Analysis of a two-factor graphical password scheme

Regular Contribution
International Journal of Information Security

Abstract

Graphical passwords are a promising research branch, but implementing many of the proposed schemes requires considerable resources (e.g., data storage, high-quality displays), which makes them hard to use on small devices such as old-fashioned ATM terminals. Furthermore, such schemes often lack a careful security analysis. In this paper, we analyze the security and usability of an authentication mechanism that can be instantiated as a graphical password scheme. We model the information an adversary might extract by analyzing the transcripts of authentication sessions as a boolean formula. Our experiments show that the time needed by a passive adversary to extract the user secret in the last protocol presented grows exponentially in the system parameter, giving evidence of the security of the proposed scheme.
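The abstract describes the analysis technique only in one sentence: every eavesdropped (challenge, response) pair is turned into a constraint on the secret, the conjunction of those constraints is the adversary's boolean formula, and a solver enumerates the secrets that satisfy it. The following Python example, added here and not code from the paper or its authors, shows that pipeline end to end on a constructed toy protocol. The toy protocol (an n-bit secret, a verifier that names k positions, a user who answers 1 iff at least `threshold` of the named secret bits are set), the names `respond`, `constraint_status`, `consistent_secrets` and `candidates_after`, and the sample secret and challenges are all assumptions for illustration; the scheme analysed in the paper is not reproduced here, and the toy is not expected to show the exponential growth the paper reports. What the example does show is the generic machinery: a partial-assignment evaluator for each transcript constraint and a DPLL-style backtracking search over the non-clausal formula, with the candidate set shrinking as more sessions are observed.

```python
"""Passive-adversary model: authentication transcripts -> boolean formula -> solver.

Constructed toy protocol (NOT the scheme analysed in the paper):
  secret    : n-bit tuple
  challenge : tuple of k positions chosen by the verifier, sent in clear
  response  : 1 iff at least `threshold` of the queried secret bits are 1
A passive eavesdropper records (challenge, response) pairs; each one is a
constraint on the secret and their conjunction is the adversary's formula.
"""
from typing import Iterable, List, Optional, Sequence, Tuple

Challenge = Tuple[int, ...]          # positions queried in one round
Transcript = Tuple[Challenge, int]   # (challenge, observed response)


def respond(secret: Sequence[int], challenge: Challenge, threshold: int) -> int:
    """Honest user's answer in the toy protocol."""
    return int(sum(secret[i] for i in challenge) >= threshold)


def constraint_status(assign: List[Optional[int]], challenge: Challenge,
                      response: int, threshold: int) -> Optional[bool]:
    """Evaluate one transcript constraint under a partial assignment.

    Returns False if the constraint is already violated, True if it is
    already satisfied, None if still undetermined (some queried bits unset).
    """
    ones = sum(1 for i in challenge if assign[i] == 1)
    free = sum(1 for i in challenge if assign[i] is None)
    if response == 1:                 # final count must be >= threshold
        if ones >= threshold:
            return True
        if ones + free < threshold:
            return False
        return None
    # response == 0: final count must be < threshold
    if ones + free < threshold:
        return True
    if ones >= threshold:
        return False
    return None


def consistent_secrets(n: int, threshold: int,
                       transcripts: Iterable[Transcript]) -> List[Tuple[int, ...]]:
    """Enumerate all secrets satisfying AND_i constraint_i (DPLL-style search).

    Bits are assigned left to right; a branch is cut as soon as any observed
    transcript is definitely contradicted by the partial assignment.
    """
    transcripts = list(transcripts)
    found: List[Tuple[int, ...]] = []
    assign: List[Optional[int]] = [None] * n

    def search(pos: int) -> None:
        for ch, r in transcripts:
            if constraint_status(assign, ch, r, threshold) is False:
                return                # unit-propagation-free pruning, sound
        if pos == n:
            found.append(tuple(assign))   # every constraint is fully decided here
            return
        for bit in (0, 1):
            assign[pos] = bit
            search(pos + 1)
        assign[pos] = None

    search(0)
    return found


# Constructed sample run (assumed values): 6-bit secret, threshold 2,
# nine eavesdropped rounds with three positions queried per round.
SECRET = (1, 0, 1, 1, 0, 0)
THRESHOLD = 2
CHALLENGES = [(0, 1, 2), (1, 4, 5), (3, 4, 5), (0, 3, 4), (2, 3, 5),
              (0, 1, 5), (1, 2, 4), (0, 2, 4), (1, 3, 5)]
TRANSCRIPTS = [(c, respond(SECRET, c, THRESHOLD)) for c in CHALLENGES]


def candidates_after(rounds: int) -> List[Tuple[int, ...]]:
    """Secrets still consistent with the first `rounds` observed sessions."""
    return consistent_secrets(len(SECRET), THRESHOLD, TRANSCRIPTS[:rounds])


if __name__ == "__main__":
    for k in range(len(TRANSCRIPTS) + 1):
        print(f"after {k} observed sessions: {len(candidates_after(k))} candidate secrets")
```

The interesting measurement for a scheme like the one in the paper is not the final candidate count but the work the search does as the system parameter grows; instrumenting `search` with a node counter and plotting it against `n` is the one-line change that turns this into the kind of experiment the abstract describes.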



Notes

  1. See http://logic.pdmi.ras.ru/~basolver/rtl.html for some details.



Correspondence to Clemente Galdi.


Catuogno, L., Galdi, C. Analysis of a two-factor graphical password scheme. Int. J. Inf. Secur. 13, 421–437 (2014). https://doi.org/10.1007/s10207-014-0228-y
