On automated image choice for secure and usable graphical passwords

The usability of graphical passwords based upon recognition of images is widely explored. However, it is likely that their observed high memorability is contingent on certain attributes of the image sets presented to users. Characterizing this relationship remains an open problem; for example, there is no systematic (and empirically verified) method to determine how similarity between the elements of an image set impacts the usability of the login challenge. Strategies to assemble suitable images are usually carried out by hand, which represents a significant barrier to uptake as the process has usability and security implications. In this paper, we explore the role of simple image processing techniques to provide automated assembly of usable login challenges in the context of recognition-based graphical passwords. We first carry out a user study to obtain a similarity-ranked image set, and use the results to select an optimal per-pixel image similarity metric. Then we conduct a short-term image recall test using Amazon Mechanical Turk with 343 subjects where we manipulated the similarity present in image grids. In the most significant case, we found that our automated methods to choose decoy images could impact the login success rate by 40%, and the median login duration by 35 seconds.
