We review previous work that attempts to solve the problem of password-based user authentication.
Blonder patented a ``graphical password'', which requires a user to touch predetermined areas of an image (tap regions) in a predetermined sequence for authentication [Blo96]. The main drawback of this system is that it is location- and sequence-dependent: the user must recall both the regions to tap and the order in which to tap them.
Jermyn et al. propose a graphical password selection and input scheme in which the password consists of a simple picture drawn on a grid [JMM99]. A benefit of their solution is that it removes the need for temporal recall by decoupling the position of inputs from the temporal order in which those inputs occur. Early cognition experiments do indeed support the claim that pictures are recalled better than words. Their solution, however, still requires users to precisely recall how to draw their images, rather than relying on recognition.
Passlogix Inc. distributes v-go, an application that remembers user names and passwords and automatically logs the user on to password-protected Web sites and applications [Pas00]. It allows users to create passwords by clicking on objects in a graphical window, for example by entering the time on a clock, drawing cards from a deck, selecting ingredients to mix a cocktail or cook a meal, dialing a phone number, hiding objects in a room, trading stocks, or entering a password on a keyboard. The weaknesses of this system are manifold.
First, the space of possible passwords is very small. For example, there is only a limited number of choices available when cooking a meal. In the case of hiding objects in a room, the requirement that the objects be hidden already strongly reduces the state space: there are only a few places in the given room where objects can really be hidden, and locations such as under the mattress or in the cabinet are the ones users are likely to select. It would be better if the user could place objects in arbitrary locations.
Furthermore, the system allows users to pick poor passwords. For example, choosing all aces in a deck of cards is certainly not secure, and many users are likely to choose commonly known combinations, for example by mixing the same drinks.
Finally, the system requires users to precisely recall the authentication task, instead of relying on recognition. A further weakness is that an attacker need only break the v-go password to gain access to all of the user's other passwords.
IDArts distributes Passfaces, an authentication system based on recognizing previously seen images of faces [Art99]. This idea is similar to ours, and there is strong evidence to support their claim that humans have an innate ability to remember faces. They claim that authentication rates can be significantly improved by ``training'' the user during passface creation, which we did not do in our study.
A drawback of their system is that users pick faces they are attracted to, which greatly facilitates impersonation attacks. Interestingly, in our study many users told us that they did not select photographs of people because they did not feel that they could relate personally to the image. We did notice that when pictures of people were chosen, the people closely resembled the users (e.g., one user selected an image that resembled his grandparents, an Indian woman selected an image of an Indian woman, and a Chinese woman selected an image of a Chinese man). Since we use randomly generated images, knowing the preferences of a person is of only limited usefulness.
Ellison et al. propose a scheme in which a user can protect a secret key using ``the personal entropy in his whole life'', that is, by encrypting the passphrase using the answers to several personal questions [EHMS99]. The scheme is designed so that a user can forget the answers to a subset of the questions and still recover the secret key, while an attacker must learn the answers to a large subset of the questions to learn the key.
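As an added illustration of the forgiving property described above (this is example code written for this review, not the construction of Ellison et al.), the following Python splits a key with Shamir's t-of-n secret sharing and masks each share with a hash of one answer, so any t remembered answers suffice. The questions, answers, field prime and check-digest are assumptions of the example.

```python
"""Personal-entropy key protection in the spirit of Ellison et al. [EHMS99]:
a secret key is split with Shamir t-of-n secret sharing and share i is
masked with a hash of the answer to question i. Any t correct answers
recover the key; fewer, or a wrong one, fail the check digest.
"""
import hashlib
import secrets

P = 2**61 - 1  # prime field for the shares (assumption: key is an int < P)

# Constructed sample questions and answers (not from the paper).
QA = {
    "first pet": "Rex",
    "street grown up on": "Elm Street",
    "favourite teacher": "Ms. Lee",
    "first car": "Beetle",
}

def _mask(question, answer):
    """Field element derived from a case- and whitespace-normalized answer."""
    norm = " ".join(answer.lower().split())
    h = hashlib.sha256((question + "\0" + norm).encode()).digest()
    return int.from_bytes(h, "big") % P

def _eval(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def protect(key, qa, t, rng=secrets.randbelow):
    """Split key into len(qa) masked shares, any t of which suffice."""
    coeffs = [key % P] + [rng(P) for _ in range(t - 1)]  # random polynomial
    masked = {q: (i, (_eval(coeffs, i) + _mask(q, a)) % P)
              for i, (q, a) in enumerate(qa.items(), start=1)}
    check = hashlib.sha256(str(key % P).encode()).hexdigest()
    return check, masked

def recover(masked, check, answers):
    """Unmask the shares for the answers given and interpolate at x = 0."""
    pts = [(masked[q][0], (masked[q][1] - _mask(q, a)) % P)
           for q, a in answers.items()]
    key = 0
    for xi, yi in pts:  # Lagrange interpolation
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, P - 2, P)) % P
    # the digest detects a wrong or insufficient set of answers
    return key if hashlib.sha256(str(key).encode()).hexdigest() == check else None
```

Note that the stored check digest lets anyone test candidate answer sets offline, which is why the scheme's security rests on the joint entropy of at least t answers.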
Naor and Shamir propose a Visual Cryptography scheme, which splits secret information into two transparencies such that each part contains no useful information, but the combination reveals the secret [NS95]. Naor and Pinkas extend this idea as a means for a user to authenticate text and images [NP97]. In this case, the recipient is equipped with a transparency. When the recipient places the transparency over a message or image that was sent to him, the combination of both images reveals the message. Visual cryptography could be used to devise a token-based user authentication scheme.
Ian Goldberg's ``visual key fingerprint'' [Gol96] and Raph Levien's PGP Snowflake [Lev96] were developed as ways to graphically identify and recognize PGP key fingerprints.
Adams and Sasse propose that educating users in security is a solution to the problem of choosing weak passwords [AS99]. They claim that if users receive specific security training and understand security models, they will select secure passwords and refrain from engaging in insecure behavior. In our user study, however, we found that the level of security training did not prevent users from choosing trivial passwords or from storing them insecurely. We conjecture that this is because people prefer convenience over security. Therefore, security should be an inherent component of the system by default.
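To make the ``each part contains no useful information'' property concrete, the following Python is an added example (not code from Naor and Shamir) of the basic 2-out-of-2 scheme on a small constructed bitmap; the sample image and the two-subpixel expansion are assumptions of the example.

```python
"""2-out-of-2 visual cryptography in the style of Naor and Shamir [NS95].
Each secret pixel expands into two subpixels. Both shares get the same
random pattern for a white pixel and complementary patterns for a black
pixel; overlaying (OR) leaves one dark subpixel for white and two for
black. Either share alone is a uniformly random pattern.
"""
import secrets

# Constructed sample secret image: '#' = black pixel, '.' = white pixel.
SECRET = [
    ".###.",
    "#...#",
    "#####",
    "#...#",
]
PATTERNS = ((1, 0), (0, 1))  # the two subpixel patterns (1 = opaque)

def split(image, rng=secrets.randbelow):
    """Return two shares; each pixel becomes a (sub1, sub2) tuple."""
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            pat = PATTERNS[rng(2)]  # fresh coin flip per pixel
            r1.append(pat)
            # white: same pattern on both shares; black: complementary
            r2.append(pat if px == "." else tuple(1 - s for s in pat))
        share1.append(r1)
        share2.append(r2)
    return share1, share2

def stack(share1, share2):
    """Overlay two transparencies: a subpixel is dark if dark on either."""
    return [[tuple(a | b for a, b in zip(p1, p2)) for p1, p2 in zip(r1, r2)]
            for r1, r2 in zip(share1, share2)]

def decode(stacked):
    """Read the overlay: two dark subpixels = black, one = white."""
    return ["".join("#" if sum(p) == 2 else "." for p in row) for row in stacked]

def share_leaks_nothing(share):
    """Every expanded pixel has exactly one dark subpixel regardless of the
    secret, so a single share carries no per-pixel information."""
    return all(sum(p) == 1 for row in share for p in row)

def render(share):
    """ASCII view of a share or overlay, two characters per pixel."""
    return "\n".join("".join("#" if s else "." for p in row for s in p) for row in share)
```

Printing `render(s1)` and `render(stack(s1, s2))` shows a random grey field versus the secret at half contrast, which is what a human sees when the physical transparencies are overlaid.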