research-article

WebTicket: account management using printable tokens

Authors:
Eiji Hayashi

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
View Profile

,
Bryan Pendleton

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
View Profile

,
Fatih Ozenc

Autodesk Inc., Waltham, Massachusetts, United States

Autodesk Inc., Waltham, Massachusetts, United States
View Profile

,
Jason Hong

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
View Profile

CHI '12: Proceedings of the SIGCHI Conference on Human Factors in Computing SystemsMay 2012Pages 997–1006https://doi.org/10.1145/2207676.2208545

Published:05 May 2012Publication History

CHI '12: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 997–1006

ABSTRACT

Passwords are the most common authentication scheme today. However, it is difficult for people to memorize strong passwords, such as random sequences of characters. Additionally, passwords do not provide protection against phishing attacks. This paper introduces WebTicket, a low cost, easy-to-use and reliable web account management system that uses "tickets", which are tokens that contain a two-dimensional barcode that can be printed or stored on smartphones. Users can log into accounts by presenting the barcodes to webcams connected to computers. Through two lab studies and one field study consisting of 59 participants in total, we found that WebTicket can provide reliable authentication and phishing resilience.

References

eToken. http://www.aladdin.com/etoken/.Google Scholar
QRCode.com. http://www.denso-wave.com/qrcode/.Google Scholar
RSA securID http://www.rsa.com/node.aspx?id=1156.Google Scholar
A. Adams and M. Sasse. Users are not the enemy. Communications of the ACM (1999). Google ScholarDigital Library
S. Brostoff and M. Sasse. Are passfaces more usable than passwords: A field trial investigation. In Proc. of HCI 2000, (2000).Google ScholarCross Ref
S. Chiasson, R. Biddle, and P. V. Oorschot. A second look at the usability of click-based graphical passwords. In Proc. of SOUPS (2007). Google ScholarDigital Library
R. Dhamija and J. Tygar. The battle against phishing: Dynamic security skins. In Proc. of SOUPS (2005). Google ScholarDigital Library
A. Dirik, N. Memon, and J. C. Birget. Modeling user choice in the passpoints graphical password scheme. In Proc. of SOUPS (2007). Google ScholarDigital Library
S. Egelman, L. F. Cranor, J. Hong. You've been warned: an empirical study of the effectiveness of web browser phishing warnings. In Proc. of SIGCHI (2008) Google ScholarDigital Library
K. Everitt, T. Bragin, J. Fogarty, and T. Kohno. A comprehensive study of frequency, interference, and training of multiple graphical passwords. In Proc. of CHI (2009). Google ScholarDigital Library
Gartner. Automated password resets can cut it service desk costs. 2004.Google Scholar
S. Gaw and E. Felten. Password management strate-gies for online accounts. In Proc. of SOUPS (2006). Google ScholarDigital Library
J. T. Hallinan. Why We Make Mistakes. Broadway, 2009.Google Scholar
E. Hayashi, R. Dhamija, N. Christin, and A. Perrig. Use your illusion: secure authentication usable anywhere. In Proc. of SOUPS (2008). Google ScholarDigital Library
E. Hayashi, J. I. Hong, A Diary Study of Password Usage in Daily Life. In Proc. of SIGCHI (2011). Google ScholarDigital Library
D. V. Klein. "foiling the cracker": A survey of, and improvements to, password security. In Proc. of USENIX Security, (1990).Google Scholar
S. Klemmer, M. Newman, and R. Farrell. The designers' outpost: a tangible interface for collaborative web site. In Proc. of UIST (2001). Google ScholarDigital Library
C. Kuo, S. Romanosky, and L. Cranor. Human selection of mnemonic phrase-based passwords. In Proc. of SOUPS (2006). Google ScholarDigital Library
S. L. Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, (1967).Google Scholar
W. MacKay. Is paper safer? The role of paper flight strips in air traffic control. ACM Transactions on Computer-Human Interaction, (1999). Google ScholarDigital Library
J. McCune, A. Perrig, and M. Reiter. Seeing-isbelieving: Using camera phones for human-verifiable authentication. In IEEE S&P (2005). Google ScholarDigital Library
D. McGee, P. Cohen, R. Wesson, and S. Horman. Comparing paper and tangible, multimodal tools. In Proc. of CHI (2002). Google ScholarDigital Library
T. Moran, E. Saund, W. V. Melle, A. Gujar, K. Fishkin, and B. Harrison. Design and technology for collaborage: collaborative collages of information on physical walls. In Proc. of UIST (1999). Google ScholarDigital Library
L. Nelson, S. Ichimura, E. Pedersen, and L. Adams. Palette: a paper interface for giving presentations. In Proc. of CHI (1999). Google ScholarDigital Library
A. Paivio and T. Rogers. Why are pictures easier to recall than words? Psychonomic Science, (1968).Google ScholarCross Ref
B. Parno, C. Cuo and A. Perrig, PhoolprofPhishing Prevention. In Proc of. the Financial Cryptography and data security (2006). Google ScholarDigital Library
B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell. Stronger password authentication using browser extensions. In Proc. of the USENIX Security(2005). Google ScholarDigital Library
M. Sasse, S. Brostoff, and D. Weirich. Transforming the 'weakest link' a human/computer interaction approach to usable and effective security. BT technology journal, (2001). Google ScholarDigital Library
A. Whitten and J. Tygar. Why johnny can't encrypt. In USENIX Security, (1999).Google Scholar
S. Wiedenbeck, J. Waters, J. Birget, and A. Brodskiy. Passpoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies, (2005). Google ScholarDigital Library
J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: Empirical results. In IEEE Security & privacy, Vol. 2, pp. 25--31, (2004). Google ScholarDigital Library
K. Yee, K. Sitaker. Passpet: convenient password management and phishing protection. In Proc. of SOUPS (2006). Google ScholarDigital Library
Your Top 20 most frequently used passwords. http://www.tomshardware.com/news/imperva-rockyoumost-common-passwords,9486.htmlGoogle Scholar

Index Terms

WebTicket: account management using printable tokens
1. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

Pictures at the ATM: exploring the usability of multiple graphical passwords
CHI '07: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Users gain access to cash, confidential information and services at Automated Teller Machines (ATMs) via an authentication process involving a Personal Identification Number (PIN). These users frequently have many different PINs, and fail to remember ...
Read More
Using Episodic Memory for User Authentication

Passwords are widely used for user authentication, but they are often difficult for a user to recall, easily cracked by automated programs, and heavily reused. Security questions are also used for secondary authentication. They are more memorable than ...
Read More
An enhanced multi-server authentication protocol using password and smart-card: cryptanalysis and design

At the present time, application of online communication systems are rapidly increasing and most of the clients depend on a set of servers to fulfill their daily needs. In order to access these servers, a client user needs to register to each server ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CHI '12: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
May 2012
3276 pages
ISBN:9781450310154
DOI:10.1145/2207676
General Chair:
Joseph A. Konstan
University of Minnesota
,
Program Chairs:
Ed H. Chi
Google
,
Kristina Höök
Mobile Life at KTH
Copyright © 2012 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 5 May 2012
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
password
usable security
user authentication
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate6,199of26,314submissions,24%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 10
  Total Citations
  View Citations
- 556
  Total Downloads
- Downloads (Last 12 months)13
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

WebTicket: account management using printable tokens

CHI '12: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

ABSTRACT

References

Cited By

Index Terms

Recommendations

Pictures at the ATM: exploring the usability of multiple graphical passwords

Using Episodic Memory for User Authentication

An enhanced multi-server authentication protocol using password and smart-card: cryptanalysis and design