Chapter

Financial Cryptography and Data Security

Volume 7862 of the series Lecture Notes in Computer Science pp 34-51

The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs

  • Patrick Gage KelleyAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Saranga KomanduriAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Michelle L. MazurekAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Richard ShayAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Timothy VidasAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Lujo BauerAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Nicolas ChristinAffiliated withUniversity of New MexicoCarnegie Mellon University
  • , Lorrie Faith CranorAffiliated withUniversity of New MexicoCarnegie Mellon University

* Final gross prices may vary according to local VAT.

Get Access

Abstract

Over the last decade, several proposals have been made to replace the common personal identification number, or PIN, with often-complicated but theoretically more secure systems. We present a case study of one such system, a specific implementation of system-assigned one-time PINs called PassGrids. We apply various modifications to the basic scheme, allowing us to review usability vs. security trade-offs as a function of the complexity of the authentication scheme. Our results show that most variations of this one-time PIN system are more enjoyable and no more difficult than PINs, although accuracy suffers for the more complicated variants. Some variants increase resilience against observation attacks, but the number of users who write down or otherwise store their password increases with the complexity of the scheme. Our results shed light on the extent to which users are able and willing to tolerate complications to authentication schemes, and provides useful insights for designers of new password schemes.