Abstract
Despite being one of the most crucial parts of online transactions, the most used authentication system, the username and password system, has shown itself to be weaker than ever. With the increase of processing power within computers, offline password attacks such as dictionary attacks, rainbow tables, and hash tables have become more effective at divulging account information from stolen databases. This has led to alternative solutions being proposed, such as logging in with a social media account or using password managers, which do not replace the password entirely. Graphical alternatives have previously been proposed, but none of them have become widely used. In a previous paper we proposed our own alternative called “Grid Authentication”, which allows users to authenticate using a sequence of clicks on a colored Grid and was shown to be resistant against offline password attacks. Now we have implemented Grid Authentication, tested its memorability, and recorded user sentiment data. Participants logged in using a newly created password, an 8-character password randomly generated for them, and the Grid Authentication scheme, for three days each, once per day. We found that overall, Grid Authentication’s memorability was comparable to a user-chosen password, and far superior to the randomly generated 8-character password. We also observed that users’ overall sentiment towards Grid Authentication increased significantly after three days of regular use. Despite this, while sentiment about the system was overall positive, users perceived that they remembered their chosen password more easily, which perhaps hints at why alternative authentication types have not become widely used.
1 Introduction
With the expansion of internet usage, verification of a user’s identity has become a critical process for both privacy and security. The amount of personal information associated with both social media and business accounts has steadily increased as the internet has become more critical for daily activities. The most common verification process used online is the username and password, which allows a user to authenticate themselves with a public alias and a private string of characters. Unfortunately, this method has become vulnerable to cyber-attacks.
As technology has expanded and as both computational and processing power has increased, passwords have become significantly less effective at preventing account breaches. Both password breaches, such as the RockYou [1] and LinkedIn [2] breaches, and academic research have allowed us to understand human tendencies when creating passwords [3]. The combination of increased knowledge about password tendencies and database breaches has made offline password attacks extremely effective. Some rigs have even been able to crack all keyboard-typeable 8-character passwords within a single day [4]. Breaching an account can reveal first names, last names, phone numbers, bank account numbers, and even credit card information. The username and password scheme must either be significantly reinforced or replaced entirely to ensure the future confidentiality of a user’s personal accounts.
Passwords have several critical issues that put users at risk. The primary problem stems from memory. Passwords commonly contain words, phrases, and personal information. While this helps users memorize their password, it also gives attackers hints and tools to breach an account. The use of words and phrases within passwords makes offline password attacks such as dictionary attacks and hash tables more effective than if the passwords were made of random characters. Secure passwords often must be long, randomized, unique, and contain symbols. These passwords tend to take a significant time to remember [5]. When a user creates a complex password, they tend to reuse the password over multiple accounts [6]. Alternatively, users may write their passwords down and leave them in potentially insecure locations [7].
Companies have attempted to mitigate poor password security by creating security standards such as forcing users to create complex passwords and making them change their passwords regularly. At face value, these protocols were thought to help secure the system. Research has observed otherwise. Instead, these measures have led to written-down passwords and to new passwords easily derived from previous passwords, such as by changing a single number [7].
Multiple solutions have been suggested to assist in solving the password crisis. Some solutions, such as social login and password managers, fail to solve the problem. They create a bottleneck where if one password is breached, then all accounts can be accessed, and they pose significant downsides such as privacy issues with social logins [8] and insecure implementation with password managers [9, 10]. Other mechanisms such as fingerprint and iris scanning require significant amounts of processing power and have their own separate privacy issues, requiring companies to store biometric data [11].
Graphical authentication methods may hold a solution. Significant research has been done within this topic. However, despite multiple variations of this type of system showing that users can memorize graphical passwords, these types of alternatives have yet to be widely implemented. In a previous paper we proposed a graphical system that would prevent offline password attacks without sacrificing memorability, called Grid Authentication [12]. To understand memorability and user sentiment towards Grid Authentication, we recruited users both offline and through Mechanical Turk. In our experiment, users logged into an experimental system using three methods: a password they chose, a randomly generated password, and Grid Authentication. Fifty-five users entered the initial experiment, and 46 users completed the entire experiment.
This paper’s purpose is to show that our system is as memorable as a user-created password and to gather user sentiment data on it. The rest of this paper is organized as follows: Sect. 2 covers related work about graphical authentication, Sect. 3 presents our experiment design, Sect. 4 describes our implementation of Grid Authentication, Sect. 5 covers the results of the experiment, and Sect. 6 offers discussion and interpretation of the results, covers the limitations of our study, and concludes the paper.
2 Related Works
In reviewing other graphical authentication systems, we found three primary categories: locimetric systems, cognometric systems, and drawmetric systems [13]. Cognometric systems primarily focus on users recognizing a preselected target to authenticate themselves. Locimetric systems focus on identifying a specific point within a predefined image. Drawmetric systems require the users to draw something freehand or with a guide.
Locimetric authentication systems were often observed to have predictability issues. When focusing on singular points on an image, users projected their focus onto predictable areas [14]. When picking a specific area of an image, it was found that users heavily selected brighter areas of a picture, influencing the points chosen [15]. Furthermore, users struggled to remember exact locations within the image. Instead, they were able to remember relative locations. An experiment done with Jiminy templates, which used a thin plastic square with small holes placed on a grid of letters, found that one third of the participants were not able to give exact locations after a month but remembered general locations [16]. GrIDSure, a one-time pin mechanism which used a grid of numbers, had similar issues. This system would have users log in by entering a pin designated by predetermined locations in a predetermined order. Research observed that the relative shape of the pattern was memorized, but often the specific order was incorrect, further reinforcing the conclusions made within the Jiminy template study. Overall, these systems seem to have both predictability issues and memorability issues.
Cognometric systems rely primarily on user recognition over memorization. Users would remember a target image and recognize it later. Passfaces, a technique that uses a grid of faces, is a primary example of a cognometric system. Users would select a face, then choose it amongst distractors to log in. This system was shown to be memorable but had no clear advantage over traditional authentication systems [13]. Further studies showed that users tended to select faces of their own gender and race, causing a predictability issue [17]. Another example of this type of system is Déjà Vu [18]. This system used abstract images instead of faces, and used five selections instead of a single image. Users seemed to like this system more than passwords after a week of interactions [13], but it was also observed that the results were not fully substantiated [19]. These types of systems, if properly implemented, may make a viable password replacement.
Drawmetric systems have been considered to have a significantly larger password space than passwords, but fail in both memorability and accuracy. Draw-a-Secret is a clear example of this. It authenticates a user using a sequence of pen strokes on a blank grid, accounting for both the order and the locations of where lines were crossed [20]. User evaluation of this method found that this mechanism was less memorable than traditional authentication systems [21]. Scribble-a-Secret is another system which foregoes the grid and uses machine learning to approximate a user’s design instead [22]. The best accuracy ratings they were able to achieve were a 2.6% false acceptance rate and a 2.8% false rejection rate. The registration process took significantly longer, requiring a training period. In conclusion, drawmetric systems are not viable password replacements.
3 Grid Authentication Experiment Design
We created a three-part experiment that took place over ten days to gain insight into user sentiment about Grid Authentication and to test its memorability. Users registered with an experimental website that instructed them to log in to their account using various login methods. They were given instructions in the main area of the site each day, as shown in Fig. 1. Participants created an account with a username and a password they chose. At this point, they were explicitly instructed not to reuse passwords or usernames from other accounts. It was also explicitly mentioned that they should not write down any authentication information beyond their username.
The first day was an initial day that simply set participants up within the website. Through this, they familiarized themselves with how they would receive instructions. We compared Grid Authentication to both passwords that users would regularly use and randomized passwords that would be harder to break.
A one-day waiting period preceded their first day of logging in. After this initial period, on days one through three, users logged into our website using their user-chosen password. On day three, each user was provided an 8-character password that was randomly generated from all 95 printable keyboard characters. To ensure that the difficulty remained consistent between all users, each user was given the same 8-character password. On days four through six, they logged in using this randomized password. On day six, users were introduced to Grid Authentication, implemented as specified in Sect. 4 of this paper. They re-registered on a different portion of the same website using Grid Authentication’s registration process. Finally, on days seven through nine, they logged in using Grid Authentication.
To gain insight into user sentiment, we asked users to take part in a survey both after their initial registration and after the experiment. We asked questions about users’ overall opinion of the registration process, the login process, perceived login speed, and their overall sentiment towards Grid Authentication.
Since we wanted to see if users could remember a particular password at all, no password reset function was provided within the website. Users were instructed to attempt logging in up to 5 times (and were told to contact a support email if they needed more attempts). The system recorded whether a user attempted to log in, and how many times they attempted to log in. Once the count reached 5 attempts, the user was allowed into the website and their password or click sequence was displayed in the instruction area.
4 Grid Authentication Implementation
To display a user’s Grid, we use a modal which is accessed through a “log in” button at the top right of the website. Visual examples of both the registration page and login area can be viewed in the Appendix. To implement this system, we created a basic PHP website supported by a MySQL database.
Our design of Grid Authentication primarily comes from our previous paper [12]. Figure 2 depicts both a technical view and a user view of Grid Authentication’s interface. From the technical perspective, Grid Authentication consists of a table structure which contains a set number of characters. Each character is randomly generated via a predetermined mechanism. The total set of characters used to generate the Grid will be referred to as the “character set”. To create a user’s “password”, which we will refer to as a “click sequence”, a user interacts with a set of tiles, whose characters are concatenated together in the order they were interacted with. In the example in Fig. 2, three letters are used per box, and there were 6 user interactions, resulting in an 18-character-long click sequence. From the user view, we can see that each box is colored, and the characters are hidden. In this implementation of the Grid Authentication scheme, users were able to choose their own coloration using a JavaScript color chooser. This allows users to focus on the Grid’s coloration instead of trying to memorize a long string of characters. The set of colors that were chosen for a particular Grid will be further referred to as a “color set”. Finally, for storage purposes, the character set, click sequence, and color set are all associated with an identifier. An example of how Grid Authentication information was stored in an SQL table, and an alternative implementation using Firebase, is shown in Fig. 3.
The registration and login processes for Grid Authentication act similarly to usernames and passwords. During the registration process, the user creates some set of information they must memorize and associates it with a username. Then when the user logs in, they must repeat the same task. The main differences from the user perspective are that registration adds a level of customization and that users create and enter click sequences instead of a traditional password.
However, from the server-side perspective, there are some major differences within the registration process and login process. Figures 4 and 5 explain these processes in detail. As shown in Fig. 4, during registration, a random generation process must occur. Then, after the user chooses their tiles, the tile locations must be transferred to the server, and the click sequence must be generated and stored. Because of the customizability during registration, a user cannot log in with a single form. Instead, visitors input their username and are given their corresponding Grid color set. From here, as shown in Fig. 5, the Grid with the appropriate color set is displayed. The user creates their pattern. The individual tiles are converted to their click sequence, and the result is compared to the one within the database. If the converted click sequence is the same as the one stored within the database, the user can log in.
5 Results
Our study protocol was reviewed and approved by our Institutional Review Board (IRB). In our experiment, we had a total of 71 users registered through the website, 49 users registered within the Grid Authentication site, and 46 users who completed the entire study. Seventy percent of our participants were male, and 30% were female. A significant percentage of the participants had several online accounts, with over 80% having seven or more accounts. However, this group also tended to reuse passwords when prompted about their password usage. Fifty-six percent of participants held between 3 and 6 passwords despite most users having over seven accounts. We asked these questions to re-establish why a password alternative is needed.
5.1 Memory Experiment
Users were generally able to remember their click sequences and user-chosen passwords easily. Randomly generated passwords were harder to remember than the click sequence and user-chosen passwords. Table 1 shows the number of login attempts and the number of login failures. There was a significant spike in users who forgot their password on days 4 through 6, when the passwords switched to randomly generated ones, with 26 users unable to remember their password on day 4. User-chosen passwords and Grid Authentication click sequences had only five instances of users not remembering their passwords throughout the entire experiment. Notably, we observed that users of Grid Authentication were more likely to fail a login attempt at least once in comparison to traditional passwords, likely due to the new user experience.
When we asked about login performance within the survey, user opinion lined up with the data collected through the website. We asked users how long it took to remember each login mechanism. As shown in Table 2, users reported that both Grid Authentication click sequences and chosen passwords were mostly memorized within one to three hours of choosing them, and most users claimed that they were not able to remember the randomized password at all.
Despite performance being similar between both mechanisms, when participants were asked to rank all three systems by memorability, user-chosen passwords were clearly chosen over Grid Authentication both after registration and after the experiment. Out of 41 responses, 11 users stated Grid Authentication was easiest to remember, 2 users stated the randomized password was easiest to remember, and 28 users stated that their chosen password was easiest to remember. Five users found that Grid Authentication was the hardest system to remember, 36 users found the randomized password was the hardest to remember, and no users found their user-chosen password the hardest to remember. In the middle, 25 users believed that Grid Authentication was the second most memorable, 2 users believed that the randomized password was the second most memorable, and 14 users said that their chosen password was the second most memorable.
As an additional point, we asked participants if their Grid’s coloration assisted them in memorizing their click sequence. Out of 46 responses, 28 participants stated that it significantly helped, 9 users said it somewhat helped, 3 had no opinion, and 6 users stated that coloration did not help in memorizing their click sequence.
5.2 Sentiment Analysis
We asked several questions about users’ reactions to Grid Authentication. First, we specifically asked them to rate Grid Authentication’s naturalness from 0 to 10. As shown in Figs. 6 and 7, initially, most of the 46 users that responded were neutral or positive. The collective group gave an average of 6.282, placing Grid Authentication’s initial rating slightly above neutral. However, there were some users who felt Grid Authentication was completely unnatural. User sentiment significantly increased post-experiment. With 46 responses, the average user rating increased from 6.282 to 8.0, and no users rated Grid Authentication below a 4.
In addition to asking users for the overall naturalness of Grid Authentication, we also asked users specifically about the registration process and login process. First, we asked users how easy it was to create an account, both after their first login and after the experiment, to see if their sentiment changed over time. Out of 48 post-registration responses, 18 users found registration extremely easy, 22 users found it somewhat easy, 6 users rated it neutral, and 2 users rated it as somewhat difficult. Out of 46 post-experiment responses, 18 users felt that the registration process was very easy, 17 found it somewhat easy, 6 users rated it neutral, and 5 users rated it as somewhat difficult. Second, we asked users if the login process felt natural. Out of 48 post-registration responses, 18 stated Grid Authentication’s login process was very natural, 17 users stated it was somewhat natural, 7 felt neutral, 5 users felt it was somewhat unnatural, and 1 user felt it was very unnatural. Responding to the same question again post-experiment, positive sentiment about the login process significantly increased over time. Twenty-six users said the login process felt very natural, 15 users said it felt somewhat natural, 2 users were neutral, and three felt that Grid Authentication was somewhat unnatural. Overall, users felt the system was more natural after extended use.
Finally, to see if users felt that their use of Grid Authentication was improving, we asked users about their impressions of improving their login speeds. In the initial impressions survey, we asked users how much they agreed with the following statement: “With practice, I could authenticate with Grid Authentication quickly.” Of 48 responses, 32 users strongly agreed, 12 users somewhat agreed, 3 users were neutral, 1 somewhat disagreed, and 1 strongly disagreed. In the post-experiment survey, we asked if they had improved their login times. Of 46 responses, 26 believed their speed increased significantly, 15 users felt their speed increased slightly, 2 users stayed neutral, and 3 users felt their speed did not improve.
6 Discussion and Conclusion
Overall, we found that users were able to log in with Grid Authentication with similar success rates to passwords. However, users still seemed to favor their own user-chosen password over Grid Authentication despite their similar performance. Passwords are already well established, giving users a sense of familiarity. Human nature shows that users tend to prefer systems they are familiar with [23], which makes it significantly harder for a viable alternative authentication system to become mainstream. We can see that as familiarity was built up, user sentiment regarding the login process increased on average after extended use.
In this experiment, we gave no information to participants on how Grid Authentication functioned internally, so sentiment was based only on visual and functional appearance. No information about potential security improvements was given; telling users how the system works on the backend may help increase users’ positive sentiment. For any alternative authentication system to become mainstream, it must be widely available and well supported, such as the Android pattern lock, which is now used on a significant number of phones [24]. Not only does it have to have some advantage over passwords, but it also must be marketed well to get users to interact with it for an extended period.
To summarize, we created a memorability and sentiment experiment for a graphical authentication system. We observed that users were able to remember Grid Authentication click sequences just as well as their own created passwords. Despite this, users still felt that Grid Authentication was less memorable than traditional passwords. We also found that users initially had a wide range of opinions, the average naturalness rating of Grid Authentication being just above neutral. The overall naturalness rating increased significantly after three days of interacting with Grid Authentication. Lastly, we conclude that to create a viable authentication alternative, in addition to having some advantage over a traditional password, it must be implemented and advertised widely to gain users’ initial interest.
References
Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of CCS (2010)
Walters, R.: Cyber attacks on US companies in 2014. Heritage Found. 4289, 1–5 (2014)
Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM, May 2007
Goodin, D.: 25-GPU cluster cracks every standard Windows password in <6 hours. Ars Technica, 9 December 2012. https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/. Accessed 27 Oct 2018
Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)
Bonneau, J.: Measuring password re-use empirically. Light Blue Touchpaper (2011)
Zviran, M., Haga, W.J.: Password security: an empirical study. J. Manag. Inf. Syst. 15(4), 161–185 (1999)
Gafni, R., Nissim, D.: To social login or not login? Exploring factors affecting the decision. Issues Informing Sci. Inf. Technol. 11(1), 057–072 (2014)
Silver, D., Jana, S., Boneh, D., Chen, E.Y., Jackson, C.: Password managers: attacks and defenses. In: USENIX Security Symposium, pp. 449–464, August 2014
Belenko, A., Sklyarov, D.: “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really? Blackhat Europe (2012)
Prabhakar, S., Pankanti, S., Jain, A.K.: Biometric recognition: security and privacy concerns. IEEE Secur. Priv. 1(2), 33–42 (2003)
Biocco, P., Anwar, M.: Grid framework to address password memorability issues and offline password attacks. In: Nicholson, D. (ed.) AHFE 2017. AISC, vol. 593, pp. 52–61. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-60585-2_6
De Angeli, A., Coventry, L., Johnson, G., Renaud, K.: Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. Int. J. Hum Comput Stud. 63(1–2), 128–152 (2005)
Renaud, K., De Angeli, A.: My password is here! An investigation into visuo-spatial authentication mechanisms. Interact. Comput. 16(6), 1017–1041 (2004)
Baik, M., Suk, H.J., Lee, J., Choi, K.: Investigation of eye-catching colors using eye tracking. In: IS&T/SPIE Electronic Imaging, p. 86510W. International Society for Optics and Photonics, 14 March 2013
Renaud, K., Smith, E.: Jiminy: helping users to remember their passwords (2001)
Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: USENIX Security Symposium, vol. 13, p. 11, August 2004
Dhamija, R., Perrig, A.: Déjà Vu: a user study using images for authentication. In: USENIX Security Symposium, vol. 9, p. 4, August 2000
De Angeli, A., Coutts, M., Coventry, L., Johnson, G.I., Cameron, D., Fischer, M.H.: VIP: a visual approach to user authentication. In: Proceedings of the Working Conference on Advanced Visual Interfaces, pp. 316–323. ACM, May 2002
Jermyn, I.H., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. USENIX Association (1999)
Goldberg, J., Hagman, J., Sazawal, V.: Doodling our way to better authentication. In: CHI 2002 Extended Abstracts on Human Factors in Computing Systems, pp. 868–869. ACM, April 2002
Oka, M., Kato, K., Xu, Y., Liang, L., Wen, F.: Scribble-a-secret: similarity-based password authentication using sketches. In: 19th International Conference on Pattern Recognition, ICPR 2008, pp. 1–4. IEEE, December 2008
Harrison, D.A., Mohammed, S., McGrath, J.E., Florey, A.T., Vanderstoep, S.W.: Time matters in team performance: effects of member familiarity, entrainment, and task discontinuity on speed and quality. Pers. Psychol. 56(3), 633–669 (2003)
Sun, C., Wang, Y., Zheng, J.: Dissecting pattern unlock: the effect of pattern strength meter on pattern selection. J. Inf. Secur. Appl. 19(4–5), 308–320 (2014)
Appendix
© 2019 Springer Nature Switzerland AG
Biocco, P., Anwar, M. (2019). Grid Authentication: A Memorability and User Sentiment Study. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2019. Lecture Notes in Computer Science(), vol 11594. Springer, Cham. https://doi.org/10.1007/978-3-030-22351-9_1
DOI: https://doi.org/10.1007/978-3-030-22351-9_1