03-12-2012, 02:34 PM
Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice
ABSTRACT
Graphical passwords are an alternative to alphanumeric
passwords in which users click on images to authenticate
themselves rather than type alphanumeric strings. We have
developed one such system, called PassPoints, and evaluated it
with human users. The results of the evaluation were promising
with respect to memorability of the graphical password. In this
study we expand our human factors testing by studying two
issues: the effect of tolerance, or margin of error, in clicking on
the password points and the effect of the image used in the
password system. In our tolerance study, results show that
accurate memory for the password is strongly reduced when using
a small tolerance (10 × 10 pixels) around the user’s password
points. This may occur because users fail to encode the password
points in memory in the precise manner that is necessary to
remember the password over a lapse of time. In our image study
we compared user performance on four everyday images. The
results indicate that there were few significant differences in
performance of the images. This preliminary result suggests that
many images may support memorability in graphical password
systems.
INTRODUCTION
Because of increasing threats to networked computer systems,
there is great need for security innovations. Security practitioners
and researchers have made strides in protecting systems and,
correspondingly, individual users’ digital assets. However, the
problem arises that, until recently, security was treated wholly as
a technical problem – the system user was not factored into the
equation. Users interact with security technologies either
passively or actively. For passive use understandability may be
sufficient for users. For active use people need much more from
their security solutions: ease of use, memorability, efficiency,
effectiveness and satisfaction. Today there is an increasing
recognition that security issues are also fundamentally human-computer
interaction issues [15, 25].
Authentication is the process of determining whether a user
should be allowed access to a particular system or resource. It is a
critical area of security research and practice. Alphanumeric
passwords are used widely for authentication, but other methods
are also available today, including biometrics and smart cards [11,
19]. However, there are problems with these alternative
technologies. Biometrics raise privacy concerns and smart cards
usually need a PIN because cards can be lost. As a result,
passwords are still dominant and are expected to continue to
remain so for some time [10].
Graphical Passwords
Why Graphical Passwords May Be Better
Most graphical password systems are based on either recognition
or cued recall. In recognition-based systems the user must
recognize previously chosen images from a larger group of
distractor images. The decision is binary: either the image is
known (recognized) or not known. In cued recall password
systems users must click on several previously chosen areas in an
image, cued by viewing the image.
Both types of systems may have memory advantages over
alphanumeric passwords. Alphanumeric passwords are based on
pure recall (presuming the user has not written the password
down). It is known that recognition memory is better than unaided
recall [24]. Furthermore, psychological studies show that images
are recognized with very high accuracy (up to 98 percent) after a
two hour delay, which is much higher than accuracy for words
and sentences [30]. In addition, it has been found that error in
recognition of images is only 17 percent after viewing 10,000
pictures [31]. Studies of recall also confirm that pictures are
recalled better than words [26] and this has led to the tag “picture
superiority effect” [23].
TOLERANCE STUDY
The objective of this study was to understand the effect of
different tolerance sizes around user click points. The tolerance
can be varied in the system. Our question is how does varying the
tolerance affect success in graphical password use. In a previous
experiment [33, 34] we used a relatively large tolerance. However,
this tolerance restricted the password space more than we liked.
Therefore, we experimented with smaller tolerances to see how
they affect user performance.
Methodology
Thirty-two undergraduate students, ranging from their first year to
their last year of studies, participated in the experiment. Ten were
female and 22 were male. The mean age of participants was 22.7
(SD=1.33). Most of the participants were majoring in information
systems. They all used PCs frequently.
The PassPoints system used in this study was the same as in [33,
34], except that it used a different image. The interface included
the image used for testing and several buttons. The single image
used in this experiment depicted a colorful scene of children
painting murals in a room. The size of the image was 451 × 331
pixels. Two tolerances around the click points were used: 14 × 14
pixels, and 10 × 10 (Table 1). In our earlier study of PassPoints
[33, 34] we used a tolerance of 20 × 20 pixels and found that users
were quite successful. In studying the effects of smaller tolerances
we chose the 14 × 14 pixel tolerance and the 10 × 10 pixel
tolerance because they were respectively about one-half and one-quarter
of the area of the 20 × 20 tolerance, as shown in Table 1.
Conclusion
With respect to the tolerance experiment, we can conclude that
the smaller tolerance of 10 × 10 pixels seriously impaired users’
memory, and correspondingly increased their password input
time, after one week in which the password was not used. Our
interpretation of this phenomenon is that users who forgot their
passwords failed in the learning phase to encode their password
points in memory precisely. Generally, they were able to identify
the area of their point but had not stored sufficiently precise
knowledge about the points. With the small tolerance they were
much less likely to click within the tolerance than users in the
larger 14 × 14 pixel tolerance. This effect would be likely to
decrease with long-term, regular use of the password, i.e., as their
performance became more automated. However, if that precise
memory decayed over a long lapse in usage, the user would again
be susceptible to failure because of the small margin of error.
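
The tolerance trade-off described above, as an added example that is not code from the paper or from the PassPoints system: a click-point verifier run at the three tolerances mentioned, next to an estimate of the theoretical password space on the 451 × 331 image. The number of click points (5), the accept rule (offset of at most half the tolerance on each axis), the sample coordinates and the password-space approximation are assumptions of this example.

```python
import math

IMAGE_W, IMAGE_H = 451, 331   # image size stated in the study
CLICK_POINTS = 5              # assumption: the excerpt does not state the number of points

def within_tolerance(enrolled, clicked, tol):
    """Accept a click inside the tol x tol square centred on the enrolled point.
    Assumption: an offset of up to tol/2 pixels on each axis is accepted."""
    half = tol / 2
    return (abs(clicked[0] - enrolled[0]) <= half and
            abs(clicked[1] - enrolled[1]) <= half)

def verify(enrolled_points, clicked_points, tol):
    """Ordered comparison: each click must match its enrolled point in sequence."""
    if len(enrolled_points) != len(clicked_points):
        return False
    return all(within_tolerance(e, c, tol)
               for e, c in zip(enrolled_points, clicked_points))

def password_space_bits(tol, points=CLICK_POINTS):
    """Common approximation (not a formula from the page):
    (number of non-overlapping tol x tol regions) ** points, expressed in bits."""
    regions = (IMAGE_W * IMAGE_H) / (tol * tol)
    return points * math.log2(regions)

# Constructed sample data: an enrolled password and a later login attempt in
# which the user finds the right area but is off by up to 6 pixels per axis.
ENROLLED = [(52, 40), (130, 210), (300, 95), (410, 300), (225, 160)]
ATTEMPT = [(58, 43), (126, 204), (306, 99), (404, 297), (231, 155)]

def summary():
    """Map each tolerance to (login accepted?, approximate password space in bits)."""
    return {tol: (verify(ENROLLED, ATTEMPT, tol), password_space_bits(tol))
            for tol in (20, 14, 10)}

if __name__ == "__main__":
    for tol, (accepted, bits) in summary().items():
        print(f"{tol} x {tol}: accepted={accepted}, ~{bits:.1f} bits")
```

The same slightly imprecise attempt is accepted at 20 × 20 and 14 × 14 but rejected at 10 × 10, while each halving of the tolerance side adds two bits per click point to the estimated password space.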