CHAPTER IV. DEVELOPMENT OF THE SOLUTION OR OF THE STUDY
4.1 Requirements Analysis
4.3.4 Architecture details
In recognition-based systems, users have to memorise a set of chosen images during password creation and then recognise their pre-selected images from among many others in order to log into the system. This type of scheme relies on the exceptional human ability to recognise previously seen images, even those seen only briefly. Recognition-based systems proposed to date use images such as faces, random art pictures, everyday objects and icons. The most extensively studied graphical passwords of this kind are Passfaces (Passfaces, 2009), DejaVu (Dhamija and Perrig, 2000) and Story (Davis, Monrose and Reiter, 2004). The following sub-sections discuss each scheme in detail.
Passfaces:
The first example of a recognition-based scheme, and one that uses human faces as the verification tool in the authentication process, is Passfaces. In this technique, the user sees a grid of nine faces and selects the one face previously chosen by that user, as shown in Figure 6.1. It offers two-factor authentication to provide a higher level of security and can be easily integrated into existing systems in different working areas such as financial, government, healthcare and corporate networks (Passfaces, 2009). Passfaces is based on findings from research and experimental studies showing that viewing and recognising faces leaves a lasting trace in recognition memory. Hadyn et al. (1992) explain that face recognition is a process distinct from general object recognition in the human brain, since neurological measurements indicate that our brains have a special component whose unique function is to recognise faces. In addition, the human brain needs no conscious effort to commit faces to memory, and it recognises faces rather than recalling them.
In order to enrol in Passfaces, users are first presented with a number of faces (three to five) to view. In the familiarisation process they are required to familiarise themselves with these faces. The process begins with examining each face and trying to find similarities between the face shown and people they may know. They are then asked to go through a face recognition exercise which requires them to select one of the presented faces from a grid of nine faces. Once the user has successfully recognised the correct faces, they are allowed to log in.
Figure 6.1 Example of Passfaces
Davis et al. (2004) indicate that allowing people to choose the faces that make up their password can lead to predictability issues, since more attractive faces are most likely to be chosen frequently, thus significantly reducing security. Dunphy et al. (2007) consider social engineering attacks in which attackers convince users to describe the images in their portfolio. Their study results show that 8% of participants could log in to another user's account after obtaining the portfolio images from verbal descriptions alone. The results also indicate that if decoy images similar to the portfolio images are used to reduce social engineering attacks, usability suffers, since recognising the correct portfolio images becomes difficult.
Later, Everitt et al. (2009) investigated the Passfaces scheme in terms of the effect of frequency of access on a graphical password. They examined the interference effect resulting from interleaved access to multiple graphical passwords and from different patterns of access during training. Over a five-week period users were directed to log on to four different accounts according to different schedules. The results demonstrated that users who logged in more frequently were more successful at remembering their passwords. This study is the first of its kind in the graphical password domain to look into the issues and effects of having multiple graphical passwords, which matters because people commonly need more than four passwords; the effects of interference are therefore even more crucial in a widespread deployment of graphical passwords. Unlike similar studies that examine only a single graphical password, these findings provide a more realistic evaluation of the use of multiple graphical passwords.
DejaVu:
DejaVu was proposed by Dhamija and Perrig (2000) to address the drawbacks of traditional alphanumeric passwords and PINs. In general, DejaVu consists of three major phases: portfolio creation, training and authentication. During the portfolio creation phase, users select a specific number of images from a larger set of images presented by the server. Figure 6.2 shows some images from the image selection phase of their prototype system. Dhamija and Perrig suggest that choosing images from random art instead of photographs reduces the predictability of the portfolio, hence increasing the security of the system. They argue that random art images are more difficult for users to write down as a password or to share with others by describing the images in the portfolio.
Figure 6.2 Selection of random art images in the DejaVu scheme (Dhamija and Perrig, 2000)
The next phase is a training phase, in which users pick out their portfolio images from a set that also contains decoy images. A secure environment must be provided during the selection and training phases to guarantee that no other person can see the image portfolio. Then, in the authentication phase, a user is validated if he manages to identify all portfolio images correctly among the decoys. In the prototype system, a panel of twenty-five images is displayed, five of which belong to the user's portfolio. The authors of this scheme propose that a fixed set of 10,000 images is adequate, but that the attractive images should be hand-selected to increase the likelihood that all images have similar probabilities of being selected by users.
The DejaVu scheme is advantageous because its abstract images help to decrease the risk of social engineering attacks, in which an attacker tries to gather enough information to log in by tricking the user into verbalising their password. Similarly, it would seem difficult to identify the images belonging to a particular user from other information known about that user; however, problems resulting from predictable user choice remain possible, since users might make their choices based on favourite colours or shapes. Moreover, a usability issue was raised because no feedback was given when users clicked on particular images, making it difficult for a user to be certain whether an image had been selected. This was a deliberate security decision, since providing too much feedback might lead to the secret being compromised.
Story:
the Passfaces scheme. In the Story scheme, users create their passwords by selecting a sequence of k images from a single set of n > k images to make a "story". Each image is drawn from a distinct category of image type, which yields n! / (n − k)! possible choices (Davis, Monrose and Reiter, 2004). The images in the Story scheme are drawn from nine categories: animals, cars, women, food, children, men, objects, nature and sports. Examples of images in the Story scheme can be seen in Figure 6.3.
Figure 6.3 Examples of images in the Story scheme (Davis, Monrose and Reiter, 2004)
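The three schemes above share one server-side mechanism: a stored portfolio, a challenge panel that mixes the portfolio with decoys, and a check that the user's selection matches, either as a set (Passfaces, DejaVu) or as an ordered sequence (Story). The following is an added example written for this chapter, not code from Passfaces, DejaVu or Story, that implements that flow and computes the theoretical guessing space of each scheme from the parameters stated in the text (a 9-face grid over 3 to 5 rounds, a 25-image panel holding 5 portfolio images, and n! / (n − k)! ordered choices). The image identifiers, the pool of 40 images, and the names `RecognitionServer`, `issue_challenge` and `verify` are assumptions of this example. Two defensive details are worth noting: the panel is shuffled with a system random source so that position leaks nothing, and verification returns a single bit after a constant-time comparison of digests, matching the "no per-click feedback" decision described for DejaVu.

```python
"""Added example: a minimal recognition-based authentication flow.

Constructed for illustration; the server class, image ids and helper names
are this example's own assumptions, not the cited schemes' code.
"""
import hashlib
import hmac
import math
import secrets


def passfaces_space(rounds: int = 5, grid: int = 9) -> int:
    """Number of distinct Passfaces secrets: one of `grid` faces per round,
    with `rounds` independent rounds (three to five in the text)."""
    return grid ** rounds


def dejavu_space(panel: int = 25, portfolio: int = 5) -> int:
    """Ways to answer one DejaVu panel: pick `portfolio` of `panel` images,
    order irrelevant, i.e. C(panel, portfolio)."""
    return math.comb(panel, portfolio)


def story_space(n: int = 9, k: int = 4) -> int:
    """Story: an ordered sequence of k distinct images out of n,
    i.e. n! / (n - k)! as stated in the text."""
    return math.perm(n, k)


def _digest(selection, ordered: bool) -> bytes:
    """Canonical fixed-length digest of a selection. Comparing digests in
    constant time avoids leaking, via timing, how many images matched."""
    ids = list(selection) if ordered else sorted(selection)
    return hashlib.sha256("\x00".join(ids).encode()).digest()


class RecognitionServer:
    """Hypothetical server side of a recognition-based scheme."""

    def __init__(self, portfolio, image_pool, panel_size, ordered=False):
        if len(set(portfolio)) != len(portfolio):
            raise ValueError("portfolio images must be distinct")
        if panel_size < len(portfolio):
            raise ValueError("panel must have room for every portfolio image")
        self._portfolio = list(portfolio)
        self._ordered = ordered
        self._panel_size = panel_size
        # Decoys are drawn from the pool minus the user's own images.
        self._decoy_pool = [i for i in image_pool if i not in set(portfolio)]
        self._rng = secrets.SystemRandom()
        self._expected = _digest(self._portfolio, ordered)

    def issue_challenge(self) -> list:
        """Build one panel: every portfolio image plus freshly drawn decoys,
        shuffled so that position carries no information."""
        n_decoys = self._panel_size - len(self._portfolio)
        panel = self._portfolio + self._rng.sample(self._decoy_pool, n_decoys)
        self._rng.shuffle(panel)
        return panel

    def verify(self, panel, selection) -> bool:
        """Accept only if the selection is exactly the portfolio (in order
        when `ordered`, as in Story). Returns one bit and no per-image
        feedback, in line with the DejaVu design decision."""
        if len(selection) != len(self._portfolio):
            return False
        if any(i not in panel for i in selection):
            return False
        return hmac.compare_digest(_digest(selection, self._ordered),
                                   self._expected)


if __name__ == "__main__":
    # Constructed sample data: 40 random-art image ids, 5 in the portfolio.
    pool = [f"art_{i:02d}" for i in range(40)]
    server = RecognitionServer(pool[:5], pool, panel_size=25)
    challenge = server.issue_challenge()
    print("panel size:", len(challenge), "accepted:", server.verify(challenge, pool[:5]))
    print("spaces:", passfaces_space(), dejavu_space(), story_space())
```

The password-space figures are the upper bound an online guessing attacker faces for one secret; they are small next to a typical text password, which is why the text's observations on predictable user choice (attractive faces, favourite colours) and on rate limiting matter more here than raw combinatorics.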