DOI: 10.1145/2407796.2407803
research-article

NAPTune: fine tuning graphical authentication

Published: 07 April 2011

Abstract

Graphical passwords are considered to be a secure and memorable alternative to text passwords. Users of such systems authenticate themselves by identifying a subset of images from the set of displayed images. However, despite the impressive results of user studies on experimental graphical password schemes, their overall commercial adoption has been relatively low. In this paper, we investigate the reasons behind the low commercial acceptance of graphical passwords and present recommendations to overcome them. Based on these recommendations, we design a simple graphical password scheme, which we call NAPTune. NAPTune is designed to work as a cued-recognition-based graphical authentication scheme that allows users to choose both text and images as their password with the same underlying design and interaction. In doing so, we blend the strengths of Numbers, Alphabets and Pictures (NAP) to effectively defeat prevalent forms of social hacking. We conducted a user study with 35 participants to evaluate the viability of our proposed design. The results of the study are encouraging and indicate that our proposed design is a potentially secure and usable method of authentication.

Published In

IndiaHCI '11: Proceedings of the 3rd Indian Conference on Human-Computer Interaction
April 2011
130 pages
ISBN:9781450307291
DOI:10.1145/2407796

Sponsors

  • The International Institute of Information Technology Bangalore

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. graphical passwords
  2. usable security
  3. user authentication

Qualifiers

  • Research-article

Conference

IndiaHCI '11

Acceptance Rates

Overall Acceptance Rate 33 of 93 submissions, 35%
