Graphical One-Time Password (GOTPass): A usability evaluation

ABSTRACT

Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords is difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. In addition, they are vulnerable to various types of attacks, such as shoulder surfing, replay, and keylogger attacks (Gupta, Sahni, Sabbu, Varma, & Gangashetty, 2012) One-Time Passwords (OTPs) aim to overcome such problems (Gupta et al., 2012); however, most implemented OTP techniques require special hardware, which not only adds cost, but there are also issues regarding its availability (Brostoff, Inglesant, & Sasse, 2010). In contrast, the use of graphical passwords is an alternative authentication mechanism designed to aid memorability and ease of use, often forming part of a multifactor authentication process. This article is complementary to the earlier work that introduced and evaluated the security of the new hybrid user-authentication approach: Graphical One-Time Password (GOTPass) (Alsaiari et al., 2015). The scheme aims to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. The article presents the results of an empirical user study that investigates the usability features of the proposed approach, as well as pretest and posttest questionnaires. The experiment was conducted during three separate sessions, which took place over five weeks, to measure the efficiency, effectiveness, memorability, and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 s.     

图形密码身份认证方案设计及其安全性分析

为了解决身份认证方案中口令的安全性和易记忆性的矛盾,针对传统的字符式口令的诸多缺点,提出了结合新型图形密码的身份认证参考方案.在图形密码设计原则下,依据基于识别型和基于记忆型的设计思想,提出图形密码身份认证参照方案,并将图形密码的安全性与文本密码进行比较,分析了图形密码的密钥空间和抵抗常见口令攻击的能力.经分析多数图形密码在易记忆性和安全性方面优于传统密码.     

Why That Picture? Discovering Password Properties in Recognition-Based Graphical Authentication

Numerous graphical authentication ideas have been proposed on how to address the security and usability of text-based passwords. However, it remains unclear how users approach graphical password selection and the inherent personal bias when selecting images. This study investigates user choices in password selection for recognition-based graphical authentication. Our analysis is based on a total of 302 participants continuously using a graphical authentication system during a 6-week long study. The results show pronounced preference effects for image properties such as color, shape, and category. Additionally, there is a significant difference between genders in the selected images based on the same properties.     

An Enhanced Drawing Reproduction Graphical Password Strategy

Passwords are used in the vast majority of computer and communication systems for authentication. The greater security and memorability of graphical passwords make them a possible alternative to traditional textual passwords. In this paper we propose a new graphical password scheme called YAGP, which is an extension of the Draw-A-Secret (DAS) scheme. The main difference between YAGP and DAS is soft matching. The concepts of the stroke-box, image-box, trend quadrant, and similarity are used to describe the images characteristics for soft matching. The reduction in strict user input rules in soft matching improves the usability and therefore creates a great advantage. The denser grid granularity enables users to design a longer password, enlarging the practical password space and enhancing security. Meanwhile, YAGP adopts a triple-register process to create multi-templates, increasing the accuracy and memorability of characteristics extraction. Experiments illustrate the effectiveness of YAGP.     

Bend Passwords: using gestures to authenticate on flexible devices

Upcoming mobile devices will have flexible displays, allowing us to explore alternate forms of user authentication. On flexible displays, users can interact with the device by deforming the surface of the display through bending. In this paper, we present Bend Passwords, a new type of user authentication that uses bend gestures as its input modality. We ran three user studies to evaluate the usability and security of Bend Passwords and compared it to PINs on a mobile phone. Our first two studies evaluated the creation and memorability of user-chosen and system-assigned passwords. The third study looked at the security problem of shoulder-surfing passwords on mobile devices. Our results show that bend passwords are a promising authentication mechanism for flexible display devices. We provide eight design recommendations for implementing Bend Passwords on flexible display devices.     

A Human-Cognitive Perspective of Users’ Password Choices in Recognition-Based Graphical Authentication

ABSTRACT

Graphical password composition is an important part of graphical user authentication which affects the strength of the chosen password. Considering that graphical authentication is associated with visual search, perception, and information retrieval, in this paper we report on an eye-tracking study (N = 109) that aimed to investigate the effects of users’ cognitive styles toward the strength of the created passwords and shed light into whether and how the visual strategy of the users during graphical password composition is associated with the passwords’ strength. For doing so, we adopted Witkin’s Field Dependence-Independence theory, which underpins individual differences in visual information and cognitive processing, as graphical password composition tasks are associated with visual search. The analysis revealed that users with different cognitive processing characteristics followed different patterns of visual behavior during password composition which affected the strength of the created passwords. The findings underpin the need of considering human-cognitive characteristics as a design factor in graphical password schemes. The paper concludes by discussing implications for improving recognition-based graphical passwords through adaptation and personalization techniques based on individual cognitive characteristics.     

Bu-Dash: a universal and dynamic graphical password scheme (extended version)

Passwordless authentication is a trending theme in cyber security, while biometrics gradually replace knowledge-based schemes. However, Personal Identification Numbers, passcodes, and graphical passwords are still considered as the primary means for authentication. Passwords must be memorable to be usable; therefore, users tend to choose easy to guess secrets, compromising security. The Android Pattern Unlock is a popular graphical password scheme that can be easily attacked by exploiting human behavioristic traits. Despite its vulnerabilities, the popularity of the scheme has led researchers to propose adjustments and variations that enhance security but maintain its familiar user interface. Nevertheless, prior work demonstrated that improving security while preserving usability remains frequently a hard task. In this paper we propose a novel graphical password scheme built on the foundations of the well-accepted Android Pattern Unlock method, which is usable, inclusive, universal, and robust against shoulder surfing and (basically) smudge attacks. Our scheme, named Bu-Dash, features a dynamic user interface that mutates every time a user swipes the screen. Our pilot studies illustrate that Bu-Dash attracts positive user acceptance rates, it is secure, and maintains high usability levels. We define complexity metrics that can be used to further diversify user input, and we conduct complexity and security assessments.

     

Feasibility study of tactile-based authentication

Research suggests that human limitations are rarely considered in the design of knowledge-based authentication systems. In an attempt to foster entry to a system, individuals tend to choose passwords which are easy to recall. However, inappropriate selection can compromise data security. A novel approach has been developed to restore the balance between security and memorability through the use of the haptic channel. This paper introduces the Tactile Authentication System (TAS), which enables the user to authenticate entry through the ability to remember a sequence of pre-selected tactile sensations. The design process undertaken to develop distinguishable tactile stimuli for use within TAS is described, and details of the recognition-based tactile authentication mechanism are also presented. Findings from an empirical study reported in this paper, have revealed that 16 participants were able to authenticate access to TAS over the course of a one-month period, with low levels of error. The approach was found to offer benefits over conventional visual-based authentication methods. Tactile stimuli are presented underneath the fingertips, and are therefore occluded from others. As the sense of touch is personal to each user, tactile stimuli are difficult to describe in concrete terms, and cannot easily be written down or disclosed, thereby reducing the chance of unauthorized third party access.     

An Enhanced Graphical Authentication Scheme Using Multiple-Image Steganography

Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down in order to compromise security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and do not be controlled directly by users. Graphical user authentication methods have recently been proposed to verify the user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which comprises benefits over both recognition and recall-based graphical techniques besides image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.     

A new method for using hash functions to solve remote user authentication

Recently, Peyravian and Zunic proposed the remote password authentication schemes only based on the collision-resistant hash function. The schemes are, therefore, easy to implement and simple to use. The attractive properties cause a series of discussion. Several security flaws are found and remedied. Unfortunately, most of the remedies either are insecure or violate the original advantages because of involving public-key cryptosystems or modular exponential operations. Hence, it is still a challenge to design a secure scheme abiding by the beneficial assumption of the Peyravian-Zunic schemes. The proposed scheme not only keeps the original advantages (user friendness and computational cheapness) but also highlights certain of valuable features, such as (1) mutual authentication (higher security level), (2) server’s ignorance of users’ passwords (further security guaranee to users, specially for financial services), (3) immunity from maintaining security-sensitive table (maintaining burden reduction to servers), and so forth.     

Tackling the Password Problem: Image- and Gesture-Based Alternatives to Alphanumeric Passwords

Abstract

Alphanumeric passwords remain a ubiquitous means of user authentication, yet they are plagued by a fundamental problem: Secure passwords are difficult to create and remember. This paper suggests that image- or gesture-based passwords might strike a better balance between security and usability. It examines two such systems that are currently in widespread commercial use and examines alternative approaches that may offer insights for future improvements. Finally, it considers the possibility that touch-screen gesture passwords may become a viable biometric measure, which may allow them to provide multi-factor gesture-based authentication.     

Faces and Pictures: Understanding age differences in two types of graphical authentications

Recall of knowledge-based authentication codes such as passwords and PINs can be problematic, particularly for older adults given the known memory decline associated with ageing. We explored the extent to which recognition-based Graphical Authentication Systems were effective alternatives to PINs and passwords in a study in which users were asked to commit several different codes to memory and recall them at different time periods. Populations of younger and older adults were given face-based and picture-based authentication codes to remember over the course of three weeks. Results show a pronounced age effect, with younger participants outperforming older participants. Older participants fared better with the face-based system over the picture-based system while younger participants exhibited the opposite effect. A significant performance drop was observed for older participants over time, as additional codes were introduced.     

Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords

Complex passwords are hard to remember, so people often pick simple passwords, write complex ones down, and reuse the same password across multiple accounts. Proactive password checking (PPC) restrictions and mnemonic techniques can enhance password security and memorability. Participants in this study were assigned to one of three password generation groups: PPC restrictions alone, image-based mnemonic, or text-based mnemonic. They were asked to generate and later recall passwords for five separate fictitious online accounts. The use of mnemonic techniques resulted in the generation of longer and more complex passwords. Furthermore, passwords were more accurately recalled when they were generated using the image-based mnemonic technique or PPC restrictions alone, as opposed to the text-based mnemonic technique. However, passwords generated using PPC restrictions alone were more easily forgotten and susceptible to being cracked. Thus, the image-based mnemonic technique was shown to be the most effective method for generating secure and memorable passwords.     

Encouraging users to improve password security and memorability

Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory, and human perceptions together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of human factors-caused security problems, we offer a reliable solution by encouraging users to create their own formula to compose passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group who were given several password creation methods along with a persuasive message created more secure and memorable passwords than the participants in the control group who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements such as adding persuasive text to the usual password guidelines consisting of several password restriction rules make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.

     

User interface design affects security: patterns in click-based graphical passwords

Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.     

Secure Graphical One Time Password (GOTPass): An Empirical Study

ABSTRACT

The traditional text-based password has been the default security medium for years; however, the difficulty of memorizing secure strong passwords often leads to insecure practices. A possible alternative solution is graphical authentication, which is motivated by the fact that the capability of humans’ memory for images is superior to text, which helps to improve password usability and security. Recently, some implementations of graphical authentication techniques have been deployed in practice. This paper introduces a new hybrid graphical authentication, “GOTPass,” that authenticates by means of a one-time numerical code that needs to be typed in based on a sequence of secret images and a prechosen input format. An important focus for this paper was the security aspects of the graphical password scheme. This paper reports an in-depth analysis of the security evaluation and shows a high resistance capability of GOTPass against common graphical password attacks. Three attacks were simulated (Guessing, Intersection, and Shoulder-surfing), and the results showed that nearly 98% of the 690 attempts failed to compromise the system.     

A user authentication system using back-propagation network

Information security has been a critical issue in the field of information systems. One of the key factors in the security of a computer system is how to identify the authorization of users. Password-based user authentication is widely used to authenticate a legitimate user in the current system. In conventional password-based user authentication schemes, a system has to maintain a password table or verification table which stores the information of users IDs and passwords. Although the one-way hash functions and encryption algorithms are applied to prevent the passwords from being disclosed, the password table or verification table is still vulnerable. In order to solve this problem, in this paper, we apply the technique of back-propagation network instead of the functions of the password table and verification table. Our proposed scheme is useful in solving the security problems that occurred in systems using the password table and verification table. Furthermore, our scheme also allows each user to select a username and password of his/her choice.     

Secure Encrypted Steganography Graphical Password scheme for Near Field Communication smartphone access control system

The revolutionary development of smartphone which offers compelling computing and storage capabilities has radically changed the digital lifestyles of users. The integration of Near Field Communication (NFC) into smartphone has further opened up opportunities for new applications and business models such as in industry for payment, electronic ticketing and access control systems. NFC and graphical password scheme are two imperative technologies that can be used to achieve secure and convenient access control system. One of the potential uses of such technologies is the integration of steganography graphical password scheme into NFC-enabled smartphone to transcend conventional digital key/tokens access control systems into a more secure and convenient environment. Smartphone users would have more freedom in customizing the security level and how they interact with the access control system. As such, this paper presents a secure two-factor authentication NFC smartphone access control system using digital key and the proposed Encrypted Steganography Graphical Password (ESGP). This paper also validates the user perception and behavioral intention to use NFC ESGP smartphone access control system through an experiment and user evaluation survey. Results indicated that users weigh security as a dominant attribute for their behavioral intention to use NFC ESGP smartphone access control system. Our findings offer a new insight for security scholars, mobile device service providers and expert systems to leverage on the two-factor authentication with the use of NFC-enabled smartphone.     

Shoulder-surfing-proof graphical password authentication scheme

The graphical password authentication scheme uses icons instead of text-based passwords to authenticate users. Icons might be somehow more familiar to human beings than text-based passwords, since it is hard to remember the latter with sufficient security strength. No matter what kind of password is used, there are always shoulder-surfing problems. An attacker can easily get text-based password or graphical password by observation, capturing a video or recording the login process. In this paper, we propose a shoulder-surfing-proof graphical password authentication scheme using the convex-hull graphical algorithm. We give evaluation and comparisons to demonstrate the security strength and the functionality advantages of our scheme.