Evaluating the usability and security of a graphical one-time PIN system

Authors:
Sacha Brostoff;Philip Inglesant;M. Angela Sasse
Affiliations:
UCL (University College London), Malet Place, London, UK;UCL (University College London), Malet Place, London, UK;UCL (University College London), Malet Place, London, UK
Venue:
BCS '10 Proceedings of the 24th BCS Interaction Specialist Group Conference
Year:
2010

Citing 8
Cited 5

Users are not the enemy

Communications of the ACM
Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security

BT Technology Journal
Password Memorability and Security: Empirical Results

IEEE Security and Privacy
Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems

International Journal of Human-Computer Studies - Special isssue: HCI research in privacy and security is critical now
A large-scale study of web password habits

Proceedings of the 16th international conference on World Wide Web
Déjà Vu: a user study using images for authentication

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Is FacePIN secure and usable?

Proceedings of the 3rd symposium on Usable privacy and security
A comprehensive study of frequency, interference, and training of multiple graphical passwords

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation

Proceedings of the 2011 workshop on New security paradigms workshop
Graphical passwords: Learning from the first twelve years

ACM Computing Surveys (CSUR)
NAPTune: fine tuning graphical authentication

Proceedings of the 3rd International Conference on Human Computer Interaction
WYSWYE: shoulder surfing defense for recognition based graphical passwords

Proceedings of the 24th Australian Computer-Human Interaction Conference
Quantifying the security of graphical passwords: the case of android unlock patterns

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Traditional Personal Identification Numbers (PINs) are widely used, but the attacks in which they are captured have been increasing. One-time PINs offer better security, but potentially create greater workload for users. In this paper, we present an independent evaluation of a commercial system that makes PINs more resistant to observation attacks by using graphical passwords on a grid to generate a one-time PIN. 83 participants were asked to register with the system and log in at varying intervals. The successful login rate was approximately 91% after 3--4 days, and 97% after 9--10 days. Twenty five participants were retested after two years, and 27% of those were able to recall their pattern. We recorded 17 instances of failed attempts, and found that even though participants recalled the general shape of the pass-pattern in 13 of these instances, they could not recall its detailed location or sequence of cells. We conclude that GrIDsure is usable if people have one pass-pattern, but the level of security will depend on the context of use (it will work best in scenarios where repeated observations of transactions are unlikely), and the instructions given to users (without guidance, they are likely to chose from a small subset of the possible patterns which are easily guessed).