Graphical Passwords

In this article we present the development of a new, web-based, graphical authentication mechanism called ImagePass. The authentication mechanism introduces a novel feature based on one-time passwords that increases the security of the system without compromising its usability. Regarding usability, we explore the users’ perception of recognition-based, graphical authentication mechanisms in a web environment. Specifically, we investigate whether the memorability of recognition-based authentication keys is influenced by image content. We also examine how the frequency of use affects the usability of the system and whether user training via mnemonic instructions improves the graphical password recognition rate. The design and development process of the proposed system began with a study that assessed how the users remember abstract, face or single-object images, and showed that single-object images have a higher memorability rate. We then proceeded with the design and development of a recognition-based graphical authentication mechanism, ImagePass, which uses single-objects as the image content and follows usable security guidelines. To conclude the research, in a follow-up study we evaluated the performance of 151 participants under different conditions. We discovered that the frequency of use had a great impact on users’ performance, while the users’ gender had a limited task-specific effect. In contrast, user training through mnemonic instructions showed no differences in the users’ authentication metrics. However, a post-study, focus-group analysis revealed that these instructions greatly influenced the users’ perception for memorability and the usability of the graphical authentication. In general, the results of these studies suggest that single-object graphical authentication can be a complementary replacement for traditional passwords, especially in ubiquitous environments and mobile devices.

Getting users to abandon text-based passwords has been a rather difficult task. Several alternatives to textual passwords have been proposed including authentication based on images. Research shows that graphical authentication mechanisms have some advantages, but they lack the necessary qualities to move them from isolated to mass market environments. This paper builds on current research and previous papers and presents the second iteration of ImagePass, a novel graphical authentication mechanism that follows usable security guidelines. Based on ambitious usability tests this approach has been demonstrated as a feasible authentication alternative for desktop and mobile environments.

Researchers have developed various graphical authentication mechanisms, with varied results in different environments. However, it has been difficult to get users to abandon traditional text-passwords in favor of something unfamiliar, therefore limiting graphical passwords to isolated environments rather than mass market solutions. Current studies show that while dominant on the usability side, because of their intuitiveness and potential password space, graphical authentication mechanisms are not necessarily more secure. This paper presents the development of a graphical authentication prototype by following usable security guidelines. Codenamed ImagePass, the prototype is a mechanism that uses image recognition as the basis for the authentication process.

Existing graphical authentication methods take into account the fact that users are more capable of remembering pictures instead of text. Graphical authentication schemes are expected to be less vulnerable to specific hacker attack techniques that have greatly improved in recent years. The usability aspect of a graphical authentication product refers to the extent that a product can be used by users to achieve goals with effectiveness, efficiency and satisfaction in a specified context of use. This paper describes a prototype system providing graphical authentication of mobile devices over the Internet, covering both usability and security aspects. Color images are assigned to the mobile users and authentication is achieved by modifying the Red-Green-Blue (RGB) color intensity values of the assigned image.

Users gain access to cash, confidential information and services at Automated Teller Machines (ATMs) via an authentication process involving a Personal Identification Number (PIN). These users frequently have many different PINs, and fail to remember them without recourse to insecure behaviours. This is not a failing of users. It is a usability failing in the ATM authentication mechanism.
This paper describes research executed to evaluate whether users find multiple graphical passwords more memorable than multiple PINs. The research also investigates the success of two memory augmentation strategies in increasing memorability of graphical passwords. The results demonstrate that multiple graphical passwords are substantially more effective than multiple PIN numbers. Memorability is further improved by the use of mnemonics to aid their recall.
This study will be of interest to HCI practitioners and information security researchers exploring approaches to usable security.

The password the almost universal authentication solution yet is buckling under the strain. It demonstrates insufficiency and weakness due to poor choice, reuse and ease of transfer. Graphical passwords, biometrics, and hardware tokens have been suggested as alternatives. Industry has, unfortunately, not embraced these alternatives. One possible explanation is the complexity of the choice process. To support authentication decision-markers we suggest a framework called ACCESS (Authentication ChoiCE Support System) which captures requirements, consults a knowledge base of existing authentication mechanisms and their properties, and suggests those mechanisms that match the specified requirements.

As users can only make informed choices when the proposals being discussed are meaningful to them, enabling users to envision and make sense of those proposals is an essential element of all approaches to system design. The focus of this study is the conceptualization of a graphical authentication mechanism appropriate for ubiquitous environments. Therefore, the experiment presented in this paper uses the paper prototyping method is used to effectively simulate graphical authentication and distinguish the user preference between two system approaches in ubiquitous environments. Complementary, both a high fidelity paper and a mobile prototype is used in order to evaluate popular graphical authentication concepts which are based on separate cognitive functions: recall and recognition. This experiment uses a between group design where each participant evaluates a prototype for both authentication concepts in the same medium. The results of the study demonstrate that recognition-based graphical authentication mechanisms are more suitable for ubiquitous environments than recall-based systems.

Abstract—Shoulder-surfing is a known risk where an attacker
can capture a password by direct observation or by recording
the authentication session. Due to the visual interface, this
problem has become exacerbated in graphical passwords.
There have been some graphical schemes resistant or immune
to shoulder-surfing, but they have significant usability
drawbacks, usually in the time and effort to log in. In this
paper, we propose and evaluate a new shoulder-surfing
resistant scheme which has a desirable usability for PDAs. Our
inspiration comes from the drawing input method in DAS and
the association mnemonics in Story for sequence retrieval. The
new scheme requires users to draw a curve across their
password images orderly rather than click directly on them.
The drawing input trick along with the complementary
measures, such as erasing the drawing trace, displaying
degraded images, and starting and ending with randomly
designated images provide a good resistance to shouldersurfing.
A preliminary user study showed that users were able
to enter their passwords accurately and to remember them
over time.

In this article we present the development of a new, web-based, graphical authentication mechanism called ImagePass. The authentication mechanism introduces a novel feature based on one-time passwords that increases the security of the system without compromising its usability. Regarding usability, we explore the users’ perception of recognition-based, graphical authentication mechanisms in a web environment. Specifically, we investigate whether the memorability

This research examined factors which affected password creation using images on a grid. The experiment was carried out with 1,069 participants, by simulating a game of recalling pictures and using a questionnaire to gather users' feedback. A mixed-model experimental design was employed in this research. There were two experimental groups. The participants were randomly assigned into a group. The participants in the first group would have to memorize and recall human images, while the participants in the second group would have to do with images of objects instead. There were two kinds of grids, including a square and a non-square form. The participants would have to remember five images which were displayed on a grid. They would have to finish 6 trials and then they were asked to answer the questionnaire. The results indicated that a factor of image types (human and object images) did not affect the number of recalled pictures on any type of grid forms. However, the results showed that a factor of different grid forms did affect the number of recalled pictures. The participants could recall more pictures displayed on the square grids than displayed on the non-square grids significantly. Interestingly, in the further analysis of a grid size of between a 4x4 square and a 5x5 square form, there was no effect of a grid-size factor on the number of recalled pictures.