ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Use Your Illusion: secure authentication usable anywhere
Full text PdfPdf (235 KB)
Source
ACM International Conference Proceeding Series; Vol. 337 archive
Proceedings of the 4th symposium on Usable privacy and security table of contents
Pittsburgh, Pennsylvania
SESSION: Authentication II table of contents
Pages 35-45  
Year of Publication: 2008
ISBN:978-1-60558-276-4
Authors
Eiji Hayashi  CMU/CyLab Japan
Rachna Dhamija  Harvard University
Nicolas Christin  CMU/CyLab Japan
Adrian Perrig  CMU/CyLab
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 26,   Downloads (12 Months): 223,   Citation Count: 3
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1408664.1408670
What is a DOI?

ABSTRACT

In this paper, we propose and evaluate Use Your Illusion, a novel mechanism for user authentication that is secure and usable regardless of the size of the device on which it is used. Our system relies on the human ability to recognize a degraded version of a previously seen image. We illustrate how distorted images can be used to maintain the usability of graphical password schemes while making them more resilient to social engineering or observation attacks. Because it is difficult to mentally "revert" a degraded image, without knowledge of the original image, our scheme provides a strong line of defense against impostor access, while preserving the desirable memorability properties of graphical password schemes.

Using low-fidelity tests to aid in the design, we implement prototypes of Use Your Illusion as i) an Ajax-based web service and ii) on Nokia N70 cellular phones. We conduct a between-subjects usability study of the cellular phone prototype with a total of 99 participants in two experiments. We demonstrate that, regardless of their age or gender, users are very skilled at recognizing degraded versions of self-chosen images, even on small displays and after time periods of one month. Our results indicate that graphical passwords with distorted images can achieve equivalent error rates to those using traditional images, but only when the original image is known.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Flickr. http://www.flickr.com.
 
2
Phoney finance. The Economist. October 26, 2006. http://www.economist.com/finance/displaystory.cfm?story_id=8089667.
3
Ross Anderson, Why cryptosystems fail, Proceedings of the 1st ACM conference on Computer and communications security, p.215-227, November 03-05, 1993, Fairfax, Virginia, United States  [doi>10.1145/168588.168615]
 
4
G. Blonder. United states patent, 1996. United States Patent 5559961.
 
5
G. H. Bower, M. B. Karlin, and A. Dueck. Comprehension and memory for pictures. Memory and Cognition, 2:216--220, 1975.
 
6
S. Brostoff and M. Sasse. Are passfaces more usable than passwords? A field trial investigation. In Proceedings of HCI 2000, pages 405--424, Sept. 2000.
 
7
M. Burton, S. Wilson, M. Cowan, and V. Bruce. Face recognition in poor quality video: Evidence from security surveillance. Psychological Science, 10:243--248, 1999.
 
8
Rachna Dhamija , Adrian Perrig, Déjà Vu: a user study using images for authentication, Proceedings of the 9th conference on USENIX Security Symposium, p.4-4, August 14-17, 2000, Denver, Colorado
9
Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073009]
 
10
A. Goldstein and J. E. Chance. Visual recognition memory for complex configurations. Perception and Psychophysics, 9:237--241, 1970.
 
11
Philippe Golle , David Wagner, Cryptanalysis of a Cognitive Authentication Scheme (Extended Abstract), Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.66-70, May 20-23, 2007  [doi>10.1109/SP.2007.13]
 
12
R. L. Gregory. The Intelligent Eye. 1970.
 
13
A. Harada, T. Isarida, T. Mizuno, and M. Nishigaki. A user authentication system using schema of visual memory. In Proc. BioADIT'06, pages 338--345, Jan. 2006.
 
14
Z. Henderson, V. Bruce, and M. Burton. Matching the faces of robbers captured on video. Applied Cognitive Psychology, 15:445--464, 2001.
 
15
Gerald Holzmann, Beyond Photography: The Digital Darkroom, Prentice Hall Professional Technical Reference, 1988
 
16
Ian Jermyn , Alain Mayer , Fabian Monrose , Michael K. Reiter , Aviel D. Rubin, The design and analysis of graphical passwords, Proceedings of the 8th conference on USENIX Security Symposium, p.1-1, August 23-26, 1999, Washington, D.C.
 
17
H. Kinjo and J. G. Snodgrass. Does the generation effect occur for pictures? Amer. J. of Psych., 6:156--163, 2000.
 
18
T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. Impact of artificial gummy fingers on fingerprint systems. In Proc. SPIE: Optical Security and Counterfeit Deterrence Techniques IV, volume 4677, pages 275--289, Jan. 2002.
19
Wendy Moncur , Grégory Leplâtre, Pictures at the ATM: exploring the usability of multiple graphical passwords, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA  [doi>10.1145/1240624.1240758]
 
20
Darren Davis , Fabian Monrose , Michael K. Reiter, On user choice in graphical password schemes, Proceedings of the 13th conference on USENIX Security Symposium, p.11-11, August 09-13, 2004, San Diego, CA
 
21
Real User Corporation. The science behind Passfaces, 2001. http://www.realusers.com.
22
Hirokazu Sasamoto , Nicolas Christin , Eiji Hayashi, Undercover: authentication usable in front of prying eyes, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy  [doi>10.1145/1357054.1357085]
 
23
R. Shepard. Recognition memory for words, sentences and pictures. J. Verbal Learning and Verbal Behavior, 113(1):95--121, 1967.
 
24
Sony Corporation. Overview of FeliCa. http://www.sony.net/Products/felica/abt/dvs.html.
 
25
L. Standing, J. Conezio, and R. N. Haber. Perception and memory for pictures: single trial learning of 2,500 visual stimuli. Psychonomic Sci., 19(2):73--74, 1970.
 
26
A. Stubblefield and D. Simon. Inkblot authentication. Technical Report MSR-TR-2004-85, Aug. 2004.
 
27
Julie Thorpe , P. C. van Oorschot, Graphical dictionaries and the memorable space of graphical passwords, Proceedings of the 13th conference on USENIX Security Symposium, p.10-10, August 09-13, 2004, San Diego, CA
 
28
Julie Thorpe , P. C. van Oorschot, Towards Secure Design Choices for Implementing Graphical Passwords, Proceedings of the 20th Annual Computer Security Applications Conference, p.50-60, December 06-10, 2004  [doi>10.1109/CSAC.2004.44]
 
29
Julie Thorpe , P. C. van Oorschot, Human-seeded attacks and exploiting hot-spots in graphical passwords, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
 
30
Daphna Weinshall, Cognitive Authentication Schemes Safe Against Spyware (Short Paper), Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.295-300, May 21-24, 2006  [doi>10.1109/SP.2006.10]
 
31
S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon. Authentication using graphical passwords: Basic results. In HCI International, July 2005.
32
Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, Authentication using graphical passwords: effects of tolerance and image choice, Proceedings of the 2005 symposium on Usable privacy and security, p.1-12, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073002]

CITED BY  3
Alexander De Luca , Martin Denzel , Heinrich Hussmann, Look into my eyes!: can you guess my password?, Proceedings of the 5th Symposium on Usable Privacy and Security, July 15-17, 2009, Mountain View, California
K. V. Renaud, Guidelines for designing graphical authentication mechanism interfaces, International Journal of Information and Computer Security, v.3 n.1, p.60-85, June 2009
Rajesh Krishna Balan , Narayan Ramasubbu , Komsit Prakobphol , Nicolas Christin , Jason Hong, mFerio: the design and evaluation of a peer-to-peer mobile payment system, Proceedings of the 7th international conference on Mobile systems, applications, and services, June 22-25, 2009, Kraków, Poland

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.4 COMPUTERS AND SOCIETY
      K.4.4 Electronic Commerce

Additional Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Design, Human Factors, Security


Keywords:
distortion, graphical passwords, social engineering

Collaborative Colleagues:
Eiji Hayashi: colleagues
Rachna Dhamija: colleagues
Nicolas Christin: colleagues
Adrian Perrig: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player