Security and usability in click-based authentication systems

al-Khateeb, Haider

January 2011

Web applications widely use text passwords to confirm people‟s identity. However, investigations reveal text passwords have many problems and that there is a need for alternative solutions. For instance, users often forget their passwords, choose passwords which are easy-to-guess or vulnerable to cracking tools. Further, people write passwords down and/or share them with others. In addition, phishing attacks (using fraudulent websites to steal users‟ credentials) continue to cost millions of dollars every year. During the second half of 2009, the Anti-Phishing Working Group (APWG) reported 126,697 unique phishing attacks worldwide. As such, one of this research‟s objectives is to investigate public awareness of, and attitude towards, text password security and usability supported by surveying both up-to-date literature and users. The aim of this research is to develop an alternative solution using visual passwords (VPs) to authenticate users on web applications and investigate its security and usability. A VP can be many things: a set of images used as a login portfolio, click-points inside images or a doodle (signature) drawn by a user. Since text passwords are favoured for their usability over tokens and biometrics, the research scope has been set to investigate alternative ideas which do not require resources additional to standard computer devices used to sustain human-computer interactions, such as mouse and keyboard. VPs have the potential to develop an alternative solution within this scope. A comprehensive survey of the VP schemes found in the literature is conducted followed by a security and usability evaluation in which click-based systems are selected as the most suitable approach to achieve the aims and objectives of this research. Click- iii based systems are VP authentication schemes in which the VP is a sequence of click-points performed on one or more images. Further, user perceptions were investigated to study their acceptance of various authentication mechanisms and techniques. A novel click-based scheme is presented and developed throughout the research to introduce and investigate novel ideas to maintain security and usability simultaneously. It can resist multiple phishing and shoulder-surfing attacks without revealing the full user credentials. Further, the layout is designed to prevent MiTM attacks, also known as the second generation of phishing attacks. The VP is hashed to resist database attacks and the password space is extremely large compared to text passwords to resist brute force attacks. It has dual cues to maintain memorability and password recall is easy even when it is system-generated. Usability is considered through observation and laboratory studies to meet the requirements of HCI-Sec (Secure Human-Computer Interactions) aiming to present a secure scheme people can actually use.

005.8

Guessing human-chosen secrets

Bonneau, Joseph

January 2012

Authenticating humans to computers remains a notable weak point in computer security despite decades of effort. Although the security research community has explored dozens of proposals for replacing or strengthening passwords, they appear likely to remain entrenched as the standard mechanism of human-computer authentication on the Internet for years to come. Even in the optimistic scenario of eliminating passwords from most of today's authentication protocols using trusted hardware devices or trusted servers to perform federated authentication, passwords will persist as a means of 'last-mile' authentication between humans and these trusted single sign-on deputies. This dissertation studies the difficulty of guessing human-chosen secrets, introducing a sound mathematical framework modeling human choice as a skewed probability distribution. We introduce a new metric, alpha-guesswork, which accurately models the resistance of a distribution against all possible guessing attacks. We also study the statistical challenges of estimating this metric using empirical data sets which can be modeled as a large random sample from the underlying probability distribution. This framework is then used to evaluate several representative data sets from the most important categories of human-chosen secrets to provide reliable estimates of security against guessing attacks. This includes collecting the largest-ever corpus of user-chosen passwords, with nearly 70 million, the largest list of human names ever assembled for research, the largest data sets of real answers to personal knowledge questions and the first data published about human choice of banking PINs. This data provides reliable numbers for designing security systems and highlights universal limitations of human-chosen secrets.

005.8

Passwords ; Authentication

Leveraging Motor Learning for a Tangible Password System

Mott, Martez Edward

02 April 2012

No description available.

Computer Science

HCI

Tangible

Passwords

A study of graphical alternatives for user authentication

Jali, Mohd Zalisham

January 2011

Authenticating users by means of passwords is still the dominant form of authentication despite its recognised weaknesses. To solve this, authenticating users with images or pictures (i.e. graphical passwords) is proposed as one possible alternative as it is claimed that pictures are easy to remember, easy to use and has considerable security. Reviewing literature from the last twenty years found that few graphical password schemes have successfully been applied as the primary user authentication mechanism, with many studies reporting that their proposed scheme was better than their predecessors and they normally compared their scheme with the traditional password-based. In addition, opportunities for further research in areas such as image selection, image storage and retrieval, memorability (i.e. the user’s ability to remember passwords), predictability, applicability to multiple platforms, as well as users’ familiarity are still widely possible. Motivated by the above findings and hoping to reduce the aforementioned issues, this thesis reports upon a series of graphical password studies by comparing existing methods, developing a novel alternative scheme, and introducing guidance for users before they start selecting their password. Specifically, two studies comparing graphical password methods were conducted with the specific aims to evaluate users’ familiarity and perception towards graphical methods and to examine the performance of graphical methods in the web environment. To investigate the feasibility of combining two graphical methods, a novel graphical method known as EGAS (Enhanced Graphical Authentication System) was developed and tested in terms of its ease of use, ideal secret combination, ideal login strategies, effect of using smaller tolerances (i.e. areas where the click is still accepted) as well as users’ familiarity. In addition, graphical password guidelines (GPG) were introduced and deployed within the EGAS prototype, in order to evaluate their potential to assist users in creating appropriate password choices. From these studies, the thesis provides an alternative classification for graphical password methods by looking at the users’ tasks when authenticating into the system; namely click-based, choice-based, draw-based and hybrid. Findings from comparative studies revealed that although a number of participants stated that they were aware of the existence of graphical passwords, they actually had little understanding of the methods involved. Moreover, the methods of selecting a series of images (i.e. choice-based) and clicking on the image (i.e. click-based) are actually possible to be used for web-based authentication due to both of them reporting complementary results. With respect to EGAS, the studies have shown that combining two graphical methods is possible and does not introduce negative effects upon the resulting usability. User familiarity with the EGAS software prototype was also improved as they used the software for periods of time, with improvement shown in login time, accuracy and login failures. With the above findings, the research proposes that users’ familiarity is one of the key elements in deploying any graphical method, and appropriate HCI guidelines should be considered and employed during development of the scheme. Additionally, employing the guidelines within the graphical method and not treating them as a separate entity in user authentication is also recommended. Other than that, elements such as reducing predictability, testing with multiple usage scenarios and platforms, as well as flexibility with respect to tolerance should be the focus for future research.

300.285

Modeling the Adversary to Evaluate Password Strength With Limited Samples

Komanduri, Saranga

01 March 2016

In an effort to improve security by preventing users from picking weak passwords, system administrators set password-composition policies, sets of requirements that passwords must meet. Guidelines for such policies have been published by various groups, including the National Institute of Standards and Technology (NIST) in the United States, but this guidance has not been empirically verified. In fact, our research group and others have discovered it to be inaccurate. In this thesis, we provide an improved metric for evaluating the security of password-composition policies, compared to previous machine-learning approaches. We make several major contributions to passwords research. First, we develop a guess-calculator framework that automatically learns a model of adversary guessing from a training set of prior data mixed with samples, and applies this model to a set of test passwords. Second, we find several enhancements to the underlying grammar that increase the power of the learning algorithm and improve guessing efficiency over previous approaches. Third, we use the guesscalculator framework to study the guessability of passwords under various policies and provide methodological and statistical guidance for conducting these studies and analyzing the results. While much of this thesis focuses on an offline-attack threat model in which an adversary can make trillions of guesses, we also provide guidance on evaluating policies under an online-attack model, where the user can only make a small number of guesses before being locked out by the authentication system.

passwords

security

usability

policy

modeling

statistics

Supporting Password-Security Decisions with Data

Ur, Blase Eric

01 September 2016

Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make passwords. Users frequently create passwords that are predictable for attackers or make other decisions (e.g., reusing the same password across accounts) that harm their security. In this thesis, I use data-driven methods to better understand how users choose passwords and how attackers guess passwords. I then combine these insights into a better password-strength meter that provides real-time, data-driven feedback about the user’s candidate password. I first quantify the impact on password security and usability of showing users different passwordstrength meters that score passwords using basic heuristics. I find in a 2,931-participant online study that meters that score passwords stringently and present their strength estimates visually lead users to create stronger passwords without significantly impacting password memorability. Second, to better understand how attackers guess passwords, I perform comprehensive experiments on password-cracking approaches. I find that simply running these approaches in their default configuration is insufficient, but considering multiple well-configured approaches in parallel can serve as a proxy for guessing by an expert in password forensics. The third and fourth sections of this thesis delve further into how users choose passwords. Through a series of analyses, I pinpoint ways in which users structure semantically significant content in their passwords. I also examine the relationship between users’ perceptions of password security and passwords’ actual security, finding that while users often correctly judge the security impact of individual password characteristics, wide variance in their understanding of attackers may lead users to judge predictable passwords as sufficiently strong. Finally, I integrate these insights into an open-source password-strength meter that gives users data-driven feedback about their specific password. I evaluate this meter through a ten-participant laboratory study and 4,509-participant online study.

Usable security

computer security

passwords

authentication

Lip password-based speaker verification system with unknown language alphabet

Zhou, Yichao

31 August 2018

The traditional security systems that verify the identity of users based on password usually face the risk of leaking the password contents. To solve this problem, biometrics such as the face, iris, and fingerprint, begin to be widely used in verifying the identity of people. However, these biometrics cannot be changed if the database is hacked. What's more, verification systems based on the traditional biometrics might be cheated by fake fingerprint or the photo.;Liu and Cheung (Liu and Cheung 2014) have recently initiated the concept of lip password, which is composed of a password embedded in the lip movement and the underlying characteristics of lip motion [26]. Subsequently, a lip password-based system for visual speaker verification has been developed. Such a system is able to detect a target speaker saying the wrong password or an impostor who knows the correct password. That is, only a target user speaking correct password can be accepted by the system. Nevertheless, it recognizes the lip password based on a lip-reading algorithm, which needs to know the language alphabet of the password in advance, which may limit its applications.;To tackle this problem, in this thesis, we study the lip password-based visual speaker verification system with unknown language alphabet. First, we propose a method to verify the lip password based on the key frames of lip movement instead of recognizing the individual password elements, such that the lip password verification process can be made without knowing the password alphabet beforehand. To detect these key frames, we extract the lip contours and detect the interest intervals where the lip contours have significant variations. Moreover, in order to avoid accurate alignment of feature sequences or detection on mouth status which is computationally expensive, we design a novel overlapping subsequence matching approach to encode the information in lip passwords in the system. This technique works by sampling the feature sequences extracted from lip videos into overlapping subsequences and matching them individually. All the log-likelihood of each subsequence form the final feature of the sequence and are verified by the Euclidean distance to positive sample centers. We evaluate the proposed two methods on a database that contains totally 8 kinds of lip passwords including English digits and Chinese phrases. Experimental results show the superiority of the proposed methods for visual speaker verification.;Next, we propose a novel visual speaker verification approach based on diagonal-like pooling and pyramid structure of lips. We take advantage of the diagonal structure of sparse representation to preserve the temporal order of lip sequences by employ a diagonal-like mask in pooling stage and build a pyramid spatiotemporal features containing the structural characteristic under lip password. This approach eliminates the requirement of segmenting the lip-password into words or visemes. Consequently, the lip password with any language can be used for visual speaker verification. Experiments show the efficacy of the proposed approach compared with the state-of-the-art ones.;Additionally, to further evaluate the system, we also develop a prototype of the lip password-based visual speaker verification. The prototype has a Graphical User Interface (GUI) that make users easy to access.

Improving Password Usability with Visual Techniques

Komanduri, Saranga

13 November 2007

No description available.

passwords

graphical authentication

picture superiority

security indicators

The Impact of Image Synonyms in Graphical-Based Authentication Systems

Sparks, Jonathan William

14 March 2015

Traditional text-based passwords used for authentication in information systems have several known issues in the areas of usability and security. Research has shown that when users generate passwords for systems, they tend to create passwords that are subject to compromise more so than those created randomly by the computer. Research has also shown that users have difficulty remembering highly secure, randomly created, text-based passwords. Graphical-based passwords have been shown to be highly memorable for users when applied to system authentication. However, graphical-based authentication systems require additional cognitive load to recognize and enter a password compared to traditional text-based authentication that is more muscle-memory. This increase in cognitive load causes an increased security risk of shoulder-surfing created from the longer amount of time needed to input a password. Graphical-based authentication systems use the same images for each possible input value. This makes these authentication systems vulnerable to attackers. The attackers use their ability to remember visual information to compromise a graphical-based password. This study conducted research into a graphical-based authentication scheme that implemented pictorial synonyms. The goal is to decrease security risk of graphical-based authentication systems while maintaining (or even increasing) the usability of these systems. To accomplish this goal, a study to evaluate the impact on the cognitive load required using an image synonym authentication system compared to traditional graphical-based authentication schemes. The research found that there was not a significant difference in the areas of user cognitive load, shoulder-surfing threat, and user effectiveness. The research evaluated users' accuracy, cognitive load, and time to authenticate and found to have significant impact of pictorial synonyms on graphical-based authentication systems. The research shows that the accuracy of pictorial synonyms was greater than word password. This appears to due to people's ability to recall pictorial information over text information. Future research should look at the impact of pictorial synonyms on shoulder-surfing attackers and different ages.

Graphical Passwords

Image Synonyms

Passwords

Pictorial Synonyms

Computer Sciences

Computer Security

Novel, robust and cost-effective authentication techniques for online services

Norrington, Peter

January 2009

This thesis contributes to the study of the usability and security of visuo-cognitive authentication techniques, particularly those relying on recognition of abstract images, an area little researched. Many usability and security problems with linguistic passwords (including traditional text-based passwords) have been known for decades. Research into visually-based techniques intends to overcome these by using the extensive human capacity for recognising images, and add to the range of commercially viable authentication solutions. The research employs a mixed methodology to develop several contributions to the field. A novel taxonomy of visuo-cognitive authentication techniques is presented. This is based on analysis and synthesis of existing partial taxonomies, combined with new and extensive analysis of features of existing visuo-cognitive and other techniques. The taxonomy advances consistent terminology, and coherent and productive classification (cognometric, locimetric, graphimetric and manipulometric, based respectively on recognition of, location in, drawing of and manipulation of images) and discussion of the domain. The taxonomy is extensible to other classes of cognitive authentication technique (audio-cognitive, spatio-cognitive, biometric and token-based, etc.). A revised assessment process of the usability and security of visuo-cognitive techniques is proposed (employing three major assessment categories – usability, memorability and security), based on analysis, synthesis and refinement of existing models. The revised process is then applied to the features identified in the novel taxonomy to prove the process‘s utility as a tool to clarify both the what and the why of usability and security issues. The process is also extensible to other classes of authentication technique. iii Cognitive psychology experimental methods are employed, producing new results which show with statistical significance that abstract images are harder to learn and recall than face or object images. Additionally, new experiments and a new application of the chi-squared statistic show that users‘ choices of abstract images are not necessarily random over a group, and thus, like other cognitive authentication techniques, can be attacked by probabilistic dictionaries. A new authentication prototype is designed and implemented, embodying the usability and security insights gained. Testing of this prototype shows good usability and user acceptance, although speed of use remains an issue. A new experiment shows that abstract image authentication techniques are vulnerable to phishing attacks. Further, the testing shows two new results: that abstract image visuo-cognitive techniques are usable on mobile phones; and that such phones are not, currently, necessarily a threat as part of observation attacks on visual passwords.

621.382