DOI: 10.1145/3411764.3445105

LociMotion: Towards Learning a Strong Authentication Secret in a Single Session

Published: 07 May 2021

Abstract

In this work, we design and evaluate LociMotion, a training interface to learn a strong authentication secret in a single session. LociMotion automatically takes a random password with twelve lowercase letters (56-bit entropy) to generate the training interface. It first leverages users’ spatial and visual (declarative) memory by showing them a video clip based on the method of loci, and then consolidates the learning process by having them play a computer game that leverages their motor (procedural) memory. The results of a memorability study with 300 participants showed that LociMotion had a significantly higher recall success rate than a control condition. A second study with 200 participants demonstrated the effectiveness of LociMotion over a period of time (99%, 96%, and 81% recall success rates after 1, 4, and 18 days, respectively). LociMotion offers an alternative to the spaced repetition technique, as it does not require dozens of training sessions.


Published In

CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems
May 2021
10862 pages
ISBN: 9781450380966
DOI: 10.1145/3411764
Publisher

Association for Computing Machinery

New York, NY, United States


Badges

  • Honorable Mention

Author Tags

  1. Authentication
  2. memorability
  3. system-assigned passwords
  4. usable security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CHI '21

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
