research-article

Open access

Picture Gesture Authentication: Empirical Analysis, Automated Attacks, and Scheme Evaluation

Authors:

Hongxin HuAuthors Info & Claims

ACM Transactions on Information and System Security (TISSEC), Volume 17, Issue 4

Article No.: 14, Pages 1 - 37

https://doi.org/10.1145/2701423

Published: 13 April 2015 Publication History

Abstract

Picture gesture authentication has been recently introduced as an alternative login experience to text-based password on touch-screen devices. In particular, the newly on market Microsoft Windows 8™ operating system adopts such an alternative authentication to complement its traditional text-based authentication. We present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies. Based on the findings of our user studies, we propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users’ thought processes in selecting picture passwords. Our evaluation results show the proposed approach could crack a considerable portion of picture passwords under different settings. Based on the empirical analysis and attack results, we comparatively evaluate picture gesture authentication using a set of criteria for a better understanding of its advantages and limitations.

References

[1]

Bogdan Alexe, Thomas Deselaers, and Vittorio Ferrari. 2012. Measuring the objectness of image windows. IEEE Transactions Pattern Analysis and Machine Intelligence (2012), 2189--2202.

Digital Library

[2]

Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Conference on Offensive Technologies. USENIX Association, 1--7.

Digital Library

[3]

Dana H. Ballard. 1981. Generalizing the hough transform to detect arbitrary shapes. Pattern Recognition 13, 2 (1981), 111--122.

[4]

Kemal Bicakci, Nart Bedin Atalay, Mustafa Yuceel, Hakan Gurbaslar, and Burak Erdeniz. 2009. Towards usable solutions to graphical password hotspot problem. In Proceedings of the 33rd IEEE International Conference on Computer Software and Applications Conference, Vol. 2. IEEE, 318--323.

Digital Library

[5]

Robert Biddle, Sonia Chiasson, and Paul C. Van Oorschot. 2011. Graphical passwords: Learning from the first twelve years. Computer Surveys 44, 4 (2011).

Digital Library

[6]

Joseph Bonneau. 2012a. Guessing human-chosen secrets. University of Cambridge.

[7]

Joseph Bonneau. 2012b. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proceedings of the 2012 IEEE Symposium on Security and Privacy. IEEE, 538--552.

Digital Library

[8]

Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2012a. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. Technical Report UCAM-CL-TR-817. University of Cambridge, Computer Laboratory.

[9]

Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2012b. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proceedings of the 2012 IEEE Symposium on Security and Privacy. IEEE, 553--567.

Digital Library

[10]

Joseph Bonneau, Sören Preibusch, and Ross Anderson. 2012c. A birthday present every eleven wallets&quest; The security of customer-chosen banking PINs. In Proceedings of the the 16th International Conference on Financial Cryptography.

[11]

Joseph Bonneau, Sören Preibusch, and Ross Anderson. 2012d. A birthday present every eleven wallets&quest; The security of customer-chosen banking PINs. Financial Cryptography and Data Security (2012), 25--40.

[12]

Ali Borji, Dicky N. Sihite, and Laurent Itti. 2012. Salient object detection: A benchmark. In Proceedings of the 2012 European Conference on Computer Vision. Springer, 414--429.

[13]

Ali Borji, Hamed R. Tavakoli, Dicky N. Sihite, and Laurent Itti. 2013. Analysis of scores, datasets, and models in visual saliency prediction. In Proceedings of the 2013 IEEE International Conference on Computer Vision. IEEE, 921--928.

Digital Library

[14]

Sacha Brostoff and M. Angela Sasse. 2000. Are Passfaces more usable than passwords&quest; A field trial investigation. People and Computers (2000), 405--424.

[15]

John Canny. 1986. A computational approach to edge detection. IEEE Transactions on Pattern Analysis and Machine Intelligence 6 (1986), 679--698.

Digital Library

[16]

Claude Castelluccia, Markus Dürmuth, and Daniele Perito. 2012. Adaptive password-strength meters from Markov models. In Proceedings of the 19th Network and Distributed System Security Symposium.

[17]

Sonia Chiasson, Alain Forget, Robert Biddle, and Paul C. van Oorschot. 2009. User interface design affects security: Patterns in click-based graphical passwords. International Journal of Information Security 8, 6 (2009), 387--398.

Digital Library

[18]

Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, and Paul C. Van Oorschot. 2012. Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism. IEEE Transactions on Dependable and Secure Computing 9, 2 (2012), 222--235.

Digital Library

[19]

Sonia Chiasson, Paul van Oorschot, and Robert Biddle. 2007. Graphical password authentication using cued click points. In Proceedings of the 12th European Symposium on Research in Computer Security. Springer, 359--374.

Digital Library

[20]

Darren Davis, Fabian Monrose, and Michael K. Reiter. 2004. On user choice in graphical password schemes. In Proceedings of the 13th Conference on USENIX Security Symposium. USENIX Association, 11--23.

Digital Library

[21]

Antonella De Angeli, Lynne Coventry, Graham Johnson, and Karen Renaud. 2005. Is a picture really worth a thousand words&quest; Exploring the feasibility of graphical authentication systems. International Journal of Human-Computer Studies 63, 1 (2005), 128--152.

Digital Library

[22]

Rachna Dhamija and Adrian Perrig. 2000. Déjà Vu: A user study using images for authentication. In Proceedings of the 9th Conference on USENIX Security Symposium. USENIX Association.

Digital Library

[23]

Ahmet Emir Dirik, Nasir Memon, and Jean-Camille Birget. 2007. Modeling user choice in the PassPoints graphical password scheme. In Proceedings of the 3rd Symposium on Usable Privacy and Security. ACM, 20--28.

Digital Library

[24]

Paul Dunphy and Jeff Yan. 2007. Do background images improve draw a secret graphical passwords&quest; In Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 36--47.

Digital Library

[25]

Uriel Feige, László Lovász, and Prasad Tetali. 2004. Approximating min sum set cover. Algorithmica 40, 4 (2004), 219--234.

Digital Library

[26]

Pedro F. Felzenszwalb, Ross B. Girshick, David McAllester, and Deva Ramanan. 2010. Object detection with discriminatively trained part-based models. IEEE Transactions on Pattern Analysis and Machine Intelligence 32, 9 (2010), 1627--1645.

Digital Library

[27]

Alain Forget, Sonia Chiasson, and Robert Biddle. 2010. Shoulder-surfing resistance with eye-gaze entry in cued-recall graphical passwords. In Proceedings of the 28th International Conference on Human Factors in Computing Systems. ACM, 1107--1110.

Digital Library

[28]

Haichang Gao, Xuewu Guo, Xiaoping Chen, Liming Wang, and Xiyang Liu. 2008. Yagp: Yet another graphical password strategy. In Proceedings of the 24th Annual Computer Security Applications Conference. IEEE, 121--129.

Digital Library

[29]

Ross B. Girshick, Pedro F. Felzenszwalb, and David McAllester. 2010. Discriminatively Trained Deformable Part Models, Release 5. Retrieved from http://people.cs.uchicago.edu/rbg/latent-release5/.

[30]

Brian Honan. 2012. Visual Data Security White Paper. Retrieved from http://www.visualdatasecurity.eu/wp-content/uploads/2012/07/Visual-Data-Security-White-Paper.pdf.

[31]

Dawei Hong, Jean-Camille Birget, and Nasir Memon. 2006. Graphical passwords based on robust discretization. IEEE Transactions on Information Forensics and Security 1, 3 (2006), 395--399.

Digital Library

[32]

Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. 1999. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium. USENIX Association, 1--14.

Digital Library

[33]

Huaizu Jiang, Jingdong Wang, Zejian Yuan, Yang Wu, Nanning Zheng, and Shipeng Li. 2013. Salient object detection: A discriminative regional feature integration approach. In Proceedings of the 2013 IEEE Conference on Computer Vision and Pattern Recognition. IEEE, 2083--2090.

Digital Library

[34]

Jeff Johnson, Steve Seixeiro, Zachary Pace, Giles Van der Bogert, Sean Gilmour, Levi Siebens, and Ken Tubbs. US Patent 163201, 2012. Picture gesture authentication. (US Patent 163201, 2012).

[35]

Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez. 2012. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 523--537.

Digital Library

[36]

Microsoft. 2013. Microsoft by the Numbers. Retrieved from http://www.microsoft.com/en-us/news/bythenumbers/ms_numbers.pdf.

[37]

Zach Pace. 2011a. Signing in with a Picture Password. Retrieved from http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx.

[38]

Zach Pace. 2011b. Signing into Windows 8 with a Picture Password. Retrieved from http://www.youtube.com/watch&quest;v=Ek9N2tQzHOA.

[39]

Ashwini Rao, Birendra Jha, and Gananand Kini. 2013. Effect of grammar on security of long passwords. In Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. ACM, 317--324.

Digital Library

[40]

Karen Renaud. 2009. Guidelines for designing graphical authentication mechanism interfaces. International Journal of Information and Computer Security 3, 1 (2009), 60--85.

Digital Library

[41]

Amirali Salehi-Abari, Julie Thorpe, and Paul C. van Oorschot. 2008. On purely automated attacks and click-based graphical passwords. In Proceedings of the 24th Annual Computer Security Applications Conference. IEEE, 111--120.

Digital Library

[42]

Stuart Schechter, Cormac Herley, and Michael Mitzenmacher. 2010. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks. In Proceedings of the 5th USENIX conference on Hot Topics in Security. USENIX Association, 1--8.

Digital Library

[43]

Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. 2007. The emperor’s new security indicators. In Proceedings of the 2007 IEEE Symposium on Security and Privacy. IEEE, 51--65.

Digital Library

[44]

Xiaoyuan Suo, Ying Zhu, and G. Scott Owen. 2005. Graphical passwords: A survey. In Proceedings of the 21st Annual Computer Security Applications Conference. IEEE, 10--19.

Digital Library

[45]

Satoshi Suzuki. 1985. Topological structural analysis of digitized binary images by border following. Computer Vision, Graphics, and Image Processing 30, 1 (1985), 32--46.

[46]

Hai Tao and Carlisle Adams. 2008. Pass-Go: A proposal to improve the usability of graphical passwords. International Journal of Network Security 7, 2 (2008), 273--292.

[47]

Julie Thorpe, Muath Al-Badawi, Brent MacRae, and Amirali Salehi-Abari. 2014. The presentation effect on graphical passwords. In Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems. ACM, 2947--2950.

Digital Library

[48]

Julie Thorpe and Paul Van Oorschot. 2004. Towards secure design choices for implementing graphical passwords. In Proceedings of the 20th Annual Computer Security Applications Conference. IEEE, 50--60.

Digital Library

[49]

Julie Thorpe and Paul Van Oorschot. 2007. Human-seeded attacks and exploiting hot-spots in graphical passwords. In Proceedings of 16th USENIX Security Symposium. USENIX Association, 8.

Digital Library

[50]

Julie Thorpe and Paul C. van Oorschot. 2004. Graphical dictionaries and the memorable space of graphical passwords. In Proceedings of the 13th Conference on USENIX Security Symposium. USENIX Association, 135--150.

Digital Library

[51]

Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. 2013. Quantifying the security of graphical passwords: The case of Android unlock patterns. In Proceedings of the 20th ACM Conference on Computer and Communications Security. ACM, 161--172.

Digital Library

[52]

Paul C. Van Oorschot, Amirali Salehi-Abari, and Julie Thorpe. 2010. Purely automated attacks on PassPoints-style graphical passwords. IEEE Transactions on Information Forensics and Security 5, 3 (2010), 393--405.

Digital Library

[53]

Paul C. van Oorschot and Julie Thorpe. 2008. On predictive models and user-drawn graphical passwords. ACM Transactions on Information and System Security 10, 4 (2008), 5.

Digital Library

[54]

Paul C. van Oorschot and Julie Thorpe. 2011. Exploiting predictability in click-based graphical passwords. Journal of Computer Security 19, 4 (2011), 669--702.

Digital Library

[55]

Christopher Varenhorst, M. V. Kleek, and Larry Rudolph. 2004. Passdoodles: A lightweight authentication method. MIT Research Science Institute (2004).

[56]

Rafael Veras, Christopher Collins, and Julie Thorpe. 2014. On the semantic patterns of passwords and their security impact. In Proceedings of the Network and Distributed System Security Symposium.

[57]

Paul Viola and Michael J. Jones. 2004. Robust real-time face detection. International Journal of Computer Vision 57, 2 (2004), 137--154.

Digital Library

[58]

Roman Weiss and Alexander De Luca. 2008. PassShapes: Utilizing stroke based authentication to increase password memorability. In Proceedings of the 5th Nordic Conference on Human-Computer Interaction: Building Bridges. ACM, 383--392.

Digital Library

[59]

Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, and Nasir Memon. 2005a. Authentication using graphical passwords: Effects of tolerance and image choice. In Proceedings of the Symposium on Usable Privacy and Security. ACM, 1--12.

Digital Library

[60]

Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, and Nasir Memon. 2005b. PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies 63, 1 (2005), 102--127.

Digital Library

[61]

Qiang Yan, Jin Han, Yingjiu Li, and Robert H. Deng. 2012. On limitations of designing leakage-resilient password systems: Attacks, principles and usability. In Proceedings of the 19th Network and Distributed System Security Symposium.

[62]

John C. Yuille. 1983. Imagery, Memory, and Cognition. Lawrence Erlbaum Associates, Inc.

[63]

Nur Haryani Zakaria, David Griffiths, Sacha Brostoff, and Jeff Yan. 2011. Shoulder surfing defence for recall-based graphical passwords. In Proceedings of the 7th Symposium on Usable Privacy and Security. ACM, 6--17.

Digital Library

[64]

Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. 2010. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM, 176--186.

Digital Library

[65]

Ziming Zhao, Gail-Joon Ahn, Jeongjin Seo, and Hongxin Hu. 2013. On the security of picture gesture authentication. In Proceedings of the 22nd USENIX Security Symposium. USENIX Association, 383--398.

Digital Library

Cited By

Ying JZhu TLiu QXiong CWeng ZChen TFu LLv MWu HWang TChen Y(2024)TrapCog: An Anti-Noise, Transferable, and Privacy-Preserving Real-Time Mobile User Authentication System With High AccuracyIEEE Transactions on Mobile Computing10.1109/TMC.2023.326507123:4(2832-2848)Online publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1109/TMC.2023.3265071
Constantinides ABelk MFidas CBeumers RVidal DHuang WBowles JWebber TSilvina APitsillides A(2023)Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare OrganizationsACM Transactions on Computing for Healthcare10.1145/35646104:1(1-40)Online publication date: 27-Feb-2023
https://dl.acm.org/doi/10.1145/3564610
Tian YZhou HDu HXu CHou JRen DLi X(2023)BackLip: Passphrase-Independent Lip-reading User Authentication with Backscatter Signals2023 IEEE/ACM 31st International Symposium on Quality of Service (IWQoS)10.1109/IWQoS57198.2023.10188767(1-10)Online publication date: 19-Jun-2023
https://doi.org/10.1109/IWQoS57198.2023.10188767
Show More Cited By

Index Terms

Picture Gesture Authentication: Empirical Analysis, Automated Attacks, and Scheme Evaluation
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

On the security of picture gesture authentication
SEC'13: Proceedings of the 22nd USENIX conference on Security

Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture ...
Unconditionally secure ring authentication
ASIACCS '07: Proceedings of the 2nd ACM symposium on Information, computer and communications security

We propose ring authentication in unconditionally secure setting. In a ring authentication system a sender can choose a set of users and construct an authenticated message for a receiver such that the receiver can verify authenticity of the message with ...
Practical Anonymous Password Authentication and TLS with Anonymous Client Authentication
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Anonymous authentication allows one to authenticate herself without revealing her identity, and becomes an important technique for constructing privacy-preserving Internet connections. Anonymous password authentication is highly desirable as it enables ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Information and System Security

ACM Transactions on Information and System Security Volume 17, Issue 4

April 2015

127 pages

ISSN:1094-9224

EISSN:1557-7406

DOI:10.1145/2756875

Editor:
Gene Tsudik
University of California at Irvine, USA

Issue’s Table of Contents

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 April 2015

Accepted: 01 December 2014

Revised: 01 November 2014

Received: 01 February 2014

Published in TISSEC Volume 17, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Global Research Laboratory Project through the National Research Foundation (NRF-2014K1A1A2043029)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

34
Total Citations
View Citations
866
Total Downloads

Downloads (Last 12 months)126
Downloads (Last 6 weeks)20

Reflects downloads up to 18 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ying JZhu TLiu QXiong CWeng ZChen TFu LLv MWu HWang TChen Y(2024)TrapCog: An Anti-Noise, Transferable, and Privacy-Preserving Real-Time Mobile User Authentication System With High AccuracyIEEE Transactions on Mobile Computing10.1109/TMC.2023.326507123:4(2832-2848)Online publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1109/TMC.2023.3265071
Constantinides ABelk MFidas CBeumers RVidal DHuang WBowles JWebber TSilvina APitsillides A(2023)Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare OrganizationsACM Transactions on Computing for Healthcare10.1145/35646104:1(1-40)Online publication date: 27-Feb-2023
https://dl.acm.org/doi/10.1145/3564610
Tian YZhou HDu HXu CHou JRen DLi X(2023)BackLip: Passphrase-Independent Lip-reading User Authentication with Backscatter Signals2023 IEEE/ACM 31st International Symposium on Quality of Service (IWQoS)10.1109/IWQoS57198.2023.10188767(1-10)Online publication date: 19-Jun-2023
https://doi.org/10.1109/IWQoS57198.2023.10188767
Kaur MGarg P(2022)A Review of Authentication Techniques used for Security in Cloud Computing2022 Seventh International Conference on Parallel, Distributed and Grid Computing (PDGC)10.1109/PDGC56933.2022.10053251(187-191)Online publication date: 25-Nov-2022
https://doi.org/10.1109/PDGC56933.2022.10053251
Ahvanooey MZhu MLi QMazurczyk WChoo KGupta BConti M(2022)Modern Authentication Schemes in Smartphones and IoT Devices: An Empirical SurveyIEEE Internet of Things Journal10.1109/JIOT.2021.31380739:10(7639-7663)Online publication date: 15-May-2022
https://doi.org/10.1109/JIOT.2021.3138073
Constantinides CConstantinides ABelk MFidas CPitsillides A(2021)A Comparative Study among Different Computer Vision Algorithms for Assisting Users in Picture Password CompositionAdjunct Proceedings of the 29th ACM Conference on User Modeling, Adaptation and Personalization10.1145/3450614.3464474(357-362)Online publication date: 21-Jun-2021
https://dl.acm.org/doi/10.1145/3450614.3464474
Katsini CRaptis GCen AGamagedara Arachchilage NNacke L(2021)Eye-GUAna: Higher Gaze-Based Entropy and Increased Password Space in Graphical User Authentication Through GamificationACM Symposium on Eye Tracking Research and Applications10.1145/3448018.3458615(1-7)Online publication date: 25-May-2021
https://dl.acm.org/doi/10.1145/3448018.3458615
Raptis GKatsini CCen AArachchilage NNacke LKitamura YQuigley AIsbister KIgarashi TBjørn PDrucker S(2021)Better, Funner, Stronger: A Gameful Approach to Nudge People into Making Less Predictable Graphical Password ChoicesProceedings of the 2021 CHI Conference on Human Factors in Computing Systems10.1145/3411764.3445658(1-17)Online publication date: 6-May-2021
https://dl.acm.org/doi/10.1145/3411764.3445658
Abuhamad MAbusnaina ANyang DMohaisen D(2021)Sensor-Based Continuous Authentication of Smartphones’ Users Using Behavioral Biometrics: A Contemporary SurveyIEEE Internet of Things Journal10.1109/JIOT.2020.30200768:1(65-84)Online publication date: 1-Jan-2021
https://doi.org/10.1109/JIOT.2020.3020076
Wang ZZhou NChen FFeng XLiu FGuo YChen D(2021)Smart_Auth: User Identity Authentication Based on Smartphone Motion Sensors2021 6th International Conference on Image, Vision and Computing (ICIVC)10.1109/ICIVC52351.2021.9526964(480-485)Online publication date: 23-Jul-2021
https://doi.org/10.1109/ICIVC52351.2021.9526964
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Figures

Tables

Media

View Issue’s Table of Contents