DOI: 10.1145/2493190.2493231
research-article

Patterns in the wild: a field study of the usability of pattern and pin-based authentication on mobile devices

Published: 27 August 2013

ABSTRACT

Graphical password systems based upon the recall and reproduction of visual patterns (e.g. as seen on the Google Android platform) are assumed to have desirable usability and memorability properties. However, there are no empirical studies that explore whether this is actually the case on an everyday basis. In this paper, we present the results of a real world user study across 21 days that was conducted to gather such insight; we compared the performance of Android-like patterns to personal identification numbers (PIN), both on smartphones, in a field study. The quantitative results indicate that PIN outperforms the pattern lock when comparing input speed and error rates. However, the qualitative results suggest that users tend to accept this and are still in favor of the pattern lock to a certain extent. For instance, it was rated better in terms of ease-of-use, feedback and likeability. Most interestingly, even though the pattern lock does not provide any undo or cancel functionality, it was rated significantly better than PIN in terms of error recovery; this provides insight into the relationship between error prevention and error recovery in user authentication.


Published in

MobileHCI '13: Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services
August 2013
662 pages
ISBN: 9781450322737
DOI: 10.1145/2493190

Copyright © 2013 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Acceptance Rates

MobileHCI '13 Paper Acceptance Rate: 53 of 238 submissions, 22%. Overall Acceptance Rate: 202 of 906 submissions, 22%.
