Abstract
Over the last decade, several proposals have been made to replace the common personal identification number, or PIN, with often-complicated but theoretically more secure systems. We present a case study of one such system, a specific implementation of system-assigned one-time PINs called PassGrids. We apply various modifications to the basic scheme, allowing us to review usability vs. security trade-offs as a function of the complexity of the authentication scheme. Our results show that most variations of this one-time PIN system are more enjoyable and no more difficult than PINs, although accuracy suffers for the more complicated variants. Some variants increase resilience against observation attacks, but the number of users who write down or otherwise store their password increases with the complexity of the scheme. Our results shed light on the extent to which users are able and willing to tolerate complications to authentication schemes, and provides useful insights for designers of new password schemes.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Adar, E.: Why i hate mechanical turk research (and workshops). In: Proc. CHI Workshop on Crowdsourcing and Human Computation (2011)
Anderson, R.: Why cryptosystems fail. In: ACM CCS 1993, pp. 215–227 (1993)
Asghar, H.J., Li, S., Pieprzyk, J., Wang, H.: Cryptanalysis of the convex hull click human identification protocol. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 24–30. Springer, Heidelberg (2011)
Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: WOOT 2010, pp. 1–7 (2010)
Biddle, R., Chiasson, S., van Ookrschot, P.: Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (2011) (to appear)
Bond, M.: Comments on gridsure authentication (2008), http://www.cl.cam.ac.uk/~mkb23/
Brostoff, S., Inglesant, P., Sasse, M.A.: Evaluating the usability and security of a graphical one-time PIN system. In: BCS Conference on HCI (2010)
Brostoff, S., Sasse, A.: Are passfaces more usable than passwords? a field trial investigation. In: HCI 2000, pp. 405–424 (2000)
Buhrmester, M., Kwang, T., Gosling, S.D.: Amazon’s Mechanical Turk: A new source of inexpensive, yet high-quality, data? Perspectives on Psychological Science 6(1), 3–5 (2011)
De Luca, A., Denzel, M., Hussmann, H.: Look into my eyes!: Can you guess my password? In: SOUPS 2009, pp. 1–12. ACM (2009)
Downs, J.S., Holbrook, M.B., Sheng, S., Cranor, L.F.: Are your participants gaming the system? Screening Mechanical Turk workers. In: Proc. CHI (2010)
Golle, P., Wagner, D.: Cryptanalysis of a cognitive authentication scheme. In: IEEE SP 2007 (2007)
Jakobsson, M.: Experimenting on Mechanical Turk: 5 How Tos (July 2009), http://blogs.parc.com/blog/2009/07/experimenting-on-mechanical-turk-5-how-tos/
Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: USENIX Security Symposium, p. 1 (1999)
Kittur, A., Chi, E.H., Suh, B.: Crowdsourcing user studies with Mechanical Turk. In: Proc. CHI (2008)
Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S.: Of passwords and people: Measuring the effect of password-composition policies. In: CHI 2011 (2011)
Krebs, B.: ATM skimmers: Hacking the cash machine (2011), http://krebsonsecurity.com/2011/04/atm-skimmers-hacking-the-cash-machine/
Sasamoto, H., Christin, N., Hayashi, E.: Undercover: authentication usable in front of prying eyes. In: SIGCHI 2008, pp. 183–192. ACM (2008)
Suo, X., Zhu, Y., Owen, G.S.: Graphical passwords: A survey. In: ACSAC 2005, pp. 463–472 (2005)
SyferLock. Syferlock technology, http://www.syferlock.com/day1/demovidpin.htm
Tari, F., Ozok, A.A., Holden, S.H.: A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In: SOUPS 2006, pp. 56–66 (2006)
Thorpe, J., van Oorschot, P.C.: Human-seeded attacks and exploiting hot-spots in graphical passwords. In: USENIX Security Symposium, pp. 8:1–8:16 (2007)
Toomim, M., Kriplean, T., Pörtner, C., Landay, J.: Utility of human-computer interactions: toward a science of preference measurement. In: Proc. CHI (2011)
Weiss, R., De Luca, A.: Passshapes: Utilizing stroke based authentication to increase password memorability. In: 5th Nordic Conference on HCI (2008)
Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., Memon, N.: Authentication using graphical passwords: effects of tolerance and image choice. In: SOUPS 2005, pp. 1–12 (2005)
Wiedenbeck, S., Waters, J., Sobrado, L., Birget, J.-C.: Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: AVI 2006, pp. 177–184 (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kelley, P.G. et al. (2013). The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs. In: Adams, A.A., Brenner, M., Smith, M. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7862. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41320-9_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-41320-9_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41319-3
Online ISBN: 978-3-642-41320-9
eBook Packages: Computer ScienceComputer Science (R0)