Secure Graphical One Time Password (GOTPass): An Empirical Study

ABSTRACT The traditional text-based password has been the default security medium for years; however, the difficulty of memorizing strong passwords often leads to insecure practices. A possible alternative is graphical authentication, motivated by the fact that human memory for images is superior to memory for text, which helps to improve both password usability and security. Recently, some graphical authentication techniques have been deployed in practice. This paper introduces a new hybrid graphical authentication scheme, “GOTPass,” which authenticates the user by means of a one-time numerical code that is typed in based on a sequence of secret images and a prechosen input format. An important focus of this paper is the security of the graphical password scheme. The paper reports an in-depth security evaluation and shows that GOTPass is highly resistant to common graphical password attacks. Three attacks were simulated (guessing, intersection, and shoulder-surfing), and the results showed that nearly 98% of the 690 attempts failed to compromise the system.
