Post on 24-Feb-2016
A Comprehensive Study of the Usability of multiple Graphical Passwords
Soum Chowdhury (Presenter)
Ron Poet
Lewis Mackenzie
School of Computing Science
PhD Researcher: An organism that converts caffeine and sandwiches/pizza into PhD thesis
Motivation
Text passwords:
1. Writing down the passwords
2. Reusing the same passwords
3. Sharing them with others
A potential solution: Images as password
'M' number of images = 1 password
Limitation of existing work:
• focused on the usability of a single password
• Users need to remember and use multiple passwords
Research Problem
'Which image type(s) performs best in terms of usability, when multiple passwords are used?'
Objectives
Compare the usability of 4 image types: Mikon, doodle, art and everyday object, when used as passwords
Registration
1: Username selection
2: Password image selection (4 images)
3: Password confirmation
4: Registration completion
Select 4 images
4 images = 1 password
Authentication
Four step login = 1 * 4 images (T)
Each step: 1 target + 15 decoys = 1 challenge set
Select 1 image (target) and move to next step
Result: Displayed at the end of the 4th (final) step
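Added example, not part of the original slides: a Python model of the registration and four-step login described above, with the result decided only after the final step. The function names, the string image ids, and the choice to fix each step's 15 decoys at registration and draw them from outside the password are assumptions made for illustration.

```python
import hmac
import secrets

STEPS = 4     # four-step login: one target image per step
DECOYS = 15   # decoys shown beside the target in each challenge set
_rng = secrets.SystemRandom()

def enroll(password, image_pool):
    """Pick each step's 15 decoys once, at registration (assumption)."""
    if len(password) != STEPS or len(set(password)) != STEPS:
        raise ValueError("a password is 4 distinct images")
    pool = [img for img in image_pool if img not in password]
    if len(pool) < DECOYS:
        raise ValueError("image pool too small for 15 decoys")
    # Fixed decoys: the same 16 images appear at a step on every login,
    # so the target is not the only image that keeps coming back.
    return [[target] + _rng.sample(pool, DECOYS) for target in password]

def present(challenge_sets):
    """Shuffle each stored challenge set for display at login."""
    return [_rng.sample(cs, len(cs)) for cs in challenge_sets]

def verify(password, selections):
    """Decide only after all four selections; no per-step feedback."""
    if len(selections) != STEPS:
        return False
    ok = True
    for want, got in zip(password, selections):
        ok &= hmac.compare_digest(want.encode(), got.encode())
    return ok

def blind_guess_probability():
    """Chance that picking one image at random per step passes."""
    return (1 / (DECOYS + 1)) ** STEPS

# Constructed sample data: 64 image ids, of which 4 form the password.
POOL = [f"img{n:03d}" for n in range(64)]
PASSWORD = ["img001", "img010", "img020", "img030"]

if __name__ == "__main__":
    shown = present(enroll(PASSWORD, POOL))
    print([len(s) for s in shown], verify(PASSWORD, PASSWORD))
    print(blind_guess_probability())
```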
IMAGE TYPES USED AS PASSWORD
(1) Mikon: These are icon-like images which have been drawn by users using a tool called the Mikon engine developed by Mikons.com
(2) Doodle: These images are drawn by users using pen on paper
Image types used in our research
(3) Art: These images were collected from a range of free websites and comprised paintings from different styles such as cubism, abstract and modernism
(4) Object: These images comprised pictures of food and drinks, sculpture and buildings as well as sports and leisure activities, again collected from a range of free websites
Why use these image types?
Most of the existing usability studies have been done with them
Since this is the first study of its kind, we did not concentrate on examining more image types
Experimental design / User Study
INDEPENDENT MEASURES
Conditions    # users
Mikon         25 users
Doodle        25 users
Art           25 users
Object        25 users
TASK OF EACH USER IN A CONDITION
1. Create 4 passwords (a survey with sample users)
2. Login with 4 passwords every week
3. Frequency of login was varied
Frequency of login in each week
[Figure: bar chart; x-axis: Week (1, 2, 3-4, 5, 6, 7, 8); y-axis: Number of login sessions with 1 password in a week (0 to 25)]
Week 1 is the training week; participants would get used to the system
User Demographics
100 participants of age 19-24 for a period of eight weeks
Grounded theory framework for pre-study survey
Result 1: Memorability
Mean successful login percentage: the mean successful login percentage was examined for each condition:
Shapiro-Wilk test: Normal Distribution
ANOVA: Significant difference in all conditions
Tukey post hoc test: Significant difference in each pair of conditions except Mikon and Object
[Figure: bar chart of mean login success percentage from week 2 to 8, by condition: Mikon 74.22, Doodle 67.4, Art 54.9, Object 77.4]
Object passwords are the most memorable whereas art passwords are the least
Weekly Login Success Percentage
[Figure: average weekly login success (y-axis, 0 to 90) by image type (mikon, doodle, art, object), one series per week: w2, w3-4, w5, w6, w7, w8]
The memorability decreases with time and less frequent usage
Result 2: Registration time
[Figure: mean registration time in seconds (y-axis, 0 to 140) by password (p1, p2, p3, p4), one series per image type: mikon, doodle, art, object]
Decreases from p1 (first registered password) to p4 (last registered password)
Decreases as users get used to the system
Result 3: Login time
[Figure: bar chart of mean login time in seconds, by condition: Mikon 19.52, Doodle 22.16, Art 24.56, Object 18.28]
Differences between the average login time of Mikon and doodle as well as Mikon and object passwords are not significant
Post Study: Strategy to create and remember password
[Figure: bar chart of participant % (y-axis, 0 to 60) by password creation strategy, one series per image type]
Strategy              Mikon  Doodle  Art  Object
story/patterns           42      33    5      32
personal likings         29      39   46      52
visual appeal             5       0   36      16
caption/verbal tag       13      18    0       0
random                   11      10   13       0
Mikon and doodle: story/pattern or personal likings
Art: personal likings or visual appeal
Object: personal likings or story
CONCLUSION-1
First study that compares the usability of multiple image passwords using 4 different image types: Mikon, doodle, art and objects
Results demonstrated that
object passwords are most usable in the sense of being more memorable and less time-consuming to employ;
Mikon images are close behind (without any significant difference);
but doodle and art images are significantly inferior
CONCLUSION-2
Do users find it difficult to remember multiple image passwords?
• Users do have problems remembering many image passwords.
• Hence they will face the same password memorability/management problems as that of text passwords, when the number of image passwords increases.
REMARKS-1
If a system is not usable, then the users will engage in insecure practices, which may compromise the security.
Solving the memorability problem of the passwords could prevent insecure coping mechanisms.
ONGOING WORK
'Hint based authentication'
A solution to address the memorability problem
Provide adequate security
REMARKS-2
In the absence of any related study of this kind, it is impossible to produce a flawless experimental design.
There is no standard procedure to design experiments for studying multiple image passwords.
(Major limitation of our field)
The use of different experimental frameworks, dependent variables and image types makes it difficult to allow systematic comparison of our results with them.
REMARKS-3
We believe that the experimental design in our user studies is:
valid as it answers the research question through the data we collected;
reliable as it can be reproduced by the research community;
most importantly, such a study for the stated research problem has not been conducted in the past.
Learn – Unlearn – Relearn