342 research outputs found

    Comparing the usability of doodle and Mikon images to be used as authenticators in graphical authentication systems

    Recognition-based graphical authentication systems rely on the recognition of authenticator images by legitimate users for authentication. This paper presents the results of a study that compared doodle images and Mikon images as authenticators in recognition-based graphical authentication systems, taking various usability dimensions into account. The results of the usability evaluation, with 20 participants, demonstrated that users preferred Mikon to doodle images as authenticators in recognition-based graphical authentication mechanisms. Furthermore, participants found it difficult to recognize doodle images during authentication as well as to associate them with something meaningful. Our findings also show the need to consider the security offered by the images, especially their predictability.

    Shoulder Surfing Resistant Graphical Authentication Scheme for Web Based Applications

    Since the design and development of the first graphical authentication scheme, pioneered by Blonder in 1996, numerous studies have been conducted in this area for use in different scenarios, especially on the Internet. One of the major motivators is the picture superiority effect, which, as studies have shown, states that images/pictures provide higher memorability than text-based authentication. However, graphical authentication still faces some challenges. In this paper, a shoulder surfing resistant graphical authentication scheme is proposed to tackle a major issue related to the graphical authentication schemes developed so far. The proposed scheme provides a high level of resistance to shoulder surfing attacks, removes the need to upload pictures, and aids in finding chosen objects in the scheme. However, the scheme has some vulnerabilities, which implies that there may not be a perfect graphical authentication scheme; each scheme has its merits and demerits, making it a suitable candidate for different environments and/or events depending on its architecture.

    State of Alternative Authentication Research in Scotland

    Research into graphical authentication has yet to be meaningfully transferred into industry. This is the case globally, but is concerning in Scotland as considerable research into the area has been published and presented by academics in SICSA universities (e.g. University of Glasgow, Glasgow Caledonian University, Napier University). The lack of knowledge transfer is particularly perplexing given the interest of industry in improving digital security. There are several explanations for the lack of progress, but a prominent issue is the inconsistency in reporting scientific data pertaining to graphical authentication. There is no framework for the reporting of field investigations into graphical authentication solutions. This situation hinders not only knowledge transfer into industry but also the progress of research into alternative authentication solutions. Industry and researchers require metrics and strong qualitative data to utilise and progress research in the area. Consequently, the Scottish Informatics and Computer Science Alliance (SICSA) has provided financial support for a research exchange for me to visit and work with Prof. Melanie Volkamer. The primary aim of the proposed exchange is to develop a field evaluation framework for graphical authentication solutions to ensure consistent reporting of scientific data. The Center for Advanced Security Research at Technische Universität Darmstadt has an established track record of transferring knowledge into industry. Notably, Prof. Melanie Volkamer from the Technische Universität Darmstadt, along with Dr Karen Renaud and myself at the University of Glasgow, have collaborated and made progress in transferring knowledge of graphical authentication research into industry.

    Facelock: familiarity-based graphical authentication

    Authentication codes such as passwords and PIN numbers are widely used to control access to resources. One major drawback of these codes is that they are difficult to remember. Account holders are often faced with a choice between forgetting a code, which can be inconvenient, or writing it down, which compromises security. In two studies, we test a new knowledge-based authentication method that does not impose memory load on the user. Psychological research on face recognition has revealed an important distinction between familiar and unfamiliar face perception: when a face is familiar to the observer, it can be identified across a wide range of images. However, when the face is unfamiliar, generalisation across images is poor. This contrast can be used as the basis for a personalised ‘facelock’, in which authentication succeeds or fails based on image-invariant recognition of faces that are familiar to the account holder. In Study 1, account holders authenticated easily by detecting familiar targets among other faces (97.5% success rate), even after a one-year delay (86.1% success rate). Zero-acquaintance attackers were reduced to guessing (<1% success rate). Even personal attackers who knew the account holder well were rarely able to authenticate (6.6% success rate). In Study 2, we found that shoulder-surfing attacks by strangers could be defeated by presenting different photos of the same target faces in observed and attacked grids (1.9% success rate). Our findings suggest that the contrast between familiar and unfamiliar face recognition may be useful for developers of graphical authentication systems.

    Graphical Authentication System Using Image Panels

    The use of alphanumeric usernames and passwords is the most widely used technique for authentication. This technique has been found to have serious drawbacks. For instance, users frequently select passwords that are simple to remember. On the other hand, it may be challenging to recollect a complicated password. The creation of an OTP is another option, but it can take some time and comes with a risk (losing it within the allotted time). These existing methodologies have some disadvantages. A graphical authentication is easy to remember and hard to guess. So, a graphical authentication technique is proposed to address the problems of low security, shoulder surfing, dictionary and brute force attacks. In this methodology, the user must register by providing the required information and by selecting a panel from 3-5 images. This methodology is tested using entropy and proved that this approach is more efficient than the existing methods.

    Gathering realistic authentication performance data through field trials

    Most evaluations of novel authentication mechanisms have been conducted under laboratory conditions. We argue that the results of short-term usage under laboratory conditions do not predict user performance “in the wild”, because there is insufficient time between enrolment and testing, the number of authentications is low, and authentication is presented as a primary task, rather than the secondary task it is “in the wild”. User-generated reports of performance, on the other hand, provide subjective data, so reports on frequency of use, time intervals, and success or failure of authentication are subject to the vagaries of users’ memories. Studies on authentication that provide objective performance data under real-world conditions are rare. In this paper, we present our experiences with a study method that tries to control frequency and timing of authentication, and collects reliable performance data, while maintaining ecological validity of the authentication context at the same time. We describe the development of an authentication server called APET, which allows us to prompt users enrolled in trial cohorts to authenticate at controlled intervals, and report our initial experiences with trials. We conclude by discussing remaining challenges in obtaining reliable performance data through a field trial method such as this one.

    Multicriteria optimization to select images as passwords in recognition based graphical authentication systems

    Usability and guessability are two conflicting criteria in assessing the suitability of an image to be used as a password in recognition-based graphical authentication systems (RGBSs). We present the first work in this area that uses a new approach, which effectively integrates a series of techniques in order to rank images taking into account the values obtained for each of the dimensions of usability and guessability, from two user studies. Our approach uses fuzzy numbers to deal with non-commensurable criteria and compares two multicriteria optimization methods, namely TOPSIS and VIKOR. The results suggest that the VIKOR method is the most applicable to make an objective statement about which image type is better suited to be used as a password. The paper also discusses some improvements that could be made to the ranking assessment.

    A Shoulder Surfing Resistant Graphical Authentication System

    Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords that are either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we propose a novel authentication system, PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental results, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

    Towards a metric for recognition-based graphical password security

    Recognition-based graphical password (RBGP) schemes are not easily compared in terms of security. Current research uses many different measures, which results in confusion as to whether RBGP schemes are secure against guessing and capture attacks. If it were possible to measure all RBGP schemes in a common way, it would provide an easy comparison between them, allowing selection of the most secure design. This paper presents a discussion of potential attacks against recognition-based graphical password (RBGP) authentication schemes. As a result of this examination, a preliminary measure of the security of a recognition-based scheme is presented. The security measure is a 4-tuple based on distractor selection, shoulder surfing, intersection and replay attacks. It is intended as an initial proposal and is designed in a way which is extensible and adjustable as further research in the area develops. Finally, an example is provided by application to the PassFaces scheme.