Short paper. DOI: 10.1145/3448018.3458615

Eye-GUAna: Higher Gaze-Based Entropy and Increased Password Space in Graphical User Authentication Through Gamification

Published: 25 May 2021

Abstract

Graphical user authentication (GUA) is a common alternative to text-based user authentication, where people are required to draw graphical passwords on background images. Recent research provides evidence that gamification of the graphical password creation process influences people to make less predictable choices. Aiming to understand the underlying reasons from a visual behavior perspective, in this paper, we report a small-scale eye-tracking study that compares the visual behavior developed by people who follow a gamified approach and people who follow a non-gamified approach to make their graphical password choices. The results show that people who follow a gamified approach have higher gaze-based entropy, as they fixate on more image areas and for longer periods, and thus, they have an increased effective password space, which could lead to better and less predictable password choices.


Published In

ETRA '21 Short Papers: ACM Symposium on Eye Tracking Research and Applications
May 2021
232 pages
ISBN: 9781450383455
DOI: 10.1145/3448018

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. eye-tracking
2. games and play
3. gamification
4. graphical passwords
5. user authentication

Qualifiers

• Short-paper
• Research
• Refereed limited

Conference

ETRA '21

Overall Acceptance Rate: 69 of 137 submissions, 50%
