Usability and Security of Gaze-Based Graphical Grid Passwords

We present and analyze several gaze-based graphical password schemes based on recall and cued-recall of grid points; eye-trackers are used to record users' gazes, which can prevent shoulder-surfing and may be suitable for users with disabilities. Our 22-subject study observes that success rate and entry time for the grid-based schemes we consider are comparable to other gaze-based graphical password schemes. We propose the first password security metrics suitable for analysis of graphical grid passwords and provide an in-depth security analysis of user-generated passwords from our study, observing that, on several metrics, user-generated graphical grid passwords are substantially weaker than uniformly random passwords, despite our attempts at designing schemes to improve the quality of user-generated passwords.
