graphical passwords - Home | UBC...


Page 1: graphical passwords - Home | UBC Blogsblogs.ubc.ca/computersecurity/files/2012/01/graphical_passwords.pdfYAGP (Yet Another Graphical Password), a modification to DAS where approximately

graphical passwords

EECE 571B “Computer Security”

Konstantin Beznosov

1

Page 2:

R. Biddle, S. Chiasson, P.C. van Oorschot. “Graphical Passwords: Learning from the First Twelve Years,” ACM Computing Surveys 44(4), 2012.

2

Page 3:

what’s graphical passwords and why
§ why not text passwords?
  § hard to memorize but easy to guess
§ knowledge-based authentication
§ are hoped to
  § leverage human memory for visual information
    § dual-coding theory
      – verbal and non-verbal memory are processed and represented differently in the mind
      – textual symbols are given meaning cognitively associated with the text (e.g., “X”)
      – more difficult cognitive task due to additional processing for verbal memory
  § facilitate the use of less predictable passwords

3

Figure 1: Draw-A-Secret [58]

Figure 2: Pass-Go [116]

YAGP (Yet Another Graphical Password), a modification to DAS where approximately correct drawings can be accepted, based on Levenshtein distance string matching and “trend quadrants” looking at the direction of pen strokes. As consequences of this approximation algorithm, a finer grid may be used, but the original password must be stored in a system-accessible manner (rather than hashed) to allow for comparison with the user’s input.

Passdoodle [47, 129] is similar to DAS, allowing users to create a freehand drawing as a password, but uses a more complex matching process without a visible grid. The use of additional characteristics such as pen colour, number of pen strokes, and drawing speed were suggested to add variability to the doodles. Later, Govindarajulu and Madhvanath [51] separately proposed a web-based password manager using a “master doodle” instead of a master password.

The three Passdoodle studies focus on users’ ability to recall and reproduce their doodles, and on the matching algorithms used to identify similar entries. While usability metrics such as login times or success rates are not reported, the scheme would likely require training of the recognition algorithm during password creation, to build an accurate model of the password. Passdoodle passwords (the drawings themselves or a characterization thereof) must apparently be stored in a manner accessible to the system, as opposed to hashed, since the recognition algorithm requires both original and entered doodles to test if they are sufficiently similar.

Weiss and De Luca [134] proposed PassShapes, a similar system. Passwords are translated into alphanumeric characters based on 8 stroke directions, recognized at 45° intervals. During login, PassShapes can be drawn in a different size or location on the screen and still be translated into correct output provided the stroke direction is accurate. The password space is reduced since only 8 possible choices can be made with each stroke, giving a theoretical password space of size similar to PINs if the number of strokes is similar to the number of digits in a PIN. Lab-based studies show that memorability and login times for system-assigned 7 stroke passwords are acceptable according to the authors, but no security analysis has been reported.

The Pass-Go scheme (see Figure 2) designed by Tao and Adams [116] was motivated by an expected DAS usability issue: the difficulty of accurately duplicating sketches whose lines cross near grid lines or grid line intersections. It is named for the ancient board game Go, which involves strategically placing tokens on the intersection points of a grid. In Pass-Go, users draw their password using grid intersection points (instead of grid cells in DAS). The user’s movements are snapped to grid-lines and intersections, eliminating the impact of small variations in the trace. Surprisingly, Pass-Go is the only recall-based graphical password system to date for which testing in a field study has been reported. Results of the 167 participant study showed that login success rates were acceptable (as judged by the study’s authors) at 78%; no login times were reported. The theoretical password space of Pass-Go is larger than for DAS, due to a finer grid (more squares); allowing diagonal movements (DAS encodes only horizontal and vertical movements); and pen colour as an additional parameter. The designers suggest using a finer grid to further increase the theoretical password space. Users selected longer passwords and used colour, both resulting in greater password complexity than in DAS. Thus in Pass-Go, some dictionary attacks (as explained in Section 9) may be less effective but attacks which exploit patterns [23,126], for example, remain a concern.

A similar scheme was proposed by Orozco et al. [81], using a haptic input device that measures pen pressure while users draw their password. Although intended to help protect against shoulder-surfing (an observer would have difficulty distinguishing variances in pen pressure), their user study showed that users applied very little pen pressure and hardly lifted the pen while drawing. The differences were so small that the use of haptics did not increase the difficulty of guessing passwords. Por et al. [88] proposed modifying Pass-Go to include background images to aid memorability, optionally highlighting the user’s input to facilitate password entry at times when shoulder-surfing is not a threat, and adding decoy input traces to confuse an observer.

GrIDsure [52], a commercial product, displays digits in a 5 × 5 grid. Users select and memorize a pattern consisting of an ordered subset of the 25 grid squares, and enter the corresponding digits therein using a keyboard. On subsequent logins, digits are randomly displayed within the grid cells and users enter the new sequence of digits found within the cells of their memorized pattern. The system must store the user’s pattern itself in a recoverable manner (i.e., storing it as the equivalent of a password, rather than a hashed password) to allow verification of the user’s input, which will vary across logins. GrIDsure was user-tested on PDAs brought to participants’ home or work locations [19]. With passwords of length 4, users achieved a login success rate of 87% on first attempt. Of the subset of participants taking part in two studies, two years apart, 12% were able to recall their password on the first attempt. Initial security analysis by Weber [132] reported grIDsure passwords as much more secure than traditional PINs, especially against shoulder-
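The GrIDsure exchange described above, as an added example that is neither the survey's nor the product's code: the server keeps the user's ordered pattern of cells, issues a fresh random digit grid at every login, and checks the digits the user reads out of the pattern cells. Because the expected response changes with every grid, the comparison needs the pattern itself, not a hash of it. The fixed grid, the enrolled pattern and the length-4 pattern are constructed assumptions.

```python
import hmac
import random
from itertools import product
from typing import List, Sequence, Tuple

Cell = Tuple[int, int]          # (row, col) on the 5 x 5 grid
Grid = List[List[int]]
GRID = 5


def new_challenge(rng: random.Random) -> Grid:
    """Server side: a fresh grid with a random digit 0-9 in every cell, sent
    to the client at each login."""
    return [[rng.randrange(10) for _ in range(GRID)] for _ in range(GRID)]


def expected_response(pattern: Sequence[Cell], grid: Grid) -> str:
    """The digits shown in the pattern cells, in pattern order. Computing this
    needs the pattern itself, so the server has to keep the pattern recoverable
    (encrypted at best) rather than as a password hash: a hash of the pattern
    could never be compared with a response that differs at every login."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(pattern: Sequence[Cell], grid: Grid, response: str) -> bool:
    """Server side: constant-time comparison of the typed digits."""
    return hmac.compare_digest(expected_response(pattern, grid), response)


def login_exchange(pattern: Sequence[Cell], seed: int) -> bool:
    """Full exchange for one login. A deployed server would draw the challenge
    from random.SystemRandom(); the seed is only for a reproducible example."""
    grid = new_challenge(random.Random(seed))       # server -> client: the grid
    typed = expected_response(pattern, grid)        # client: read own cells, type digits
    return verify(pattern, grid, typed)             # client -> server: the response


def patterns_consistent_with(grid: Grid, response: str) -> int:
    """Residual uncertainty after one login has been observed: the number of
    ordered patterns of distinct cells that would produce `response` on `grid`.
    Each digit appears in about 25/10 cells, so a single observation leaves
    roughly 2.5^4 ~ 39 candidates for a length-4 pattern. The secret is not
    revealed outright, but every further observed login shrinks the set, which
    is the residual-entropy figure a designer has to weigh."""
    per_position = [[(r, c) for r in range(GRID) for c in range(GRID) if grid[r][c] == int(d)]
                    for d in response]
    return sum(1 for combo in product(*per_position) if len(set(combo)) == len(combo))


# Constructed, fixed challenge grid so the walk-through is reproducible.
FIXED_GRID: Grid = [[0, 1, 2, 3, 4],
                    [5, 6, 7, 8, 9],
                    [0, 1, 2, 3, 4],
                    [5, 6, 7, 8, 9],
                    [0, 1, 2, 3, 4]]
# Constructed enrolled pattern of four cells, in the order the user enters them.
PATTERN: List[Cell] = [(0, 0), (1, 2), (3, 3), (4, 1)]

if __name__ == "__main__":
    typed = expected_response(PATTERN, FIXED_GRID)      # the user reads "0781" off this grid
    print(typed, verify(PATTERN, FIXED_GRID, typed))
    print(patterns_consistent_with(FIXED_GRID, typed))  # 36 candidate patterns fit this login
    print(login_exchange(PATTERN, seed=1))
```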


Figure 3: Passfaces system. Left: sample panel from the original system [30]. Right: panel with decoys similar to the image from the user’s portfolio [39].

Dunphy et al. [39] investigated whether Passfaces could be made less vulnerable to social engineering attacks where attackers convince users to describe the images in their portfolio. They found that in 8% of 158 login attempts, participants could log in based on verbal descriptions of the images. They further found that participants were less likely (statistically significant) to correctly identify the portfolio image within a panel when decoys were strategically selected to be similar to the portfolio image. Alternatively, social engineering attacks could prompt users to take photographs or screenshots of their images for sharing, especially since all portfolio images are revealed with each login.

Comparing shoulder-surfing risks between Passfaces, text passwords, and PINs in a lab study, Tari et al. [117] found that Passfaces using keypad entry rather than a mouse was significantly less vulnerable to shoulder-surfing than even text passwords or PINs. If Passfaces uses a keyboard for password entry, then malware attacks would need both a keystroke logger and screen scraping software to gain enough knowledge for password entry; with regular mouse entry, only a screen scraper is needed. For further resistance against shoulder-surfing, Dunphy et al. [37] proposed and tested a version of Passfaces using eye-gaze as input at a simulated ATM machine. After initial “play” and “enrollment” phases, they found that participants improved in their ability to enter their passwords over time and that login took an average of 20 seconds for passwords consisting of 5 panels of 9 faces.

Everitt et al. [41] evaluated Passfaces for multiple password interference in a 5 week study where users received email prompts asking them to log on to 4 different fictitious “accounts” according to different schedules. Those who logged in more frequently and those who practiced each new password individually for several days in succession were more successful at remembering their passwords.

5.2 Other recognition-based schemes

Story (see Figure 4) was proposed by Davis, Monrose and Reiter [30] as a comparison system for Face. Users first select a sequence of images for their portfolio. To log in, users are presented with one panel of images and they must identify their portfolio images from among decoys. Story introduced a sequential component: users must select images in the correct order. To aid memorability, users were instructed to mentally construct a story to connect the everyday images in their set. In the test system, a password involved selecting a sequence of 4 images from a panel of 9 images, for a full password space of $9 \cdot 8 \cdot 7 \cdot 6 = 3024 \approx 2^{12}$ passwords.

Story was user-tested along with Face in a field study.

Figure 4: Story system [30].

Figure 5: Deja Vu [33].

The authors [30] found that user choices in Story were more varied but still displayed exploitable patterns, such as differences between male and female choices. Users had more difficulty remembering Story passwords (≈ 85% success rate) and most frequently made ordering errors. Surveys with participants revealed that they were unlikely to have formulated a story as a memory aid, despite the designers’ intentions; this may explain the high number of ordering errors. Different instructions or more user experience might possibly result in greater usage of a story strategy.

In Deja Vu [33] (see Figure 5), users select and memorize a subset of “random art” images from a larger sample for their portfolio. To log in, users must recognize images belonging to their pre-defined portfolio from a set of decoy images; in the test system, a panel of 25 images was displayed, 5 of which belonged to the user’s portfolio. Users must identify all images from their portfolio and only one panel is displayed. Images of random art are used to make it more difficult for users to write down their password or share it with others by describing their images. The authors suggest that a fixed set of 10000 images suffices, but that “attractive” images should be hand-selected to increase the likelihood that images have similar probabilities of being selected by users. The theoretical password space has $\binom{N}{M}$ passwords, for N images in the panel, and M portfolio images shown. For example, $\binom{25}{5} = 53130 \approx 2^{16}$. Deja Vu was asserted [33] to be resistant to dictionary attacks because few images in the user study were selected by more than one user. This claim remains to be rigorously tested. Participants found it difficult to describe their portfolio images and those with the same image gave different descriptions from each other. This may stop social engineering attacks trying to gather enough information to log in by tricking the user to verbalize a password. Similarly, it would seem difficult to identify images belonging to a particular user based on knowing other information about that user; however, problems resulting from predictable user choice remain possible, such as users selecting images that include their favourite colour.

Figure 6: Cognitive Authentication scheme [133].

Weinshall [133] proposed the Cognitive Authentication scheme (see Figure 6) intended to be safe against spyware and shoulder-surfing. Keyboard input is used rather than a mouse and users must recognize images from their previously memorized portfolio. The login task involves computing a path through a panel of images starting from the top-left corner, based on whether particular images belong to the user’s portfolio: move down if you stand on a picture from your portfolio, move right otherwise. On reaching the panel’s right or bottom edge, identify the corresponding label for that row or column. A multiple-choice question is presented, which includes the label for the path’s correct end-point. Users perform several such rounds, each on a different panel. After each round, the system computes the cumulative probability that the correct answer was not entered by chance. When the probability passes a certain threshold, login succeeds. This tolerates some user error. If the threshold is not passed by a certain number of rounds, the login fails.

Users receive a system-assigned portfolio containing a large number (about 100) of randomly chosen images, and extensive initial training to memorize it. No times are reported for this training phase. Average login time is 1.5 to 3 minutes. In a user study with 9 participants, a 95% login success rate is reported, with users logging in over a period of 10 weeks.

Although the main claim [133] of resisting shoulder-surfing was proven false [48] (see Section 9), the scheme offers interesting lessons. The number of different passwords possible from a user’s viewpoint is $\binom{N}{M}$, based on unique collections of images. N is the number of images in a panel, M the number of portfolio images displayed; N=80, M=30 gives $\binom{80}{30} \approx 2^{73}$ passwords. However, the redundancy which encodes the user’s portfolio images into row and column labels apparently results in a many-to-one mapping of image sets onto system passwords, reducing the password space. For example, for exactly 5 rounds and 4 different multiple choice answers, there are $4^5 = 2^{10}$ distinct system passwords. Dictionary and personalized attacks have no advantage over exhaustive attacks, due to the random assignment of images. It appears impossible to verbalize enough information to convey a password to an attacker to allow successful login, making such social engineering attacks also improbable.
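The Cognitive Authentication login described above, as an added example and not Weinshall's code: one round walks the panel (down on a portfolio image, right otherwise) until the path leaves through an edge and reports that row's or column's label; the verifier tracks the binomial-tail probability that the answers so far were guesses, succeeds once it falls below a threshold and fails after a round budget. The 4×4 panel, the portfolio, the label assignment, the four answer choices, the 10^-3 threshold and the 10-round budget are constructed assumptions; the binomial tail is our reading of the "cumulative probability" the survey mentions.

```python
from math import comb
from typing import List, Optional, Sequence, Set, Tuple

Panel = List[List[str]]        # rows of image identifiers
CHOICES = 4                    # answers per multiple-choice question, as in the 4^5 example above
THRESHOLD = 1e-3               # constructed: accept once P(chance) drops below this
MAX_ROUNDS = 10                # constructed: fail if the threshold is not met by then


def path_end_label(panel: Panel, portfolio: Set[str],
                   row_labels: Sequence[int], col_labels: Sequence[int]) -> int:
    """One round: start top-left, step down on a portfolio image and right
    otherwise until the path leaves the panel. Leaving through the bottom
    edge yields that column's label, leaving through the right edge that
    row's label. The server computes this from the stored portfolio."""
    rows, cols = len(panel), len(panel[0])
    r = c = 0
    while True:
        if panel[r][c] in portfolio:
            r += 1
        else:
            c += 1
        if r == rows:
            return col_labels[c]
        if c == cols:
            return row_labels[r]


def chance_probability(rounds: int, correct: int, choices: int = CHOICES) -> float:
    """P(a guesser gets at least `correct` of `rounds` answers right) when each
    question offers `choices` answers: the binomial tail."""
    p = 1.0 / choices
    return sum(comb(rounds, k) * p ** k * (1 - p) ** (rounds - k)
               for k in range(correct, rounds + 1))


class Verifier:
    """Server-side state across the rounds of one login attempt."""

    def __init__(self, threshold: float = THRESHOLD, max_rounds: int = MAX_ROUNDS):
        self.threshold, self.max_rounds = threshold, max_rounds
        self.rounds = self.correct = 0

    def record(self, answer: int, expected: int) -> Optional[bool]:
        """Feed one answered round. True: login succeeds; False: round budget
        exhausted; None: present another panel."""
        self.rounds += 1
        self.correct += int(answer == expected)
        if chance_probability(self.rounds, self.correct) < self.threshold:
            return True
        if self.rounds >= self.max_rounds:
            return False
        return None


def rounds_to_decision(answers_correct: Sequence[bool]) -> Tuple[Optional[bool], int]:
    """Replay a run of right/wrong answers and report the verdict and the
    round at which it was reached (None if the run ended undecided)."""
    v = Verifier()
    for i, ok in enumerate(answers_correct, start=1):
        expected = 1                                   # stand-in label for this round
        verdict = v.record(expected if ok else expected + 1, expected)
        if verdict is not None:
            return verdict, i
    return None, len(answers_correct)


# Constructed 4x4 panel and system-assigned portfolio. The real system assigns
# the exit labels 0-3 at random per panel; they are fixed here to be reproducible.
PANEL: Panel = [["i00", "i01", "i02", "i03"],
                ["i04", "i05", "i06", "i07"],
                ["i08", "i09", "i10", "i11"],
                ["i12", "i13", "i14", "i15"]]
PORTFOLIO = {"i00", "i05", "i06", "i11"}
ROW_LABELS = [3, 0, 2, 1]
COL_LABELS = [2, 1, 3, 0]

if __name__ == "__main__":
    # Path: i00 down, i04 right, i05 down, i09 right, i10 right, i11 down,
    # i15 right -> leaves through the right edge of row 3 -> label 1.
    print(path_end_label(PANEL, PORTFOLIO, ROW_LABELS, COL_LABELS))
    print(rounds_to_decision([True] * 5))                  # (True, 5): 4^-5 < 1e-3
    print(rounds_to_decision([False] + [True] * 9))        # (True, 8): one slip costs 3 rounds
    print(rounds_to_decision([False] * 10))                # (False, 10)
```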

Figure 7: PassPoints password example [139]. The 5 numbered boxes (not ordinarily visible to users) illustrate the tolerance area around click-points.

Other recognition-based systems have been proposed, with similar usability and security profiles as those above. We therefore mention them only briefly. In the VIP system [31, 71], a panel of images is displayed. Users must select images from their portfolio among decoys. Different configurations allow for multiple rounds or sequencing of images. In the Photographic Authentication system [86], users initially provide their own set of digital photos and must identify these from among decoys, with panels of 4 images, and 10 rounds. The decoy images are randomly selected from the images collected from other users. Use Your Illusion [54] also requires that users select portfolio images from panels of decoys; the selected images are distorted after original selection. The idea is that the legitimate user can still recognize the images despite distortion, while the distortion creates difficulties for others. The distortion is intended to protect against social engineering and shoulder-surfing attacks. In the Convex Hull Click Scheme [140], users select and memorize a portfolio of images, and must recognize these images from among decoys displayed, over several rounds. The images are small icons and several dozen are randomly positioned on the screen. Each panel contains at least 3 of the user’s icons. Users must identify their icons, visualize the triangle they form, and click anywhere within this triangle. This design is intended to protect against shoulder-surfing, but comes at a cost of longer login times. In Bicakci et al.’s [14] GPI (Graphical Password with Icons) and GPIS (Graphical Password with Icons suggested by the System) systems, users log in by selecting their 6 icons, in order, from a panel of 150 icons. The theoretical password space of these two schemes is similar to most cued-recall schemes at $2^{43}$ (see below). The two systems differ only in how passwords are set. GPI allows users to choose any 6 icons as their password. In GPIS, passwords are suggested by the system but users may shuffle until they find an acceptable password, reducing (but not eliminating) problems with user choice.

Renaud [95] ran a field study comparing different types of user involvement in selecting portfolio images for recognition-based schemes. Users could select images from a photo archive, take their own photos, or draw doodles that were subsequently scanned and converted to JPEG format. Results show a significant increase in login success rates when user portfolios contain self-drawn doodles rather than either type of photos. The memorability improvements, however, need to be balanced with the additional risk of personalized attacks if attackers know a user’s drawing style or recognize personally-identifiable features within the doodles.



Page 4:

security considerations
§ guessing attacks
  § exhaustive search
  § guessing higher probability passwords
  § online or offline (with plain-text equivalent)
§ capture attacks
  § shoulder-surfing
  § phishing (possibly with MITM)
  § key loggers and/or screen scrapers

4


Page 5:

overview of graphical password schemes

5

Page 6:

recall based graphical password schemes

6

Page 7:

overview
§ user recalls and reproduces a secret drawing
§ drawmetric systems
§ difficult memory task without memory prompts or cues
§ additionally, personalized attacks

7


Page 8:

Draw-A-Secret
§ password: sequence of coordinates of the grid cells passed through
  § (2,2), (3,2), (3,3), (2,3), (2,2), (2,1), (5,5)
§ participants tended to
  § draw symmetric images
  § with few (1-3) pen strokes
  § place drawing in the centre
§ login success rate: 57-80%
§ theoretical password space: 58 bits (for 5x5 grid with password max length of 12)
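The DAS encoding on this slide in code, as an added example (not the slides' or Jermyn et al.'s implementation): raw pointer samples are mapped to the 5×5 cells they pass through with (5,5) as the pen-up marker, the canonical cell string is hashed for storage because DAS accepts only an exact reproduction, and the stroke-counting recurrence of Jermyn et al. reproduces the 58-bit figure for a maximum length of 12. Zero-based cell indices, the 500-unit canvas, the salt and the sample trace are constructed assumptions.

```python
import hashlib
import hmac
import math
from typing import Dict, List, Sequence, Tuple

Cell = Tuple[int, int]
Point = Tuple[float, float]

G = 5                 # 5x5 grid, as on the slide
PENUP: Cell = (G, G)  # (5,5) marks a pen-up; cells are indexed 0..4 (our assumption)
CANVAS = 500.0        # constructed canvas size; each cell is 100 x 100 units


def cells_from_stroke(points: Sequence[Point], g: int = G, canvas: float = CANVAS) -> List[Cell]:
    """Map the pointer samples of one stroke to the grid cells it passes
    through. Repeated samples inside one cell collapse into a single entry.
    A jump to a non-adjacent cell (a stroke cutting exactly through a grid
    corner) is rejected: DAS treats such drawings as ambiguous, and simply
    rejecting them is our simplification."""
    size = canvas / g
    cells: List[Cell] = []
    for x, y in points:
        cell = (min(int(x // size), g - 1), min(int(y // size), g - 1))
        if cells and cells[-1] == cell:
            continue
        if cells and abs(cells[-1][0] - cell[0]) + abs(cells[-1][1] - cell[1]) != 1:
            raise ValueError(f"ambiguous move {cells[-1]} -> {cell}")
        cells.append(cell)
    return cells


def encode_password(strokes: Sequence[Sequence[Point]]) -> List[Cell]:
    """DAS encoding: the cells of each stroke, each stroke closed by PENUP."""
    encoded: List[Cell] = []
    for stroke in strokes:
        encoded.extend(cells_from_stroke(stroke))
        encoded.append(PENUP)
    return encoded


def canonical(encoded: Sequence[Cell]) -> str:
    return " ".join(f"({x},{y})" for x, y in encoded)


def store(encoded: Sequence[Cell], salt: bytes) -> str:
    """DAS verifies an exact match, so the server only needs a salted hash of
    the canonical encoding, never the drawing itself."""
    return hashlib.sha256(salt + canonical(encoded).encode()).hexdigest()


def verify(stored: str, salt: bytes, attempt: Sequence[Sequence[Point]]) -> bool:
    return hmac.compare_digest(stored, store(encode_password(attempt), salt))


def password_space_bits(g: int = G, max_len: int = 12) -> float:
    """log2 of the number of DAS passwords of total length <= max_len on a
    g x g grid, following the counting recurrence of Jermyn et al.: a stroke
    is a walk over 4-adjacent cells (cells may be revisited), a password is a
    sequence of strokes, and pen-ups do not count toward the length."""
    cells = [(x, y) for x in range(g) for y in range(g)]

    def neighbours(c: Cell) -> List[Cell]:
        x, y = c
        return [(x + dx, y + dy) for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
                if 0 <= x + dx < g and 0 <= y + dy < g]

    ending_at: Dict[Cell, int] = {c: 1 for c in cells}   # strokes of length 1 ending at c
    strokes = [0, g * g]                                  # strokes[l]: strokes of length l
    for _ in range(2, max_len + 1):
        ending_at = {c: sum(ending_at[n] for n in neighbours(c)) for c in cells}
        strokes.append(sum(ending_at.values()))

    passwords = [1]                                       # passwords[L]: total length exactly L
    for length in range(1, max_len + 1):
        passwords.append(sum(strokes[l] * passwords[length - l] for l in range(1, length + 1)))
    return math.log2(sum(passwords[1:]))


# Constructed pointer trace reproducing the slide's example: one stroke that
# loops (2,2)->(3,2)->(3,3)->(2,3)->(2,2) and then moves up into (2,1).
EXAMPLE_STROKES: List[List[Point]] = [[
    (250, 250), (290, 250), (350, 250), (350, 300), (350, 350),
    (250, 350), (250, 300), (250, 250), (250, 150),
]]

if __name__ == "__main__":
    encoded = encode_password(EXAMPLE_STROKES)
    print(canonical(encoded))                    # (2,2) (3,2) (3,3) (2,3) (2,2) (2,1) (5,5)
    print(f"{password_space_bits():.1f} bits")   # about 57.7, the slide's "58 bits"
```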

8


Chapter 3 Design and analysis of a new grid-based scheme

In this chapter, we review the DAS scheme and related work, point out its drawbacks, and then discuss the design of a novel graphical password scheme, Pass-Go.

3.1 Review of DAS and relevant works

Figure 17 DAS example password [Jermyn et al. 1999]

In DAS, a user draws lines on a grid and the display shows the actual trace, as shown in Figure 17. The password is encoded by a sequence of grid cells, represented by two-dimensional coordinate pairs, with “penup” events, represented by distinguished coordinate pairs, inserted into the place where a pen is lifted from the display surface, or a mouse button is released. For example, the password in Figure 17 can be encoded as:

(2,2), (3,2), (3,3), (2,3), (2,2), (2, 1), (5,5)

where (5,5) is the special coordinate pair used to signify a penup event. Some basic terminology has been defined as follows:

8

Page 9:

other recall-based schemes

9

background DAS

can provide a larger password space than most existing graphical password schemes. YAGP can also prevent brute force attacks effectively. The experiment results show that users tend to set a graphical password at the average length of 100. If the attacker wants to break the correct password by a brute force attack, in the worst case it may take approximately $8^{100}$ attempts for successful authentication, which is an impractical process.

YAGP obtains a good performance in resisting shoulder surfing. First, YAGP is a position-free scheme: the user can draw his graphical password anywhere on the canvas, which makes shoulder surfing a difficult task. For example, the user can make a drawing in a small corner where it is harder to peep. Second, the stroke sequence cannot be reflected by the graph in YAGP, and the authentication process treats it as a critical checking factor. This property ensures that the peeper still cannot sign in even if he glimpses the images, because he could not recall the correct stroke sequence set by the legal user. Finally, YAGP takes into account the drawing trends, which means it records the user’s drawing style to a certain extent. Therefore, the security is greatly enhanced as personality is hard to imitate.

As a consequence, YAGP has credible security both in the password space and in resisting shoulder surfing.
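An added example (not code from the YAGP or PassShapes authors) tying the survey's PassShapes and YAGP descriptions to the $8^{100}$ figure above: each stroke is quantized to one of 8 directions at 45° intervals, so the same shape drawn at any size or position yields the same string (the position-free property), an exact-match design can store a salted hash of that string, while a YAGP-style tolerant verifier (Levenshtein similarity only, without YAGP's trend quadrants) compares the attempt against a threshold and therefore needs the reference string in the clear. The digit symbols 0-7, the 0.75 similarity threshold and the sample strokes are constructed assumptions.

```python
import hashlib
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
Stroke = Tuple[Point, Point]      # start and end of one pen stroke
SECTOR = math.pi / 4              # 8 directions, 45 degrees apart
THRESHOLD = 0.75                  # constructed: minimum similarity for tolerant acceptance


def direction_symbol(stroke: Stroke) -> str:
    """Quantize one stroke to its nearest 45-degree direction, symbols '0'..'7'
    counter-clockwise from +x. Only the angle matters, so scale and position
    drop out; a stroke within a few degrees of a sector boundary (22.5 + k*45
    degrees) can flip to the neighbouring symbol, which is the usability cost."""
    (x0, y0), (x1, y1) = stroke
    angle = math.atan2(y1 - y0, x1 - x0)
    return str(round(angle / SECTOR) % 8)


def encode(strokes: Sequence[Stroke]) -> str:
    """The drawing as a direction string: 8 symbols per position, hence 8^n
    candidates for n strokes, the figure the YAGP authors quote for n = 100."""
    return "".join(direction_symbol(s) for s in strokes)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two direction strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def store_exact(symbols: str, salt: bytes) -> str:
    """Exact-match design (PassShapes-like): keep only a salted hash."""
    return hashlib.sha256(salt + symbols.encode()).hexdigest()


def exact_verify(stored_hash: str, salt: bytes, attempt: str) -> bool:
    return store_exact(attempt, salt) == stored_hash


def tolerant_verify(reference: str, attempt: str, threshold: float = THRESHOLD) -> bool:
    """YAGP-style design: accept approximately correct drawings. This needs
    the plaintext reference string, so the server has to store the password
    recoverably (YAGP encrypts it) rather than hashing it."""
    return similarity(reference, attempt) >= threshold


def brute_force_bits(strokes: int) -> float:
    """log2 of the 8^n search space for n strokes (300 bits for n = 100)."""
    return strokes * math.log2(8)


# Constructed strokes: a square drawn right, down, left, up ...
SQUARE: List[Stroke] = [((0, 0), (10, 0)), ((10, 0), (10, 10)),
                        ((10, 10), (0, 10)), ((0, 10), (0, 0))]
# ... the same square three times larger in another part of the canvas ...
SQUARE_MOVED: List[Stroke] = [((100, 200), (130, 200)), ((130, 200), (130, 230)),
                              ((130, 230), (100, 230)), ((100, 230), (100, 200))]
# ... and a sloppy attempt that adds a fifth, diagonal stroke.
SQUARE_SLOPPY: List[Stroke] = SQUARE + [((0, 0), (7, 7))]

if __name__ == "__main__":
    h = store_exact(encode(SQUARE), b"salt")
    print(encode(SQUARE), encode(SQUARE_MOVED), encode(SQUARE_SLOPPY))   # 0246 0246 02461
    print(exact_verify(h, b"salt", encode(SQUARE_MOVED)))                # True: position-free
    print(exact_verify(h, b"salt", encode(SQUARE_SLOPPY)))               # False: exact match only
    print(tolerant_verify(encode(SQUARE), encode(SQUARE_SLOPPY)))        # True: similarity 0.8
    print(brute_force_bits(100))                                         # 300.0
```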

Figure 15. The YAGP system Interface (48×64 density grid).

4. Preliminary Experiments

Experiments were performed to evaluate the proposed YAGP strategy. For the study, we targeted a population of experienced computer users. The participants were 30 university members, including 4 teachers and 26 college students. The majority of the students were studying for their Master’s degrees. The average age of the participants was 26 years old. All of the users were familiar with PCs.

The proposed YAGP system is implemented using C++ language and is available at https://sourceforge.net/projects/yagp-xidian/. To ensure the security of user graphical passwords stored in YAGP, DES encryption is adopted in the implementation. The interface has a grid canvas with a granularity of 48×64 as illustrated in Fig.15.

4.1. Grid Granularity Selection

The grid canvas adopted by YAGP is a 3.5 inch canvas widely used in PDA devices with a width-to-length ratio of 3:4. A grid granularity of 5×5 is used in DAS. However, such a rough granularity is not precise enough to express complex graphical passwords. A fine-grained grid is used in YAGP. Experiments were carried out on five groups of granularity (15×20, 30×40, 48×64, 60×80, and 120×160). Results show that a grid of 48×64 is the most suitable choice for security and usability.

The first stage experiments of grid granularity selection lasted 7 days approximately. As an introduction, the 30 participants were given ten minutes to become familiar with the YAGP system. First, each participant was asked to draw graphical passwords in a 15×20 grid canvas, and then redraw the graphical passwords to authenticate. At the same time, every participant peeked at his neighbors’ graphical password and attempted to attack. Both the legal user and the attacker could redraw a maximum of three times, and the greatest similarity of each participant’s drawing to the original image was recorded. The experiments were carried out several times with grids of different density. According to the similarity of each participant’s redrawing, the distribution of participants is calculated and shown in Table 2. The total number in the table shows the participants who obtained a similarity value successfully. Some people failed on the equivalent stroke numbers or substring numbers that must be obtained on register and authentication phases, so they didn’t get a score.

Table 2 shows that under the circumstance of a 15×20 grid, only 20 of 30 legal users can redraw their graphical passwords, as such a coarse grained grid cannot represent the graphical password information well. We also found that, in general, fine-grained grids achieve better validation results. But that is not to say, the finer grained the grid, the better the validation. We can see from the table that the validated number under a density of 120×160 grid is lower than that in 48×64. The reason is that too dense a grid makes the drawing trend more changeable, and therefore harder to recall accurately. After numerous experiments, a compromise was achieved with a 48×64 grid.


YAGP

Figure 1: An Example of a Passdoodle

not for authentication to personal workstations but to the technology spreading throughout our lives.

The issue of recognition prevents widespread use of the passdoodle. The length and identifiable features of the doodle set the limits of the system. Only a finite amount of computer differentiable doodles can be made. The doodle here is used as the sole means of identification. To maintain security the system cannot simply authenticate a user as the user whose recorded doodle is most similar; a minimum threshold of likeness and similarity must be set. This prevents the use of blatant guessing to authenticate as a random user. However speed and accuracy remain top priorities for the system. A complicated recognition design requiring a hundred training samples and a minute of computation to authenticate negates the purpose of the original pervasive design. The proposed system uses a combination of doodle velocity and distribution mapping to recognize and authenticate a doodle.

2 Methods

The doodle recognition system must allow for natural differences in the user’s doodle, but still maintain enough accuracy to distinguish between different users. However, one of the difficulties that arise is that the passdoodle system identifies and confirms the identity of the

Passdoodle

activated. As these different functions of the human memory are also located in different physiologic parts of the brain it is reasonable to assume that this simultaneous storage can have a positive effect on the overall memory performance. In this study we could collect insights that indicate that PassShapes are indeed very memorable especially when the repeated drawing strategy is used.

4.2 User study 2: Usability Knowing that an authentication method is easy to remember still does not qualify it as an appropriate interaction method. Thus it was necessary to conduct a user study on the performance of the PassShapes concept regarding user convenience. As authentication is occurring very often in our daily lives it is important that the authentication process can be executed fast and effortless. Also very important for the authentication with PassShapes is a robust detection of the drawn PassShapes. A PassShape detection algorithm should recognize as many PassShapes as possible – regardless the artistic talent of the single user. In order to find out the capabilities of the new approach a user study considering the usability was conducted.

Figure 7: A user performing a task during the study.

User Study Design
For the usability evaluation, an intra-subject factorial design was chosen. The independent variables were method (seven-stroke PassShapes and five-digit PINs) and task (log-on, change password); these are the two most common authentication tasks. Each participant therefore had to perform four sets during the user study (method x task = 4). The order of the sets was evenly distributed amongst the participants. The dependent variables measured in the experiment were input errors and time. Additionally, following the think-aloud technique, the participants were asked to say out loud what they were thinking while performing the interaction.

Hypothesis
For the usability study, two hypotheses regarding the error rate and interaction speed were stated: (H3) Due to their common usage, entering PINs will be slightly faster than entering PassShapes, but PassShape performance times will be acceptable. (H4) The participants will not have any major problems performing the tasks with PassShapes and thus the error rate will be low.

Participants
The study was performed with twelve participants with an average age of 29. Half of the participants were female. The youngest participant was 27 years old, while the oldest one was 30.

Figure 8: top left: the user-drawn PassShape; top-right: the extraction of the edges; bottom-left: stroke-detection with the edges; bottom-right: internal representation of the detected PassShape

Procedure
Every participant had to complete the previously mentioned four sets of interaction. The first set was a normal log-on process. The PIN had to be entered and the PassShape had to be drawn, respectively. The second task was a ‘change-password’ task: at first the ‘old’ PIN or PassShape had to be entered and then the ‘new’ ones had to be entered twice, as usual, for confirmation. The time needed for entering was measured and the input errors were counted. Again, five-digit PINs and seven-stroke PassShapes were used. Figure 7 shows a user performing a task with the prototype.

Prototype
To conduct this study a prototype was implemented in Java. It was set up on a Tablet-PC with a capacitive touch screen. A stylus was used to draw the PassShapes. The implemented algorithm tried to extract the edges of the

PassShapes

Also, to simulate a real application environment, we did not make any effort to encourage attendance: attendance was not required, recorded, or marked, and the date/time of the tutorial was not pre-announced. We estimate the attendance rate on the day of the tutorial was approximately 80%. Our password scheme was then explained. Ways to draw dots and lines on the grid along with one or two sample passwords were demonstrated. One sample password used in the tutorial is given in Figure 25. Some basic concepts, such as password length, stroke-count and “stars”, were clarified, in order for them to understand the policies they were going to face. Students were not given suggestions about how to choose a secure password or any mnemonic strategy. Existing analysis on grid-based schemes (such as that symmetric and small stroke-count passwords might be subject to dictionary attack) was not mentioned.

Figure 25 Sample password used in the tutorial

They were informed that a FAQ page (see detail in Appendix C) was available on the website in case they needed help. A link to the website was given on the course webpage for those students who did not attend the tutorial. (It may also be worth mentioning that the first language of the author of the thesis is not English, so a better understanding might have been expected if the tutorial had been given by a fluent English speaker.)

Each participant had to log in with a common initial password to change their password, and then the website content became available. The length of a password must be at least eight, which is considered a basic requirement. Participants were

Pass-Go

GrIDsure

Android screen unlock

9


summary of recall based schemes

10

Table 1: Recall-based systems (summary). Columns, left to right: Android screen unlock; GrIDsure; PassShapes; DAS; BDAS; PassGo; YAGP; Haptic password; Passdoodle. (“–” marks no data. The rating glyphs of the “User choice resilience” row and a symbol preceding some durations did not survive extraction; “[?]” marks such a lost symbol.)

Theoretical space (bits): 18; 18; 21; 58; 58; 77; 300; i.d.; i.d.
User choice resilience: rating glyphs not recoverable
Variant response: no; yes; no; no; no; no; no; no; no
Server probes: 0; 0; 0; 0; 1; 0; 0; 0; 0
Paper study: –; –; 3×/1.5wk; 1×; 2×/1wk; –; –; 2×/1wk 2×/1wk; 2×/1wk (ten values extracted for nine columns; the fused pair came from one two-line cell whose column is uncertain)
Lab study: –; [?]11wk; –; –; –; 3×/2wk; 1×; 1× [?]1.5wk; 3×/1.5wk (the split between the last two cells is uncertain)
Field study: –; –; –; –; –; 13wk; –; –; –
Web study: –; –; –; –; –; –; –; –; –
Login time: –; –; 6s; –; –; –; –; –; –
Success rate: –; 87%; 63–100%; 57–80%; 50–80%; 78%; 87–96%; –; 38–46%
Interference studied: –; –; –; –; –; –; –; –; –

Page 11: graphical passwords - Home | UBC Blogsblogs.ubc.ca/computersecurity/files/2012/01/graphical_passwords.pdfYAGP (Yet Another Graphical Password), a modification to DAS where approximately

recognition based graphical password schemes

11


overview
§ user recognizes images from her portfolio
§ cognometric or searchmetric systems
§ exceptional ability to recognize images
§ password space comparable to 4-5 digit PINs
§ security
  § phishing more difficult
  § shoulder-surfing is of particular concern
    § perform some action rather than selecting images
      – more time consuming and less usable
  § plain-text equivalent concerns

12



PassFaces
§ user must select “her” image at each round
§ password space: |images|^|rounds|, 13 bits for 4 rounds and 9 images
§ predictable passwords -> system selected passwords
§ keyboard or eye-gaze for selecting images

13

Figure 3: Passfaces system. Left: sample panel from the original system [30]. Right: panel with decoys similar to the image from the user’s portfolio [39].

Dunphy et al. [39] investigated whether Passfaces could be made less vulnerable to social engineering attacks where attackers convince users to describe the images in their portfolio. They found that in 8% of 158 login attempts, participants could log in based on verbal descriptions of the images. They further found that participants were less likely (statistically significant) to correctly identify the portfolio image within a panel when decoys were strategically selected to be similar to the portfolio image. Alternatively, social engineering attacks could prompt users to take photographs or screenshots of their images for sharing, especially since all portfolio images are revealed with each login.

Comparing shoulder-surfing risks between Passfaces, text passwords, and PINs in a lab study, Tari et al. [117] found that Passfaces using keypad entry rather than a mouse was significantly less vulnerable to shoulder-surfing than even text passwords or PINs. If Passfaces uses a keyboard for password entry, then malware attacks would need both a keystroke logger and screen scraping software to gain enough knowledge for password entry; with regular mouse entry, only a screen scraper is needed. For further resistance against shoulder-surfing, Dunphy et al. [37] proposed and tested a version of Passfaces using eye-gaze as input at a simulated ATM machine. After initial “play” and “enrollment” phases, they found that participants improved in their ability to enter their passwords over time and that login took an average of 20 seconds for passwords consisting of 5 panels of 9 faces.

Everitt et al. [41] evaluated Passfaces for multiple password interference in a 5 week study where users received email prompts asking them to log on to 4 different fictitious “accounts” according to different schedules. Those who logged in more frequently and those who practiced each new password individually for several days in succession were more successful at remembering their passwords.

5.2 Other recognition-based schemes

Story (see Figure 4) was proposed by Davis, Monrose and Reiter [30] as a comparison system for Face. Users first select a sequence of images for their portfolio. To log in, users are presented with one panel of images and they must identify their portfolio images from among decoys. Story introduced a sequential component: users must select images in the correct order. To aid memorability, users were instructed to mentally construct a story to connect the everyday images in their set. In the test system, a password involved selecting a sequence of 4 images from a panel of 9 images, for a full password space of 9 · 8 · 7 · 6 = 3024 ≈ 2^12 passwords.

Story was user-tested along with Face in a field study.

Figure 4: Story system [30].

Figure 5: Deja Vu [33].

The authors [30] found that user choices in Story were more varied but still displayed exploitable patterns, such as differences between male and female choices. Users had more difficulty remembering Story passwords (≈ 85% success rate) and most frequently made ordering errors. Surveys with participants revealed that they were unlikely to have formulated a story as a memory aid, despite the designers’ intentions; this may explain the high number of ordering errors. Different instructions or more user experience might possibly result in greater usage of a story strategy.

In Deja Vu [33] (see Figure 5), users select and memorize a subset of “random art” images from a larger sample for their portfolio. To log in, users must recognize images belonging to their pre-defined portfolio from a set of decoy images; in the test system, a panel of 25 images was displayed, 5 of which belonged to the user’s portfolio. Users must identify all images from their portfolio and only one panel is displayed. Images of random art are used to make it more difficult for users to write down their password or share it with others by describing their images. The authors suggest that a fixed set of 10000 images suffices, but that “attractive” images should be hand-selected to increase the likelihood that images have similar probabilities of being selected by users. The theoretical password space has C(N, M) (N choose M) passwords, for N images in the panel, and M portfolio images shown. For example, C(25, 5) = 53130 ≈ 2^16. Deja Vu was asserted [33] to

be resistant to dictionary attacks because few images in the user study were selected by more than one user. This claim remains to be rigorously tested. Participants found it difficult to describe their portfolio images and those with the same image gave different descriptions from each other. This may stop social engineering attacks trying to gather enough information to log in by tricking the user to verbalize a password. Similarly, it would seem difficult to identify images belonging to a particular user based on knowing other information about that user; however, problems resulting from predictable user choice remain possible, such as users selecting images that include their favourite colour.

13

other recognition-based schemes

14

Story

Déjà vu

Figure 6: Cognitive Authentication scheme [133].

Weinshall [133] proposed the Cognitive Authentication scheme (see Figure 6) intended to be safe against spyware and shoulder-surfing. Keyboard input is used rather than a mouse and users must recognize images from their previously memorized portfolio. The login task involves computing a path through a panel of images starting from the top-left corner, based on whether particular images belong to the user’s portfolio: move down if you stand on a picture from your portfolio, move right otherwise. On reaching the panel’s right or bottom edge, identify the corresponding label for that row or column. A multiple-choice question is presented, which includes the label for the path’s correct end-point. Users perform several such rounds, each on a different panel. After each round, the system computes the cumulative probability that the correct answer was not entered by chance. When the probability passes a certain threshold, login succeeds. This tolerates some user error. If the threshold is not passed by a certain number of rounds, the login fails.

Users receive a system-assigned portfolio containing a large number (about 100) of randomly chosen images, and extensive initial training to memorize it. No times are reported for this training phase. Average login time is 1.5 to 3 minutes. In a user study with 9 participants, a 95% login success rate is reported, with users logging in over a period of 10 weeks.

Although the main claim [133] of resisting shoulder-surfing was proven false [48] (see Section 9), the scheme offers interesting lessons. The number of different passwords possible from a user’s viewpoint is C(N, M) (N choose M), based on unique collections of images. N is the number of images in a panel, M the number of portfolio images displayed; N=80, M=30 gives C(80, 30) ≈ 2^73 passwords. However, the redundancy which encodes the user’s portfolio images into row and column labels apparently results in a many-to-one mapping of image sets onto system passwords, reducing the password space. For example, for exactly 5 rounds and 4 different multiple choice answers, there are 4^5 = 2^10 distinct system passwords. Dictionary and personalized attacks have no advantage over exhaustive attacks, due to the random assignment of images. It appears impossible to verbalize enough information to convey a password to an attacker to allow successful login, making such social engineering attacks also improbable.
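The login walk and the "not by chance" accounting described above, as an added illustration that is not code from Weinshall’s paper or from the survey. The 8×10 panel, labels 0–3, the 1/1000 threshold, the 8-round limit, the binomial-tail accounting (standing in for the paper’s unspecified computation) and the constructed image set are assumptions; the C(N, M) helper also reproduces the Deja Vu C(25, 5) ≈ 2^16 figure from the earlier passage and the 4^5 = 2^10 versus C(80, 30) ≈ 2^73 gap from this one.

```python
import math
import random
from typing import Callable, Dict, Sequence, Set, Tuple

Exit = Tuple[str, int]  # ("row", i) or ("col", j): the edge label the walk ends at


def walk_panel(panel: Sequence[Sequence[str]], portfolio: Set[str]) -> Exit:
    """One round of the Cognitive Authentication login task: start top-left,
    move down on a portfolio image, right otherwise, and report which edge
    label (row end on the right, column end at the bottom) the walk reaches."""
    rows, cols = len(panel), len(panel[0])
    r = c = 0
    while True:
        if panel[r][c] in portfolio:
            r += 1
            if r == rows:  # walked off the bottom edge: answer is the column label
                return ("col", c)
        else:
            c += 1
            if c == cols:  # walked off the right edge: answer is the row label
                return ("row", r)


def chance_probability(rounds: int, correct: int, choices: int = 4) -> float:
    """Probability that a random guesser, picking one of `choices` answers per
    round, gets at least `correct` of `rounds` rounds right (binomial tail).
    This accounting is an assumption; the paper does not spell out its formula."""
    p = 1 / choices
    return sum(math.comb(rounds, k) * p ** k * (1 - p) ** (rounds - k)
               for k in range(correct, rounds + 1))


def system_password_space(rounds: int, choices: int = 4) -> int:
    """Distinct answer sequences the server can tell apart: choices**rounds
    (4**5 = 2**10 for 5 rounds of 4 answers, the survey's example)."""
    return choices ** rounds


def user_view_space_bits(n_panel: int, m_portfolio: int) -> float:
    """log2 of C(N, M): the space from the user's viewpoint (80, 30 -> ~73 bits;
    the Deja Vu case 25, 5 -> ~16 bits)."""
    return math.log2(math.comb(n_panel, m_portfolio))


class CognitiveAuthServer:
    """Server side: a fresh random panel and random edge labels every round;
    accept once the chance-probability of the answers so far drops to the
    threshold (so a wrong answer costs extra rounds rather than failing outright),
    reject after max_rounds. All parameter defaults are assumptions."""
    CHOICES = 4

    def __init__(self, images, portfolio, rows, cols,
                 threshold=1 / 1000, max_rounds=8, seed=0):
        assert rows * cols == len(images)
        self.images, self.portfolio = list(images), set(portfolio)
        self.rows, self.cols = rows, cols
        self.threshold, self.max_rounds = threshold, max_rounds
        self.rng = random.Random(seed)

    def new_round(self):
        imgs = self.images[:]
        self.rng.shuffle(imgs)
        panel = [imgs[r * self.cols:(r + 1) * self.cols] for r in range(self.rows)]
        labels: Dict[Exit, int] = {("row", r): self.rng.randrange(self.CHOICES)
                                   for r in range(self.rows)}
        labels.update({("col", c): self.rng.randrange(self.CHOICES)
                       for c in range(self.cols)})
        return panel, labels

    def login(self, answer: Callable[[Sequence[Sequence[str]], Dict[Exit, int]], int]
              ) -> Tuple[bool, int]:
        """Run rounds until the threshold is met or the round budget is spent."""
        correct = 0
        for n in range(1, self.max_rounds + 1):
            panel, labels = self.new_round()
            if answer(panel, labels) == labels[walk_panel(panel, self.portfolio)]:
                correct += 1
            if chance_probability(n, correct, self.CHOICES) <= self.threshold:
                return True, n
        return False, self.max_rounds


# Constructed sample (not from the paper): 80 images in an 8x10 panel,
# 30 of them in the portfolio, i.e. the survey's N=80, M=30 case.
IMAGES = [f"img{i:02d}" for i in range(80)]
PORTFOLIO = set(random.Random(42).sample(IMAGES, 30))


def legitimate_user(panel, labels):
    """A user who knows the portfolio simply reads off the label the walk ends at."""
    return labels[walk_panel(panel, PORTFOLIO)]


if __name__ == "__main__":
    server = CognitiveAuthServer(IMAGES, PORTFOLIO, rows=8, cols=10)
    print("legitimate login:", server.login(legitimate_user))  # (True, 5)
    print("system passwords, 5 rounds:", system_password_space(5))  # 1024
    print("user-view bits, N=80 M=30:", round(user_view_space_bits(80, 30)))  # 73
```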

Figure 7: PassPoints password example [139]. The 5 numbered boxes (not ordinarily visible to users) illustrate the tolerance area around click-points.

Other recognition-based systems have been proposed, with similar usability and security profiles as those above. We therefore mention them only briefly. In the VIP system [31, 71], a panel of images is displayed. Users must select images from their portfolio among decoys. Different configurations allow for multiple rounds or sequencing of images. In the Photographic Authentication system [86], users initially provide their own set of digital photos and must identify these from among decoys, with panels of 4 images, and 10 rounds. The decoy images are randomly selected from the images collected from other users. Use Your Illusion [54] also requires that users select portfolio images from panels of decoys; the selected images are distorted after original selection. The idea is that the legitimate user can still recognize the images despite distortion, while the distortion creates difficulties for others. The distortion is intended to protect against social engineering and shoulder-surfing attacks. In the Convex Hull Click Scheme [140], users select and memorize a portfolio of images, and must recognize these images from among decoys displayed, over several rounds. The images are small icons and several dozen are randomly positioned on the screen. Each panel contains at least 3 of the user’s icons. Users must identify their icons, visualize the triangle they form, and click anywhere within this triangle. This design is intended to protect against shoulder-surfing, but comes at a cost of longer login times. In Bicakci et al.’s [14] GPI (Graphical Password with Icons) and GPIS (Graphical Password with Icons suggested by the System) systems, users log in by selecting their 6 icons, in order, from a panel of 150 icons. The theoretical password space of these two schemes is similar to most cued-recall schemes at 2^43 (see below). The two systems differ only in how passwords are set. GPI allows users to choose any 6 icons as their password. In GPIS, passwords are suggested by the system but users may shuffle until they find an acceptable password, reducing (but not eliminating) problems with user choice.

Renaud [95] ran a field study comparing different types of user involvement in selecting portfolio images for recognition-based schemes. Users could select images from a photo archive, take their own photos, or draw doodles that were subsequently scanned and converted to JPEG format. Results show a significant increase in login success rates when user portfolios contain self-drawn doodles rather than either type of photos. The memorability improvements, however, need to be balanced with the additional risk of personalized attacks if attackers know a user’s drawing style or recognize personally-identifiable features within the doodles.


Cognitive Authentication Scheme

One additional risk associated with using public infrastructure is that an assailant can potentially capture all information being entered and displayed, not just data from the authentication process. For example, when users check the status of their bank accounts, they are potentially compromising both their account balance and account number. However, it is generally only necessary to display the account balance, not both. Such casual data, such as the bank account balance without the account number, could be suitably protected with a photographic-authentication scheme because it is private but not high security.

A highly secure authentication technique would be overkill for such a terminal because secure authentication in itself does not guarantee the security of the data accessed. Photographic authentication aims to be “secure enough” for casual data by providing the necessary level of security without compromising ease of use. Ideally, the complete system would not even allow a user to access high-security data through an untrusted terminal. In other words, just because you already showed your badge to enter work doesn’t mean you should leave your wallet on your desk.

The popularity of digital photography has recently exploded because of the widespread availability of affordable consumer-grade cameras and computers capable of manipulating photographs. As a result, many people have substantial personal digital photograph collections. Furthermore, as cameras become more affordable and easier to use, more people will possess large personal image collections, and digital storage capacities are rapidly increasing, providing ample space to save images. For the users who have them, these images can form a convenient authentication system that doesn’t require much configuration.

The Personal Server [4]—the mobile device that inspired this article—provides a mobile user experience by wirelessly connecting with PCs and displays found nearby in the environment, rather than using a small-screen display on the device itself. Developing secure authentication techniques that do not require the user to juggle small devices, such as an authentication key, is an important step in making such systems usable and widely accepted.

Security overview

Theoretically, the photographic-authentication implementation presented here is about as secure as a six-digit password. This means that there is about a 1 in 10^6 chance that random guessing will be successful, a smaller chance than that of the personal identification numbers (PINs) of present-day ATM machines, which have a 1 in 10^4 chance of being randomly guessed, assuming you have the ATM card. In contrast, strong-text passwords, or even the weak passwords typically used on the Web, are many thousands of times more secure when subjected to a randomized guessing attack—approximately 10^12 combinations for a six-character alphanumeric-punctuation password. The real vulnerability of photograph-based authentication is not numeric, but cognitive. In a cognitive attack, the attacker uses knowledge about the user.

Another technique would be to require users to carry a portable electronic device, such as a PDA [5] or SecurID card (www.rsasecurity.com/products/securid) as a trusted authentication mechanism that would let them safely log in to an untrusted terminal using a one-time key generated by the device. Although attractive from a security standpoint, this technique is quite complicated from a user’s perspective: Users must retrieve the device, activate it, and manually type in the appropriate code. Additionally, they must not forget, lose, or break the device. In contrast, photographic authentication is streamlined: Users simply walk up to a terminal and select from a few sequences of images presented to them on the screen.

Photographic authentication is well suited to providing access through semitrusted or untrusted terminals where a user might want to access information only a few times while not implicitly trusting the access point. Photographic authentication is also well

JANUARY–MARCH 2003, PERVASIVE computing, 31

Figure 1. Prototype photographic-authentication Web browser interface. Users must select the images that belong to them.

Photographic Authentication

Fig. 1. GPI interface (left) and GPIS interface (right). In GPI the user selects the click-points whereas in GPIS the system selects and displays them (sizes are scaled down to fit into the page, best viewed in color)

To overcome these problems, first we used colored icons that were drawn in a stylistically similar way. Second, we referred to a category norm study to select the objects that the icons represent [15]. This study reports the word lists that participants generated as category instances when given a category. For each word and each category, it gives the probability of the word being included in the category list. Using this measure, we selected popular instances of categories and used icons of them. In this way, we aimed to normalize the familiarity of each object and each icon to minimize the hotspot problem.

Fig.2. The PassPoints [24] interface

In the GPI and GPIS interfaces (Figure 1) there are 150 icons selected from 15 categories (animals, car brands, cartoon characters, electronic devices, clothes, fruits, music instruments, kitchen utensils, office equipment, vegetables, weapons, sports, hand tools, vehicles, and fast food). Icons that belong to the same category are


Graphical Passwords with Icons

14

Page 15:

summary of recognition based schemes

15

Table 1: Recall-based systems (summary). Columns: theoretical password space (bits), variant response, server probes, paper-based study, lab study, field study, login time, success rate. "–" = not reported; "i.d." = insufficient data; "n×/kwk" = n sessions over k weeks. No web studies were reported and interference was not studied for any of these schemes; the user-choice-resilience ratings are symbolic in the original and are not reproduced here.

Scheme                 Bits  Variant   Server  Paper study     Lab study   Field  Login  Success
                             response  probes                              study  time   rate
Android screen unlock    18  no        0       –               –           –      –      –
GrIDsure                 18  yes       0       –               ≥11wk       –      –      87%
PassShapes               21  no        0       3×/1.5wk        –           –      6s     63-100%
DAS                      58  no        0       1×              –           –      –      57-80%
BDAS                     58  no        1       2×/1wk          –           –      –      50-80%
Pass-Go                  77  no        0       –               3×/2wk      13wk   –      78%
YAGP                    300  no        0       –               1×          –      –      87-96%
Haptic password        i.d.  no        0       2×/1wk; 2×/1wk  1×; ≥1.5wk  –      –      –
Passdoodle             i.d.  no        0       2×/1wk          3×/1.5wk    –      –      38-46%

Table 2: Recognition-based systems (summary). Columns as in Table 1 plus web study and whether interference was studied; † marks retained from the original. No paper-based studies were reported; user-choice-resilience ratings are symbolic in the original and are not reproduced here.

Scheme                    Bits   Variant   Server  Lab study  Field  Web     Login time  Success   Interference
                                 response  probes             study  study               rate      studied
Cognitive Authentication  10/73  yes       many    13×/10wk   –      –       90-180s     >95%      –
Use Your Illusion         11     no        1       4×/4wk     –      –       12-26s      89-100%   –
Story                     12     no        1       –          ≥16wk  –       –           †85%      –
Passfaces/Faces           13     no        1       –          ≥16wk  1-5mth  14-88s      72-100%   yes
VIP (type 1)              13     no        1       2×/1wk     ≥16wk  –       5-†6s       †11-95%   yes
Déjà Vu                   16     no        1       2×/1wk     –      –       32-36s      90-100%   –
Photographic Auth.        20     yes       many    1×         –      –       †40s        †95-100%  –
Convex Hull Click         32     yes       many    2×/1wk     –      –       72s         90%       –
GPI/GPIS                  43     no        1       2×/1wk     –      –       †18s/†19s   83%/74%   –

Further study entries present in the original (3×/4wk, 10wk, 5wk) could not be assigned to columns in this transcript.


Page 16:

cued-recall based graphical password schemes

16

Page 17:

overview
§ user remembers and targets specific locations within an image
§ image provides cues
  § easier than pure recall
  § cue should be helpful only to legitimate users

17


Page 18:

PassPoints
§ password: sequence of any n user-selected click-points
§ password space: 2^43 for n=5
§ login success rate: 55-90%
§ image choice impacts usability
§ memory interference from multiple passwords
§ hotspots affect security

18

Figure 6: Cognitive Authentication scheme [133].

word. Similarly, it would seem difficult to identify images belonging to a particular user based on knowing other information about that user; however, problems resulting from predictable user choice remain possible, such as users selecting images that include their favourite colour.

Weinshall [133] proposed the Cognitive Authentication scheme (see Figure 6) intended to be safe against spyware and shoulder-surfing. Keyboard input is used rather than a mouse and users must recognize images from their previously memorized portfolio. The login task involves computing a path through a panel of images starting from the top-left corner, based on whether particular images belong to the user's portfolio: move down if you stand on a picture from your portfolio, move right otherwise. On reaching the panel's right or bottom edge, identify the corresponding label for that row or column. A multiple-choice question is presented, which includes the label for the path's correct end-point. Users perform several such rounds, each on a different panel. After each round, the system computes the cumulative probability that the correct answer was not entered by chance. When the probability passes a certain threshold, login succeeds. This tolerates some user error. If the threshold is not passed by a certain number of rounds, the login fails.

Users receive a system-assigned portfolio containing a large number (about 100) of randomly chosen images, and extensive initial training to memorize it. No times are reported for this training phase. Average login time is 1.5 to 3 minutes. In a user study with 9 participants, a 95% login success rate is reported, with users logging in over a period of 10 weeks.

Although the main claim [133] of resisting shoulder-surfing was proven false [48] (see Section 9), the scheme offers interesting lessons. The number of different passwords possible from a user's viewpoint is $\binom{N}{M}$, based on unique collections of images. N is the number of images in a panel, M the number of portfolio images displayed; N=80, M=30 gives $\binom{80}{30} \approx 2^{73}$ passwords. However, the redundancy which encodes the user's portfolio images into row and column labels apparently results in a many-to-one mapping of image sets onto system passwords, reducing the password space. For example, for exactly 5 rounds and 4 different multiple choice answers, there are $4^5 = 2^{10}$ distinct system passwords. Dictionary and personalized attacks have no advantage over exhaustive attacks, due to the random assignment of images. It appears impossible to verbalize enough information to convey a password to an attacker to allow successful login, making such social engineering attacks also improbable.
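The path rule, the statistical acceptance test and the two password-space figures above can be checked with the following model. This is an added example written for this page, not code from Weinshall [133] or from the survey; the 2×2 panel, the 4-way multiple choice, the 2^-10 acceptance threshold and the 8-round cap are constructed assumptions chosen so that the arithmetic can be followed by hand.

```python
"""Model of a Cognitive Authentication login round and its password-space
arithmetic (added example; panels and parameters below are constructed)."""
from itertools import combinations
from math import comb, log2


def walk_panel(panel, portfolio):
    """Walk from the top-left cell: move down on a portfolio image, right on a
    decoy. Return the label of the edge where the path leaves the panel:
    ("col", c) when it steps off the bottom, ("row", r) when it steps off the right."""
    rows, cols = len(panel), len(panel[0])
    r = c = 0
    while True:
        if panel[r][c] in portfolio:
            if r == rows - 1:
                return ("col", c)
            r += 1
        else:
            if c == cols - 1:
                return ("row", r)
            c += 1


def chance_probability(answered, correct, choices=4):
    """P(a uniform guesser gets at least `correct` of `answered` rounds right)."""
    p = 1.0 / choices
    return sum(comb(answered, k) * p ** k * (1 - p) ** (answered - k)
               for k in range(correct, answered + 1))


def login(panels, answers, portfolio, choices=4, threshold=2 ** -10, max_rounds=8):
    """Accept once the cumulative chance probability drops to `threshold`;
    reject if that has not happened after `max_rounds` rounds. Because the
    test is statistical, one wrong answer can be absorbed by extra rounds."""
    correct = 0
    for answered, (panel, answer) in enumerate(zip(panels, answers), start=1):
        if answered > max_rounds:
            break
        if walk_panel(panel, portfolio) == answer:
            correct += 1
        if chance_probability(answered, correct, choices) <= threshold:
            return True
    return False


def user_view_bits(n_panel=80, m_portfolio=30):
    """log2 of the number of distinct portfolios a user could hold: C(N, M)."""
    return log2(comb(n_panel, m_portfolio))


def system_view_bits(rounds=5, choices=4):
    """log2 of the number of answer sequences the server can tell apart."""
    return rounds * log2(choices)


def label_multiplicity(panel):
    """Count how many different portfolios (subsets of the panel's images) lead
    to each exit label; any count above 1 is the many-to-one mapping from
    image sets onto system passwords."""
    images = [img for row in panel for img in row]
    counts = {}
    for k in range(len(images) + 1):
        for subset in combinations(images, k):
            label = walk_panel(panel, set(subset))
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    panel = [["a", "b"], ["c", "d"]]          # constructed 2x2 panel
    print(walk_panel(panel, {"a", "d"}))      # ('col', 1)
    print(round(user_view_bits()), round(system_view_bits()))  # 73 10
    print(label_multiplicity(panel))
```

With a 4-way choice and exactly 5 rounds the guesser's chance is 4^-5 = 2^-10, matching the 2^10 system passwords above; allowing up to 8 rounds lets one wrong answer through (7 of 8 correct has chance 25/65536, below 2^-10) while two wrong answers are rejected, which is the error tolerance the text describes. label_multiplicity enumerates every subset of a small panel's images and shows several portfolios exiting at the same label, the many-to-one mapping that shrinks the space from C(N, M) to 4^rounds.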

Figure 7: PassPoints password example [139]. The 5 numbered boxes (not ordinarily visible to users) illustrate the tolerance area around click-points.

Other recognition-based systems have been proposed, with similar usability and security profiles as those above. We therefore mention them only briefly. In the VIP system [31, 71], a panel of images is displayed. Users must select images from their portfolio among decoys. Different configurations allow for multiple rounds or sequencing of images. In the Photographic Authentication system [86], users initially provide their own set of digital photos and must identify these from among decoys, with panels of 4 images, and 10 rounds. The decoy images are randomly selected from the images collected from other users. Use Your Illusion [54] also requires that users select portfolio images from panels of decoys; the selected images are distorted after original selection. The idea is that the legitimate user can still recognize the images despite distortion, while the distortion creates difficulties for others. The distortion is intended to protect against social engineering and shoulder-surfing attacks. In the Convex Hull Click Scheme [140], users select and memorize a portfolio of images, and must recognize these images from among decoys displayed, over several rounds. The images are small icons and several dozen are randomly positioned on the screen. Each panel contains at least 3 of the user's icons. Users must identify their icons, visualize the triangle they form, and click anywhere within this triangle. This design is intended to protect against shoulder-surfing, but comes at a cost of longer login times. In Bicakci et al.'s [14] GPI (Graphical Password with Icons) and GPIS (Graphical Password with Icons suggested by the System) systems, users log in by selecting their 6 icons, in order, from a panel of 150 icons. The theoretical password space of these two schemes is similar to most cued-recall schemes at 2^43 (see below). The two systems differ only in how passwords are set. GPI allows users to choose any 6 icons as their password. In GPIS, passwords are suggested by the system but users may shuffle until they find an acceptable password, reducing (but not eliminating) problems with user choice.

Renaud [95] ran a field study comparing different types of user involvement in selecting portfolio images for recognition-based schemes. Users could select images from a photo archive, take their own photos, or draw doodles that were subsequently scanned and converted to JPEG format. Results show a significant increase in login success rates when user portfolios contain self-drawn doodles rather than either type of photos. The memorability improvements, however, need to be balanced with the additional risk of personalized attacks if attackers know a user's drawing style or recognize personally-identifiable features within the doodles.



Hot-spotting Observed [2007]

Halo’s diameter is 5 times the number of underlying clicks

Could attackers exploit hot spots to guess passwords?

– How would they determine (likely) hot-spots?
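One way an attacker could answer the question on the slide is to pool click-points from many users, bucket them into tolerance squares and rank the buckets; the most popular squares become the guessing dictionary. The following is an added example for this page (not from the slides or the cited 2007 work); the five 5-click passwords are constructed, the 451×331 image and 19×19 tolerance come from the PassPoints setup described later on this page, and a fixed image-aligned grid is assumed because an attacker does not know each user's grid offsets.

```python
"""PassPoints hotspot analysis (added example; the click data is constructed).
Squares are 19x19 tolerance squares on a 451x331 image."""
from collections import Counter
from math import log2

TOL = 19                      # tolerance square side (pixels)
IMAGE_W, IMAGE_H = 451, 331   # PassPoints example image size


def theoretical_space_bits(width=IMAGE_W, height=IMAGE_H, tol=TOL, n_points=5):
    """Bits in the full space: (number of tolerance squares) ** n_points."""
    squares = (width // tol) * (height // tol)
    return n_points * log2(squares)


def square(point, tol=TOL):
    """Map a pixel click to its square on a fixed, image-aligned grid
    (attacker-side approximation: the per-user grid offsets are unknown)."""
    x, y = point
    return (x // tol, y // tol)


def hotspot_ranking(passwords, tol=TOL):
    """Rank squares by how many click-points, across all users, land in them."""
    counts = Counter(square(p, tol) for pw in passwords for p in pw)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def dictionary_coverage(passwords, top_k, tol=TOL):
    """Fraction of passwords whose every click falls in the top_k hotspot squares."""
    top = {sq for sq, _ in hotspot_ranking(passwords, tol)[:top_k]}
    hit = sum(all(square(p, tol) in top for p in pw) for pw in passwords)
    return hit / len(passwords)


def dictionary_size_bits(top_k, n_points=5):
    """Bits an attacker must search when each click is restricted to top_k squares."""
    return n_points * log2(top_k)


# Constructed sample: five users' 5-click passwords on the same image.
SAMPLE = [
    [(100, 50), (300, 200), (50, 300), (400, 100), (200, 250)],
    [(102, 48), (298, 203), (52, 298), (400, 100), (150, 150)],
    [(99, 51), (301, 199), (50, 300), (250, 50), (200, 250)],
    [(100, 50), (300, 200), (10, 10), (400, 100), (420, 320)],
    [(100, 50), (300, 200), (50, 300), (400, 100), (200, 250)],
]

if __name__ == "__main__":
    print(round(theoretical_space_bits(), 1))          # about 43.1 bits
    for sq, n in hotspot_ranking(SAMPLE)[:5]:
        print(sq, n)
    print(dictionary_coverage(SAMPLE, 5), round(dictionary_size_bits(5), 1))
```

On the constructed data two squares collect five clicks each, and restricting every click to the five most popular squares already covers 2 of the 5 passwords with a search of 5^5 (about 2^11.6) candidates instead of 391^5 (about 2^43). A real attack has to predict hotspots from the image itself, or from other users' passwords on the same image, rather than from the victims' own data, and a click near a square boundary can fall into a neighbouring bucket, so this count underestimates how clustered the clicks really are.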

Page 19:

other cued-recall based schemes

19

4 Cued Click Points

dictates the next image. If they dislike the resulting images, they could create a new password involving different click-points to get different images.

Fig. 1. CCP passwords can be regarded as a choice-dependent path of images

We envision that CCP fits into an authentication model where a user hasa client device (which displays the images) to access an online server (whichauthenticates the user). We assume that the images are stored server-side withclient communication through SSL/TLS. For further discussion, see Section 6.

For implementation, CCP initially functions like PassPoints. During pass-word creation, a discretization method (e.g., see [1]) is used to determine aclick-point’s tolerance square and corresponding grid. For each click-point in asubsequent login attempt, this grid is retrieved and used to determine whetherthe click-point falls within tolerance of the original point. With CCP, we furtherneed to determine which next-image to display.

Similar to the PassPoints studies, our example system had images of size 451×331 pixels and tolerance squares of 19×19 pixels. If we used robust discretization [1], we would have 3 overlapping candidate grids each containing approximately 400 squares and, in the simplest design, 1200 tolerance squares per image (although only 400 are used in a given grid). We use a function f(username, currentImage, currentToleranceSquare) that uniquely maps each tolerance square to a next-image. This suggests a minimum set of 1200 images required at each stage. One argument against using fewer images, and having multiple tolerance squares map to the same next-image, is that this could potentially result in misleading implicit feedback in (albeit rare) situations where users click on an incorrect point yet still see the correct next-image.

Each of the 1200 next-images would have 1200 tolerance squares and thus require 1200 next-images of their own. The number of images would quickly become quite large. So we propose re-using the image set across stages. By re-using images, there is a slight chance that users see duplicate images. During the 5 stages in password creation, the image indices $i_1, \ldots, i_5$ for the images in the password sequence are each in the range $1 \le i_j \le 1200$. When computing the next-image index, if any is a repeat (i.e., the next $i_j$ is equal to $i_k$ for some
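The storage and next-image logic sketched above, as an added example for this page (not the CCP authors' implementation). Three things are assumptions: the discretization is a simplified centered grid (one grid per click-point, with offsets chosen so the click sits mid-square, instead of the three-grid robust discretization cited as [1]); f(username, currentImage, currentToleranceSquare) is instantiated with an HMAC under a server-side key; and the repeat rule, which the excerpt breaks off before stating, is taken to be "advance to the next unused index". Image indices are 0-based here.

```python
"""Cued Click-Points storage and next-image selection (added example; not the
CCP authors' code). Assumptions: centered per-click grids instead of robust
discretization, a keyed hash for f, and an assumed repeat-avoidance rule."""
import hashlib
import hmac
import os

T = 19             # tolerance square side in pixels, as in the CCP example system
NUM_IMAGES = 1200  # images available at every stage (the set is re-used across stages)
STAGES = 5


def centered_grid(x, y, t=T):
    """Pick grid offsets that put (x, y) at the centre of its square.
    Returns (offsets, square): the offsets are the 'grid identifier' the
    server keeps readable; the square index is what enters the hashed verifier."""
    ox, oy = (x - t // 2) % t, (y - t // 2) % t
    return (ox, oy), ((x - ox) // t, (y - oy) // t)


def square_in_grid(x, y, offsets, t=T):
    """Locate a login click in the grid stored for this stage."""
    ox, oy = offsets
    return ((x - ox) // t, (y - oy) // t)


def first_image(server_key, username):
    """Per-user starting image (assumption: derived from a keyed hash)."""
    mac = hmac.new(server_key, b"start|" + username.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % NUM_IMAGES


def next_image(server_key, username, image, square, seen):
    """f(username, currentImage, currentToleranceSquare) -> next image index.
    `seen` holds indices already on this path; on a repeat we advance to the
    next unused index (assumed rule; the excerpt above stops before stating it)."""
    msg = f"{username}|{image}|{square[0]},{square[1]}".encode()
    digest = hmac.new(server_key, msg, hashlib.sha256).digest()
    idx = int.from_bytes(digest, "big") % NUM_IMAGES
    while idx in seen:
        idx = (idx + 1) % NUM_IMAGES
    return idx


def verifier(salt, username, squares):
    """Salted hash over the sequence of square indices (the secret part)."""
    serial = ";".join(f"{sx},{sy}" for sx, sy in squares)
    return hashlib.sha256(salt + f"{username}|{serial}".encode()).hexdigest()


def walk(server_key, username, clicks, grid_for_stage):
    """Shared path computation: returns (square indices, images shown on the path)."""
    image = first_image(server_key, username)
    seen, squares, shown = {image}, [], [image]
    for stage, (x, y) in enumerate(clicks):
        _, sq = grid_for_stage(stage, x, y)
        squares.append(sq)
        image = next_image(server_key, username, image, sq, seen)
        seen.add(image)
        shown.append(image)
    return squares, shown


def create_password(server_key, username, clicks):
    """clicks: STAGES (x, y) points, one per image. Returns the stored record
    and the image path the user will see again on a correct login."""
    if len(clicks) != STAGES:
        raise ValueError("expected %d click-points" % STAGES)
    offsets = []

    def choose_grid(stage, x, y):
        off, sq = centered_grid(x, y)
        offsets.append(off)           # grid identifier, stored in the clear
        return off, sq

    squares, path = walk(server_key, username, clicks, choose_grid)
    salt = os.urandom(16)
    record = {"salt": salt, "offsets": offsets,
              "verifier": verifier(salt, username, squares)}
    return record, path


def login(server_key, username, record, clicks):
    """Returns (accepted, images shown). A click outside tolerance changes the
    next image, which is the implicit feedback the user relies on."""
    if len(clicks) != len(record["offsets"]):
        return False, []

    def stored_grid(stage, x, y):
        off = record["offsets"][stage]
        return off, square_in_grid(x, y, off)

    squares, shown = walk(server_key, username, clicks, stored_grid)
    expected = verifier(record["salt"], username, squares)
    return hmac.compare_digest(record["verifier"], expected), shown
```

The stored record holds the per-stage grid offsets in the clear and only a salted hash of the square-index sequence, which is the split the survey describes for PassPoints, CCP and PCCP. A login click within 9 px of the original lands in the same square and reproduces the same image path; a click 10 px off changes the next image and the final hash comparison fails. Note what the readable offsets give away: ox = (x - 9) mod 19, so anyone holding the record learns each original click's position modulo the tolerance, which fixes the grid exactly but does not by itself say which square was chosen.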

Cued Click-Points (CCP)

Figure 8: Persuasive Cued Click-Points. During password creation, users select a click-point from the highlighted viewport or press the shuffle button to relocate the viewport.

Figure 9: Inkblots from the Inkblot Authentication user study [111].

feedback if they enter an incorrect click-point during login, seeing an image that they do not recognize. At this point they can restart password entry to correct the error. This implicit feedback [27] is not helpful to an attacker not knowing the expected image sequence.

In a lab-based user study [27] of CCP, users successfully logged in on the first attempt, without errors or restarts, in 96% of trials. On average, participants took 25 seconds to create a password, and 7 seconds to login. Analysis of user choice revealed that users tended to select click-points falling within known hotspots [22], but that simple patterns of click-points were eliminated (cf. PassPoints above) [23].

Persuasive Cued Click-Points (PCCP) [22] is a variation of CCP designed to persuade users to select more random passwords. It functions like CCP, but during password creation the image is dimmed except for a small square viewport area randomly positioned on the image. Users select a click-point from within this viewport (see Figure 8), or may press a "shuffle" button to randomly reposition the viewport until a suitable location is found. On subsequent logins, images are displayed in their normal format with no dimming or viewport. Common wisdom that users choose the path-of-least-resistance here means selecting a click-point within the first or first few viewports. The design intent of the viewport is to flatten the distribution of click-points across multiple users, reducing hotspots.

In a lab study [22], login success rates were similar to CCP. Participants took 50 seconds on average to create a password (an increase mainly due to participants who shuffled repeatedly, though most shuffled relatively infrequently), and 8 seconds to log in. A later two-week study [110] comparing PCCP configured with different image sizes and numbers of click-points, found both manipulations had similar effects on usability. PCCP reportedly [23] removes major concerns related to common patterns and hotspots.

As mentioned earlier, proposed implementations of PassPoints, CCP, and PCCP use a grid-based discretization algorithm to determine whether login click-points are within tolerance. In system-side storage for verification, these passwords can be hashed; additional information such as a grid identifier (for each click-point), however, is stored in a manner accessible to the system, to allow the system to use the appropriate grid to verify login attempts. It is unclear if attackers gaining access to the server-side storage can use these grid identifiers to their advantage.

Inkblot Authentication [111] (see Figure 9) is not strictly a graphical password system, but uses images as a cue for text password entry. During password creation, users are shown a series of computer-generated "inkblots" and asked to type the first and last letter of the word/phrase that best describes the inkblot. The letter pairs form the password. The inkblots are displayed in shuffled order as cues during login, and users enter each of their 2-character responses. The same shuffled order is used for each subsequent login. It was suggested that with time, users would memorize their password and would no longer need to rely on the inkblots as cues. Twenty-five users in a lab study were presented with 10 inkblots and created a corresponding password. After one day, 80% of users entered their entire password correctly; 72% were successful after one week. With only one exception, when users made mistakes, it was on only one of their 10 character-pairs. The resulting passwords were relatively strong (20 characters long with no recognizable words; although some letters were more popular than others). It is claimed that inkblots are abstract enough that an attacker seeing the inkblots would not have an advantage in guessing a user's password.

Similarly, Jiminy [96, 97] is a graphical tool for remembering text passwords. A grid of alphanumeric characters is placed over an image and users are provided with coloured templates that contain several openings. To log in, users select the appropriate template, "anchor" it to the correct location on the image, then enter the sequence of characters visible through the openings. Instead of remembering their text password, users remember the position of the template on the image. Several users in paper-based and web-based studies selected the same anchor points, indicating that the security impact of hotspots in this scheme is in doubt.

Alsulaiman and El Saddik [2] proposed a 3D scheme where users navigate a 3D world and perform actions interpreted as their password. Much like the 2D graphical passwords above, the 3D environment acts as a cue to prompt users to perform their actions. The designers envision that users could perform various actions such as clicking on certain areas, typing or drawing on a virtual surface, supplying a biometric, or interacting with parts of the virtual world (like turning on a light switch). A prototype system implements a small portion of the scheme (users can walk through a virtual art gallery and enter text passwords at virtual computers or select pictures as part of a graphical password). Detail


Persuasive CCP


Inkblot

Jiminy

three-dimensional virtual environment constructs the user's 3D password. Therefore, the user can walk in the virtual environment and type something on a computer that exists at position (x1, y1, z1), then walk into a room that has a white board at position (x2, y2, z2) and draw something on the white board. The combination and the sequence of the previous two actions towards the specific objects construct the user's 3D password. Users can navigate through a three-dimensional virtual environment that can contain any virtual object.

Virtual objects can be of any type. We list some possible objects to clarify the idea. An object can be:

1. A computer that the user can type on
2. A white board that a user can draw on
3. An ATM machine that requires a smart card and PIN
4. A light that can be switched on/off
5. Any biometric device
6. Any graphical password scheme
7. Any real-life object
8. Any upcoming authentication scheme

Moreover, in the virtual three-dimensional environment we can have two different computers in two different locations. Actions and interactions with the first computer are totally different from actions towards the second computer, since each computer has its own (x, y, z) position in the three-dimensional virtual environment. Each object in the virtual three-dimensional environment has its own (x, y, z) coordinates, speed, weight and responses towards actions.

B. 3D Password Selection and Inputs

Consider a three-dimensional virtual environment space of size G × G × G. Each point in the three-dimensional environment space is represented by coordinates (x, y, z) ∈ [1..G] × [1..G] × [1..G]. The objects are distributed in the three-dimensional virtual environment, and every object has its own (x, y, z) coordinates. Assume the user can navigate and walk through the three-dimensional virtual environment and can see the objects and interact with them. The input device for interactions with objects can be a mouse, a keyboard, a stylus, a card reader, a microphone, etc.

User actions, interactions and inputs towards the objects and towards the three-dimensional virtual environment are mapped into a sequence of three-dimensional coordinates and actions, interactions and inputs. For example, consider a user who navigates through the three-dimensional virtual environment and types "AB" into a computer that exists at position (13, 2, 30). The user then walks over and turns off the light located at (20, 6, 12), and then goes to a white board located at (55, 3, 30) and draws just one dot at the (x, y) coordinate (530, 250) of the white board. The user then presses the login button. The user's actions, interactions and inputs towards the objects and the three-dimensional virtual environment can be represented as follows:

(13,2,30) Action = Typing, "A"
(13,2,30) Action = Typing, "B"
(20,6,12) Action = Turning the Light, Off
(55,3,30) Action = Drawing, point = (530,250)

Two 3D passwords are equal to each other when the sequence of actions towards every specific object is equal and the actions themselves are equal towards the objects.

As described earlier, three-dimensional virtual environments can be designed to include any virtual objects. The first step in building a 3D password system is designing the three-dimensional virtual environment. The selection of what objects to use, locations, and types of responses are very critical tasks. The design affects the strength, usability and performance of the 3D password. Figure 1 shows an experimental three-dimensional environment.

Figure (1): Snapshot of the proof-of-concept three-dimensional virtual environment. A virtual art gallery consisting of 36 pictures and 6 computers, where users can navigate and interact with virtual objects by either typing or drawing.

III. SECURITY ANALYSIS

The information content of a password space is defined in [9] as "the entropy of the probability distribution over that space given by the relative frequencies of the passwords that users actually choose". It is a measure that determines how hard an attack is. However, having a scheme with a very large number of possible passwords is one of the important parts of resisting attacks on such a scheme.

We will analyze 3D passwords by discovering how large the 3D password space is. Then we will analyze the knowledge distribution of the 3D password.

A. The Size of the 3D Password Space

First of all, by computing the size of the 3D Password space we count all possible 3D Passwords that have a certain number of (actions, interaction, and inputs) towards all objects that exist in the three-dimensional virtual environment. We assume that the probability of a 3D Password of a size greater than Lmax is zero.


3D virtual environment for cued authentication


Page 20:

summary of cued-recall based schemes

20

Table 3: Cued-recall systems (summary). Columns: theoretical password space (bits), variant response, server probes, paper-based study, field study, login time, success rate, interference studied; † marks retained from the original. "–" = not reported; "i.d." = insufficient data. No web studies were reported; user-choice-resilience ratings are symbolic in the original and are not reproduced here.

Scheme                  Bits   Variant   Server  Paper   Field  Login   Success   Interference
                               response  probes  study   study  time    rate      studied
Jiminy                  9      no        1       2×/4wk  12wk   –       †47-73%   –
Suo's scheme            16/43  yes       i.d.    –       –      –       –         –
PassPoints              43     no        1       –       7-9wk  9-25s   38-94%    yes
CCP                     43     no        many    –       –      7s      96%       –
PCCP                    43     no        many    –       –      11-89s  83-94%    –
Inkblot Authentication  94     no        1       –       –      –       †68-80%   –
3D scheme               i.d.   i.d.      i.d.    –       –      –       –         –

Lab study entries, in the original's column order but with cell boundaries lost in extraction: –, 2×/1wk, 1×, 1×, 3×/1wk, –, 3×/6wk, 2×/2wk, 1×, 2×/2wk.

over time. Issues of accessibility may arise since different user populations, such as the elderly [93], have different requirements. Many of the systems we have discussed implicitly require users with good vision, potentially including good colour vision (for recognizing cues), and good motor skills (for entering sketches or accurate clicks on an image). Design of graphical password systems therefore needs to either address these issues, provide alternatives, or be very aware of the limitations they impose on who will be able to successfully use the software. Because authentication systems by their nature act as gate-keepers to computer systems and services, these issues must be taken very seriously and should be addressed in proposals for new schemes.

8.2 Tasks

Ease of login is the most frequently examined task, but is only one of many. Ideally, usability should be explored along several dimensions. For usability, essential elements to measure and report include: time to create a password, and time to login; memorability (typically through success rates and number of errors made during login over an extended period); and interference, by testing with a normal password load (as opposed to with only one password at a time).

8.2.1 Password Initialization

Authentication systems require initialization. A graphical password can either be assigned or user-selected. Training may be conducted, in part to compensate for the novelty of a scheme relative to well-known approaches like text passwords. Password confirmation is usually involved to ensure that users have not made trivial entry errors, and can accurately remember and enter their password after a short time before testing longer term memorability.

Allowing users to select their own password can aid usability since a password having personal meaning may be easier to remember. However, this design decision has security disadvantages. As discussed later, graphical password systems that suffer from predictability problems due to user choice include the canonical examples of all three main categories: Passfaces, DAS (Pass-Go), and PassPoints. For example, from their study of Face and Story, Davis et al. [30] conclude that user choice leads to predictable patterns that may be exploited by attackers.

Allowing user-chosen passwords can also encourage password reuse across accounts. Despite obvious usability advantages (e.g., reduced memory load, and no need to think of new creative passwords for each new account), password reuse implies that an attacker who gains access to an account on a weakly protected system may then have sufficient information to log in to that user's higher value accounts. If permitted, users often reuse passwords verbatim; Florencio et al. [44] found that text passwords are reused on an average of 6 different accounts. Many users also form some common strategy or pattern across accounts [1]. Both situations may be exploited by an attacker who acquires one of the passwords.

Systems which assign randomly selected passwords preclude attacks exploiting predictability, and also eliminate the potential for cross-account password reuse. However, such systems may require time-consuming training to help users remember their passwords (e.g., recall Weinshall [133]). Even with training, such passwords may remain more difficult to remember since opportunities for leveraging are removed. In the Passfaces study of Everitt et al. [41], which assigned passwords to avoid the predictability seen in earlier Passfaces studies, the order of password acquisition and login frequency significantly impacted password memorability. Allowing users to use their own images may improve memorability and encourage positive affective responses [69], but predictability and personalization may weaken security.

It is possible for a system to allow partial user choice in password selection. For example, in PCCP (see Section 6.2),


usability aspects
§ users
  § implicitly require users with
    § good (colour) vision
    § good motor skills
§ tasks
  § creating password
    § user or system chosen password
    § password re-use across accounts vs. memorability; PCCP
  § login
    § portable login
  § password reset and change
    § image reuse
§ memorability
  § interference -- "the impaired ability to remember an item when it is similar to other items stored in memory"
§ target environments


security aspects
§ more vulnerable to shoulder surfing than text passwords
§ less vulnerable to some social engineering
§ as vulnerable to malware


Figure 10: Most graphical password schemes fall along the descending line, where increased security implies decreased usability. The design goal is to increase usability and security simultaneously.

vide greater security than text passwords in the face of the most serious attacks such as resident malware, graphical passwords nonetheless remain of practical interest due to the possibility of offering at least as much security, with the possibility of greater usability and memorability.

In many systems having poor security, user actions compromise security in favour of memorability. The exploitable patterns evident in Passfaces, DAS, and PassPoints passwords result from users trying to select memorable passwords, which in turn increases predictability and facilitates password guessing. A challenge for designers is to identify memory aids for legitimate users, that cannot be leveraged by attackers to guess passwords. Furthermore, systems allowing some degree of user choice should encourage randomization of user-chosen sequences as well as individual items, to avoid divide and conquer guessing attacks. It remains an open question whether systems can be designed such that user choice does not significantly weaken security, or whether a successful combination of system suggestion and user choice can be devised. A complementary method for addressing predictable passwords is the use of so-called "strong" password protocols (e.g., SRP [142], EKE [9]) designed to provide protection against offline guessing attacks by avoiding verifiable text [50]. This can be important for both text and graphical passwords, but their design is notoriously tricky.

For usability, a major concern is multiple password interference. Visual cues provided by graphical passwords along with the potential of human memory processing for images offer reason for optimism, but further research is required to confirm that these can be translated into schemes with increased security and usability, in a realistic setting. As graphical passwords are not widely deployed, it is unknown if we will simply mirror text password problems, where users develop coping strategies, devise and reuse common patterns, and choose minimally secure passwords.

The development of password managers for graphical passwords might address the problem of memory interference. However, such managers may well suffer the same usability and security challenges as their text counterparts noted in Section 1, with additional challenges such as dealing with challenge-response schemes (variant responses) and coping with the variety of password entry requirements. Further consideration of password managers is beyond the scope of this paper. Related to password interference, it would be interesting to investigate user choice if given the opportunity to select both the password schemes and the passwords for multiple accounts, allowing for any number of each type.

We expect tomorrow's ideal graphical password systems may have many of the following desirable characteristics, reflecting lessons learned from proposals to date.

1. Theoretical password space meeting the security policy of the intended domain.

2. Avoidance of exploitable reductions in security due to user choice of passwords, e.g., through persuading password choice towards flatter distributions.

3. At least mild resistance to different types of capture attacks including shoulder surfing and key logging, through variable response (challenge-response) design.

4. Cues aiding memorability, design features minimizing password interference.

5. Usability (e.g., login success rates, login times, password creation times) as close as possible to, or better than, text passwords.

6. Implicit feedback to legitimate users, when passwords are multi-part.

7. Leveraging of pre-existing user-specific knowledge where possible, rather than having users memorize entirely new and/or random information.

In addition to the importance of the evaluation checklist of Section 10.4, and the characteristics immediately above, we emphasize here two additional lessons learned. First, design decisions related to usability should be evaluated jointly with an exploration of their impact on security, since a usable authentication system without adequate security fails to meet its primary purpose. For example, a system where users can choose memorable-but-weak passwords may be usable but can provide a false sense of security. Interface design changes that appear to affect only usability may in fact introduce additional security vulnerabilities.

Second, in assessing usability, apples-to-apples comparison requires comparing schemes of comparable security. Usability comparisons between schemes offering significantly different security propositions must highlight the lack of calibration, to avoid seriously misleading others. For example, the full password space of many recognition-based systems calibrates to that of 4-digit PINs, while recall and cued-recall systems are similar to text passwords of 8-characters-or-more. Longer login times may be acceptable for password-level systems than for PIN-level systems (recalling the Section 7 levels), if the former provide greater security.

Security and usability have historically been viewed as items to be traded off, representing opposite ends of a spectrum: increasing one necessarily decreases the other. Most products and mechanisms to date, including for many graphical password schemes, afford only fixed levers such that, for example, adding extra rounds to Passfaces increases security at the cost of an additional memorability burden since each extra round also exposes users to a new set of decoys. As illustrated in Figure 10, the challenge for the second generation of graphical passwords, and in the design for usable security in general, is to find new designs and architectures which afford increases in security and usability together.
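The calibration argument above (recognition-based spaces near a 4-digit PIN, recall and cued-recall spaces near an 8-character text password) and the earlier warning about divide-and-conquer guessing on multi-part passwords can be made concrete by computing theoretical password space in bits. The Python below is an added worked example, not code from the survey or from the lecture; the scheme parameterisations it uses (a 9-image panel over 4 rounds, a 451x331 image with a 19-pixel tolerance square and 5 clicks, 8 printable ASCII characters) are illustrative assumptions, not measurements of any deployed system.

```python
import math
from typing import List, Tuple

# Added worked example, not from the survey. All scheme parameters used here
# (panel sizes, image size, tolerance, click counts) are illustrative assumptions.


def space_bits(items_per_part: int, parts: int) -> float:
    """Bits of theoretical password space for a password made of `parts`
    independent parts, each chosen from `items_per_part` alternatives."""
    if items_per_part < 2 or parts < 1:
        raise ValueError("need at least two alternatives and one part")
    return parts * math.log2(items_per_part)


# The two calibration points the text uses: a 4-digit PIN and an 8-character
# password over the 95 printable ASCII characters.
PIN_LEVEL_BITS = space_bits(10, 4)        # about 13.3 bits
PASSWORD_LEVEL_BITS = space_bits(95, 8)   # about 52.6 bits


def recognition_space_bits(panel_size: int, rounds: int) -> float:
    """Recognition-based scheme: one target among `panel_size` images per
    round, repeated for `rounds` rounds (a Passfaces-style parameterisation)."""
    return space_bits(panel_size, rounds)


def cued_recall_space_bits(width: int, height: int, tolerance: int, clicks: int) -> float:
    """Cued-recall click scheme: each click is resolved to a square tolerance
    cell of `tolerance` pixels on a `width` x `height` image, `clicks` times
    (a PassPoints-style parameterisation)."""
    cells = math.ceil(width / tolerance) * math.ceil(height / tolerance)
    return space_bits(cells, clicks)


def security_level(bits: float) -> str:
    """Classify a space against the PIN-level / password-level calibration."""
    if bits >= PASSWORD_LEVEL_BITS:
        return "password-level"
    if bits >= PIN_LEVEL_BITS:
        return "above PIN-level, below password-level"
    return "PIN-level or below"


def guessing_cost(items_per_part: int, parts: int, parts_independently_verifiable: bool) -> int:
    """Worst-case number of guesses needed to exhaust the space.

    If an attacker can confirm each part on its own (for example, the system
    reveals whether a single click or face was right before the next part is
    entered), the parts can be attacked one at a time and the cost is the sum
    of the parts' spaces rather than their product: a divide-and-conquer attack.
    Feedback for multi-part passwords must therefore not be verifiable by an
    attacker, only by the legitimate user."""
    if parts_independently_verifiable:
        return items_per_part * parts
    return items_per_part ** parts


def calibrate(schemes: List[Tuple[str, float]]) -> List[Tuple[str, float, str]]:
    """Attach a security level to each (name, bits) pair, sorted by bits."""
    return sorted(((name, round(bits, 1), security_level(bits)) for name, bits in schemes),
                  key=lambda row: row[1])


if __name__ == "__main__":
    # Illustrative parameterisations (assumptions, not measured deployments).
    rows = calibrate([
        ("recognition: 9-image panel x 4 rounds", recognition_space_bits(9, 4)),
        ("cued recall: 451x331 image, 19px tolerance, 5 clicks",
         cued_recall_space_bits(451, 331, 19, 5)),
        ("text: 8 printable ASCII characters", space_bits(95, 8)),
    ])
    for name, bits, level in rows:
        print(f"{bits:5.1f} bits  {level:40s} {name}")
    cells = math.ceil(451 / 19) * math.ceil(331 / 19)
    print("5 clicks, verified jointly    :", guessing_cost(cells, 5, False))
    print("5 clicks, per-click feedback  :", guessing_cost(cells, 5, True))
```

Running it shows why the paper insists on calibrated comparisons: the recognition parameterisation lands just under 13 bits, the click-based one near 44 bits, and the text password near 53 bits, so login-time comparisons across these three are comparing very different security propositions. The last two lines show the divide-and-conquer effect: with five clicks over 432 tolerance cells, an attacker who must verify the whole password at once faces 432^5 guesses, while one who can verify each click separately needs at most 5 x 432.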
