Free-Form Gesture Authentication in the Wild

Free-form gesture passwords have been introduced as an alternative mobile authentication method. Text passwords are not well suited to mobile interaction, and methods such as PINs and grid patterns sacrifice security for usability. However, little is known about how free-form gestures perform in the wild. We present the first field study (N=91) of mobile authentication using free-form gestures, with text passwords as a baseline. Our study leveraged Experience Sampling Methodology to increase ecological validity while maintaining control of the experiment. We found that, with gesture passwords, participants generated new passwords and authenticated faster, with comparable memorability, while being more willing to retry. Our analysis of the gesture password dataset indicated biases in the distribution of user-chosen gestures, tending towards common shapes. Our findings provide useful insights towards understanding mobile device authentication and gesture-based authentication.
