User authentication is a central component of currently deployed security infrastructures. We distinguish three main techniques for user authentication: knowledge-based systems, token-based systems, and systems based on biometrics.
In today's security systems, knowledge-based schemes are predominantly used for user authentication. Although biometrics can be useful for user identification, one problem with these systems is the difficult tradeoff between impostor pass rate and false alarm rate [DP89]. In addition, many biometric systems require specialized devices, and some can be unpleasant to use.
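The tradeoff cited from [DP89] above can be made concrete with a small threshold-matcher model. The following Python is an added illustration, not code from the paper or the Déjà Vu project: it uses constructed match scores for legitimate users and impostors, defines the impostor pass rate as the fraction of impostor attempts accepted and the false alarm rate as the fraction of legitimate attempts rejected (the usual reading of those terms, assumed here), and shows that moving the decision threshold lowers one rate only by raising the other, so that some pairs of targets cannot be met by any single threshold.

```python
"""Impostor pass rate vs. false alarm rate for a threshold-based matcher.

Added example with constructed data; the score values below are invented
to illustrate the tradeoff and do not come from any real biometric system.
"""

# Constructed similarity scores (0..100); higher means "closer to the enrolled template".
GENUINE_SCORES = [62, 68, 71, 74, 75, 78, 80, 83, 85, 88, 90, 93]   # legitimate users
IMPOSTOR_SCORES = [20, 33, 41, 48, 52, 55, 58, 63, 66, 70, 72, 79]  # impostor attempts


def impostor_pass_rate(impostor_scores, threshold):
    """Fraction of impostor attempts accepted, i.e. scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def false_alarm_rate(genuine_scores, threshold):
    """Fraction of legitimate attempts rejected, i.e. scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def tradeoff_curve(genuine_scores, impostor_scores):
    """(threshold, impostor_pass_rate, false_alarm_rate) for every observed score.

    Raising the threshold can only decrease the first rate and increase the second,
    which is the tradeoff the paper refers to.
    """
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [
        (t, impostor_pass_rate(impostor_scores, t), false_alarm_rate(genuine_scores, t))
        for t in thresholds
    ]


def equal_error_point(genuine_scores, impostor_scores):
    """Operating point where the two error rates are closest (the equal-error threshold)."""
    return min(tradeoff_curve(genuine_scores, impostor_scores),
               key=lambda row: abs(row[1] - row[2]))


def threshold_satisfying(genuine_scores, impostor_scores, max_ipr, max_far):
    """Lowest threshold meeting both targets, or None if no single threshold can.

    A None result is exactly the 'difficult tradeoff': tightening the threshold
    enough to keep impostors out also locks out too many legitimate users.
    """
    for t, ipr, far in tradeoff_curve(genuine_scores, impostor_scores):
        if ipr <= max_ipr and far <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t, ipr, far in tradeoff_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:3d}  impostor_pass={ipr:.3f}  false_alarm={far:.3f}")
    print("equal-error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("threshold for <=10% / <=10%:",
          threshold_satisfying(GENUINE_SCORES, IMPOSTOR_SCORES, 0.10, 0.10))
```

Run as a script, it prints the full curve; with these constructed scores the two rates meet at a threshold of 71 (one in six errors on each side), and no threshold brings both rates to 10% or below, which is the situation in which a deployed biometric system must accept either more impostors or more locked-out users.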
Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token. An example is ATM authentication, which requires a combination of a token (a bank card) and secret knowledge (a PIN).
For these reasons, knowledge-based techniques are currently the most frequently used method for user authentication. In this paper we focus on authentication based on passwords or PINs.
Despite their wide usage, passwords and PINs have a number of shortcomings. Simple or meaningful passwords are easier to remember, but are vulnerable to attack. Passwords that are complex and arbitrary are more secure, but are difficult to remember. Since users can only remember a limited number of passwords, they tend to write them down or will use similar or even identical passwords for different purposes.
One approach to improve user authentication systems is to replace the precise recall of a password or PIN with the recognition of a previously seen image, a skill at which humans are remarkably proficient. In general, it is much easier to recognize something than to recall the same information from memory without help [Nie93]. Classic cognitive science experiments show that humans have a vast, almost limitless memory for pictures in particular [Hab70, ]. In fact, experiments show that we can remember and recognize hundreds to thousands of pictures after only fractions of a second of perception [Int80, ]. By replacing precise recall of the password with image recognition, we can minimize the users' cognitive load, help the user to make fewer mistakes and provide a more pleasant experience.
The basic concepts of recognition-based authentication are described by Perrig and Song [PS99]. In this paper, however, we explore the user authentication aspects more thoroughly, design the Déjà Vu system, and make the following contributions. First, we perform user studies of a prototype system to validate and improve our image-based user authentication system. Second, we analyze the security of Déjà Vu, discuss possible real-world attacks and illustrate countermeasures.
In the next section we enumerate the shortcomings of password-based authentication. In section 3, we discuss our approach of recognition-based authentication and introduce our solution, Déjà Vu. In section 4, we describe a user study that compares Déjà Vu to traditional authentication methods, and we summarize our findings. Finally, we discuss related work in section 5 and present our conclusions and future work in section 6.