Xiyang Liu,Zhongjie Ren,Xiuling Chang,Haichang Gao,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2829297

2013-01-01

Abstract:The trend toward a highly mobile workforce and the ubiquity of graphical interfaces (such as the stylus and touch-screen) has enabled the emergence of graphical authentications in Personal Digital Assistants (PDAs) [1]. However, most of the current graphical password schemes are vulnerable to shoulder-surfing [2,3], a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Several approaches have been developed to deal with this problem, but they have significant usability drawbacks, usually in the time and effort to log in, making them less suitable for authentication [4, 8]. For example, it is time-consuming for users to log in CHC [4] and there are complex text memory requirements in scheme proposed by Hong [5]. With respect to the scheme proposed by Weinshall [6], not only is it intricate to log in, but also the main claim of resisting shoulder-surfing is proven false [7]. In this paper, we introduce a new graphical password scheme which provides a good resistance to shouldersurfing and preserves a desirable usability.

Hung-Min Sun,Shiuan-Tung Chen,Jyh-Haw Yeh,Chia-Yun Cheng

DOI: https://doi.org/10.1109/tdsc.2016.2539942

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Liming Wang,Xiuling Chang,Zhongjie Ren,Haichang Gao,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/AINA.2010.46

2013-06-01

Abstract:Text-based password schemes have inherent security and usability problems, leading to the development of graphical password schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retaining the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in the future work.

Cryptography and Security

Qibin Sun,Zhi Li,Xudong Jiang,Alex Kot

DOI: https://doi.org/10.1109/iscas.2008.4542082

2008-01-01

Abstract:Graphical password (i.e., image based authentication) is considered as a promising alternative to traditional textual password for mobile devices, to achieve better tradeoff between usability and security. However, previous proposals of graphical password have the limitation of limited entropy. In this paper, we propose a new scheme incorporating user face based authentication into the association-based graphical password solution we proposed before, aiming at achieving higher security without compromising user-friendliness for mobile application scenarios. System performance analysis and comparisons with other schemes are presented to validate our scheme.

Xian Chu,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-030-54455-3_12

2020-01-01

Abstract:This paper proposes a two-factor graphical password authentication scheme, PassPage, which is suitable for website authentication with enhanced security. It leverages the implicit memory based on the user’s web browsing records. Whenever the user tries to log in, the server returns 9 small pages as a challenge, and asks the user to select all the pages the user has browsed besides inputting a text password. We performed user experiments on 12 volunteers. The experiment results showed that the average login success rate on a news website is steadily over 80% when the users are familiar with the login process, and the login success rate does not decrease sharply in 6 days.

Huiping Sun,Ke Wang,Xu Li,Nan Qin,Zhong Chen

DOI: https://doi.org/10.1145/2785830.2785880

2015-01-01

Abstract:Existing graphical passwords require users to proactively memorize their secrets and meanwhile these schemes are vulnerable to shoulder surfing attacks. We propose a novel graphical password scheme, PassApp, which utilizes users' everyday memory about installed apps on mobile devices as shared secrets. As the registration stage is no longer needed, PassApp exempts users from additional memory burden and greatly enhances user experience. Additionally, PassApp owns a large password set and only a small part of passwords may be exposed during a login. Therefore, PassApp has a natural advance on effectively resisting guessing attacks and shoulder surfing attacks. Our user studies demonstrate that PassApp performs well with a reasonable login time (7.27s) and a high success rate (95.48%). Our security analysis shows PassApp can effectively withstand one-time shoulder surfing attacks and on average 30 times of shoulder surfing are necessary to expose all passwords.

Mizuki Oka,Kazuhiko Kato,Yingqing Xu,Lin Liang,Fang Wen

DOI: https://doi.org/10.1109/icpr.2008.4761233

2008-01-01

Abstract:This paper presents a sketch-based password authentication system called Scribble-a-Secret as a graphical password scheme in which free-form drawings are used as a means to authenticate users. Unlike existing schemes, this approach requires no input of graphical passwords in particular sequences of strokes. Moreover, the system allows for a modicum of variation when users recreate their passwords. Our technique uses edge orientations extracted from sketch images to discern one user from another. Our experiments show that our recognition technique is robust for recognizing sketches while differentiating from others with both a false acceptance rate and false rejection rate of less than 1%.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

Hala Assal,Ahsan Imran,Sonia Chiasson

DOI: https://doi.org/10.48550/arXiv.1610.09743

2016-10-31

Abstract:In this paper, we explore graphical passwords as a child-friendly alternative for user authentication. We evaluate the usability of three variants of the PassTiles graphical password scheme for children, and explore the similarities and differences in performance and preferences between children and adults while using these schemes. Children were most successful at recalling passwords containing images of distinct objects. Both children and adults prefer graphical passwords to their existing schemes, but password memorization strategies differ considerably between the two groups. Based on our findings, we provide recommendations for designing more child-friendly authentication schemes.

Human-Computer Interaction

Hung-Min Sun,Yao-Hsin Chen,Chiung-Cheng Fang,Shih-Ying Chang

DOI: https://doi.org/10.1145/2414456.2414513

2012-01-01

Abstract:Text passwords have been used in authentication systems for many decades. Users must recall the textual strings selected during registration to pass authentication. However, there are some serious problems with text passwords recollection and security. Hence, various graphical-password authentication systems have been proposed to solve the problems of text passwords. Previous studies indicate that humans are better at recognizing and recalling images than texts. In 2005, Wiedenbeck et al. proposed PassPoints in which a password consists of a sequence of click-points (5 to 8) that a user chooses on an image. In the paper, we proposed an alternative system in which users can memorize fewer points while providing more security than PassPoints. Based on the idea of using an extremely large image as the password space, we propose a novel world map based graphical password authentication system called PassMap in which a password consists of a sequence of 2 click-points that a user selects on an large world map. We also conducted a user study for evaluation. The result shows that the passwords of PassMap are easy to memorize for humans and PassMap is friendly to use in practice. Furthermore, PassMap provides higher entropy than PassPoints and also increases the cost of attacks.

Ziming Zhao,Gail-Joon Ahn,Jeong-Jin Seo,Hongxin Hu

2013-01-01

Abstract:Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8™ operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.

Can Liu,Shridatt Sugrim,Gradeigh D. Clark,Janne Lindqvist

DOI: https://doi.org/10.48550/arXiv.1812.09410

2018-12-21

Cryptography and Security

Abstract:Gesture and signature passwords are two-dimensional figures created by drawing on the surface of a touchscreen with one or more fingers. Prior results about their security have used resilience to either shoulder surfing, a human observation attack, or dictionary attacks. These evaluations restrict generalizability since the results are: non-comparable to other password systems (e.g. PINs), harder to reproduce, and attacker-dependent. Strong statements about the security of a password system use an analysis of the statistical distribution of the password space, which models a best-case attacker who guesses passwords in order of most likely to least likely. Estimating the distribution of recognition passwords is challenging because many different trials need to map to one password. In this paper, we solve this difficult problem by: (1) representing a recognition password of continuous data as a discrete alphabet set, and (2) estimating the password distribution through modeling the unseen passwords. We use Symbolic Aggregate approXimation (SAX) to represent time series data as symbols and develop Markov chains to model recognition passwords. We use a partial guessing metric, which demonstrates how many guesses an attacker needs to crack a percentage of the entire space, to compare the security of the distributions for gestures, signatures, and Android unlock patterns. We found the lower bounds of the partial guessing metric of gestures and signatures are much higher than the upper bound of the partial guessing metric of Android unlock patterns.

Zhi Li,Qibin Sun,Yong Lian,D. D. Giusto

DOI: https://doi.org/10.1007/11538356_78

2005-01-01

Abstract:Motivated by the need for designing secure and user-friendly authentication method for mobile devices, we present a novel image-based authentication (IBA) scheme in this paper. Its mnemonics efficacy rests on the human cognitive ability of association-based memorization. To tackle the shoulder-surfing attack issue, an interactive authentication process is presented. System performance analysis and comparisons with other schemes are presented to support our proposals.

Yan Li,Yao Cheng,Weizhi Meng,Yingjiu Li,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2020.3013212

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the boom of Augmented Reality (AR) and Virtual Reality (VR) applications, head-mounted smart wearable glass devices are becoming popular to help users access various services like E-mail freely. However, most existing password entry schemes on smart glasses rely on additional computers or mobile devices connected to smart glasses, which require users to switch between different systems and devices. This may greatly lower the practicability and usability of smart glasses. In this paper, we focus on this challenge and design three practical anti-eavesdropping password entry schemes on stand-alone smart glasses, named gTapper, gRotator and gTalker. The main idea is to break the correlation between the underlying password and the interaction observable to adversaries. In our IRB-approved user study, these schemes are found to be easy-to-use without additional hardware under various test conditions, where the participants can enter their passwords within moderate time, at high accuracy, and in various situations.

computer science, theory & methods,engineering, electrical & electronic

Tony McBryan,Karen Renaud,J. Paul Siebert

DOI: https://doi.org/10.48550/arXiv.1407.8004

IF: 6.4588

2014-07-30

Human-Computer Interaction

Abstract:Computer users are generally authenticated by means of a password. Unfortunately passwords are often forgotten and replacement is expensive and inconvenient. Some people write their passwords down but these records can easily be lost or stolen. The option we explore is to find a way to cue passwords securely. The specific cueing technique we report on in this paper employs images as cues. The idea is to elicit textual descriptions of the images, which can then be used as passwords. We have defined a set of metrics for the kind of image that could function effectively as a password cue. We identified five candidate image types and ran an experiment to identify the image class with the best performance in terms of the defined metrics. The first experiment identified inkblot-type images as being superior. We tested this image, called a cueblot, in a real-life environment. We allowed users to tailor their cueblot until they felt they could describe it, and they then entered a description of the cueblot as their password. The cueblot was displayed at each subsequent authentication attempt to cue the password. Unfortunately, we found that users did not exploit the cueing potential of the cueblot, and while there were a few differences between textual descriptions of cueblots and non-cued passwords, they were not compelling. Hence our attempts to alleviate the difficulties people experience with passwords, by giving them access to a tailored cue, did not have the desired effect. We have to conclude that the password mechanism might well be unable to benefit from bolstering activities such as this one.

Chao Shen,Yufei Chen,Yao Liu,Xiaohong Guan

DOI: https://doi.org/10.1109/TNNLS.2018.2829223

Abstract:The pervasiveness of wearable devices furnished with state-of-the-art sensors has shown the powerful capability in context-aware applications. However, embedded sensors also become targets for adversaries to launch potential side-channel attacks. In this paper, we present a self-adaptive and pretraining-independent pattern attack that infers a graphical password by recovering the victim's hand movement trajectory via motion sensors of a wrist-worn smart device. With the adaptive pattern inference algorithm, the discovered attack can be launched remotely without requiring previous training data from victims or the prior knowledge about the keyboard input settings. Toward the proposed attack, we create a method to detect the sliding behavior that draws a graphical password on the screen. We also propose an inference algorithm to generate password candidates from hand movement trajectories for different keypad input settings. We implement the discovered attack on a smartwatch and conduct experiments to evaluate the impact of this attack. The evaluation results show that for complex graphical patterns, with a single try, the attack can infer the passwords at a success rate as high as 80%, and the success rate can be further boosted to over 90% within five attempts, which reveals the overlooked privacy information threat caused by sensor data leakage.

Zhangyu Meng,Jun Kong,Juan Li

DOI: https://doi.org/10.1016/j.cose.2021.102187

2021-04-01

Abstract:<p>Due to its invisibility feature, pressure is useful to enhance the security of authentication, especially preventing the shoulder surfing attack. However, users are more familiar with digital passwords than pressure-based passwords. In order to improve the usability of pressure-based authentication, this paper instantiates a pressure-based password (i.e., a sequence of pressures) to a decimal number. In addition, our approach features personalized pressure detection. The personalization further enhances security since an attacker must have a pressure habit that is consistent with the user. We conducted a series of user studies to compare the traditional four-digit password with our pressure-based password. The empirical result indicates that a pressure-based password is more resistant to the shoulder surfing attack than a four-digit password. However, it takes more time to input a pressure-based password on the first-time usage. The slowdown is caused by a modality change from vision to pressure. A field study that lasted for 10 days revealed that the side effect of modality change can be overcome through regular usages.</p>

computer science, information systems

Jaryn Shen,Timothy T. Yuen,Kim-Kwang Raymond Choo,Qingkai Zeng

DOI: https://doi.org/10.1007/978-3-030-21548-4_28

2019-01-01

Abstract:Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.

Leon Bošnjak,Boštjan Brumen

DOI: https://doi.org/10.1016/j.ijhcs.2019.04.003

2019-04-21

Abstract:Shoulder surfing is an attack vector widely recognized as a real threat - enough to warrant researchers dedicating a considerable effort toward designing novel authentication methods to be shoulder surfing resistant. Despite a multitude of proposed solutions over the years, few have employed empirical evaluations and comparisons between different methods, and our understanding of the shoulder surfing phenomenon remains limited. Barring the challenges in experimental design, the reason for that can be primarily attributed to the lack of objective and comparable vulnerability measures. In this paper, we develop an ensemble of vulnerability metrics, a first endeavour toward a comprehensive assessment of a given method's susceptibility to observational attacks. In the largest on-site shoulder surfing experiment (n = 274) to date, we verify the model on four conceptually different authentication methods in two observation scenarios. On the example of a novel hybrid authentication method based on associations, we explore the effect of input type on the adversary's effectiveness. We provide first empirical evidence that graphical passwords are easier to observe; however, that does not necessarily mean that the observed information will allow the attacker to guess the victim's password easier. An in-depth analysis of individual metrics within the clusters offers insight into many additional aspects of the shoulder surfing attack not explored before. Our comparative framework makes an advancement in evaluation of shoulder surfing and furthers our understanding of observational attacks. The results have important implications for future shoulder surfing studies and the field of Password Security as a whole.

Cryptography and Security