Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems

The weakness of knowledge-based authentication systems, such as passwords and Personal Identification Numbers (PINs), is well known, and reflects an uneasy compromise between security and human memory constraints. Research has been undertaken for some years now into the feasibility of graphical authentication mechanisms in the hope that these will provide a more secure and memorable alternative. The graphical approach substitutes the exact recall of alphanumeric codes with the recognition of previously learnt pictures, a skill at which humans are remarkably proficient. So far, little attention has been devoted to usability, and initial research has failed to conclusively establish significant memory improvement. This paper reports two user studies comparing several implementations of the graphical approach with PINs. Results demonstrate that pictures can be a solution to some problems relating to traditional knowledge-based authentication but that they are not a simple panacea, since a poor design can eliminate the picture superiority effect in memory. The paper concludes by discussing the potential of the graphical approach and providing guidelines for developers contemplating using these mechanisms.
