The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs

  • Patrick Gage Kelley
  • Saranga Komanduri
  • Michelle L. Mazurek
  • Richard Shay
  • Timothy Vidas
  • Lujo Bauer
  • Nicolas Christin
  • Lorrie Faith Cranor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7862)

Abstract

Over the last decade, several proposals have been made to replace the common personal identification number, or PIN, with often-complicated but theoretically more secure systems. We present a case study of one such system, a specific implementation of system-assigned one-time PINs called PassGrids. We apply various modifications to the basic scheme, allowing us to review usability vs. security trade-offs as a function of the complexity of the authentication scheme. Our results show that most variations of this one-time PIN system are more enjoyable and no more difficult than PINs, although accuracy suffers for the more complicated variants. Some variants increase resilience against observation attacks, but the number of users who write down or otherwise store their password increases with the complexity of the scheme. Our results shed light on the extent to which users are able and willing to tolerate complications to authentication schemes, and provides useful insights for designers of new password schemes.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Adar, E.: Why i hate mechanical turk research (and workshops). In: Proc. CHI Workshop on Crowdsourcing and Human Computation (2011)Google Scholar
  2. 2.
    Anderson, R.: Why cryptosystems fail. In: ACM CCS 1993, pp. 215–227 (1993)Google Scholar
  3. 3.
    Asghar, H.J., Li, S., Pieprzyk, J., Wang, H.: Cryptanalysis of the convex hull click human identification protocol. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 24–30. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: WOOT 2010, pp. 1–7 (2010)Google Scholar
  5. 5.
    Biddle, R., Chiasson, S., van Ookrschot, P.: Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (2011) (to appear)Google Scholar
  6. 6.
    Bond, M.: Comments on gridsure authentication (2008), http://www.cl.cam.ac.uk/~mkb23/
  7. 7.
    Brostoff, S., Inglesant, P., Sasse, M.A.: Evaluating the usability and security of a graphical one-time PIN system. In: BCS Conference on HCI (2010)Google Scholar
  8. 8.
    Brostoff, S., Sasse, A.: Are passfaces more usable than passwords? a field trial investigation. In: HCI 2000, pp. 405–424 (2000)Google Scholar
  9. 9.
    Buhrmester, M., Kwang, T., Gosling, S.D.: Amazon’s Mechanical Turk: A new source of inexpensive, yet high-quality, data? Perspectives on Psychological Science 6(1), 3–5 (2011)CrossRefGoogle Scholar
  10. 10.
    De Luca, A., Denzel, M., Hussmann, H.: Look into my eyes!: Can you guess my password? In: SOUPS 2009, pp. 1–12. ACM (2009)Google Scholar
  11. 11.
    Downs, J.S., Holbrook, M.B., Sheng, S., Cranor, L.F.: Are your participants gaming the system? Screening Mechanical Turk workers. In: Proc. CHI (2010)Google Scholar
  12. 12.
    Golle, P., Wagner, D.: Cryptanalysis of a cognitive authentication scheme. In: IEEE SP 2007 (2007)Google Scholar
  13. 13.
    Jakobsson, M.: Experimenting on Mechanical Turk: 5 How Tos (July 2009), http://blogs.parc.com/blog/2009/07/experimenting-on-mechanical-turk-5-how-tos/
  14. 14.
    Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: USENIX Security Symposium, p. 1 (1999)Google Scholar
  15. 15.
    Kittur, A., Chi, E.H., Suh, B.: Crowdsourcing user studies with Mechanical Turk. In: Proc. CHI (2008)Google Scholar
  16. 16.
    Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S.: Of passwords and people: Measuring the effect of password-composition policies. In: CHI 2011 (2011)Google Scholar
  17. 17.
    Krebs, B.: ATM skimmers: Hacking the cash machine (2011), http://krebsonsecurity.com/2011/04/atm-skimmers-hacking-the-cash-machine/
  18. 18.
    Sasamoto, H., Christin, N., Hayashi, E.: Undercover: authentication usable in front of prying eyes. In: SIGCHI 2008, pp. 183–192. ACM (2008)Google Scholar
  19. 19.
    Suo, X., Zhu, Y., Owen, G.S.: Graphical passwords: A survey. In: ACSAC 2005, pp. 463–472 (2005)Google Scholar
  20. 20.
    SyferLock. Syferlock technology, http://www.syferlock.com/day1/demovidpin.htm
  21. 21.
    Tari, F., Ozok, A.A., Holden, S.H.: A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In: SOUPS 2006, pp. 56–66 (2006)Google Scholar
  22. 22.
    Thorpe, J., van Oorschot, P.C.: Human-seeded attacks and exploiting hot-spots in graphical passwords. In: USENIX Security Symposium, pp. 8:1–8:16 (2007)Google Scholar
  23. 23.
    Toomim, M., Kriplean, T., Pörtner, C., Landay, J.: Utility of human-computer interactions: toward a science of preference measurement. In: Proc. CHI (2011)Google Scholar
  24. 24.
    Weiss, R., De Luca, A.: Passshapes: Utilizing stroke based authentication to increase password memorability. In: 5th Nordic Conference on HCI (2008)Google Scholar
  25. 25.
    Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., Memon, N.: Authentication using graphical passwords: effects of tolerance and image choice. In: SOUPS 2005, pp. 1–12 (2005)Google Scholar
  26. 26.
    Wiedenbeck, S., Waters, J., Sobrado, L., Birget, J.-C.: Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: AVI 2006, pp. 177–184 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Patrick Gage Kelley
    • 1
    • 2
  • Saranga Komanduri
    • 1
    • 2
  • Michelle L. Mazurek
    • 1
    • 2
  • Richard Shay
    • 1
    • 2
  • Timothy Vidas
    • 1
    • 2
  • Lujo Bauer
    • 1
    • 2
  • Nicolas Christin
    • 1
    • 2
  • Lorrie Faith Cranor
    • 1
    • 2
  1. 1.University of New MexicoUSA
  2. 2.Carnegie Mellon UniversityUSA

Personalised recommendations