Over-the-Shoulder Attack Resistant Graphical Authentication Schemes Impact on Working Memory

  • Jeremiah D. Still
  • Ashley A. Cain
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 960)


Alphanumeric passwords are the most commonly employed authentication scheme. However, technical security requirements often make alphanumeric authentication difficult to use. Researchers have developed graphical authentication schemes to help strike a balance between security requirements and usability. However, replacing characters with pictures has introduced both negative (security vulnerabilities) and positive (memorability benefits) outcomes. We are aware of the noteworthy long-term memory advantages of graphical passcodes, but little is known about the impact on users’ limited working memory resources. Authentication is always a secondary task, which probably consumes working memory. This pilot study examines the impact graphical authentication schemes (Convex-Hull Click; Use Your Illusion; What You See is Where you Enter) have on working memory (Verbal; Spatial; Central Executive). Our findings suggest that the impact of graphical authentication schemes on working memory varies. This work shows that further investigation is needed to understand the complex relationship between scheme design and working memory.


Keywords: Human factors, Cybersecurity, Authentication, Working memory, Human-Computer interaction, Usability



We thank Paige Duplantis, Lauren Tiller, and Ayobami Fakulujo for their assistance collecting data.



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Psychology of Design Laboratory, Department of Psychology, Old Dominion University, Norfolk, USA
