Evaluation of recognition-based graphical password schemes in terms of usability and security attributes

User authentication is a critical component of information security. Widely used security mechanisms for protecting services from illegal access include alphanumeric usernames and passwords. However, this method has several drawbacks. For instance, users themselves usually choose passwords that are easy to guess, as difficult passwords are difficult to recall. A new alternative is the graphical password, and there has been a growing trend in its use. Human psychology research reveals that humans find it easier to remember pictures than words. There are two main aspects to a graphical password scheme, namely security and usability. This study comprises comprehensive research into the current recognition-based graphical password schemes. The common usability attributes of, and possible attacks on, recognition-based graphical passwords are reviewed, identified and examined in detail. There are several previous surveys on graphical passwords. The latest research reviews and summarizes graphical password systems concisely and, at the same time, analyzes the usability features of every design. However, it was found that no single method has the most resounding usability attributes. Therefore, this research suggests a set of usability attributes that can be applied in a single recognition-based graphical password system. In addition, this study examines and compares login success rates, login time and memorability of existing systems, which are the usability measures most often reported in user studies of graphical passwords. Lastly, a comparison table is presented to set out the limitations and strengths of each approach in terms of security and usability.
