DOI: 10.1145/1408664.1408670

Use Your Illusion: secure authentication usable anywhere

Published: 23 July 2008

Abstract

In this paper, we propose and evaluate Use Your Illusion, a novel mechanism for user authentication that is secure and usable regardless of the size of the device on which it is used. Our system relies on the human ability to recognize a degraded version of a previously seen image. We illustrate how distorted images can be used to maintain the usability of graphical password schemes while making them more resilient to social engineering or observation attacks. Because it is difficult to mentally "revert" a degraded image without knowledge of the original image, our scheme provides a strong line of defense against impostor access, while preserving the desirable memorability properties of graphical password schemes.
Using low-fidelity tests to aid in the design, we implement prototypes of Use Your Illusion as i) an Ajax-based web service and ii) on Nokia N70 cellular phones. We conduct a between-subjects usability study of the cellular phone prototype with a total of 99 participants in two experiments. We demonstrate that, regardless of their age or gender, users are very skilled at recognizing degraded versions of self-chosen images, even on small displays and after time periods of one month. Our results indicate that graphical passwords with distorted images can achieve equivalent error rates to those using traditional images, but only when the original image is known.

Published In

SOUPS '08: Proceedings of the 4th symposium on Usable privacy and security
July 2008
145 pages
ISBN: 9781605582764
DOI: 10.1145/1408664

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. distortion
  2. graphical passwords
  3. social engineering

Qualifiers

  • Research-article

Conference

SOUPS '08
SOUPS '08: The fourth Symposium on Usable Privacy and Security
July 23 - 25, 2008
Pennsylvania, Pittsburgh, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%
