Usable authentication and click-based graphical passwords

Security experts often refer to humans as the "weakest link" (Sasse, Brostoff, and Weirich, 2001) in the security chain, asserting that the problem lies not with the security systems themselves but with users who are unable or unwilling to comply with security protocols. The shift towards usable security, and towards including human factors in system design, is an important one with a direct impact on system security. In this thesis, we focus on knowledge-based authentication. We examine the password problem: passwords tend to be either weak-and-memorable or secure-but-difficult-to-remember, despite the need for passwords that are both secure and memorable. We concentrate on graphical passwords because of the human ability to accurately recognize and recall images. We began by cataloguing existing graphical password schemes, weighing usability and security characteristics equally, and identified PassPoints, a click-based graphical password scheme, as the most promising candidate and the one we believed warranted closer evaluation. Our overall research question therefore asks: "Can click-based graphical passwords simultaneously support both memorability and security, while maintaining usability?" We conducted lab and field studies of PassPoints and identified areas for usability and security improvements. We then designed Cued Click-Points and Persuasive Cued Click-Points, schemes with several novel design features: one-to-one cueing to aid memorability, implicit feedback meaningful only to legitimate users, and a safe path of least resistance that influences users to select stronger yet memorable passwords. Empirical studies of both schemes provide evidence of increased usability, memorability, and security. Additionally, we propose a new discretization method for such systems that improves usability by making the system more predictable from the user's perspective, and improves security by allowing smaller tolerance regions without sacrificing usability.
From this empirical work, we identified the underlying design characteristics of our systems that led to success and generalized our findings as design strategies that may be applicable to other knowledge-based authentication schemes.
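As an added illustration of why tolerance regions and discretization interact with both usability and security in click-based schemes, the following Python sketch enrols and verifies a five-click password two ways: on a fixed grid anchored at the image origin, where a click a couple of pixels from the enrolled point can fall into a neighbouring cell and be rejected, and on a per-click grid whose offset is chosen so that the enrolled click sits at the centre of its cell, which makes the accepted region predictable. This is example code written for this page, not code from the thesis or from the PassPoints, CCP or PCCP projects; the image size, the 19-pixel tolerance, the click coordinates and the function names are constructed assumptions, and the offset-grid variant is a simplified illustration of the stored-offset idea from the discretization literature, not the thesis's own method.

```python
import hashlib
import hmac
import os

# Constructed parameters (assumptions for this illustration, not values from the thesis):
# a PassPoints-style image of 451x331 pixels and a tolerance radius of 19 pixels.
IMAGE_WIDTH, IMAGE_HEIGHT = 451, 331
TOLERANCE = 19
CELL = 2 * TOLERANCE        # side length of one square grid cell
CLICKS_PER_PASSWORD = 5


def discretize_fixed(x, y):
    """Fixed grid anchored at the image origin: index of the cell containing (x, y).

    Two clicks less than TOLERANCE pixels apart can still land in different cells when a
    cell boundary runs between them; the user cannot see where that boundary is.
    """
    return (x // CELL, y // CELL)


def fixed_grid_match(enrolled, attempt):
    """Login check on the fixed grid: every click must land in the cell used at enrollment."""
    return [discretize_fixed(*c) for c in enrolled] == [discretize_fixed(*c) for c in attempt]


def center_offset(x, y):
    """Choose a grid offset such that (x, y) sits at the centre of its cell.

    Cells then start at offset + k*CELL, so the cell holding the enrolled click covers
    [x - TOLERANCE, x + TOLERANCE) horizontally and the same range vertically.
    """
    return ((x - TOLERANCE) % CELL, (y - TOLERANCE) % CELL)


def discretize_offset(x, y, offset):
    """Grid shifted by a per-click offset: index of the cell containing (x, y) on that grid."""
    ox, oy = offset
    return ((x - ox) // CELL, (y - oy) // CELL)


def hash_cells(cells, salt):
    """Slow-hash the sequence of cell indices; only this digest is stored, never the pixels."""
    data = ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def enroll(clicks):
    """Enrol an ordered click sequence: store the salt, the per-click offsets and the digest."""
    if len(clicks) != CLICKS_PER_PASSWORD:
        raise ValueError("expected exactly %d clicks" % CLICKS_PER_PASSWORD)
    for x, y in clicks:
        if not (0 <= x < IMAGE_WIDTH and 0 <= y < IMAGE_HEIGHT):
            raise ValueError("click outside image")
    salt = os.urandom(16)
    offsets = [center_offset(x, y) for x, y in clicks]
    cells = [discretize_offset(x, y, o) for (x, y), o in zip(clicks, offsets)]
    return {"salt": salt, "offsets": offsets, "digest": hash_cells(cells, salt)}


def verify(record, clicks):
    """Login check on the offset grid: rediscretize with the stored offsets, compare digests."""
    if len(clicks) != len(record["offsets"]):
        return False
    cells = [discretize_offset(x, y, o) for (x, y), o in zip(clicks, record["offsets"])]
    return hmac.compare_digest(hash_cells(cells, record["salt"]), record["digest"])


if __name__ == "__main__":
    enrolled = [(100, 50), (300, 200), (40, 310), (420, 120), (220, 260)]  # constructed clicks
    record = enroll(enrolled)
    near = [(x + 15, y - 15) for x, y in enrolled]  # every click within tolerance
    print("offset grid, 15 px off each click:", verify(record, near))            # True
    print("fixed grid, clicks at x=75 and x=77:", fixed_grid_match([(75, 10)], [(77, 10)]))  # False
```

The offsets are stored in the clear, so anyone holding the record learns each click position modulo the cell size; what remains secret is which cell was chosen, and the guessing space per click is the number of cells, not the number of pixels. That is the trade-off the abstract describes: a smaller tolerance means more cells and a larger password space, and a predictable accepted region is what lets the tolerance shrink without turning legitimate logins into failures. Salted PBKDF2 over the cell indices raises the cost of an offline search over that space but does not eliminate it, which is why limiting the space through user-facing design matters as much as the hashing.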

[1] Michael Backes et al. Compromising Reflections – or – How to Read LCD Monitors Around the Corner. 2008 IEEE Symposium on Security and Privacy, 2008.

[2] Susan Wiedenbeck et al. Authentication Using Graphical Passwords: Basic Results, 2005.

[3] L. Faulkner. Beyond the five-user assumption: Benefits of increased sample sizes in usability testing. Behavior Research Methods, Instruments, & Computers, 2003.

[4] Robert Biddle et al. Centered Discretization with Application to Graphical Passwords. UPSEC, 2008.

[5] Jennifer Preece et al. Electronic Survey Methodology: A Case Study in Reaching Hard-to-Involve Internet Users. Int. J. Hum. Comput. Interact., 2003.

[6] Ka-Ping Yee et al. Guidelines and Strategies for Secure Interaction Design, 2005.

[7] Sri Hastuti Kurniawan et al. Review of Interaction Design, 2003.

[8] Radia J. Perlman et al. Network Security: Private Communication in a Public World. Prentice Hall Series in Computer Networking and Distributed Systems, 2002.

[9] Alan F. Blackwell et al. The memorability and security of passwords – some empirical results, 2000.

[10] P. van Oorschot et al. Multiple Password Interference in Text and Click-Based Graphical Passwords, 2008.

[11] Allen Allport et al. Visual Attention, 1989.

[12] Michael Workman et al. Gaining Access with Social Engineering: An Empirical Study of the Threat. Inf. Secur. J. A Glob. Perspect., 2007.

[13] Joshua Cook et al. Improving password security and memorability to protect personal and organizational information. Int. J. Hum. Comput. Stud., 2007.

[14] Robert Biddle et al. A second look at the usability of click-based graphical passwords. SOUPS '07, 2007.

[15] Alain Forget et al. Influencing users towards better passwords: persuasive cued click-points, 2008.

[16] Dennis J. Delprato et al. Mind and Its Evolution: A Dual Coding Theoretical Approach, 2009.

[17] Alain Forget et al. Multiple password interference in text passwords and click-based graphical passwords. CCS, 2009.

[18] John R. Anderson et al. Recognition and retrieval processes in free recall, 1972.

[19] Julie Thorpe et al. On Predicting and Exploiting HotSpots in Click-Based Graphical Passwords, 2008.

[20] Nancy Staggers et al. Mental Models: Concepts for Human-Computer Interaction Research. Int. J. Man Mach. Stud., 1993.

[21] Nasir D. Memon et al. Authentication using graphical passwords: effects of tolerance and image choice. SOUPS '05, 2005.

[22] Hai Tao et al. Pass-Go: A Proposal to Improve the Usability of Graphical Passwords. Int. J. Netw. Secur., 2008.

[23] Alain Forget et al. User interface design affects security: patterns in click-based graphical passwords. International Journal of Information Security, 2009.

[24] Jared M. Spool et al. Testing web sites: five users is nowhere near enough. CHI Extended Abstracts, 2001.

[25] Dugald Ralph Hutchings et al. Order and entropy in picture passwords. Graphics Interface, 2008.

[26] Stephen J. Payne et al. Chapter 6 – Users' Mental Models: The Very Ideas, 2003.

[27] Ying Zhu et al. Graphical passwords: a survey. 21st Annual Computer Security Applications Conference (ACSAC '05), 2005.

[28] R. Haber et al. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli, 1970.

[29] Peter J. Diggle et al. Statistical Analysis of Spatial Point Patterns, 1983.

[30] Karen Renaud et al. On user involvement in production of images used in visual authentication. J. Vis. Lang. Comput., 2009.

[31] Mukesh Singhal et al. Password-Based Authentication: Preventing Dictionary Attacks. Computer, 2007.

[32] Sacha Brostoff et al. Transforming the 'Weakest Link' – a Human/Computer Interaction Approach to Usable and Effective Security, 2001.

[33] Benjamin B. M. Shao et al. The usability of passphrases for authentication: An empirical field study. Int. J. Hum. Comput. Stud., 2007.

[34] Nasir D. Memon et al. Modeling user choice in the PassPoints graphical password scheme. SOUPS '07, 2007.

[35] Alexandre Gaudeul. An Experimental Study of Memory, 1921.

[36] Ivan Flechais et al. Usable Security: Why Do We Need It? How Do We Get It?, 2005.

[37] Ka-Ping Yee et al. Aligning Security and Usability. IEEE Secur. Priv., 2004.

[38] Colin Potts et al. Design of Everyday Things, 1988.

[39] Tom Carey et al. ACM SIGCHI Curricula for Human-Computer Interaction, 1992.

[40] Lorrie Faith Cranor et al. A Framework for Reasoning About the Human in the Loop. UPSEC, 2008.

[41] John Cotton et al. Basic Statistics for the Behavioral Sciences, 1978.

[42] Mary Ellen Zurko et al. User-centered security. NSPW '96, 1996.

[43] Xiaoyuan Suo et al. A Design and Analysis of Graphical Password, 2006.

[44] J. Kase. Graphical Passwords, 2008.

[45] Antonella De Angeli et al. Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. Int. J. Hum. Comput. Stud., 2005.

[46] Jakob Nielsen et al. Improving a human-computer dialogue. CACM, 1990.

[47] Gonzalo Navarro et al. A guided tour to approximate string matching. CSUR, 2001.

[48] Anastasis D. Petrou. Review of "Persuasive technology: Using computers to change what we think and do" by B. J. Fogg (Morgan Kaufmann, 2003), 2003.

[49] B. J. Fogg et al. Persuasive technology: using computers to change what we think and do. UBIQ, 2002.

[50] Rachna Dhamija et al. The Seven Flaws of Identity Management: Usability and Security Challenges. IEEE Security & Privacy, 2008.

[51] Robert Biddle et al. A Usability Study and Critique of Two Password Managers. USENIX Security Symposium, 2006.

[52] Robert Biddle et al. Graphical Password Authentication Using Cued Click Points. ESORICS, 2007.

[53] Marie-Colette van Lieshout et al. Indices of Dependence Between Types in Multivariate Point Patterns, 1999.

[54] Niels Provos et al. All Your iFRAMEs Point to Us. USENIX Security Symposium, 2008.

[55] Daniel Klein et al. Foiling the cracker: A survey of, and improvements to, password security, 1992.

[56] Julie Thorpe et al. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords. USENIX Security Symposium, 2007.

[57] Ben Shneiderman et al. Designing the User Interface, 2013.

[58] Lynn Westbrook et al. Mental models: a theoretical overview and preliminary study. J. Inf. Sci., 2006.

[59] Ka-Ping Yee et al. User Interaction Design for Secure Systems. ICICS, 2002.

[60] A. Baddeley et al. A non-parametric measure of spatial interaction in point patterns. Advances in Applied Probability, 1996.

[61] Markus Jakobsson et al. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, 2006.

[62] Susan Wiedenbeck et al. Design and evaluation of a shoulder-surfing resistant graphical password scheme. AVI '06, 2006.

[63] Jerome H. Saltzer et al. The protection of information in computer systems. Proc. IEEE, 1975.

[64] Marti A. Hearst et al. Why phishing works. CHI, 2006.

[65] J. Henderson et al. Accurate visual memory for previously attended objects in natural scenes, 2002.

[66] Simson Garfinkel et al. UNIX System Security Tools, 1999.

[67] J. L. Thames et al. A distributed active response architecture for preventing SSH dictionary attacks. IEEE SoutheastCon 2008, 2008.

[68] Michael K. Reiter et al. The Design and Analysis of Graphical Passwords. USENIX Security Symposium, 1999.

[69] Tal Garfinkel et al. Reducing shoulder-surfing by using gaze-based password entry. SOUPS '07, 2007.

[70] Ross Ihaka and R. Gentleman. R: A language for data analysis and graphics, 1996.

[71] Vibha Sazawal et al. Doodling our way to better authentication. CHI Extended Abstracts, 2002.

[72] A. Paivio et al. Why are pictures easier to recall than words?, 1968.

[73] Alain Forget et al. Memorability of persuasive passwords. CHI Extended Abstracts, 2008.

[74] Larry Rudolph et al. Passdoodles: a Lightweight Authentication Method, 2004.

[75] B. Malek et al. Haptic-Based Sensible Graphical Password, 2007.

[76] Nasir D. Memon et al. Graphical passwords based on robust discretization. IEEE Transactions on Information Forensics and Security, 2006.

[77] G. Naveen Sundar et al. Password management using doodles. ICMI '07, 2007.

[78] Jeremy M. Wolfe et al. Visual Attention. Computational Models for Cognitive Vision, 2020.

[79] Cormac Herley et al. A large-scale study of web password habits. WWW '07, 2007.

[80] William L. Simon et al. The Art of Deception: Controlling the Human Element of Security, 2001.

[81] Wendy Moncur et al. Pictures at the ATM: exploring the usability of multiple graphical passwords. CHI, 2007.

[82] Lynne Coventry. Usable Biometrics, 2005.

[83] Robin Berthier et al. Profiling Attacker Behavior Following SSH Compromises. 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN '07), 2007.

[84] M. Furlong et al. Eight Was Not Enough, 2009.

[85] E. Tulving et al. Availability versus accessibility of information in memory for words, 1966.

[86] Julie Thorpe et al. On predictive models and user-drawn graphical passwords. TSEC, 2008.

[87] Dorothy E. Denning et al. Location-based authentication: Grounding cyberspace for better security, 1996.

[88] Benny Pinkas et al. Securing passwords against dictionary attacks. CCS '02, 2002.

[89] Yvonne Rogers et al. Interaction Design: Beyond Human-Computer Interaction, 2002.

[90] Adrian Baddeley et al. spatstat: An R Package for Analyzing Spatial Point Patterns, 2005.

[91] Nasir D. Memon et al. PassPoints: Design and longitudinal evaluation of a graphical password system. Int. J. Hum. Comput. Stud., 2005.

[92] Alain Forget et al. Improving text passwords through persuasion. SOUPS '08, 2008.

[93] Ross J. Anderson. Why cryptosystems fail. CCS '93, 1993.

[94] M. Angela Sasse et al. Users are not the enemy. CACM, 1999.

[95] L. Jean Camp et al. Mental Models of Security Risks. Financial Cryptography, 2007.

[96] Volker Roth et al. A PIN-entry method resilient against shoulder surfing. CCS '04, 2004.

[97] Robin Jeffries et al. Applying cognitive walkthroughs to more complex user interfaces: experiences, issues, and recommendations. CHI, 1992.

[98] Don Davis. Compliance Defects in Public Key Cryptography. USENIX Security Symposium, 1996.

[99] Krzysztof Golofit. Click Passwords Under Investigation. ESORICS, 2007.

[100] R. Biddle et al. Persuasion as Education for Computer Security, 2007.

[101] Nicolas Christin et al. Use Your Illusion: secure authentication usable anywhere. SOUPS '08, 2008.

[102] Paul Dourish et al. An approach to usable security based on event monitoring and visualization. NSPW '02, 2002.

[103] Kai Wang et al. Reconsidering physical key secrecy: teleduplication via optical decoding. CCS, 2008.

[104] David A. Wagner et al. Cryptanalysis of a Cognitive Authentication Scheme (Extended Abstract). 2007 IEEE Symposium on Security and Privacy (SP '07), 2007.

[105] Adrian Perrig et al. Déjà Vu: A User Study Using Images for Authentication, 2000.

[106] Julie Thorpe et al. Analyzing User Choice in Graphical Passwords, 2004.

[107] Julie Thorpe et al. On Purely Automated Attacks and Click-Based Graphical Passwords. 2008 Annual Computer Security Applications Conference (ACSAC), 2008.

[108] Brent Waters et al. A convenient method for securely managing passwords. WWW '05, 2005.

[109] Dan Boneh et al. Stronger Password Authentication Using Browser Extensions. USENIX Security Symposium, 2005.

[110] Lorrie Faith Cranor et al. Security and Usability: Designing Secure Systems that People Can Use, 2005.

[111] Endel Tulving et al. Continuity between recall and recognition, 1973.

[112] Abdulmotaleb El-Saddik et al. A Novel 3D Graphical Password Schema. 2006 IEEE Symposium on Virtual Environments, Human-Computer Interfaces and Measurement Systems, 2006.

[113] Daphna Weinshall et al. Cognitive authentication schemes safe against spyware. 2006 IEEE Symposium on Security and Privacy (S&P '06), 2006.

[114] Paul C. van Oorschot et al. On countering online dictionary attacks with login histories and humans-in-the-loop. TSEC, 2006.

[115] Patrick Olivier et al. Securing passfaces for description. SOUPS '08, 2008.

[116] Lorrie Faith Cranor et al. Human selection of mnemonic phrase-based passwords. SOUPS '06, 2006.

[117] J. Yan et al. Password memorability and security: empirical results. IEEE Security & Privacy Magazine, 2004.

[118] Jeff Yan et al. Do background images improve "draw a secret" graphical passwords? CCS '07, 2007.

[119] R. Shepard. Recognition memory for words, sentences, and pictures, 1967.

[120] Alain Forget et al. Persuasion for Stronger Passwords: Motivation and Pilot Study. PERSUASIVE, 2008.

[121] V. S. Reed et al. Pictorial superiority effect. Journal of Experimental Psychology: Human Learning and Memory, 1976.

[122] I. Scott MacKenzie et al. Extending Fitts' law to two-dimensional tasks. CHI, 1992.

[123] F. Craik et al. Age differences in recall and recognition, 1987.

[124] Walter Kintsch et al. 11 – Models for Free Recall and Recognition, 1970.

[125] Sharath Pankanti et al. Biometric Identification, 2000.

[126] Jakob Nielsen et al. Usability engineering. The Computer Science and Engineering Handbook, 1997.

[127] Jerome H. Saltzer et al. Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE J. Sel. Areas Commun., 1993.

[128] Robert A. Virzi et al. Refining the Test Phase of Usability Evaluation: How Many Subjects Is Enough?, 1992.

[129] M. Angela Sasse et al. Are Passfaces More Usable Than Passwords? A Field Trial Investigation. BCS HCI, 2000.

[130] A. Ant Ozok et al. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. SOUPS '06, 2006.

[131] Yvonne Rogers et al. Interaction Design: Beyond Human-Computer Interaction, Second Edition, 2007.

[132] J. Doug Tygar et al. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. USENIX Security Symposium, 1999.

[133] Michael K. Reiter et al. On User Choice in Graphical Password Schemes. USENIX Security Symposium, 2004.