On designing usable and secure recognition-based graphical authentication mechanisms

Published: 01 November 2011

Abstract

In this article we present the development of a new, web-based, graphical authentication mechanism called ImagePass. The authentication mechanism introduces a novel feature based on one-time passwords that increases the security of the system without compromising its usability. Regarding usability, we explore users' perception of recognition-based, graphical authentication mechanisms in a web environment. Specifically, we investigate whether the memorability of recognition-based authentication keys is influenced by image content. We also examine how the frequency of use affects the usability of the system and whether user training via mnemonic instructions improves the graphical password recognition rate. The design and development process of the proposed system began with a study that assessed how users remember abstract, face, or single-object images, and showed that single-object images have a higher memorability rate. We then proceeded with the design and development of a recognition-based graphical authentication mechanism, ImagePass, which uses single objects as the image content and follows usable security guidelines. To conclude the research, in a follow-up study we evaluated the performance of 151 participants under different conditions. We discovered that the frequency of use had a great impact on users' performance, while the users' gender had a limited, task-specific effect. In contrast, user training through mnemonic instructions showed no differences in the users' authentication metrics. However, a post-study focus-group analysis revealed that these instructions greatly influenced the users' perception of the memorability and usability of the graphical authentication. In general, the results of these studies suggest that single-object graphical authentication can be a complementary replacement for traditional passwords, especially in ubiquitous environments and on mobile devices.


Published In

Interacting with Computers, Volume 23, Issue 6
November 2011
58 pages
ISSN: 0953-5438
EISSN: 1873-7951

Publisher

Elsevier Science Inc., United States


Author Tags

1. Graphical authentication
2. Graphical passwords
3. System design
4. User evaluation
