Entropy of graphical passwords: towards an information-theoretic analysis of face-recognition based authentication

Authors:
Stefan Rass;David Schuller;Christian Kollmitzer
Affiliations:
Institute of Applied Informatics, System Security Group, Universitaet Klagenfurt, Klagenfurt, Austria;Quantum Technologies, Department Safety & Security, AIT Austrian Institute of Technology GmbH, Klagenfurt, Austria;Quantum Technologies, Department Safety & Security, AIT Austrian Institute of Technology GmbH, Klagenfurt, Austria
Venue:
CMS'10 Proceedings of the 11th IFIP TC 6/TC 11 international conference on Communications and Multimedia Security
Year:
2010

Citing 8
Cited 0

Towards Secure Design Choices for Implementing Graphical Passwords

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Handbook Of Pattern Recognition And Computer Vision

Handbook Of Pattern Recognition And Computer Vision
Authentication using graphical passwords: effects of tolerance and image choice

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Graphical Passwords: A Survey

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Déjà Vu: a user study using images for authentication

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
The design and analysis of graphical passwords

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Graphical Password: Comprehensive Study of the Usability Features of the Recognition Base Graphical Password Methods

ICCIT '08 Proceedings of the 2008 Third International Conference on Convergence and Hybrid Information Technology - Volume 02
Towards Automating Social Engineering Using Social Networking Sites

CSE '09 Proceedings of the 2009 International Conference on Computational Science and Engineering - Volume 03

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present an information-theoretic discussion of authentication via graphical passwords, and devise a model for entropy estimation. Our results make face-recognition based authentication comparable to standard password authentication in terms of uncertainty (Shannon-entropy) that an adversary is confronted with in both situations. It is widely known that cognitive abilities strongly determine the choice of alphanumeric passwords as well as graphical passwords, and we discuss various selected psychological aspects that influence the selection process. As a central result, we obtain a theoretical limit to the entropy of a face-recognition based authentication in the light of some social engineering techniques (dictionary attacks on graphical passwords). Remarkably, our results hold independently of any information that can be obtained from the internet or through other forms of social engineering. Thus, we obtain very general bounds on the quality of authentication through face-recognition that solely depend on the authentication mechanism.