DOI: 10.1145/2501604.2501615
Research article, SOUPS '13 conference proceedings

Exploring the design space of graphical passwords on smartphones

Published: 24 July 2013

ABSTRACT

Smartphones have emerged as a likely application area for graphical passwords, because they are easier to input on touchscreens than text passwords. Extensive research on graphical passwords, combined with the capabilities of modern smartphones, results in a complex design space for graphical password schemes on smartphones. We analyze and describe this design space in detail. In the process, we identify and highlight interrelations between usability and security characteristics, available design features, and smartphone capabilities. We further show the expressiveness and utility of the design space in the development of graphical password schemes by implementing five different existing graphical password schemes on one smartphone platform. We performed usability and shoulder-surfing experiments with the implemented schemes to validate the identified relations in the design space. From our results, we derive a number of helpful insights and guidelines for the design of graphical passwords.


Published in

SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security
July 2013
241 pages
ISBN: 9781450323192
DOI: 10.1145/2501604

Copyright © 2013. Copyright is held by the owner/author(s).

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance rates: overall acceptance rate 15 of 49 submissions, 31%
