Usable authentication and click-based graphical passwords

  • Authors: Sonia Chiasson
  • Affiliations: Carleton University (Canada)
  • Venue: Usable authentication and click-based graphical passwords
  • Year: 2009


Abstract

Security experts often refer to humans as the "weakest link" (Sasse, Brostoff, and Weirich, 2001) in the security chain, asserting that the problem lies not with the security systems themselves, but with users who are unable or unwilling to comply with security protocols. The shift towards usable security and including human factors in system design is an important one that has a direct impact on system security. In this thesis, we focus on knowledge-based authentication. We examine the password problem, where passwords are either weak-and-memorable or secure-but-difficult-to-remember, despite the need for passwords that are both secure and memorable. We concentrate on graphical passwords because of the human ability to accurately recognize and recall images. We began by cataloguing existing graphical passwords, focusing equally on usability and security characteristics, and identified PassPoints, a click-based graphical password scheme, as the scheme that appeared most promising and that we believed warranted closer evaluation. Our overall research question, therefore, asks: "Can click-based graphical passwords simultaneously support both memorability and security, while maintaining usability?" We conducted lab and field studies of PassPoints, and identified areas for usability and security improvements. We designed Cued Click-Points and Persuasive Cued Click-Points, schemes with several novel design features: one-to-one cueing to help with memorability, implicit feedback meaningful only to legitimate users, and a safe path of least resistance that influences users to select stronger memorable passwords. Empirical studies of both schemes provide evidence of increased usability, memorability, and security. Additionally, we propose a new discretization method for such systems that improves usability by making the system more predictable from the user's perspective, and improves security by allowing for smaller tolerance regions without sacrificing usability.
From this empirical work, we identified the underlying design characteristics of our systems that led to success and generalized our findings as design strategies that may be applicable to other knowledge-based authentication schemes.
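The abstract mentions discretization and tolerance regions without defining them. The following added example, which is not code from the thesis and does not reproduce its method, shows what those terms mean in a click-based scheme: a click-point cannot be hashed directly because the user never clicks the exact same pixel twice, so each coordinate is mapped to a grid cell and only the cell indices are hashed. It contrasts a fixed grid (where a click near a cell boundary has almost no tolerance on one side) with a grid centred on the original click (where the accepted region is symmetric and therefore predictable). The tolerance value, cell width, click coordinates, and the use of SHA-256 are constructed assumptions for illustration; a deployed system would use a slow password hash and further per-scheme analysis.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (constructed for this example, not taken from the thesis).
TOLERANCE = 9                  # r: accepted deviation in pixels on each axis
CELL = 2 * TOLERANCE + 1       # cell width chosen so [c - r, c + r] is one cell


def fixed_grid_accepts(original, attempt, tolerance=TOLERANCE):
    """Fixed grid anchored at pixel 0: accept if both coordinates fall in the
    same cell. Tolerance depends on where the original click sits in its cell."""
    cell = 2 * tolerance + 1
    return original // cell == attempt // cell


def centered_grid(coord, tolerance=TOLERANCE):
    """Shift the grid so that `coord` is the exact centre of a cell.
    Returns (cell_index, offset); the offset is stored with the credential."""
    cell = 2 * tolerance + 1
    offset = (coord - tolerance) % cell      # grid origin that centres coord
    index = (coord - offset) // cell
    return index, offset


def centered_accepts(original, attempt, tolerance=TOLERANCE):
    """Centred grid: the accepted region is exactly [original - r, original + r]."""
    cell = 2 * tolerance + 1
    index, offset = centered_grid(original, tolerance)
    return (attempt - offset) // cell == index


def _digest(salt, indices):
    # Only the cell indices are hashed, never the raw pixels. SHA-256 is used
    # here for brevity; a real system should use a slow, salted password hash.
    data = ",".join(f"{ix}:{iy}" for ix, iy in indices).encode()
    return hashlib.sha256(salt + data).hexdigest()


def register(clicks, tolerance=TOLERANCE):
    """Create a stored credential from an ordered list of (x, y) click-points.
    The per-click grid offsets are stored alongside the hash so that login can
    rebuild the same centred grid without knowing the original click."""
    salt = secrets.token_bytes(16)
    offsets, indices = [], []
    for x, y in clicks:
        ix, ox = centered_grid(x, tolerance)
        iy, oy = centered_grid(y, tolerance)
        offsets.append((ox, oy))
        indices.append((ix, iy))
    return {"salt": salt, "offsets": offsets, "digest": _digest(salt, indices)}


def verify(record, clicks, tolerance=TOLERANCE):
    """Re-discretize the login clicks with the stored offsets and compare hashes
    in constant time. Any click outside its tolerance region changes a cell
    index and therefore the digest."""
    if len(clicks) != len(record["offsets"]):
        return False
    cell = 2 * tolerance + 1
    indices = [((x - ox) // cell, (y - oy) // cell)
               for (x, y), (ox, oy) in zip(clicks, record["offsets"])]
    return hmac.compare_digest(_digest(record["salt"], indices), record["digest"])


if __name__ == "__main__":
    # Constructed sample: a three-click password and a slightly off login attempt.
    cred = register([(100, 200), (40, 75), (310, 12)])
    print(verify(cred, [(109, 191), (31, 84), (319, 3)]))   # within r on every axis
    print(verify(cred, [(110, 200), (40, 75), (310, 12)]))  # first x is 10 px off
    # Fixed grid: original pixel 18 sits at the right edge of cell [0, 19),
    # so 1 px to the right is rejected while 18 px to the left is accepted.
    print(fixed_grid_accepts(18, 19), fixed_grid_accepts(18, 0))
    print(centered_accepts(18, 19), centered_accepts(18, 0))
```

The fixed-grid calls make the predictability problem concrete: the user who clicked pixel 18 is rejected at pixel 19 but accepted at pixel 0, a behaviour they cannot anticipate. With the centred grid the same click is accepted anywhere in 9 to 27 and nowhere else, which is what allows a designer to shrink the tolerance region (raising the number of distinguishable cells and hence the password space) without surprising users. Storing offsets in the clear is a known trade-off of this style of discretization and is one reason schemes are analysed for what the offsets reveal.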