EvoPass: Evolvable graphical password against shoulder-surfing attacks

Abstract The passwords used to authenticate users are susceptible to shoulder-surfing attacks, in which attackers learn users' passwords through direct observation without any technical support. A straightforward defence is to change passwords periodically or even constantly, making previously observed passwords useless. However, this may lead to a situation in which users run out of strong passwords they can remember, or are forced to choose passwords that are weak, correlated, or difficult to memorize. To achieve both security and usability in user authentication, we propose EvoPass, the first evolvable graphical password authentication system. EvoPass transforms a set of user-selected pass images into pass sketches that serve as the user's credentials. To authenticate, users must identify their pass sketches among a set of challenge images. In particular, EvoPass improves password strength gradually over time by continually degrading the pass sketches, without requiring users to reselect pass images. The evolving feature makes it difficult for observational adversaries to identify the pass sketches, even if some of the pass sketches have previously been exposed to them. We introduce two metrics, Information Retention Rate (IRR) and Password Diversity Score (PDS), to guide the generation of pass sketches and of the challenge image set. Our experimental analysis reveals that applying reasonable IRR and PDS values in EvoPass can remarkably improve resistance to shoulder-surfing attacks without negatively affecting the user experience. We also implement a prototype of EvoPass on the Android platform with reasonable IRR and PDS values applied. Our experimental results on the prototype further demonstrate that EvoPass works efficiently and achieves the desired usability.
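The following toy model is an added illustration of the evolving-credential loop the abstract describes; it is not the paper's EvoPass implementation, whose sketch-generation method and its definitions of IRR and PDS are not given here. The model assumes a pass sketch is a set of edge pixels on a small grid, models IRR as the fraction of the original edge pixels still drawn, and degrades every pass sketch after each successful login by dropping pixels down to a target IRR. The class and function names, the per-login IRR step, the IRR floor and the sample data are all constructed for the example; PDS (decoy selection quality) is not modelled, so decoys are simply random sketches.

```python
"""Toy model of an evolvable sketch-based graphical password (illustration only)."""
import random
from dataclasses import dataclass, field

GRID = 16  # sketches are GRID x GRID binary edge maps (constructed toy data)


def make_sketch(seed, density=0.35):
    """Constructed stand-in for an edge-detected pass image: a seeded random pixel set."""
    rng = random.Random(seed)
    return frozenset((x, y) for x in range(GRID) for y in range(GRID)
                     if rng.random() < density)


def irr(current, original):
    """Modelled Information Retention Rate: share of the original edge pixels still drawn.
    (Assumption for this example; the paper's IRR definition is not in the abstract.)"""
    return len(current & original) / len(original) if original else 0.0


def degrade(current, original, target_irr, seed):
    """Drop edge pixels (seeded, so evolution is reproducible) until IRR reaches target."""
    rng = random.Random(seed)
    pixels = sorted(current)
    rng.shuffle(pixels)
    keep = min(len(pixels), round(target_irr * len(original)))
    return frozenset(pixels[:keep])


def observer_overlap(snapshot, current):
    """Share of a previously observed sketch's pixels that the current sketch still shows."""
    return len(snapshot & current) / len(snapshot) if snapshot else 0.0


@dataclass
class EvolvingCredential:
    originals: list                 # the user's pass images, already reduced to edge maps
    decoys: list                    # challenge images that are not pass sketches
    min_irr: float = 0.4            # assumed floor so sketches stay recognisable
    step: float = 0.1               # assumed IRR lost per successful login
    round_no: int = 0
    sketches: list = field(default=None)

    def __post_init__(self):
        self.sketches = list(self.originals)

    def target_irr(self):
        return max(self.min_irr, 1.0 - self.step * self.round_no)

    def challenge(self):
        """Build this round's challenge grid: pass sketches shuffled among decoys.
        Returns the images and, for server-side verification only, the pass positions."""
        rng = random.Random(1000 + self.round_no)
        tagged = [(True, s) for s in self.sketches] + [(False, d) for d in self.decoys]
        rng.shuffle(tagged)
        images = [img for _, img in tagged]
        pass_positions = {i for i, (is_pass, _) in enumerate(tagged) if is_pass}
        return images, pass_positions

    def authenticate(self, selected):
        """Accept only the exact set of pass positions; on success, evolve the sketches."""
        _, pass_positions = self.challenge()
        if set(selected) != pass_positions:
            return False
        self.round_no += 1
        target = self.target_irr()
        self.sketches = [degrade(s, o, target, seed=self.round_no * 97 + i)
                         for i, (s, o) in enumerate(zip(self.sketches, self.originals))]
        return True


if __name__ == "__main__":
    cred = EvolvingCredential(originals=[make_sketch(s) for s in (1, 2, 3)],
                              decoys=[make_sketch(s) for s in range(10, 16)])
    observed = list(cred.sketches)  # what a shoulder-surfer could record in round 0
    for _ in range(8):
        _, positions = cred.challenge()
        assert cred.authenticate(positions)
        print(f"round {cred.round_no}: target IRR {cred.target_irr():.2f}, "
              f"actual IRR {irr(cred.sketches[0], cred.originals[0]):.2f}, "
              f"overlap with round-0 observation {observer_overlap(observed[0], cred.sketches[0]):.2f}")
```

Each successful login lowers the IRR target by the assumed step until the floor is reached, and the overlap between a sketch recorded in an early round and the sketch shown later shrinks accordingly; the printout is a way to watch that evolution, not a measurement of the paper's actual resistance.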
