362 research outputs found

    Towards a metric for recognition-based graphical password security

    Recognition-based graphical password (RBGP) schemes are not easily compared in terms of security. Current research uses many different measures which results in confusion as to whether RBGP schemes are secure against guessing and capture attacks. If it were possible to measure all RBGP schemes in a common way it would provide an easy comparison between them, allowing selection of the most secure design. This paper presents a discussion of potential attacks against recognition-based graphical password (RBGP) authentication schemes. As a result of this examination a preliminary measure of the security of a recognition-based scheme is presented. The security measure is a 4-tuple based on distractor selection, shoulder surfing, intersection and replay attacks. It is aimed to be an initial proposal and is designed in a way which is extensible and adjustable as further research in the area develops. Finally, an example is provided by application to the PassFaces scheme

    A new graphical password scheme resistant to shoulder-surfing

    Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images orderly rather than click directly on them. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shoulder-surfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time

    Shoulder Surfing Resistant Graphical Authentication Scheme for Web Based Applications

    Since the design and development of the first graphical authentication pioneered by Blonder in 1996, numerous research has been conducted on this area to be used in different scenarios, especially on the Internet. One of the major motivators is the picture superiority which, as studies have shown, states that images/pictures provide higher memorability as opposed to text-based authentication. However, graphical authentication is still faced with some challenges. In this paper, a shoulder surfing resistant graphical authentication scheme is proposed to tackle a major issue related to the graphical authentication schemes developed. The proposed scheme provides a high level of resistance to shoulder surfing attacks, mitigating the need to upload pictures and aids in finding chosen objects in the scheme. However, the scheme has some vulnerabilities, which implies that there may not be a perfect graphical authentication scheme; each scheme has its merits and demerits, making it a suitable candidate for different environment and/or event depending on its architecture.

    GazeTouchPass: Multimodal Authentication Using Gaze and Touch on Mobile Devices

    We propose a multimodal scheme, GazeTouchPass, that combines gaze and touch for shoulder-surfing resistant user authentication on mobile devices. GazeTouchPass allows passwords with multiple switches between input modalities during authentication. This requires attackers to simultaneously observe the device screen and the user's eyes to find the password. We evaluate the security and usability of GazeTouchPass in two user studies. Our findings show that GazeTouchPass is usable and significantly more secure than single-modal authentication against basic and even advanced shoulder-surfing attacks

    ColorDots: An Intersection Analysis Resistant Graphical Password Scheme for the Prevention of Shoulder-surfing Attack

    In an increasingly mobile world, the combination of mobile computing devices, publicly accessible Wi-Fi hotspots, and camera phones poses a significant threat to alphanumeric passwords in public environments. Graphical passwords, introduced as an alternative to alphanumerical passwords, help prevent successful shoulder-surfing attacks (covertly observing or recording a password login session); however, most cannot prevent intersection analysis on the data collected through shoulder-surfing. ColorDots is a new graphical password scheme designed to be easy to use and learn, to prevent successful shoulder-surfing attacks, and to hinder intersection analysis. A software implementation of ColorDots is tested, and the results analyzed. This study showed the ColorDots graphical password scheme does prevent shoulder-surfing, and hinders intersection analysis on digital recordings of multiple shoulder-surfing attacks. Furthermore, ColorDots may be just as convenient to use as alphanumeric passwords, while improving password security in public environments.

    A Shoulder-Surfing Resistant Scheme Embedded in Traditional Passwords

    Typing passwords is vulnerable to shoulder-surfing attacks. We proposed a shoulder-surfing resistant scheme embedded in traditional textual passwords in this study. With the proposed scheme, when the password field is in focus, a pattern appears in it as a hint to tell the user how to enter a password. Following the hint, the user needs to skip some characters while typing the password. The characters to be skipped are randomly selected so that an observer will not be able to see the whole password even if the authentication procedure was recorded. We evaluated the proposed scheme in a usability study. Compared to traditional passwords, our scheme achieved a similar level of accuracy while requiring only marginal additional time to authenticate users. Participants also expressed significantly higher acceptance of the new technique for security-sensitive applications and gave it significantly higher ratings in perceived security, shoulder-surfing resistance, camera-recording resistance, and guess-attack resistance.