DOI: 10.1145/2501604.2501618
research-article

Usability and security evaluation of GeoPass: a geographic location-password scheme

Published: 24 July 2013

ABSTRACT

We design, implement, and evaluate GeoPass: an interface for digital map-based authentication where a user chooses a place as his or her password (i.e., a "location-password"). We conducted a multi-session in-lab/at-home user study to evaluate the usability, memorability, and security of location-passwords created with GeoPass. The results of our user study found that 97% of users were able to remember their location-password over the span of 8-9 days and most without any failed login attempts. Users generally welcomed GeoPass; all of the users who completed the study reported that they would at least consider using GeoPass for some of their accounts. We also perform an in-depth usability and security analysis of location-passwords. Our security analysis includes the effect of information that could be gleaned from social engineering. The results of our security analysis show that location-passwords created with GeoPass can have reasonable security against online attacks, even when accounting for social engineering attacks. Based on our results, we suggest GeoPass would be most appropriate in contexts where logins occur infrequently, e.g., as an alternative to secondary authentication methods used for password resets, or for infrequently used online accounts.


Published in

ACM Other conferences
SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security
July 2013
241 pages
ISBN: 9781450323192
DOI: 10.1145/2501604

Copyright © 2013 Copyright is held by the owner/author(s)

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article

Overall Acceptance Rate: 15 of 49 submissions, 31%
