The following subsections will present a brief overview of the usability of cued recall-based GASs, followed by a brief discussion of some common security vulnerabilities in these systems. Table 2.2 summarises the usability results reported in the existing literature of cued recall-based GASs.
2.3.1 Usability of Cued Recall GASs
The literature in cued recall-based systems is dominated by PassPoints (Wiedenbeck et al., 2005a; 2005b). A password in this system is a sequence of five click-points selected by the user on an image assigned by the system. During login, the user must choose each click-point in the correct order and within a tolerance area specified by the system, as shown in Figure
27
2.5. The results of the lab-based studies reported in Wiedenbeck et al. (2005a) showed that the password creation time was 64 sec, and the users required an additional average training time of 171 sec to memorise their respective passwords. The mean login success rate varied between 55% and 90%, whereas the mean login time varied between 9sec and 19 sec.
Figure 2.5: An example of PassPoints (Wiedenbeck et al., 2005a)
Cued Click Points (CCP) was reported in Chiasson & Oorschot (2007), where a user is required to choose a single point (click-point), on each of the five distinct images presented by the system in a sequential order, unlike Passpoints (five points on one image). The images in sequence are dependent on the coordinates of the click point in the prior image. Hence a wrong selection during the login process, would not display any of the images that were used to create the respective click points. The result of the authentication session is shown only after the final point is clicked. The study reported in Chiasson & Oorschot (2007) showed that the mean registration time was 25 sec and the mean authentication time was 7 sec. The mean success rate was 96%. The analysis of the click points chosen by the users revealed that, users tended to choose points falling within known hotspots, i.e. popular points or areas of an image with higher probability of being chosen as click-points.
Persuasive Cued Click Points (PCCP) is a variant of CCP, designed to persuade the users to select more secure passwords (Chiasson et al., 2011). During the password registration, the image is dimmed, except for a small square view-port area randomly positioned on the image, as shown in Figure 2.6. Users can either select a click point from within the viewport, or press the shuffle button to randomly reposition the viewport, until they are satisfied with the location. The login process is same as that of CCP. The idea was to reduce the hotspots, by flattening the distribution of the click-points across multiple users. The login success rate of PCCP (83%-94%) was similar to CCP. However, the mean password registration time
28
increased to 50 sec in PCCP, mainly due to the participants who shuffled the viewport repeatedly. It took almost 8 sec to login in PCCP. The review of PCCP presented in Biddle et al. (2009) reported that login time in PCCP varies between 11 sec – 89 sec.
Figure 2.6: PCCP with a view-port area (Chiasson et al., 2011)
Suo (2006) proposed a modified version of PassPoints to resist against the shoulder surfing attacks. The registration process is same as the Passpoints. During login, the image is blurred except a small focus area. Users must enter Y or N using a keyboard, or use the right and left mouse buttons, to indicate, if the click points selected during registration are within the focussed area. This process is repeated for at most 10 rounds, until all the click points are identified. However, the author did not report any user study to demonstrate the effectiveness and efficiency of the proposed approach.
Alsilaiman & El Saddik (2006) proposed a system, where users would navigate a 3D environment, and perform a sequence of actions such as clicking on certain areas, interacting with certain parts of the virtual world, typing or drawing on the virtual surface, which will be interpreted as their password. The idea is that 3D environment will act as the cue to prompt the users to repeat their actions. A prototype was implemented, where users can walk through a virtual art gallery, and enter text passwords at the virtual computers or select pictures to form their passwords. However, no user studies were conducted to demonstrate the effectiveness and efficiency of the proposed system.
29
A variant of cued recall-based system, also known as Windows Picture Passwords has been commercially deployed on Windows operating system (Windows, 2011). In this mechanism, users are first required to choose an image from their personal collection (any collection), and then highlight the parts of the image that are either important or interesting to them. The highlighted sections (gestures) on the image form the password. Ideally, the user has to choose three gestures (analogous to three click-points in CCP). The users can choose the gestures by: clicking on the image using a mouse in the case of a desktop; tapping on the image (handheld devices); connecting/highlighting points in the image by drawing lines or circles. This is one of the widespread deployments of the graphical authentication.
In Table 2.2, each of the cued recall-based GASs discussed above is evaluated, based on the usability results presented in the literature. The structure of the table and terminologies used are the same as in Table 2.1. Please note that the statistics presented for CCP is obtained from the single password studies. The statistics related to multiple passwords study reported in Chiasson et al. (2009) will be presented in Table 2.5 (Section 2.6).
System Type of study Study duration Registration time (seconds) Login time (seconds) Login success rate Multiple password studies PassPoints Lab 2 × 1wk 1 × 2 × 2wk 64 sec 9 -19 sec 38% - 94% No Field 7-9wk CCP Lab 1 × 2 × 1wk
25 sec 7 sec 96% Yes (Chiasson et al., 2009) Suo No study Unknown Unknown Unknown Unknown Unknown PCCP Lab 1 ×
2 × 1wk
50 sec 8-89sec 83%-94% No
3D No study Unknown Unknown Unknown Unknown Unknown Windows
Picture
No study Unknown Unknown Unknown Unknown Unknown
30
2.3.2 Security Overview
Passpoints and its variants have been analysed rigorously in the context of security.
The two major weaknesses that enable efficient dictionary attacks in PassPoints are: hotspots (Chiasson & Oorschot, 2007) and patterns (Chiasson et al., 2009). If an attacker can predict the hotspots in an image through image analysis or predictable behavior of the users, then a dictionary of passwords comprising of such hotspots can be created, to launch a dictionary attack. Chiasson et al. (2009) showed that geometric patterns were absent in case of CCP, as the password was constructed across 5 images, as opposed to 5 click-points in a single image (PassPoints). According to Chiasson et al. (2011), PCCP eliminated the major concerns regarding hot spots and patterns.
In the context of shoulder surfing, the user’s password is observable on the screen, while the user enters it. Hence, the system may not be resistant to shoulder surfing attacks. For example, it might be easier for an observer to detect the change in images in the case of CCP, than the movement of the mouse pointer in PassPoints. It is also easy to capture the user’s screen or authentication session using cameras and other recording equipment. However, none of the existing studies have evaluated this aspect in the context of the CCP.
Social engineering attacks remain a concern, as it may be possible to describe the click-points verbally or simply using screen captures and other recording equipment. However, none of the existing studies have examined this aspect.
2.3.3 Summary
The potential problems in a cued recall system, discussed in Renaud & Angeli (2004) are listed below:
According to Parkin (1993), the effectiveness of cued recall would depend on the strength of the association between the cue (memorable objects in the image) and response (correctly pointing the location). However, it is difficult to find an image which has many memorable locations, does not have too many bright objects and consists of smooth well defined objects. In case the image does not have many memorable locations, the same location are likely to be used by many users as their
31
passwords. This may make the system insecure to use. PCCP has claimed to solve this problem of hotspots, however the system is time consuming to employ.
The users may also find it difficult to click on the exact location (click-point) which will lead to an unsuccessful authentication attempts (Renaud & Angeli, 2004). This may make the system difficult to use. However, this aspect has not been evaluated in the existing studies.
To summarise, early cued recall-based systems such as PassPoints were found to be usable in single password studies, but suffered from security issues due to hotspots and patterns in the user selection. Later schemes such as PCCP alleviate the security issues, but their performance in terms of usability (especially, efficiency) deteriorated. Chiasson et al. (2009) reported the only multiple password study in the field of cued recall-based systems, which will be further discussed in Section 2.6.2.