WebTicket: account management using printable tokens

Passwords are the most common authentication scheme today. However, it is difficult for people to memorize strong passwords, such as random sequences of characters. Additionally, passwords do not provide protection against phishing attacks. This paper introduces WebTicket, a low-cost, easy-to-use and reliable web account management system that uses "tickets", which are tokens that contain a two-dimensional barcode that can be printed or stored on smartphones. Users can log into accounts by presenting the barcodes to webcams connected to computers. Through two lab studies and one field study consisting of 59 participants in total, we found that WebTicket can provide reliable authentication and phishing resilience.
