ABSTRACT
The increasingly widespread use of mobile devices for processing monetary transactions and accessing business secrets has created great demand for securing them. Poorly designed authentication mechanisms on mobile devices (e.g., screen lock and SIM card lock) either make locking the device feel like a hassle to users or are vulnerable to attacks such as shoulder surfing and smudge attacks.
In this paper, we propose a new login option for unlocking mobile devices called Time-Evolving Graphical Password (TEGP), which improves the strength of the password gradually over time by evolving the distortion degree of the images in the challenge portfolio without changing the pass images. By taking advantage of the extraordinary human ability to recall images, TEGP authenticates users by asking them to recognize the pass images, which are transformed from the images uploaded by the user at registration. To achieve the desired security while retaining usability, we present two metrics, Information Retention Rate (IRR) and Password Diversity Score (PDS), to guide the selection and distortion of the pass images and decoy images. Our experimental results show the memorability of TEGP from the perspective of users, and its ability to defend against various attacks.
Index Terms
- Time evolving graphical password for securing mobile devices