A study of graphical alternatives for user authentication

Jali, Mohd Zalisham

January 2011

Authenticating users by means of passwords is still the dominant form of authentication despite its recognised weaknesses. To solve this, authenticating users with images or pictures (i.e. graphical passwords) is proposed as one possible alternative as it is claimed that pictures are easy to remember, easy to use and has considerable security. Reviewing literature from the last twenty years found that few graphical password schemes have successfully been applied as the primary user authentication mechanism, with many studies reporting that their proposed scheme was better than their predecessors and they normally compared their scheme with the traditional password-based. In addition, opportunities for further research in areas such as image selection, image storage and retrieval, memorability (i.e. the user’s ability to remember passwords), predictability, applicability to multiple platforms, as well as users’ familiarity are still widely possible. Motivated by the above findings and hoping to reduce the aforementioned issues, this thesis reports upon a series of graphical password studies by comparing existing methods, developing a novel alternative scheme, and introducing guidance for users before they start selecting their password. Specifically, two studies comparing graphical password methods were conducted with the specific aims to evaluate users’ familiarity and perception towards graphical methods and to examine the performance of graphical methods in the web environment. To investigate the feasibility of combining two graphical methods, a novel graphical method known as EGAS (Enhanced Graphical Authentication System) was developed and tested in terms of its ease of use, ideal secret combination, ideal login strategies, effect of using smaller tolerances (i.e. areas where the click is still accepted) as well as users’ familiarity. In addition, graphical password guidelines (GPG) were introduced and deployed within the EGAS prototype, in order to evaluate their potential to assist users in creating appropriate password choices. From these studies, the thesis provides an alternative classification for graphical password methods by looking at the users’ tasks when authenticating into the system; namely click-based, choice-based, draw-based and hybrid. Findings from comparative studies revealed that although a number of participants stated that they were aware of the existence of graphical passwords, they actually had little understanding of the methods involved. Moreover, the methods of selecting a series of images (i.e. choice-based) and clicking on the image (i.e. click-based) are actually possible to be used for web-based authentication due to both of them reporting complementary results. With respect to EGAS, the studies have shown that combining two graphical methods is possible and does not introduce negative effects upon the resulting usability. User familiarity with the EGAS software prototype was also improved as they used the software for periods of time, with improvement shown in login time, accuracy and login failures. With the above findings, the research proposes that users’ familiarity is one of the key elements in deploying any graphical method, and appropriate HCI guidelines should be considered and employed during development of the scheme. Additionally, employing the guidelines within the graphical method and not treating them as a separate entity in user authentication is also recommended. Other than that, elements such as reducing predictability, testing with multiple usage scenarios and platforms, as well as flexibility with respect to tolerance should be the focus for future research.

300.285

Graphical one-time password authentication

Alsaiari, Hussain

January 2016

Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords appears difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. One-Time Passwords (OTPs) aim to overcome such problems; however, most implemented OTP techniques require special hardware, which not only adds costs, but also raises issues regarding availability. This type of authentication mechanism is mostly adopted by online banking systems to secure their clients’ accounts. However, carrying around authentication tokens was found to be an inconvenient experience for many customers. Not only the inconvenience, but if the token was unavailable, for any reason, this would prevent customers from accessing their accounts securely. In contrast, there is the potential to use graphical passwords as an alternative authentication mechanism designed to aid memorability and ease of use. The idea of this research is to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. A new multi-level user-authentication solution known as: Graphical One-Time Password (GOTPass) was proposed and empirically evaluated in terms of usability and security aspects. The usability experiment was conducted during three separate sessions, which took place over five weeks, to assess the efficiency, effectiveness, memorability and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Eighty-one participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 seconds. With regard to the security evaluation, the research simulated three common types of graphical password attacks (guessing, intersection, and shoulder-surfing). The participants’ task was to act as attackers to try to break into the system. The GOTPass scheme showed a high resistance capability against the attacks, as only 3.3% of the 690 total attempts succeeded in compromising the system.

005.8

The Impact of Image Synonyms in Graphical-Based Authentication Systems

Sparks, Jonathan William

14 March 2015

Traditional text-based passwords used for authentication in information systems have several known issues in the areas of usability and security. Research has shown that when users generate passwords for systems, they tend to create passwords that are subject to compromise more so than those created randomly by the computer. Research has also shown that users have difficulty remembering highly secure, randomly created, text-based passwords. Graphical-based passwords have been shown to be highly memorable for users when applied to system authentication. However, graphical-based authentication systems require additional cognitive load to recognize and enter a password compared to traditional text-based authentication that is more muscle-memory. This increase in cognitive load causes an increased security risk of shoulder-surfing created from the longer amount of time needed to input a password. Graphical-based authentication systems use the same images for each possible input value. This makes these authentication systems vulnerable to attackers. The attackers use their ability to remember visual information to compromise a graphical-based password. This study conducted research into a graphical-based authentication scheme that implemented pictorial synonyms. The goal is to decrease security risk of graphical-based authentication systems while maintaining (or even increasing) the usability of these systems. To accomplish this goal, a study to evaluate the impact on the cognitive load required using an image synonym authentication system compared to traditional graphical-based authentication schemes. The research found that there was not a significant difference in the areas of user cognitive load, shoulder-surfing threat, and user effectiveness. The research evaluated users' accuracy, cognitive load, and time to authenticate and found to have significant impact of pictorial synonyms on graphical-based authentication systems. The research shows that the accuracy of pictorial synonyms was greater than word password. This appears to due to people's ability to recall pictorial information over text information. Future research should look at the impact of pictorial synonyms on shoulder-surfing attackers and different ages.

Graphical Passwords

Image Synonyms

Passwords

Pictorial Synonyms

Computer Sciences

Computer Security

Cued Click-Point Memorability

Svensson, Rickard

January 2015

The Safety of passwords has been in question for over 40 years, long before the Internet. While improvements have been made to ensure security nothing has changed with passwords since the emergence of the Internet. Passwords need to be long and complex to be secure and users should not reuse their passwords. In a world where there are thousands of services on the internet requiring authentication to keep passwords safe users will have to remember a lot of passwords. Studies show however that users are prone to both create bad passwords but to also reuse their passwords on different sites. A lot of different alternatives to passwords has been proposed but none has become dominant. Is there a good alternative to text-based passwords? Can a graphical password be that alternative? The purpose of this thesis is to create a prototype of a CCP-like system and to conduct a memorability and usability test with it. The test results suggest that CCP is easy to use for users new to the concept of graphical passwords. A CCP-password also seems memorable with most participants recalling their passwords after a week with ease. PCCP can be a good substitute for passwords since it is easy to use, easy to remember and potentially more secure than text-based passwords.

User Authentication

Graphical Passwords

Cued Click-Points

Computer Sciences

Datavetenskap (datalogi)

Multi-factor Authentication Mechanism Based on Browser Fingerprinting and Graphical HoneyTokens

Jonsson, Dillon, Marteni, Amin

January 2022

Multi-factor authentication (MFA) offers a wide range of methods and techniques available today. The security benefits of using MFA are almost indisputable, however, users are reluctant to adopt the technology. While many new MFA solutions are being proposed, there is a lack of consideration for user sentiment in the early stages of development. In an attempt to balance security and usability, this report investigates the feasibility of a new authentication mechanism that uses browser fingerprinting, graphical passwords, and honeytokens. This was evaluated by conducting a limited literature review, producing a prototype, interviews with test users, and security experts, as well as ensuring feasibility through a requirements checklist. The results of this research provides evidence that this mechanism is feasible, and appealing to end users. However, more investigation is required in order to ensure the mechanism's viability in a real-world deployment.

Multi-factor Authentication

Browser Fingerprinting

Graphical Passwords

Honeytokens

Computer Sciences

Datavetenskap (datalogi)

A shoulder-surfing resistant graphical password system

Alesand, Elias, Sterneling, Hanna

January 2017

The focus of this report is to discuss graphical password systems and how they can contribute to handle security problems that threaten authentication processes. One such threat is shoulder-surfing attacks, which are also reviewed in this report. Three already existing systems that are claimed to be shoulder-surfing resilient are described and a new proposed system is presented and evaluated through a user study. Moreover, the system is compared to the mentioned existing systems to further evaluate the usability, memorability and the time it takes to authenticate. The user study shows that test subjects are able to remember their chosen password one week after having registered and signed in once. It is also shown that the average time to sign in to the system after five minutes of practice is within a range of 3.30 to 5.70 seconds. The participants in the experiments gave the system an average score above 68 on the System Usability Scale, which is the score of an average system.

shoulder-surfing

resistant

graphical password system

guessing attacks

graphical passwords

recognition-based

recall-based

pure recall-based

password

security

password space

pictorial superiority effect

brute-force attack

dictionary attack

hot-spots

memorability

graphical components

authentication

Computer Sciences

Datavetenskap (datalogi)