Communications of the ACM
Towards Secure Design Choices for Implementing Graphical Passwords
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Authentication using graphical passwords: effects of tolerance and image choice
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Password management strategies for online accounts
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Déjà Vu: a user study using images for authentication
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Graphical dictionaries and the memorable space of graphical passwords
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
On user choice in graphical password schemes
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
The design and analysis of graphical passwords
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Crowdsourcing user studies with Mechanical Turk
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Human-seeded attacks and exploiting hot-spots in graphical passwords
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Personal knowledge questions for fallback authentication: security questions in the era of Facebook
Proceedings of the 4th symposium on Usable privacy and security
Use Your Illusion: secure authentication usable anywhere
Proceedings of the 4th symposium on Usable privacy and security
It's No Secret. Measuring the Security and Reliability of Authentication via "Secret Questions
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Goldilocks and the two mobile devices: going beyond all-or-nothing access to a device's applications
Proceedings of the Eighth Symposium on Usable Privacy and Security
ACM Transactions on Accessible Computing (TACCESS)
Know your enemy: the risk of unauthorized access in smartphones by insiders
Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services
Hi-index | 0.01 |
While a large body of research on image-based authentication has focused on memorability, comparatively less attention has been paid to the new security challenges these schemes may introduce. Because images can convey more information than text, image-based authentication may be more vulnerable to educated guess attacks than passwords. In this paper, we evaluate the resilience of a recognition-based graphical authentication scheme using distorted images against two types of educated guess attacks through two user studies. The first study, consisting of 30 participants, investigates whether distortion prevents educated guess attacks primarily based on information about individual users. The second study, using Amazon Mechanical Turk, investigates whether distortion mitigates the risk of educated guess attacks based on collective information about users. Our results show that authentication images without distortion are vulnerable to educated guess attacks, especially when information about the target is known, and that distortion makes authentication images more resilient against educated guess attacks.