ABSTRACT
Passwords are the most common authentication scheme today. However, it is difficult for people to memorize strong passwords, such as random sequences of characters. Additionally, passwords do not provide protection against phishing attacks. This paper introduces WebTicket, a low-cost, easy-to-use and reliable web account management system that uses "tickets": tokens that contain a two-dimensional barcode and can be printed or stored on smartphones. Users log into accounts by presenting the barcode to a webcam connected to the computer. Through two lab studies and one field study with 59 participants in total, we found that WebTicket can provide reliable authentication and phishing resilience.
WebTicket: account management using printable tokens