DOI: 10.1145/2414536.2414584
Research article

WYSWYE: shoulder surfing defense for recognition based graphical passwords

Published: 26 November 2012

Abstract

Recognition based graphical passwords are inherently vulnerable to shoulder surfing attacks because of their visual mode of interaction. In this paper, we propose and evaluate two novel shoulder-surfing defense techniques for recognition based graphical passwords. These techniques are based on the WYSWYE (Where You See is What You Enter) strategy, in which the user identifies a pattern of password images within a presented grid of images and replicates it onto another grid. We conducted controlled laboratory experiments to evaluate the usability and security of the proposed techniques. Both schemes had high login success rates with no failures in authentication. More than seventy percent of participants successfully logged on to the system on their first attempt in both schemes. The participants were satisfied with the schemes and were willing to use them in public places. In addition, both schemes were significantly more secure against shoulder surfing than normal unprotected recognition based graphical passwords. Login efficiency improved with practice in one of the proposed schemes. We believe the WYSWYE strategy has considerable potential and can easily be extended to other types of authentication systems such as text passwords and PINs.


Published In

OzCHI '12: Proceedings of the 24th Australian Computer-Human Interaction Conference
November 2012
692 pages

Sponsors

  • New Zealand Chapter of ACM SIGCHI
  • Human Factors & Ergonomics Soc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. graphical passwords
  2. observation attacks
  3. shoulder surfing
  4. user authentication

Qualifiers

  • Research-article

Conference

OzCHI '12
Sponsor:
  • Human Factors & Ergonomics Soc

Acceptance Rates

Overall Acceptance Rate 362 of 729 submissions, 50%

Article Metrics

  • Downloads (Last 12 months): 6
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 01 Mar 2025

Cited By

  • (2024) A Survey: Security Vulnerabilities and Protective Strategies for Graphical Passwords. Electronics, 13:15 (3042). DOI: 10.3390/electronics13153042. Online publication date: 1-Aug-2024
  • (2024) A systematic review of graphical password methods resistant to shoulder-surfing attacks. International Journal of Information Security, 24:1. DOI: 10.1007/s10207-024-00956-3. Online publication date: 18-Dec-2024
  • (2022) Analysis of Graphical Password Systems-Recognition Based GPS and Recall Based GPS. 2022 International Conference on Computer Communication and Informatics (ICCCI), (01-07). DOI: 10.1109/ICCCI54379.2022.9740899. Online publication date: 25-Jan-2022
  • (2020) Usability: Adoption, Measurement, Value. Human Factors: The Journal of the Human Factors and Ergonomics Society, 63:6 (956-973). DOI: 10.1177/0018720819895098. Online publication date: 14-Jan-2020
  • (2019) LocPass: A Graphical Password Method to Prevent Shoulder-Surfing. Symmetry, 11:10 (1252). DOI: 10.3390/sym11101252. Online publication date: 8-Oct-2019
  • (2019) Preventing Shoulder-Surfing Attacks using Digraph Substitution Rules and Pass-Image Output Feedback. Symmetry, 11:9 (1087). DOI: 10.3390/sym11091087. Online publication date: 30-Aug-2019
  • (2019) Shoulder surfing. International Journal of Human-Computer Studies, 130:C (1-20). DOI: 10.1016/j.ijhcs.2019.04.003. Online publication date: 1-Oct-2019
  • (2019) Explore-a-Nation: Combining Graphical and Alphanumeric Authentication. HCI for Cybersecurity, Privacy and Trust, (81-95). DOI: 10.1007/978-3-030-22351-9_6. Online publication date: 12-Jun-2019
  • (2019) Over-the-Shoulder Attack Resistant Graphical Authentication Schemes Impact on Working Memory. Advances in Human Factors in Cybersecurity, (79-86). DOI: 10.1007/978-3-030-20488-4_8. Online publication date: 6-Jun-2019
  • (2018) A Review on Recognition-Based Graphical Password Techniques. Computational Science and Technology, (503-512). DOI: 10.1007/978-981-13-2622-6_49. Online publication date: 28-Aug-2018
