Communications of the ACM
Password Memorability and Security: Empirical Results
IEEE Security and Privacy
International Journal of Human-Computer Studies - Special isssue: HCI research in privacy and security is critical now
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Déjà Vu: a user study using images for authentication
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Proceedings of the 3rd symposium on Usable privacy and security
A comprehensive study of frequency, interference, and training of multiple graphical passwords
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Proceedings of the 2011 workshop on New security paradigms workshop
Graphical passwords: Learning from the first twelve years
ACM Computing Surveys (CSUR)
NAPTune: fine tuning graphical authentication
Proceedings of the 3rd International Conference on Human Computer Interaction
WYSWYE: shoulder surfing defense for recognition based graphical passwords
Proceedings of the 24th Australian Computer-Human Interaction Conference
Quantifying the security of graphical passwords: the case of android unlock patterns
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Hi-index | 0.00 |
Traditional Personal Identification Numbers (PINs) are widely used, but the attacks in which they are captured have been increasing. One-time PINs offer better security, but potentially create greater workload for users. In this paper, we present an independent evaluation of a commercial system that makes PINs more resistant to observation attacks by using graphical passwords on a grid to generate a one-time PIN. 83 participants were asked to register with the system and log in at varying intervals. The successful login rate was approximately 91% after 3--4 days, and 97% after 9--10 days. Twenty five participants were retested after two years, and 27% of those were able to recall their pattern. We recorded 17 instances of failed attempts, and found that even though participants recalled the general shape of the pass-pattern in 13 of these instances, they could not recall its detailed location or sequence of cells. We conclude that GrIDsure is usable if people have one pass-pattern, but the level of security will depend on the context of use (it will work best in scenarios where repeated observations of transactions are unlikely), and the instructions given to users (without guidance, they are likely to chose from a small subset of the possible patterns which are easily guessed).