Mental Trapdoors for User Authentication on Small Mobile Devices

As small mobile devices such as mobile phones become increasingly sophisticated, they are beginning to be used for highly security-sensitive applications such as payment systems, stock trading, and access control systems. The growing importance of mobile phones exposes the near-total absence of access control mechanisms that restrict use of the device to its legitimate user: in effect, a lost mobile phone "delegates" all of its owner's rights to whoever finds it. The main challenges in designing a secure user authentication system for small mobile devices are the miniaturized input and display hardware and the requirement for usability across a wide range of people. In this paper, we propose and evaluate a novel mechanism for user authentication. The cognitive process we rely on is the human ability to recognize degraded images: a degraded image is easily recognized by a legitimate user who has previously been exposed to the original picture, whereas without knowledge of the original it is difficult to mentally "revert" the degraded image to the original, which provides a line of defense against guessing attacks. We implement a prototype user authentication system on Nokia N70 cellular phones and conduct a usability study of our scheme with 54 participants. All users managed to authenticate, even after four weeks, which is a strong indication that the scheme is usable by a wide range of people, even on miniaturized portable devices. We anticipate that this research will revitalize and encourage work on the important topic of user authentication for portable devices.
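The security argument in the abstract rests on degradation being a lossy, many-to-one transformation: a legitimate user matches the degraded image against a memory of the original, while an attacker who only sees degraded candidates cannot recover the original and is reduced to guessing. The following is an added illustration of that idea, not the paper's own scheme or code: it uses a simple block-average-and-threshold degradation (an assumed stand-in for whatever degradation the paper uses), a constructed set of tiny synthetic greyscale images, and a hypothetical multiple-choice challenge in which the user must pick the degraded form of an enrolled picture among decoys. The function and parameter names (`degrade`, `make_challenge`, `run_rounds`, `block`, `threshold`) are assumptions for this example.

```python
"""Illustrative degraded-image challenge (added example, not the paper's code)."""
import random


def make_image(size, fill, patch=None):
    """Constructed size x size greyscale image (0-255 ints) filled with `fill`;
    `patch` = (y0, x0, y1, x1, value) overwrites one rectangle."""
    img = [[fill] * size for _ in range(size)]
    if patch:
        y0, x0, y1, x1, value = patch
        for y in range(y0, y1):
            for x in range(x0, x1):
                img[y][x] = value
    return img


def degrade(img, block=4, threshold=128):
    """Block-average the image into coarse cells, then binarise each cell.
    This is many-to-one: every pixel arrangement whose per-block means fall
    on the same side of the threshold collapses to the same bitmap, so the
    original cannot be recovered from its degraded form."""
    h, w = len(img), len(img[0])
    out = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            cells = [img[y][x]
                     for y in range(by, min(by + block, h))
                     for x in range(bx, min(bx + block, w))]
            row.append(1 if sum(cells) / len(cells) >= threshold else 0)
        out.append(tuple(row))
    return tuple(out)


def make_challenge(secret, decoys, rng, block=4):
    """One hypothetical round: shuffle the degraded secret among degraded
    decoys and return (options, index_of_secret)."""
    options = [degrade(secret, block)] + [degrade(d, block) for d in decoys]
    if len(set(options)) != len(options):
        raise ValueError("a decoy collides with the secret's degraded form")
    order = list(range(len(options)))
    rng.shuffle(order)
    return [options[i] for i in order], order.index(0)


def user_chooser(original, block=4):
    """Legitimate user: knows the original, so recognises its degraded form."""
    target = degrade(original, block)
    return lambda options: options.index(target)


def attacker_chooser(rng):
    """Attacker: never saw the original, so can only guess among options."""
    return lambda options: rng.randrange(len(options))


def run_rounds(secret, decoy_pool, rounds, rng, choose, per_round=3):
    """Run `rounds` challenges; return how many the chooser answered correctly."""
    correct = 0
    for _ in range(rounds):
        decoys = rng.sample(decoy_pool, per_round)
        options, answer = make_challenge(secret, decoys, rng)
        if choose(options) == answer:
            correct += 1
    return correct


def guess_probability(n_options, rounds):
    """Chance that blind guessing passes every round of a multi-round challenge."""
    return (1 / n_options) ** rounds


if __name__ == "__main__":
    # Two different originals that degrade to the same coarse bitmap.
    a = make_image(8, 0, (0, 0, 4, 4, 255))
    b = make_image(8, 0, (0, 0, 4, 4, 200))
    print(degrade(a) == degrade(b), a != b)          # True True
    decoys = [make_image(8, 0), make_image(8, 255), make_image(8, 0, (4, 4, 8, 8, 255))]
    rng = random.Random(1)
    print(run_rounds(a, decoys, 5, rng, user_chooser(a)))
    print(run_rounds(a, decoys, 5, rng, attacker_chooser(rng)))
    print(guess_probability(4, 5))
```

Two points a practitioner should take from this: the collision between `a` and `b` is exactly why the degraded image leaks little about the original, and the guessing bound `(1/n)^rounds` only holds if decoys are drawn so that the secret's degraded form is not distinguishable from theirs by some non-cognitive cue (position, brightness, uniqueness across sessions), which is the usual failure mode of recognition-based schemes.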
