User Authentication Rachna Dhamija Human Centered Computing Course December 6, 1999 Image Recognition in

Page 1

Image Recognition in User Authentication

Rachna Dhamija
Human Centered Computing Course

December 6, 1999

Page 2

Security systems human factors?

Passwords multiple long strings

Problem

Page 3

Replace text w/ images?
Replace recall w/ recognition
Portfolio “Random Art” & Real Images

A solution

Page 4

“Vast, almost limitless memory” for pictures [Haber]

Recognition
  Fraction of a sec to remember & recognize [Intraub, Pavio & Codes]
  2560 photos for few seconds, 90% recognition rate [Standing, Conezio & Haber]
  10,000 photos, 2 days, 66% recognized [Standing]

Recall
  recall semantics or sketch
  “pictures are not only recognized better but are also recalled better than words” [Standing]

Visual Memory

Page 5

Target population = general computer users
  novice/expert users
  few passwords/multiple passwords

10 (+20) people interviewed about behavior
  10 – 40+ instances vs. 1-7 actual passwords
  names, phone numbers, fav movies, ~6 char
  tools: majority wrote them down, 2 PIM
  minimum effort, never change them
  ability to share is a feature
  people hate passwords but prefer them to alternatives

Task Analysis

Page 6

      10       20       30       40       50       60       70       80       90       100
 1    1.0E+01  2.0E+01  3.0E+01  4.0E+01  5.0E+01  6.0E+01  7.0E+01  8.0E+01  9.0E+01  1.0E+02
 2    4.5E+01  1.9E+02  4.4E+02  7.8E+02  1.2E+03  1.8E+03  2.4E+03  3.2E+03  4.0E+03  5.0E+03
 3    1.2E+02  1.1E+03  4.1E+03  9.9E+03  2.0E+04  3.4E+04  5.5E+04  8.2E+04  1.2E+05  1.6E+05
 4    2.1E+02  4.8E+03  2.7E+04  9.1E+04  2.3E+05  4.9E+05  9.2E+05  1.6E+06  2.6E+06  3.9E+06
 5    2.5E+02  1.6E+04  1.4E+05  6.6E+05  2.1E+06  5.5E+06  1.2E+07  2.4E+07  4.4E+07  7.5E+07
 6    2.1E+02  3.9E+04  5.9E+05  3.8E+06  1.6E+07  5.0E+07  1.3E+08  3.0E+08  6.2E+08  1.2E+09
 7    1.2E+02  7.8E+04  2.0E+06  1.9E+07  1.0E+08  3.9E+08  1.2E+09  3.2E+09  7.5E+09  1.6E+10
 8    4.5E+01  1.3E+05  5.9E+06  7.7E+07  5.4E+08  2.6E+09  9.4E+09  2.9E+10  7.8E+10  1.9E+11
 9    1.0E+01  1.7E+05  1.4E+07  2.7E+08  2.5E+09  1.5E+10  6.5E+10  2.3E+11  7.1E+11  1.9E+12
10    1.0E+00  1.8E+05  3.0E+07  8.5E+08  1.0E+10  7.5E+10  4.0E+11  1.6E+12  5.7E+12  1.7E+13

Selection Size (# of images)

Portfolio Size

      10       26       36       52       62       96
 4    1.0E+04  4.6E+05  1.7E+06  7.3E+06  1.5E+07  8.5E+07
 5    1.0E+05  1.2E+07  6.0E+07  3.8E+08  9.2E+08  8.2E+09
 6    1.0E+06  3.1E+08  2.2E+09  2.0E+10  5.7E+10  7.8E+11
 7    1.0E+07  8.0E+09  7.8E+10  1.0E+12  3.5E+12  7.5E+13
 8    1.0E+08  2.1E+11  2.8E+12  5.3E+13  2.2E+14  7.2E+15
 9    1.0E+09  5.4E+12  1.0E+14  2.8E+15  1.4E+16  6.9E+17
10    1.0E+10  1.4E+14  3.7E+15  1.4E+17  8.4E+17  6.6E+19

Password Length

Character Set

Security: Brute Force Attack

4 Digit PIN = 5 out of 20 images

6 char password = 10 out of 55

BUT most passwords require < brute force!
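The arithmetic behind the two tables, as an added example that is not part of the original slides: the image entries equal the binomial coefficient C(n, k) for k images chosen out of n (k is the row value, n the column value), and the text entries equal charset^length. The function and parameter names, and the 52-symbol character set used for the 6-character password, are assumptions made for this sketch.

```python
from math import comb, log2


def image_space(total_images: int, chosen: int) -> int:
    """Unordered selections of `chosen` images out of `total_images`: C(n, k)."""
    return comb(total_images, chosen)


def text_space(charset_size: int, length: int) -> int:
    """Strings of `length` characters over `charset_size` symbols."""
    return charset_size ** length


def bits(space: int) -> float:
    """Search space in bits, rounded to one decimal."""
    return round(log2(space), 1)


def smallest_image_set(charset_size, length, chosen, limit=1000):
    """Fewest images to choose from so that C(n, chosen) >= charset_size**length.

    Returns None if no n up to `limit` is large enough.
    """
    target = text_space(charset_size, length)
    for total in range(chosen, limit + 1):
        if image_space(total, chosen) >= target:
            return total
    return None


def compare():
    """Rows of (label, search space, bits) for the schemes named on the slides."""
    schemes = [
        ("4-digit PIN", text_space(10, 4)),
        ("5 of 20 images", image_space(20, 5)),
        ("5 of 25 images (login task)", image_space(25, 5)),
        # Assumption: 52 symbols; the slide does not name a character set.
        ("6-char password, 52 symbols", text_space(52, 6)),
        ("10 of 55 images", image_space(55, 10)),
    ]
    return [(label, space, bits(space)) for label, space in schemes]


if __name__ == "__main__":
    for label, space, b in compare():
        print(f"{label:30} {space:>15,} {b:>5} bits")
    # Exact break-even points; the slide tables only step n in tens.
    print(smallest_image_set(10, 4, chosen=5), smallest_image_set(36, 6, chosen=10))
```

These figures are upper bounds on guessing effort for uniformly random choices; the slide's closing point is that user-chosen passwords fall well short of them.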

Page 7

Benefits
  Images easier to remember
    fewer errors
    change more frequently
    good for infrequently used passwords?
  Images, esp. Random Art, are hard to describe

Vulnerabilities
  “shoulder surfing” attack
  “intersection” attack

Security Analysis (cont)

Page 8

Task: create portfolio & login
People can remember images! (4-10)
Photos/art – 50/50 preference & time
Wanted to view portfolio during creation
Must be simple and fast (no click through screens)
Horizontal layout for quick scanning

Lo-fi Prototype

Page 9
Page 10
Page 11

Create 4 “passwords”
  PIN (4 digits)
  Password (6 char.)
  Art portfolio (5/100)
  Photo portfolio (5/100)

Login
  PIN
  Password
  Art (5/25)
  Photo (5/25)

Task order - 50% did Art first
Image order
Repeat login after 1 week!

Experiment Design

Page 12

Test Measures

[Chart: Task Completion Time (20 users, same day). X axis: Tasks (create, login). Y axis: Time (seconds). Series: PIN, Pass, Art, Photo.]

Does not include uncompleted tasks

sev1: minor
sev2: major, recoverable
sev3: major, unrecoverable

No unrecoverable errors made with portfolios

[Chart: Number and Severity of Errors (20 users, same day). X axis: Severity (1, 2, 3). Y axis: Number of Errors. Series: PIN, Pass, Art, Photo.]

Page 13

Comfort Level
  Create portfolio - @#$%
  Login portfolio - wow

Text vs. images
  Passwords/PINs faster to create/logon
  Photos easier to remember than PINs (short term)

Art vs. photos
  Photos easier to remember, schemes, more personal
  People chose similar photos, but not art

Interface issues
  Scrolling is bad, one screen, thumbnails, single-click
  Lack of feedback
    # picked so far, which picked??
    how to give feedback securely?

More Results

Page 14

1 image selected

Changes to next version
  show # selected
  hide selected images
  smaller images

Page 15

Potential for use
  where text input is hard, limited observation (e.g., ATM, PDA)
  infrequent, high availability passwords

Future Directions
  Self created images
    authenticate: recreate or recognize

Conclusions

Random Art + Text
Sharing & collaboration
Other human abilities?

Page 16

J. P. Houston. Fundamentals of Learning and Memory. 4th ed. Florida: Harcourt Brace Jovanovich, 1991.

Ralph Norman Haber. How we remember what we see. Scientific American, 222(5):104-112, May 1970.

Lionel Standing. Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 25:207-222, 1973.

Lionel Standing, Jerry Conezio, and Ralph Norman Haber. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Science, 19(2):73-74, 1970.

Helene Intraub. Presentation rate and the representation of briefly glimpsed pictures in memory. Journal of Experimental Psychology: Human Learning and Memory, 6(1):1-12, 1980.

Adrian Perrig and Dawn Song. Hash Visualization: A New Technique to Improve Real-World Security. In Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce (CryTEC '99).

References