Graphical One-Time Password (GOTPass): A usability evaluation

Journal has two ISSNs: 1939-3555 (Print), 1939-3547 (Online)Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords is difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. In addition, they are vulnerable to various types of attacks, such as shoulder surfing, replay, and keylogger attacks (Gupta, Sahni, Sabbu, Varma, & Gangashetty, 2012) One-Time Passwords (OTPs) aim to overcome such problems (Gupta et al., 2012); however, most implemented OTP techniques require special hardware, which not only adds cost, but there are also issues regarding its availability (Brostoff, Inglesant, & Sasse, 2010). In contrast, the use of graphical passwords is an alternative authentication mechanism designed to aid memorability and ease of use, often forming part of a multifactor authentication process. This article is complementary to the earlier work that introduced and evaluated the security of the new hybrid user-authentication approach: Graphical One-Time Password (GOTPass) (Alsaiari et al., 2015). The scheme aims to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. The article presents the results of an empirical user study that investigates the usability features of the proposed approach, as well as pretest and posttest questionnaires. The experiment was conducted during three separate sessions, which took place over five weeks, to measure the efficiency, effectiveness, memorability, and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5s

Shoulder Surfing Resistant Graphical Authentication Scheme for Web Based Applications

Since the design and development of the first graphical authentication pioneered by Blonder in 1996, numerous research has been conducted on this area to be used in different scenarios especially on the Internet. One of the major motivators is the picture superiority which as studies have shown, states that images/pictures provide higher memorability as opposed to Text based authentication. However, graphical authentication is still faced with some challenges. In this paper, a shoulder surfing resistant graphical authentication scheme is proposed to tackle a major issue related to the graphical authentication schemes developed. The proposed scheme provides a high level of resistance to shoulder surfing attacks, mitigating the need to upload pictures and aids in finding chosen objects in the scheme. However, the schemes has some vulnerabilities which implies that there may not be a perfect graphical authentication scheme; each scheme has its merits and demerits making it a suitable candidate for different environment and/or event depending on its architecture

A novel hybrid textual-graphical authentication scheme with better security, memorability, and usability

Despite numerous efforts, developing an authentication scheme that offers strong security while offering memorability and usability remains a grand challenge. In this paper, we propose a textual-graphical hybrid authentication scheme that improves the security, memorability and usability inadequacies of existing authentication schemes. This has been achieved by combining a range of mechanisms together, in a novel manner, to address weaknesses of the existing security schemes. Firstly, two dynamically selectable modes of password entry (Easy Login, and Secure Login) provide a trade-off between usability and security, allowing the user to dynamically switch to any of these methods in real-time based on the security of the surrounding environment (e.g., secure home environment versus insecure public places) or the criticality of the user account (e.g., a bank account). The other mechanisms included a novel use of the drawmetric mechanism for setting the password to improve memorability, multistep authentication, a novel adaptation of one-time password (OTP) concept using a random selection of password elements, random placement of password elements in different steps, assigning random numbers to the password elements to increase security, and use of simple addition to improve security. We have implemented and analysed the proposed scheme for its security against brute-force attacks, dictionary, shoulder surfing, random guessing, phishing or forming, keystroke/mouse logger, and multiple recording attacks. We have also investigated its usability and memorability, reporting various trends of password elements used and the respective authentication times. Moreover, we have compared the proposed scheme with eight other well-known authentication schemes in terms of its resilience and authentication time. The results and analyses demonstrate the effectiveness of the proposed scheme. We believe that a range of novel methods introduced in this proposed scheme opens several doors for innovation in security techniques

GRAPHICAL ONE-TIME PASSWORD AUTHENTICATION

Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords appears difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. One-Time Passwords (OTPs) aim to overcome such problems; however, most implemented OTP techniques require special hardware, which not only adds costs, but also raises issues regarding availability. This type of authentication mechanism is mostly adopted by online banking systems to secure their clients’ accounts. However, carrying around authentication tokens was found to be an inconvenient experience for many customers. Not only the inconvenience, but if the token was unavailable, for any reason, this would prevent customers from accessing their accounts securely. In contrast, there is the potential to use graphical passwords as an alternative authentication mechanism designed to aid memorability and ease of use. The idea of this research is to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. A new multi-level user-authentication solution known as: Graphical One-Time Password (GOTPass) was proposed and empirically evaluated in terms of usability and security aspects. The usability experiment was conducted during three separate sessions, which took place over five weeks, to assess the efficiency, effectiveness, memorability and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Eighty-one participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 seconds. With regard to the security evaluation, the research simulated three common types of graphical password attacks (guessing, intersection, and shoulder-surfing). The participants’ task was to act as attackers to try to break into the system. The GOTPass scheme showed a high resistance capability against the attacks, as only 3.3% of the 690 total attempts succeeded in compromising the system.King Abdulaziz City for Science and Technolog