Eiji Hayashi
Adrian Perrig
ABSTRACT
In this paper, we propose and evaluate Use Your Illusion, a novel mechanism for user authentication that is secure and usable regardless of the size of the device on which it is used. Our system relies on the human ability to recognize a degraded version of a previously seen image. We illustrate how distorted images can be used to maintain the usability of graphical password schemes while making them more resilient to social engineering or observation attacks. Because it is difficult to mentally "revert" a degraded image, without knowledge of the original image, our scheme provides a strong line of defense against impostor access, while preserving the desirable memorability properties of graphical password schemes.
Using low-fidelity tests to aid in the design, we implement prototypes of Use Your Illusion as i) an Ajax-based web service and ii) on Nokia N70 cellular phones. We conduct a between-subjects usability study of the cellular phone prototype with a total of 99 participants in two experiments. We demonstrate that, regardless of their age or gender, users are very skilled at recognizing degraded versions of self-chosen images, even on small displays and after time periods of one month. Our results indicate that graphical passwords with distorted images can achieve equivalent error rates to those using traditional images, but only when the original image is known.
- Flickr. http://www.flickr.com.Google Scholar
- Phoney finance. The Economist. October 26, 2006. http://www.economist.com/finance/displaystory.cfm?story_id=8089667.Google Scholar
- R. Anderson. Why cryptosystems fail. In Proc. ACM CCS, pages 215--227, Nov. 1993. Google ScholarDigital Library
- G. Blonder. United states patent, 1996. United States Patent 5559961.Google Scholar
- G. H. Bower, M. B. Karlin, and A. Dueck. Comprehension and memory for pictures. Memory and Cognition, 2:216--220, 1975.Google ScholarCross Ref
- S. Brostoff and M. Sasse. Are passfaces more usable than passwords? A field trial investigation. In Proceedings of HCI 2000, pages 405--424, Sept. 2000.Google ScholarCross Ref
- M. Burton, S. Wilson, M. Cowan, and V. Bruce. Face recognition in poor quality video: Evidence from security surveillance. Psychological Science, 10:243--248, 1999.Google ScholarCross Ref
- R. Dhamija and A. Perrig. Déjà vu: A user study, using images for authentication. In Proc. 9th USENIX Security Symp., Aug. 2000. Google ScholarDigital Library
- R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. In Proc. 1st Symp. on Usable Privacy and Security, 2005. Google ScholarDigital Library
- A. Goldstein and J. E. Chance. Visual recognition memory for complex configurations. Perception and Psychophysics, 9:237--241, 1970.Google ScholarCross Ref
- P. Golle and D. Wagner. Cryptanalysis of a cognitive authentication scheme. In Proc. of the 2007 IEEE Symposium on Security and Privacy, 2007. Google ScholarDigital Library
- R. L. Gregory. The Intelligent Eye. 1970.Google Scholar
- A. Harada, T. Isarida, T. Mizuno, and M. Nishigaki. A user authentication system using schema of visual memory. In Proc. BioADIT'06, pages 338--345, Jan. 2006. Google ScholarDigital Library
- Z. Henderson, V. Bruce, and M. Burton. Matching the faces of robbers captured on video. Applied Cognitive Psychology, 15:445--464, 2001.Google ScholarCross Ref
- G. J. Holzmann. Beyond Photography: The Digital Darkroom. Prentice Hall, June 1988. Google ScholarDigital Library
- I. Jermyn, A. Mayer, F. M. M. Reiter, and A. Rubin. The design and analysis of graphical passwords. In Proc. 8th USENIX Security Symp., Aug. 1999. Google ScholarDigital Library
- H. Kinjo and J. G. Snodgrass. Does the generation effect occur for pictures? Amer. J. of Psych., 6:156--163, 2000.Google Scholar
- T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. Impact of artificial gummy fingers on fingerprint systems. In Proc. SPIE: Optical Security and Counterfeit Deterrence Techniques IV, volume 4677, pages 275--289, Jan. 2002.Google ScholarCross Ref
- W. Moncur and G. Leplâtre. Pictures at the ATM: exploring the usability of multiple graphical passwords. In Proc. ACM CHI, pages 887--894, Apr. 2007. Google ScholarDigital Library
- F. Monrose, D. Davis, and M. Reiter. On user choice to graphical password schemes. In Proc. of the 13th USENIX Security Symp., pages 151--164, San Diego, CA, Aug. 2004. Google ScholarDigital Library
- Real User Corporation. The science behind Passfaces, 2001. http://www.realusers.com.Google Scholar
- H. Sasamoto, N. Christin, and E. Hayashi. Undercover: Authentication usable in front of prying eyes. In Proceedings of 2008 ACM Symposium on Computer-Human Interaction (CHI'08), Florence, Italy, Apr. 2008. To appear. Google ScholarDigital Library
- R. Shepard. Recognition memory for words, sentences and pictures. J. Verbal Learning and Verbal Behavior, 113(1):95--121, 1967.Google Scholar
- Sony Corporation. Overview of FeliCa. http://www.sony.net/Products/felica/abt/dvs.html.Google Scholar
- L. Standing, J. Conezio, and R. N. Haber. Perception and memory for pictures: single trial learning of 2,500 visual stimuli. Psychonomic Sci., 19(2):73--74, 1970.Google ScholarCross Ref
- A. Stubblefield and D. Simon. Inkblot authentication. Technical Report MSR-TR-2004-85, Aug. 2004.Google Scholar
- J. Thorpe and P. van Oorschot. Graphical dictionaries and the memorable space of graphical passwords. In Proc. 13th USENIX Security Symp., Aug. 2004. Google ScholarDigital Library
- J. Thorpe and P. van Oorschot. Towards secure design choices for implementing graphical passwords. In Proc. 20th ACSAC, Dec. 2004. Google ScholarDigital Library
- J. Thorpe and P. van Oorschot. Human-seeded attacks and exploiting hot-spots in graphical passwords. In Proc. 16th USENIX Security Symp., Aug. 2007. Google ScholarDigital Library
- D. Weinshall. Cognitive authentication schemes safe against spyware. In Proc. IEEE Symp. Sec. and Privacy, May 2006. Google ScholarDigital Library
- S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon. Authentication using graphical passwords: Basic results. In HCI International, July 2005.Google Scholar
- S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon. Authentication using graphical passwords: effects of tolerance and image choice. In Proc. of the 1st Symp. Usable Privacy and Security, pages 1--12, July 2005. Google ScholarDigital Library
Index Terms
- Use Your Illusion: secure authentication usable anywhere
Recommendations
Design and evaluation of a shoulder-surfing resistant graphical password scheme
AVI '06: Proceedings of the working conference on Advanced visual interfacesWhen users input their passwords in a public place, they may be at risk of attackers stealing their password. An attacker can capture a password by direct observation or by recording the individual's authentication session. This is referred to as ...
Authentication using graphical passwords: effects of tolerance and image choice
SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and securityGraphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings. We have developed one such system, called PassPoints, and evaluated it with human users. ...
A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords
SOUPS '06: Proceedings of the second symposium on Usable privacy and securityPrevious research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased ...
Comments