
    A comprehensive study of the usability of multiple graphical passwords

    Recognition-based graphical authentication systems (RBGSs) using images as passwords have been proposed as one potential solution to the need for more usable authentication. The rapid increase in the technologies requiring user authentication has increased the number of passwords that users have to remember. But nearly all prior work with RBGSs has studied the usability of a single password. In this paper, we present the first published comparison of the usability of multiple graphical passwords with four different image types: Mikon, doodle, art and everyday objects (food, buildings, sports etc.). A longitudinal experiment was performed with 100 participants over a period of 8 weeks, to examine the usability performance of each of the image types. The results of the study demonstrate that object images are most usable in the sense of being more memorable and less time-consuming to employ, Mikon images are close behind but doodle and art images are significantly inferior. The results of our study complement cognitive literature on the picture superiority effect, visual search process and nameability of visually complex images.

    Gathering realistic authentication performance data through field trials

    Most evaluations of novel authentication mechanisms have been conducted under laboratory conditions. We argue that the results of short-term usage under laboratory conditions do not predict user performance “in the wild”, because there is insufficient time between enrolment and testing, the number of authentications is low, and authentication is presented as a primary task, rather than the secondary task it is “in the wild”. User-generated reports of performance, on the other hand, provide subjective data, so reports on frequency of use, time intervals, and success or failure of authentication are subject to the vagaries of users' memories. Studies on authentication that provide objective performance data under real-world conditions are rare. In this paper, we present our experiences with a study method that tries to control frequency and timing of authentication, and collects reliable performance data, while maintaining ecological validity of the authentication context at the same time. We describe the development of an authentication server called APET, which allows us to prompt users enrolled in trial cohorts to authenticate at controlled intervals, and report our initial experiences with trials. We conclude by discussing remaining challenges in obtaining reliable performance data through a field trial method such as this one.

    A Human-Cognitive Perspective of Users’ Password Choices in Recognition-Based Graphical Authentication

    Graphical password composition is an important part of graphical user authentication which affects the strength of the chosen password. Considering that graphical authentication is associated with visual search, perception, and information retrieval, in this paper we report on an eye-tracking study (N = 109) that aimed to investigate the effects of users' cognitive styles on the strength of the created passwords and shed light on whether and how the visual strategy of the users during graphical password composition is associated with the passwords' strength. For doing so, we adopted Witkin's Field Dependence-Independence theory, which underpins individual differences in visual information and cognitive processing, as graphical password composition tasks are associated with visual search. The analysis revealed that users with different cognitive processing characteristics followed different patterns of visual behavior during password composition, which affected the strength of the created passwords. The findings underpin the need to consider human-cognitive characteristics as a design factor in graphical password schemes. The paper concludes by discussing implications for improving recognition-based graphical passwords through adaptation and personalization techniques based on individual cognitive characteristics.

    A qualitative approach to HCI research

    Whilst science has a strong reliance on quantitative and experimental methods, there are many complex, socially based phenomena in HCI that cannot be easily quantified or experimentally manipulated or, for that matter, ethically researched with experiments. For example, the role of privacy in HCI is not obviously reduced to numbers and it would not be appropriate to limit a person's privacy in the name of research. In addition, technology is rapidly changing (just think of developments in mobile devices, tangible interfaces and so on), making it harder to abstract technology from the context of use if we are to study it effectively. Developments such as mediated social networking and the dispersal of technologies in ubiquitous computing also loosen the connection between technologies and work tasks that were the traditional cornerstone of HCI. Instead, complex interactions between technologies and ways of life are coming to the fore. Consequently, we frequently find that we do not know what the real HCI issues are before we start our research. This makes it hard, if not actually impossible, to define the variables necessary to do quantitative research (see Chapter 2). Within HCI, there is also the recognition that the focus on tasks is not enough to design and implement an effective system. There is also a growing need to understand how usability issues are subjectively and collectively experienced and perceived by different user groups (Pace, 2004; Razavim and Iverson, 2006). This means identifying the users' emotional and social drives and perspectives; their motivations, expectations, trust, identity, social norms and so on. It also means relating these concepts to work practices, communities and organisational social structures as well as organisational, economic and political drivers. These issues increasingly need to be understood, both in isolation and as part of the whole, in the design, development and implementation of systems.
    HCI researchers are therefore turning to more qualitative methods in order to deliver the research results that HCI needs. With qualitative research, the emphasis is not on measuring and producing numbers but instead on understanding the qualities of a particular technology and how people use it in their lives, how they think about it and how they feel about it. There are many varied approaches to qualitative research within the social sciences depending on what is being studied, how it can be studied and what the goals of the research are. Within HCI, though, grounded theory has been found to provide good insights that address well the issues raised above (Pace, 2004; Adams, Blandford and Lunt, 2005; Razavim and Iverson, 2006). The purpose of this chapter is to give an overview of how grounded theory works as a method. Quantitative research methods adopt measuring instruments and experimental manipulations that can be repeated by any researcher (at least in principle) and every effort is made to reduce the influence of the researcher on the researched, which is regarded as a source of bias or error. In contrast, in qualitative research, where the goal is understanding rather than measuring and manipulating, the subjectivity of the researcher is an essential part of the production of an interpretation. The chapter therefore discusses how the influence of the researcher can be ameliorated through the grounded theory methodology whilst also acknowledging the subjective input of the researcher through reflexivity. The chapter also presents a case study of how grounded theory was used in practice to study people's use and understanding of computer passwords and related security.

    Authentication Schemes' Impact on Working Memory

    Authentication is the process by which a computing system validates a user's identity. Although this process is necessary for system security, users view authentication as a frequent disruption to their primary tasks. During this disruption, primary task information must be actively maintained in working memory. As a result, primary task information stored in working memory is at risk of being lost or corrupted while users authenticate. For over two decades, researchers have focused on developing more memorable passwords by replacing alphanumeric text with visual graphics (Biddle et al., 2012). However, very little attention has been given to the impact authentication has on working memory. A recent exploratory study suggests that working memory can be disrupted during graphical authentication (Still & Cain, 2019). In this study, we take the next step by controlling for task difficulty and contrasting performance with conventional password-based authentication. Baddeley's model was employed to examine the impact of authentication on verbal, visuospatial, and central executive working memory (Baddeley & Hitch, 1974). Our findings may help designers select authentication systems that minimize adverse effects on users' critical primary task performance. For instance, we revealed that conventional passwords do not have a greater negative impact on verbal primary task information compared to graphical passcodes. We also replicated findings reported by Still and Cain (2019), where visuospatial working memory was least impaired by authentication. These findings are not intuitive, highlighting the need for further investigation of how authentication impacts primary task information in working memory.

    Account Recovery Methods for Two-Factor Authentication (2FA): An Exploratory Study

    System administrators have started to adopt two-factor authentication (2FA) to increase user account resistance to cyber-attacks. Systems with 2FA require users to verify their identity using a password and a second-factor authentication device to gain account access. This research found that 60% of users only enroll one second-factor device to their account. If a user's second factor becomes unavailable, systems are using different procedures to ensure its authorized owner recovers the account. Account recovery is essentially a bypass of the system's main security protocols and needs to be handled as an alternative authentication process (Loveless, 2018). The current research aimed to evaluate users' perceived security for four 2FA account recovery methods. Using Renaud's (2007) opportunistic equation, the present study determined that a fallback phone number recovery method provides user accounts with the most cyber-attack resistance, followed by system-generated recovery codes, a color grid pattern, and graphical passcode. This study surveyed 103 participants about authentication knowledge, general risk perception aptitude, ability to correctly rank the recovery methods in terms of their attack resistance, and recovery method perceptions. Other survey inquiries related to previous 2FA, account recovery, and cybersecurity training experiences. Participants generally performed poorly when asked to rank the recovery methods by security strength. Results suggested that neither risk numeracy, authentication knowledge, nor cybersecurity familiarity impacted users' ability to rank recovery methods by security strength. However, the majority of participants ranked either generated recovery codes, 39%, or a fallback phone number, 25%, as being most secure. The majority of participants, 45%, preferred the fallback phone number for account recovery, 38% expect it will be the easiest to use, and 46% expect it to be the most memorable.
    However, users' annotated descriptions of their recovery method preferences revealed that users are likely to disregard the setup instructions and use their own phone number instead of an emergency contact number. Overall, this exploratory study offers information that researchers and designers can deploy to improve users' 2FA and 2FA account recovery experiences.