Are Passfaces More Usable Than Passwords? A Field Trial Investigation

  • Sacha Brostoff
  • M Angela Sasse

Abstract

The proliferation of technology requiring user authentication has increased the number of passwords which users have to remember, creating a significant usability problem. This paper reports a usability comparison between a new mechanism for user authentication — Passfaces — and passwords, with 34 student participants in a 3-month field trial. Fewer login errors were made with Passfaces, even when periods between logins were long. On the computer facilities regularly chosen by participants to log in, Passfaces took a long time to execute. Participants consequently started their work later when using Passfaces than when using passwords, and logged into the system less often. The results emphasise the importance of evaluating the usability of security mechanisms in field trials.

Keywords

task performance evaluation passwords security human memory 

Copyright information

© Springer-Verlag London 2000

Authors and Affiliations

  • Sacha Brostoff (1)
  • M Angela Sasse (1)

  1. Department of Computer Science, University College London, London, UK
