research-article
Open Access

Picture Gesture Authentication: Empirical Analysis, Automated Attacks, and Scheme Evaluation

Published: 13 April 2015

Abstract

Picture gesture authentication has recently been introduced as an alternative login experience to text-based passwords on touch-screen devices. In particular, the recently released Microsoft Windows 8™ operating system adopts this alternative to complement its traditional text-based authentication. We present an empirical analysis of picture gesture authentication based on more than 10,000 picture passwords collected from more than 800 subjects through online user studies. Based on the findings of our user studies, we propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection functions, which model users' thought processes when selecting picture passwords. Our evaluation results show that the proposed approach can crack a considerable portion of picture passwords under different settings. Based on the empirical analysis and attack results, we comparatively evaluate picture gesture authentication against a set of criteria to better understand its advantages and limitations.
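The following is an added illustration of the selection-function idea in the abstract; it is not the paper's code, data or model. It mimics the picture password format of Windows 8 (three gestures, each a tap, a line or a circle, on a picture normalised to a 100-unit grid, compared with a tolerance) and ranks candidate passwords by how likely a user is to draw them. The points of interest, their prior weights, the gesture-type prior, the tolerance radius and the three "collected" passwords are all constructed for the example; the real attack derives points of interest from image analysis and learns the selection functions from collected passwords. Circle direction is ignored here for brevity.

```python
"""Toy selection-function guessing attack on picture gesture passwords.

Added example, not the paper's code.  Every number below is an assumption
chosen to keep the example small; only the ranking logic is the point.
"""
from itertools import product
import math

# Assumed prior over gesture types and assumed matching radius (grid units).
GESTURE_TYPES = {"tap": 0.5, "line": 0.3, "circle": 0.2}
TOLERANCE = 5.0

# Constructed points of interest: (name, x, y, prior weight that a user
# picks this point).  A real attack would get these from image analysis.
POIS = [("eye", 50.0, 40.0, 0.5), ("nose", 60.0, 55.0, 0.3), ("hat", 45.0, 10.0, 0.2)]


def candidate_gestures(pois=POIS):
    """Enumerate single gestures a user would plausibly draw, with a score.

    Taps and circles sit on one point of interest; lines join two distinct
    ones (direction matters, as it does in the Windows 8 verifier).  Scores
    are unnormalised products of the priors: only their ranking is used.
    """
    cands = []
    for name, x, y, p in pois:
        cands.append((GESTURE_TYPES["tap"] * p, ("tap", x, y)))
        cands.append((GESTURE_TYPES["circle"] * p, ("circle", x, y)))
    for (n1, x1, y1, p1), (n2, x2, y2, p2) in product(pois, repeat=2):
        if n1 != n2:
            cands.append((GESTURE_TYPES["line"] * p1 * p2, ("line", x1, y1, x2, y2)))
    return cands


def guess_dictionary(pois=POIS, length=3):
    """Full picture passwords ordered most-likely-first (ties broken by value)."""
    singles = candidate_gestures(pois)
    scored = []
    for combo in product(singles, repeat=length):
        score = math.prod(s for s, _ in combo)
        scored.append((score, tuple(g for _, g in combo)))
    scored.sort(key=lambda sg: (-sg[0], sg[1]))
    return [g for _, g in scored]


def _close(ax, ay, bx, by):
    return math.hypot(ax - bx, ay - by) <= TOLERANCE


def gesture_matches(guess, target):
    """Tolerant comparison of one gesture: same type and endpoints within TOLERANCE."""
    if guess[0] != target[0]:
        return False
    if guess[0] in ("tap", "circle"):
        return _close(guess[1], guess[2], target[1], target[2])
    return (_close(guess[1], guess[2], target[1], target[2])
            and _close(guess[3], guess[4], target[3], target[4]))


def password_matches(guess, target):
    return len(guess) == len(target) and all(
        gesture_matches(g, t) for g, t in zip(guess, target))


def guess_number(target, dictionary):
    """1-based position of the first dictionary entry that matches, or None."""
    for i, guess in enumerate(dictionary, 1):
        if password_matches(guess, target):
            return i
    return None


def crack_rate(targets, dictionary, budget):
    """Fraction of targets recovered within `budget` guesses."""
    hits = 0
    for t in targets:
        n = guess_number(t, dictionary)
        if n is not None and n <= budget:
            hits += 1
    return hits / len(targets)


if __name__ == "__main__":
    dictionary = guess_dictionary()
    # Constructed "collected" passwords: three taps near the most salient
    # point, a mix of rarely chosen gestures, and taps on empty background
    # that no point of interest covers.
    collected = [
        (("tap", 52.0, 41.0), ("tap", 49.0, 38.0), ("tap", 50.0, 43.0)),
        (("line", 45.0, 10.0, 60.0, 55.0), ("circle", 45.0, 10.0), ("line", 60.0, 55.0, 45.0, 10.0)),
        (("tap", 5.0, 90.0), ("tap", 95.0, 90.0), ("tap", 50.0, 95.0)),
    ]
    for pw in collected:
        print("guess number:", guess_number(pw, dictionary))
    print("cracked with full budget:", crack_rate(collected, dictionary, len(dictionary)))
```

The dictionary is tiny here (12 single gestures, 1728 full passwords), but the shape is the one that matters in practice: a password built entirely from the most salient point is the very first guess, a password on background that the point-of-interest model does not cover is never guessed at all, and the fraction cracked is reported against a guess budget rather than as a single yes/no, which is the metric an online lockout policy or an offline attacker actually cares about.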



      • Published in

      ACM Transactions on Information and System Security, Volume 17, Issue 4
      April 2015, 127 pages
      ISSN: 1094-9224
      EISSN: 1557-7406
      DOI: 10.1145/2756875
      Editor: Gene Tsudik

      Copyright © 2015 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 13 April 2015
      • Accepted: 1 December 2014
      • Revised: 1 November 2014
      • Received: 1 February 2014


      Qualifiers

      • research-article
      • Research
      • Refereed
