Department of Human Factors EngineeringGestures are potential authentication method for touchscreen devices and common tasks such as phone lock. While many studies have indicated gesture passwords can achieve high usability, evaluating their security remains a grey area. Key challenges stem from the small sample sizes in current gesture password studies and the requirement to use similarity-based recognition metrics which prevent the application of traditional entropy assessment methods. To overcome these problems, we perform a large-scale study online (N=2594). With the resulting data set, we develop a novel multi-stage discretization method and n-gram Markov models that enable us to assess the partial guessing entropy of gesture passwords and to create a novel clustering-based dictionary attack. We report then while partial guessing entropy appears to be greater than other common phone lock methods (e.g., Pin, pattern), gestures are highly susceptible to dictionary attack. To improve the security of gesture passwords, we develop a novel gesture password strength meter. Password strength meters has been previously proposed as an effective password policy that can improve the security of other authentication techniques such as passwords or pattern. Using the meter, we propose various mandated compliances in which users are restricted to meet certain level of strength: default (none), weak, fair, and strong. We validate the effectiveness of gesture strength meter designs on security by performing a follow up online study and applying the security framework and attacks established in the first study. The default policy improves the gesture password security with small cost in usability. This thesis concludes that gesture password meters can be an effective technique for improving the security of gesture authentication systems that deserve further study.clos
