DOI: 10.1145/3204493.3204589

Towards gaze-based quantification of the security of graphical authentication schemes

Published: 14 June 2018

Abstract

In this paper, we introduce a two-step method for estimating the strength of user-created graphical passwords based on eye-gaze behaviour during password composition. First, the individual's gaze patterns, represented by the unique fixations on each area of interest (AOI) and the total fixation duration per AOI, are calculated. Second, the gaze-based entropy of the individual is calculated. To investigate whether the proposed metric is a credible predictor of password strength, we conducted two feasibility studies. Results revealed a strong positive correlation between the strength of the created passwords and the gaze-based entropy. Hence, we argue that the proposed gaze-based metric allows for unobtrusive prediction of the strength of the password a user is going to create and enables intervention during password composition to help users create stronger passwords.



Published In

ETRA '18: Proceedings of the 2018 ACM Symposium on Eye Tracking Research & Applications
June 2018
595 pages
ISBN:9781450357067
DOI:10.1145/3204493

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. entropy
  2. eye-tracking
  3. graphical passwords
  4. graphical user authentication
  5. password strength estimation

Qualifiers

  • Short-paper

Funding Sources

  • General Secretariat for Research and Technology (GSRT) and the Hellenic Foundation for Research and Innovation (H.F.R.I.)

Conference

ETRA '18

Acceptance Rates

Overall Acceptance Rate 69 of 137 submissions, 50%


Cited By

  • (2025) A Review on Secure Authentication Mechanisms for Mobile Security. Sensors 25:3 (700). DOI: 10.3390/s25030700. Online publication date: 24-Jan-2025
  • (2022) “Your Eyes Tell You Have Used This Password Before”: Identifying Password Reuse from Gaze and Keystroke Dynamics. Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (1-16). DOI: 10.1145/3491102.3517531. Online publication date: 29-Apr-2022
  • (2021) Eye-GUAna: Higher Gaze-Based Entropy and Increased Password Space in Graphical User Authentication Through Gamification. ACM Symposium on Eye Tracking Research and Applications (1-7). DOI: 10.1145/3448018.3458615. Online publication date: 25-May-2021
  • (2021) GazeMeter: Exploring the Usage of Gaze Behaviour to Enhance Password Assessments. ACM Symposium on Eye Tracking Research and Applications (1-12). DOI: 10.1145/3448017.3457384. Online publication date: 25-May-2021
  • (2021) Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing. ACM Transactions on Computer-Human Interaction 28:1 (1-44). DOI: 10.1145/3428121. Online publication date: 20-Jan-2021
  • (2021) Understanding Insider Attacks in Personalized Picture Password Schemes. Human-Computer Interaction – INTERACT 2021 (722-731). DOI: 10.1007/978-3-030-85610-6_42. Online publication date: 30-Aug-2021
  • (2020) CogniPGA: Longitudinal Evaluation of Picture Gesture Authentication with Cognition-Based Intervention. i-com 18:3 (237-257). DOI: 10.1515/icom-2019-0011. Online publication date: 14-Jan-2020
  • (2020) GazeLockPatterns: Comparing Authentication Using Gaze and Touch for Entering Lock Patterns. ACM Symposium on Eye Tracking Research and Applications (1-6). DOI: 10.1145/3379156.3391371. Online publication date: 2-Jun-2020
  • (2020) An eye gaze-driven metric for estimating the strength of graphical passwords based on image hotspots. Proceedings of the 25th International Conference on Intelligent User Interfaces (33-37). DOI: 10.1145/3377325.3377537. Online publication date: 17-Mar-2020
  • (2020) The Role of Eye Gaze in Security and Privacy Applications: Survey and Future HCI Research Directions. Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (1-21). DOI: 10.1145/3313831.3376840. Online publication date: 21-Apr-2020
