A comprehensive study of the usability of multiple graphical passwords
Recognition-based graphical authentication systems (RBGSs) using images as passwords have been proposed as one potential solution to the need for more usable authentication. The rapid increase in the technologies requiring user authentication has increased the number of passwords that users have to remember. But nearly all prior work with RBGSs has studied the usability of a single password. In this paper, we present the first published comparison of the usability of multiple graphical passwords with four different image types: Mikon, doodle, art and everyday objects (food, buildings, sports etc.). A longitudinal experiment was performed with 100 participants over a period of 8 weeks, to examine the usability performance of each of the image types. The results of the study demonstrate that object images are most usable in the sense of being more memorable and less time-consuming to employ; Mikon images are close behind, but doodle and art images are significantly inferior. The results of our study complement cognitive literature on the picture superiority effect, visual search process and nameability of visually complex images.
Gathering realistic authentication performance data through field trials
Most evaluations of novel authentication mechanisms have been conducted under laboratory conditions. We argue that the results of short-term usage under laboratory conditions do not predict user performance "in the wild", because there is insufficient time between enrolment and testing, the number of authentications is low, and authentication is presented as a primary task, rather than the secondary task it is "in the wild". User-generated reports of performance, on the other hand, provide subjective data, so reports on frequency of use, time intervals, and success or failure of authentication are subject to the vagaries of users' memories. Studies on authentication that provide objective performance data under real-world conditions are rare. In this paper, we present our experiences with a study method that tries to control the frequency and timing of authentication and collects reliable performance data, while at the same time maintaining the ecological validity of the authentication context. We describe the development of an authentication server called APET, which allows us to prompt users enrolled in trial cohorts to authenticate at controlled intervals, and report our initial experiences with trials. We conclude by discussing the remaining challenges in obtaining reliable performance data through a field trial method such as this one.
Multicriteria optimization to select images as passwords in recognition based graphical authentication systems
Usability and guessability are two conflicting criteria in assessing the suitability of an image to be used as a password in recognition-based graphical authentication systems (RBGSs). We present the first work in this area that uses a new approach, which effectively integrates a series of techniques in order to rank images taking into account the values obtained for each of the dimensions of usability and guessability from two user studies. Our approach uses fuzzy numbers to deal with non-commensurable criteria and compares two multicriteria optimization methods, namely TOPSIS and VIKOR. The results suggest that the VIKOR method is the most applicable for making an objective statement about which image type is better suited to be used as a password. The paper also discusses some improvements that could be made to the ranking assessment.
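The abstract names the two ranking methods but not how they turn usability and guessability scores into an ordering. The following is an added example, not code or data from the paper: it implements crisp-valued TOPSIS and VIKOR (the paper's fuzzy-number handling of non-commensurable criteria is not reproduced; both methods normalise each criterion internally, so the columns need not share units) and applies them to a constructed decision matrix of four hypothetical image types A to D, scored on memorability, login time and guess rate. The scores, weights and the v = 0.5 setting are assumptions chosen so that usability and guessability conflict, and on this input the two methods rank the alternatives differently, which is the kind of discrepancy that makes the paper's comparison of the methods necessary.

```python
"""Added example (not from the paper): rank candidate password image types
with TOPSIS and VIKOR over usability and guessability criteria.

The decision matrix below is constructed for illustration only; it is not
data from the user studies the abstract refers to.
"""
import math

# Criteria: (name, weight, kind). 'benefit' = higher is better (usability),
# 'cost' = lower is better (login time, guessability). Weights are assumed.
CRITERIA = [
    ("memorability", 0.4, "benefit"),  # fraction of successful logins
    ("login_time_s", 0.2, "cost"),     # mean seconds per authentication
    ("guess_rate", 0.4, "cost"),       # fraction of images guessed by attackers
]

# Constructed scores for four hypothetical image types. A is the most usable
# but the most guessable, D the reverse, so the two criteria conflict.
ALTERNATIVES = {
    "A": [0.95, 8.0, 0.30],
    "B": [0.90, 10.0, 0.20],
    "C": [0.70, 15.0, 0.10],
    "D": [0.60, 18.0, 0.05],
}


def topsis(alts, criteria):
    """Return {name: closeness to the ideal} in [0, 1]; higher is better."""
    names = list(alts)
    cols = list(zip(*(alts[n] for n in names)))
    weighted = []
    for (_, w, _), col in zip(criteria, cols):
        norm = math.sqrt(sum(x * x for x in col)) or 1.0  # vector normalisation
        weighted.append([w * x / norm for x in col])
    best, worst = [], []
    for (_, _, kind), col in zip(criteria, weighted):
        hi, lo = max(col), min(col)
        best.append(hi if kind == "benefit" else lo)
        worst.append(lo if kind == "benefit" else hi)
    idx = range(len(criteria))
    result = {}
    for i, n in enumerate(names):
        d_best = math.sqrt(sum((weighted[j][i] - best[j]) ** 2 for j in idx))
        d_worst = math.sqrt(sum((weighted[j][i] - worst[j]) ** 2 for j in idx))
        result[n] = d_worst / (d_best + d_worst)
    return result


def vikor(alts, criteria, v=0.5):
    """Return (Q, S, R); lower Q is better. S is the weighted group utility,
    R the worst single-criterion regret, v the weight given to S over R."""
    names = list(alts)
    cols = list(zip(*(alts[n] for n in names)))
    S = {n: 0.0 for n in names}
    R = {n: 0.0 for n in names}
    for (_, w, kind), col in zip(criteria, cols):
        f_best = max(col) if kind == "benefit" else min(col)
        f_worst = min(col) if kind == "benefit" else max(col)
        span = abs(f_best - f_worst) or 1.0  # linear normalisation
        for n, x in zip(names, col):
            term = w * abs(f_best - x) / span
            S[n] += term
            R[n] = max(R[n], term)
    s_best, s_worst = min(S.values()), max(S.values())
    r_best, r_worst = min(R.values()), max(R.values())
    Q = {}
    for n in names:
        qs = (S[n] - s_best) / ((s_worst - s_best) or 1.0)
        qr = (R[n] - r_best) / ((r_worst - r_best) or 1.0)
        Q[n] = v * qs + (1 - v) * qr
    return Q, S, R


def vikor_compromise(alts, criteria, v=0.5):
    """Apply VIKOR's two acceptance conditions and return the compromise set."""
    Q, S, R = vikor(alts, criteria, v)
    order = sorted(Q, key=Q.get)
    a1 = order[0]
    dq = 1.0 / (len(order) - 1)  # acceptable-advantage threshold
    # C1: the runner-up must trail the best by at least DQ.
    c1 = Q[order[1]] - Q[a1] >= dq
    # C2: the best by Q must also be best by S or by R (stability).
    c2 = S[a1] == min(S.values()) or R[a1] == min(R.values())
    if not c1:
        return [n for n in order if Q[n] - Q[a1] < dq]
    if not c2:
        return order[:2]
    return [a1]


if __name__ == "__main__":
    t = topsis(ALTERNATIVES, CRITERIA)
    print("TOPSIS:", sorted(t, key=t.get, reverse=True), {k: round(c, 3) for k, c in t.items()})
    Q, _, _ = vikor(ALTERNATIVES, CRITERIA)
    print("VIKOR :", sorted(Q, key=Q.get), {k: round(q, 3) for k, q in Q.items()})
    print("VIKOR compromise set:", vikor_compromise(ALTERNATIVES, CRITERIA))
```

TOPSIS measures distance to a synthetic ideal point and so rewards the alternative that is far from the worst on every criterion (here D), whereas VIKOR also penalises the single worst regret and picks the balanced alternative B as the sole compromise; with the constructed weights the two orderings differ, so the method choice, not only the scores, decides which image type "wins".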
Towards Baselines for Shoulder Surfing on Mobile Authentication
Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, how well the attack performs against current systems is less well studied. In this paper, we describe a large online experiment (n=1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attack surface, where a single observation leads to just 10.8% successful attacks, improving to 26.5% with multiple observations. As a comparison, 6-length Android patterns with one observation suffered a 64.2% attack rate, and 79.9% with multiple observations. Removing the feedback lines for patterns improves security, reducing the attack rate to 35.3% and 52.1% for single and multiple observations, respectively. This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best- and worst-case scenarios for shoulder surfing vulnerability, which can both help inform users to improve their security choices and establish baselines for researchers. To appear in the Annual Computer Security Applications Conference (ACSAC).
NAVI: Novel authentication with visual information
Text-based passwords, despite their well-known drawbacks, remain the dominant user authentication scheme in use. Graphical password systems, based on visual information such as the recognition of photographs and/or pictures, have emerged as a promising alternative to the near-total reliance on text passwords. Nevertheless, despite the advantages they offer, they have not been widely used in practice, since many open issues remain to be resolved. In this paper we propose a novel graphical password scheme, NAVI, in which the credentials of the user are a username and a password formulated by drawing a route on a predefined map. We analyze the strength of the password generated by this scheme and present a prototype implementation in order to illustrate the feasibility of our proposal. Finally, we discuss NAVI's security features and compare it with existing graphical password schemes as well as text-based passwords in terms of key security properties, such as password keyspace, dictionary attacks and guessing attacks. The proposed scheme appears to have the same or better performance in the majority of the security features examined.