Multiple-Password Interference in the GeoPass User Authentication Scheme

Password schemes based on selecting locations in an online map are an emerging topic in user authentication research. GeoPass is the most promising such scheme, as it provides satisfactory resilience against online guessing and showed high memorability (97%) for a single location-password. No multiple-password interference study, however, has been conducted to see if GeoPass or any other location-based password scheme is suitable for real-world deployment, where users have to remember multiple passwords. In this paper, we report the results of two separate multiple-password studies on GeoPass, each conducted over the span of three weeks. In the first study, we aim to understand the effects of interference on the GeoPass scheme, where we found that users remembered location-passwords in less than 70% of login sessions, with 41.5% of login failures due to interference effects. Through a detailed analysis, we identify why interference occurs for location-passwords, and based on our findings, we propose to leverage mental stories to address the interference issue. We then perform a second interference study on a modified GeoPass scheme to test the efficacy of our approach, where we found that the login success rate was greater than 97% and 3.4% of login attempts failed because of interference effects.
