MARASIM: a novel jigsaw based authentication scheme using tagging

In this paper we propose and evaluate Marasim, a novel jigsaw-based graphical authentication mechanism using tagging. Marasim aims to achieve the security of random images with the memorability of personal images. Our scheme relies on the human ability to remember a personal image and later recognize alternate visual representations (images) of the concepts that occur in the image. These concepts are retrieved from the tags assigned to the image. We illustrate how a jigsaw-based approach helps to create a portfolio of system-chosen random images to be used for authentication. The paper describes the complete design of Marasim along with empirical studies of Marasim that provide evidence of increased memorability. Results show that 93% of all participants succeeded in the authentication tests using Marasim after three months, while 71% succeeded in authentication tests using Marasim after nine months. Our findings indicate that Marasim has potential applications, especially where text input is hard (e.g., PDAs or ATMs), or in situations where passwords are infrequently used (e.g., web site passwords).
