
    ColorDots: An Intersection Analysis Resistant Graphical Password Scheme for the Prevention of Shoulder-surfing Attack

    In an increasingly mobile world, the combination of mobile computing devices, publicly accessible Wi-Fi hotspots, and camera phones poses a significant threat to alphanumeric passwords in public environments. Graphical passwords, introduced as an alternative to alphanumeric passwords, help prevent successful shoulder-surfing attacks (covertly observing or recording a password login session); however, most cannot prevent intersection analysis on the data collected through shoulder-surfing. ColorDots is a new graphical password scheme designed to be easy to use and learn, to prevent successful shoulder-surfing attacks, and to hinder intersection analysis. A software implementation of ColorDots was tested and the results analyzed. This study showed that the ColorDots graphical password scheme does prevent shoulder-surfing and hinders intersection analysis on digital recordings of multiple shoulder-surfing attacks. Furthermore, ColorDots may be just as convenient to use as alphanumeric passwords, while improving password security in public environments.

    Investigation of the shoulder surfing risk in relation to mobile working

    Reading in a public place and realising that the newspaper or book is also of interest to a casual observer is not a new phenomenon. While the term ‘shoulder surfing’ is used for this situation in the days of mobile computing, its antecedents lie in the days of reading physical media. However, the development of both mobile computing and widely available internet connectivity means that the variety of documents available for casual observation has increased. This research demonstrated that sensitive material is viewed, and therefore displayed, in public places where it could be seen by unauthorised viewers, or shoulder surfers. Experimentation demonstrated that, with the development of mobile technology, not only are these documents visible to a casual observer, they can also be duplicated by a smartphone camera and thereby leaked. This risk should, therefore, be considered by any organisation whose staff work on potentially sensitive information outside the protected corporate environment.

    A STUDY OF GRAPHICAL ALTERNATIVES FOR USER AUTHENTICATION

    Previous issue date: 2011
    Authenticating users by means of passwords is still the dominant form of authentication despite its recognised weaknesses. To address this, authenticating users with images or pictures (i.e. graphical passwords) is proposed as one possible alternative, as it is claimed that pictures are easy to remember, easy to use and have considerable security. Reviewing literature from the last twenty years found that few graphical password schemes have successfully been applied as the primary user authentication mechanism, with many studies reporting that their proposed scheme was better than its predecessors, and normally comparing their scheme with traditional password-based authentication. In addition, opportunities for further research in areas such as image selection, image storage and retrieval, memorability (i.e. the user’s ability to remember passwords), predictability, applicability to multiple platforms, as well as users’ familiarity remain wide open. Motivated by the above findings and hoping to reduce the aforementioned issues, this thesis reports upon a series of graphical password studies by comparing existing methods, developing a novel alternative scheme, and introducing guidance for users before they start selecting their password.
Specifically, two studies comparing graphical password methods were conducted with the specific aims of evaluating users’ familiarity with and perception of graphical methods and of examining the performance of graphical methods in the web environment. To investigate the feasibility of combining two graphical methods, a novel graphical method known as EGAS (Enhanced Graphical Authentication System) was developed and tested in terms of its ease of use, ideal secret combination, ideal login strategies, the effect of using smaller tolerances (i.e. areas where the click is still accepted), as well as users’ familiarity. In addition, graphical password guidelines (GPG) were introduced and deployed within the EGAS prototype, in order to evaluate their potential to assist users in making appropriate password choices. From these studies, the thesis provides an alternative classification for graphical password methods by looking at the users’ tasks when authenticating to the system; namely click-based, choice-based, draw-based and hybrid. Findings from the comparative studies revealed that although a number of participants stated that they were aware of the existence of graphical passwords, they actually had little understanding of the methods involved. Moreover, the methods of selecting a series of images (i.e. choice-based) and clicking on an image (i.e. click-based) can both be used for web-based authentication, since both reported complementary results. With respect to EGAS, the studies have shown that combining two graphical methods is possible and does not introduce negative effects upon the resulting usability. Users’ familiarity with the EGAS software prototype also improved as they used the software over time, with improvements shown in login time, accuracy and login failures.
With the above findings, the research proposes that users’ familiarity is one of the key elements in deploying any graphical method, and that appropriate HCI guidelines should be considered and employed during development of the scheme. Additionally, employing the guidelines within the graphical method, rather than treating them as a separate entity in user authentication, is also recommended. Beyond this, elements such as reducing predictability, testing with multiple usage scenarios and platforms, as well as flexibility with respect to tolerance should be the focus of future research.

    Exploring human factors issues & possible countermeasures in password authentication

    PhD Thesis
    This thesis is concerned with usable security. It describes a series of experiments to understand users’ behaviour in the domain of password authentication. The thesis is comprised of two parts. Part 1 reports on experiments into how different persuasion strategies can be used to increase the strength of users’ passwords. Existing research indicates that the lack of persuasive elements in password guidelines may lead to a lack of motivation to produce strong passwords. Thus, an experimental study involving seventy-five participants was conducted to evaluate the effectiveness of a range of persuasion strategies on password strength. In addition, this experiment explores how personality variables affect the susceptibility of users to persuasion. The results showed that users who received password guidelines that include a persuasion strategy produced stronger passwords than a control group. In terms of the personality variables, the results show that certain personality types tend to produce slightly better passwords than others, but it is difficult to draw a firm conclusion about how personality affects susceptibility to persuasion. The second part of this thesis presents an innovative alternative to text-based passwords, namely graphical password schemes. Graphical passwords take advantage of the superior ability of humans to remember graphics and pictures over text and numbers. Research shows that graphical password schemes are a promising alternative, but that they are susceptible to shoulder surfing attacks, resulting in scepticism about adoption. Thus, in Part 2 of the thesis, three innovative shoulder surfing defence techniques are proposed and implemented in a small-scale prototype, with a specific focus on one type of graphical password: the Draw-A-Secret (DAS) scheme.
The results of two separate experimental studies, involving sixty-five and thirty participants respectively, to evaluate the proposed defence techniques from the perspectives of security and usability are presented. The results show that the technique which, on theoretical grounds, was expected to be quite effective provides little protection. A second technique, which did provide the best overall shoulder surfing defence, created usability problems. But a third technique provided a reasonable shoulder surfing defence and good usability simultaneously, a good balance which the other two techniques did not achieve. The proposed defence techniques and experimental results are directly relevant to other graphical password schemes of the same category, with slight modification to suit the requirements of the scheme intended. In summary, the thesis contributes to the discussion of some key usability problems which exist around password authentication domains. All the proposed countermeasures are evaluated through a series of experimental studies which present several intriguing discussions and promising findings.

    GRAPHICAL ONE-TIME PASSWORD AUTHENTICATION

    Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords appears difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. One-Time Passwords (OTPs) aim to overcome such problems; however, most implemented OTP techniques require special hardware, which not only adds cost but also raises issues regarding availability. This type of authentication mechanism is mostly adopted by online banking systems to secure their clients’ accounts. However, carrying around authentication tokens was found to be an inconvenient experience for many customers. Beyond the inconvenience, a token that is unavailable for any reason would prevent customers from accessing their accounts securely. In contrast, there is the potential to use graphical passwords as an alternative authentication mechanism designed to aid memorability and ease of use. The idea of this research is to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. A new multi-level user-authentication solution known as Graphical One-Time Password (GOTPass) was proposed and empirically evaluated in terms of usability and security. The usability experiment was conducted during three separate sessions, which took place over five weeks, to assess the efficiency, effectiveness, memorability and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Eighty-one participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 seconds. With regard to the security evaluation, the research simulated three common types of graphical password attacks (guessing, intersection, and shoulder-surfing).
The participants’ task was to act as attackers and try to break into the system. The GOTPass scheme showed high resistance against the attacks, as only 3.3% of the 690 total attempts succeeded in compromising the system.
    King Abdulaziz City for Science and Technolog

    Security and usability in a hybrid property based graphical authentication system

    Alphanumeric text and PINs continue to be the dominant authentication methods in spite of the numerous concerns raised by security researchers about their inability to properly address usability and security flaws and to effectively combine usability and security. These flaws have, however, contributed to the growing research interest in the development and use of graphical authentication systems as alternatives to text-based systems. Graphical passwords, or graphical authentication systems, are password systems that use images rather than characters or numbers in user authentication. The picture superiority effect, the belief that humans are better able to memorise images than text, has very much influenced the proliferation of and support for graphical authentication systems. In spite of their growing acceptance, however, empirical studies have shown that graphical authentication systems have also inherited some of the flaws of text-based passwords. These flaws include predictability, vulnerability to observational attacks and the inability of systems to efficiently combine security with usability. Hence there is a continued quest among usable security researchers to find that hypothetical system that has both strong usability and strong security. In this research, a novel concept for hybrid graphical authentication systems is developed. This consists of a class of systems called ‘property based authentication systems’, which use image properties for user authentication rather than the specific images used in existing systems. Image properties are specified contents of images which give the image a set of characteristics. Several implementations of these systems have been developed and evaluated. Significant empirical performance studies have been conducted to evaluate these systems in terms of usability and security.
The usability evaluations assess the systems in terms of effectiveness, efficiency and user satisfaction, while the security evaluations measure their susceptibility to common attacks. The results from these studies suggest that property based systems have better usability and security when compared to commonly known and well researched graphical authentication systems.