Use Your Illusion: Secure Authentication Usable Anywhere
July 24, 2008 by Richard Conlan
http://cups.cs.cmu.edu/soups/2008/proceedings/p35Hayashi.pdf
This research proposes a graphical login system in which the images presented at login time are highly distorted versions of the images chosen at password creation time. The user should still be able to recognize the distorted version of the picture they originally chose. That said, there is a trade-off: as distortion increases, it may become harder for the user to associate the original with its distorted copy.
Unlike many graphical password schemes, UYI allows users to provide their own pictures, since the pictures will be distorted anyway. The distortion discards precise shapes and colors but preserves rough shapes and colors. An attacker will therefore not be able to tell what the distorted images represent, and will not be able to guess the proper image even if the user chose highly personal pictures.
The researchers ran a study in which users were asked to recognize pictures at different levels of distortion, in order to find the range of distortion in which an image is very hard to recognize without knowing the original but relatively easy to recognize when the original is known. They implemented a prototype on the web and on a Nokia cell phone.
In the prototype the user creates their password by choosing three images. They then go through a practice session in which they have to pick each of their images from a grid containing the proper image plus eight random incorrect images; during this phase there is explicit feedback on whether the user has chosen the proper image. Finally, the user logs in during an authentication phase that prompts the user to select the proper image from a field including eight random images, but with no immediate feedback. The user can choose the wrong image three times before authentication is considered failed.
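The login flow just described, as an added example that is not code from the paper or its prototype: a three-screen session with one correct image and eight decoys per screen, no per-screen feedback, a verdict only after all three choices, and lockout after three failed attempts. The image identifiers, the decoy pool, the `AuthSession` class and `random_guess_success` are constructed for this illustration; that "three times" means three complete failed login attempts, and that each password image keeps a fixed decoy set from enrolment onward, are assumptions about the prototype's behaviour.

```python
import secrets
from fractions import Fraction

GRID_SIZE = 9      # one correct image plus eight decoys per screen, as in the prototype
PASSWORD_LEN = 3   # the user enrols three images
MAX_ATTEMPTS = 3   # assumption: three failed logins end the session


class AuthSession:
    """One UYI-style login: three screens, no per-screen feedback, verdict at the end."""

    def __init__(self, password, decoy_pool):
        if len(password) != PASSWORD_LEN or len(set(password)) != PASSWORD_LEN:
            raise ValueError("password must be exactly three distinct images")
        self.rng = secrets.SystemRandom()        # OS entropy, not the default PRNG
        self.password = list(password)
        # Decoys are drawn from images that are not part of the password and are
        # fixed per password image at enrolment (assumption). Re-randomising them on
        # every login would let anyone who sees several grids for the same screen
        # pick out the one image common to all of them.
        pool = [img for img in decoy_pool if img not in self.password]
        if len(pool) < GRID_SIZE - 1:
            raise ValueError("need at least eight decoy images")
        self.decoys = {img: self.rng.sample(pool, GRID_SIZE - 1) for img in self.password}
        self.attempt = 0
        self.state = "in_progress"
        self._start_attempt()

    def _start_attempt(self):
        self.round = 0
        self.choices = []
        self._build_grid()

    def _build_grid(self):
        correct = self.password[self.round]
        grid = self.decoys[correct] + [correct]
        self.rng.shuffle(grid)                   # correct image moves position each time
        self.grid = grid

    def current_grid(self):
        """The nine image ids shown on the current screen."""
        return list(self.grid)

    def choose(self, image_id):
        """Record one selection and return the session state afterwards."""
        if self.state != "in_progress":
            raise RuntimeError("session is over: " + self.state)
        if image_id not in self.grid:
            raise ValueError("selection must be one of the displayed images")
        self.choices.append(image_id)
        self.round += 1
        if self.round < PASSWORD_LEN:
            self._build_grid()                   # next screen, no feedback on the last choice
            return self.state
        # All three screens answered: only now compare the whole sequence.
        self.attempt += 1
        if self.choices == self.password:
            self.state = "authenticated"
        elif self.attempt >= MAX_ATTEMPTS:
            self.state = "locked"
        else:
            self._start_attempt()                # wrong somewhere, but not told where
        return self.state


def random_guess_success(attempts=MAX_ATTEMPTS):
    """Probability that someone who cannot recognise the images gets in by guessing."""
    p_one_attempt = Fraction(1, GRID_SIZE) ** PASSWORD_LEN   # 1/729 per full attempt
    return 1 - (1 - p_one_attempt) ** attempts


if __name__ == "__main__":
    pool = ["decoy%02d" % i for i in range(30)]  # constructed sample image ids
    password = ["beach", "dog", "kitchen"]       # constructed enrolment choice
    session = AuthSession(password, pool)
    for img in password:
        print(session.current_grid(), "->", session.choose(img))
    print("guess success within 3 attempts:", float(random_guess_success()))
```

The number to take away from `random_guess_success` is that with nine images per screen and three screens, a guesser has a 1 in 729 chance per attempt; the lockout, not the distortion, is what keeps the online guessing budget small, while the distortion is what protects against an attacker who recognises the user's personal photos.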
The researchers completed two usability tests. The first had 45 participants and lasted one week; the second had 54 participants and lasted four weeks. For the first study, participants were divided into three groups with different degrees of image distortion. In each group they were asked to choose three pictures to create the password, then log in on the first day, the second day, and one week later. The non-distorted and somewhat distorted groups performed about equally, with only the heavily distorted group having notable problems.
For the second test the 54 participants were again divided into three groups. This test differed by having users also log in four weeks after the initial date, and by including a group in which users were not able to provide their own photos and only ever saw the distorted images. While the group with imposed, distorted images did the worst, the results were fairly similar across the three groups.