DOI: 10.1145/1837110.1837114
Research article

A closer look at recognition-based graphical passwords on mobile devices

Published: 14 July 2010

Abstract

Graphical password systems based on the recognition of photographs are candidates to alleviate current over-reliance on alphanumeric passwords and PINs. However, despite being based on a simple concept -- and user evaluations consistently reporting impressive memory retention -- only one commercial example exists and overall take-up is low. Barriers to uptake include a perceived vulnerability to observation attacks; issues regarding deployability; and the impact of innocuous design decisions on security not being formalized. Our contribution is to dissect each of these issues in the context of mobile devices -- a particularly suitable application domain due to their increasing significance, and high potential to attract unauthorized access. This produces: 1) A novel yet simple solution to the intersection attack that permits greater variability in login challenges; 2) Detailed analysis of the shoulder surfing threat that considers both simulated and human testing; 3) A first look at image processing techniques to contribute towards automated photograph filtering. We operationalize our observations and gather data in a field context where decentralized mechanisms of varying entropy were installed on the personal devices of participants. Across two working weeks success rates collected from users of a high entropy version were similar to those of a low entropy version at 77%, and login durations decreased significantly across the study.
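The intersection attack the abstract refers to is easiest to see in simulation. The block below is an added example, not code from the paper or from any deployed scheme: it models a recognition-based login as K successive 3x3 grids, each holding one enrolled pass-image and eight decoys, observed by someone who records the grids of several logins without seeing which cell was tapped. Against a naive scheme that draws fresh decoys on every login, intersecting the grids seen at each challenge position isolates the pass-images after a handful of observations; against the classic fixed-decoy defence (each pass-image bound at enrolment to one decoy set that is always shown with it), the intersection never shrinks below the full grid. The paper's own countermeasure is not described on this page and is not what this code implements. The integer image pool, the grid size, and the fixed challenge order are assumptions of the example.

```python
"""
Added example (not from the SOUPS '10 paper): intersection attack on a
recognition-based graphical password, naive scheme vs. fixed-decoy scheme.

Assumptions: a login is K challenge grids shown in a fixed order; grid i
contains pass-image i plus DECOYS decoys; the observer records every grid
but not the cell the user selected. Image ids are constructed integers
standing in for photographs.
"""
import math
import random
from typing import Dict, List, Set, Tuple

GRID = 9                   # 3x3 cells per challenge
DECOYS = GRID - 1          # one pass-image per grid, the rest decoys
POOL = list(range(200))    # constructed image pool


def enrol(rng: random.Random, k: int) -> List[int]:
    """Choose k distinct pass-images, one per challenge position."""
    return rng.sample(POOL, k)


def challenge_fresh(rng: random.Random, pass_images: List[int]) -> List[List[int]]:
    """Naive scheme: every login draws brand-new decoys from the pool."""
    others = [i for i in POOL if i not in pass_images]
    grids = []
    for p in pass_images:
        cells = [p] + rng.sample(others, DECOYS)
        rng.shuffle(cells)          # position inside the grid leaks nothing
        grids.append(cells)
    return grids


def bind_fixed_decoys(rng: random.Random, pass_images: List[int]) -> Dict[int, List[int]]:
    """Fixed-decoy defence: at enrolment each pass-image gets one decoy set
    that is reused on every subsequent login."""
    others = [i for i in POOL if i not in pass_images]
    return {p: rng.sample(others, DECOYS) for p in pass_images}


def challenge_fixed(rng: random.Random, pass_images: List[int],
                    table: Dict[int, List[int]]) -> List[List[int]]:
    grids = []
    for p in pass_images:
        cells = [p] + table[p]      # same companions every time
        rng.shuffle(cells)
        grids.append(cells)
    return grids


def intersection_attack(observed_logins: List[List[List[int]]]) -> List[Set[int]]:
    """For each challenge position, intersect the grids recorded across all
    observed logins. A pass-image is present in every grid at its position,
    so it always survives; decoys survive only if they happen to recur."""
    k = len(observed_logins[0])
    survivors = []
    for pos in range(k):
        cand = set(observed_logins[0][pos])
        for login in observed_logins[1:]:
            cand &= set(login[pos])
        survivors.append(cand)
    return survivors


def guessing_space_bits(survivors: List[Set[int]]) -> float:
    """log2 of the number of pass-image sequences still consistent with the
    observations (0.0 means the password is fully recovered)."""
    return sum(math.log2(len(s)) for s in survivors)


def simulate(scheme: str, k: int = 4, observations: int = 6,
             seed: int = 1) -> Tuple[List[int], List[Set[int]]]:
    """Enrol one user, let the observer record `observations` logins under
    the given scheme ('fresh' or 'fixed'), and run the intersection attack."""
    rng = random.Random(seed)
    pass_images = enrol(rng, k)
    table = bind_fixed_decoys(rng, pass_images) if scheme == "fixed" else None
    logins = []
    for _ in range(observations):
        if scheme == "fixed":
            logins.append(challenge_fixed(rng, pass_images, table))
        else:
            logins.append(challenge_fresh(rng, pass_images))
    return pass_images, intersection_attack(logins)


if __name__ == "__main__":
    for scheme in ("fresh", "fixed"):
        pw, surv = simulate(scheme)
        print(f"{scheme:5s} pass-images={pw} survivors per position="
              f"{[sorted(s) for s in surv]} remaining space="
              f"{guessing_space_bits(surv):.2f} bits")
```

With the pool above, the naive scheme collapses to the four pass-images within a few recorded logins, while the fixed-decoy scheme leaves the observer with the same 4 x log2(9), about 12.7 bits, that a single observation would have, which is exactly why recycling decoys is the usual price of resisting this attack.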




Published In

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security
July 2010, 236 pages
ISBN: 9781450302647
DOI: 10.1145/1837110

Sponsor: Carnegie Mellon University
Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

1. graphical passwords
2. mobile devices
3. shoulder surfing

Qualifiers

• Research-article

Conference

SOUPS '10: Symposium on Usable Privacy and Security
July 14 - 16, 2010, Redmond, Washington, USA
Sponsor: Carnegie Mellon University

Acceptance Rates

Overall Acceptance Rate: 15 of 49 submissions, 31%


Cited By

• (2024) A Systematic Deconstruction of Human-Centric Privacy & Security Threats on Mobile Phones. International Journal of Human–Computer Interaction 41(2):1628-1651. DOI: 10.1080/10447318.2024.2361519. Online publication date: 12-Jun-2024.
• (2023) Story-based authentication for mobile devices using semantically-linked images. International Journal of Human-Computer Studies 171:C. DOI: 10.1016/j.ijhcs.2022.102967. Online publication date: 1-Mar-2023.
• (2022) Shoulder-Surfing Resistant Authentication for Augmented Reality. Nordic Human-Computer Interaction Conference, pages 1-13. DOI: 10.1145/3546155.3546663. Online publication date: 8-Oct-2022.
• (2021) Behaviors of Unwarranted Password Identification via Shoulder-Surfing during Mobile Authentication. 2021 IEEE International Conference on Intelligence and Security Informatics (ISI), pages 1-3. DOI: 10.1109/ISI53945.2021.9624730. Online publication date: 2-Nov-2021.
• (2020) CogniPGA: Longitudinal Evaluation of Picture Gesture Authentication with Cognition-Based Intervention. i-com 18(3):237-257. DOI: 10.1515/icom-2019-0011. Online publication date: 14-Jan-2020.
• (2020) User Behavioral Biometrics and Machine Learning Towards Improving User Authentication in Smartphones. Information Systems Security and Privacy, pages 250-271. DOI: 10.1007/978-3-030-49443-8_12. Online publication date: 28-Jun-2020.
• (2019) Mobile Embedded System. Multigenerational Online Behavior and Media Use, pages 425-452. DOI: 10.4018/978-1-5225-7909-0.ch023. Online publication date: 2019.
• (2019) “I Recall this Picture”: Understanding Picture Password Selections based on Users’ Sociocultural Experiences. IEEE/WIC/ACM International Conference on Web Intelligence, pages 408-412. DOI: 10.1145/3350546.3352557. Online publication date: 14-Oct-2019.
• (2019) On the Personalization of Image Content in Graphical Passwords based on Users' Sociocultural Experiences. Adjunct Publication of the 27th Conference on User Modeling, Adaptation and Personalization, pages 199-202. DOI: 10.1145/3314183.3324966. Online publication date: 6-Jun-2019.
• (2019) Shoulder surfing. International Journal of Human-Computer Studies 130:C, pages 1-20. DOI: 10.1016/j.ijhcs.2019.04.003. Online publication date: 1-Oct-2019.
