International Journal of Information Security, Volume 13, Issue 5, pp 421–437

Analysis of a two-factor graphical password scheme

Regular Contribution


Graphical passwords are a promising research branch, but implementing many of the proposed schemes often requires considerable resources (e.g., data storage, high-quality displays), which makes their use difficult on small devices such as old-fashioned ATM terminals. Furthermore, such schemes most often lack a careful security analysis. In this paper, we analyze the security and usability of an authentication mechanism that can be instantiated as a graphical password scheme. We model the information an adversary might extract by analyzing the transcripts of authentication sessions as a Boolean formula. Our experiments show that the time needed by a passive adversary to extract the user secret in the last protocol presented grows exponentially in the system parameter, giving evidence of the security of the proposed scheme.


Keywords

User authentication; Graphical passwords; ATM authentication; Security analysis; SAT solver



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. Dipartimento di Informatica, Università di Salerno, Fisciano, Italy
  2. Dipartimento di Ingegneria Elettrica e delle Tecnologie dell’Informazione, Università di Napoli “Federico II”, Naples, Italy