The Authentication Game - Secure User Authentication by Gamification?

  • Frank Ebbers
  • Philipp BruneEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9694)


Knowledge-based authentication with username and password still is the predominant authentication method in practice. As the number of online accounts increases, users need to remember more and more passwords, leading to the choice of better memorable but insecure passwords. Therefore, it is important to take into account the users’ behavior to improve IT security. While gamification has been proposed as a concept to influence users’ behavior in various domains, it has not been applied to user authentication methods so far. Therefore, in this paper an approach for a gamified authentication method is presented. Using a prototype implementation, a qualitative evaluation in an empirical study is performed. Results illustrate the general feasibility of the proposed approach.


Information security User authentication Graphical passwords Biometrics Gamification 


  1. 1.
    Amorin, J.A., Hendix, M., Andler, S.F., Gustavsson, P.M.: Gamified training for cyber defence: Methods and automated tools for situation and threat assessment (2013)Google Scholar
  2. 2.
    Andress, J.: The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, 2nd edn. Elsevier Science, USA (2014)Google Scholar
  3. 3.
    Balfanz, D., Durfee, G., Smetters, D., Grinter, R.: In search of usable security: five lessons from the field. IEEE Secur. Priv. 2(5), 19–24 (2004)CrossRefGoogle Scholar
  4. 4.
    Blonder, G.E.: Graphical password (1996).
  5. 5.
    Brostoff, S., Sasse, M.A.: Are passfaces more usable than passwords? a field trial investigation. In: McDonald, S., Waern, Y., Cockton, G. (eds.) People and Computers XIV – Usability or Else!, pp. 405–424. Springer, London (2000)CrossRefGoogle Scholar
  6. 6.
    Brown, M., Rogers, S.J.: User identification via keystroke characteristics of typed names using neural networks. Int. J. Man Mach. Stud. 39(6), 999–1014 (1993)CrossRefGoogle Scholar
  7. 7.
    Burke, M., Hiltbrand, T.: How gamification will change business intelligence. Bus. Intell. J. 16(2), 8–16 (2011)Google Scholar
  8. 8.
    Chaki, N.: Computer Networks & Communications (NetCom): Proceedings of the Fourth International Conference on Networks et Communications. Lecture Notes in Electrical Engineering, vol. 131. Springer, New York (2013)CrossRefGoogle Scholar
  9. 9.
    Choong, Y.-Y.: A cognitive-behavioral framework of user password management lifecycle. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 127–137. Springer, Heidelberg (2014)Google Scholar
  10. 10.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: Symposium on Network and Distributed System Security 2014, Washington, D.C. (2014)Google Scholar
  11. 11.
    Deterding, S., Sicart, M., Nacke, L., O’Hara, K., Dixon, D.: Gamification: using game-design elements in non-gaming contexts. In: Tan, D., Amershi, S., Begole, B., Kellogg, W.A., Tungare, M. (eds.) The 2011 Annual Conference Extended Abstracts, pp. 2425–2428 (2011)Google Scholar
  12. 12.
    Dunphy, P., Heiner, A.P., Asokan, N.: A closer look at recognition-based graphical passwords on mobile devices. In: Cranor, L.F. (ed.) SOUPS 2010. ACM International Conference Proceedings Series, p. 1. ACM, New York (2010).
  13. 13.
    Dunphy, P., Yan, J.: Do background images improve draw a secret graphical passwords?. In: Ning, P., Capitani, D., di Vimercati, S., Syverson, P., Capitani, D., di Vimercati, S., Syverson, P.F., Evans, D. (eds.) Proceedings of the 14th ACM conference on Computer and Communications Security, pp. 36–47. ACM Digital Library, New York (2007).
  14. 14.
    Fernandes, J., Duarte, D., Ribeiro, C., Farinha, C., Pereira, J.M., da Silva, M.M.: ithink: A game-based approach towards improving collaboration and participation in requirement elicitation. Procedia Comput. Sci. 15, 66–77 (2012)CrossRefGoogle Scholar
  15. 15.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: Williamson, C., Zurko, M.E. (eds.) Proceedings of the 16th International Conference on World Wide Web 2007, pp. 657–666. ACM, New York (2007)Google Scholar
  16. 16.
    Forget, A., Chiasson, S., Biddle, R.: Persuasion as education for computer security. In: World Conference on E-Learning in Corporate, Government, Healthcare, and Higher Education, vol. 2007(1), pp. 822–829 (2007)Google Scholar
  17. 17.
    Fortinet: Multiple password tendencies of gen x online users in the united states, as of February 2014: Statista (2014).
  18. 18.
    Gallego, A., Saxena, N., Voris, J.: Playful security: a computer game for secure wireless device pairing. In: 2011 16th International Conference on Computer Games (CGAMES), pp. 177–184, July 2011Google Scholar
  19. 19.
    Hari, K.K.K., Anbuoli, P., Manikandan, A., Saikishore, E. (eds.): Computer Applications I: Proceedings of the International Conference on Computer Applications, 24–27 December 2010, Pondicherry, India. Research Pub. Services, Singapore (2011)Google Scholar
  20. 20.
    Helkala, K., Svendsen, N.K.: The security and memorability of passwords generated by using an association element and a personal factor. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 114–130. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  21. 21.
    Herold, R.: Managing an Information Security and Privacy Awareness and Training Program, 2nd edn. CRC Press, Boca Raton (2011)Google Scholar
  22. 22.
    InformationWeeks Analytics: Analytics report: Identity management - saas, mobility add urgency (2011).
  23. 23.
    Iranna, A., Pankaja, P.: Graphical password authentication using persuasive cued click point. Int. J. Eng. Res. Appl. 2, 2963–2974 (2013)Google Scholar
  24. 24.
    Jain, A.K., Flynn, P.J., Ross, A.A.: Handbook of Biometrics. Springer, New York (2007)Google Scholar
  25. 25.
    Jermyn, I., Mayer, A.J., Monrose, F., Reiter, M.K., Rubin, A.D., et al.: The design and analysis of graphical passwords. In: Association, U. (ed.) Proceedings of the 8th USENIX Security Symposium, Washington, D.C., USA, vol. 8. (1999)Google Scholar
  26. 26.
    Khot, R.A., Srinathan, K., Kumaraguru, P.: Marasim: a novel jigsaw based authentication scheme using tagging. In: Tan, D.S., Fitzpatrick, G., Gutwin, C., Begole, B., Kellogg, W.A. (eds.) CHI 2011, pp. 2605–2614 (2011).
  27. 27.
    Kroeze, C., Olivier, M.S.: Gamifying authentication. In: Venter, H.S., Loock, M., Coetzee, M. (eds.) 2012 Information Security for South Africa, pp. 1–8. IEEE, Piscataway (2012)Google Scholar
  28. 28.
    Kuo, C., Romanosky, S., Cranor, L.F.: Human selection of mnemonic phrase-based passwords. In: Cranor, L.F. (ed.) SOUPS 2006: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 67–78. ACM, New York (2006)Google Scholar
  29. 29.
    Loy, C.C., Lai, W.K., Lim, C.P.: Keystroke patterns classification using the artmap-fd neural network. In: Liao, B.Y. (ed.) IIHMSP 2007, pp. 61–64. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  30. 30.
    Luca, A.D., Hang, A., Brudy, F., Lindner, C., Hussmann, H.: Touch me once and i know it’s you! implicit authentication based on touch screen patterns. In: Konstan, J.A., Chi, E.H., Höök, K. (eds.) Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 987–996. ACM, New York (2012).
  31. 31.
    Newman, R.: Security and Access Control Using Biometric Technologies. Cengage Learning, New Delhi (2009)Google Scholar
  32. 32.
    Nielsen, J.: Usability Engineering. Morgan Kaufmann Publishers, San Francisco (1994). Updated ednGoogle Scholar
  33. 33.
    O’Gorman, L.: Comparing passwords, tokens, and biometrics for user authentication. Proc. IEEE 91(12), 2021–2040 (2003)CrossRefGoogle Scholar
  34. 34.
    Parsons, K., McCormac, A., Butavicius, M., Ferguson, L.: Human factors and information security: Individual, culture and security environment (2010)Google Scholar
  35. 35.
    SafeNet Inc.: Multi-factor authentication: Current usage and trends (2013).
  36. 36.
    Sarohi, H.K., Khan, F.U.: Graphical password authentication schemes: current status and key issues. Int. J. Comput. Sci. Issues (IJCSI) 10(2), 437 (2013)Google Scholar
  37. 37.
    Schneier, B.: Secrets and Lies: Digital Security in a Networked World. Wiley, New York (2011)Google Scholar
  38. 38.
    Schneier, B.: Secrets and Lies: Digital Security in a Networked World. Wiley, New York (2000)Google Scholar
  39. 39.
    Schultz, E.: The human factor in security. Comput. Secur. 24(6), 425–426 (2005)CrossRefGoogle Scholar
  40. 40.
    Shahzad, M., Liu, A.X., Samuel, A.: Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In: Proceedings of the 19th Annual International Conference on Mobile Computing & Networking, MobiCom 2013, pp. 39–50. ACM, New York (2013).
  41. 41.
    Sharif, M., Faiz, T., Raza, M.: Time signatures - an implementation of keystroke and click patterns for practical and secure authentication. In: Third International Conference on Digital Information Management (ICDIM 2008), pp. 559–562. IEEE, Piscataway (2008)Google Scholar
  42. 42.
    Thiebes, S., Lins, S., Basten, D. (eds.): Gamifying information systems - a synthesis of gamification mechanics and dynamics. In: ECIS, Tel Aviv, Israel (2014)Google Scholar
  43. 43.
    Thornton, D., Francia, G.I.: Gamification of information systems and security training: Issues and case studies. Inf. Secur. Edu. J. 1(1), 19–29 (2014)Google Scholar
  44. 44.
    Uellenbeck, S., Dürmuth, M., Wolf, C., Holz, T.: Quantifying the security of graphical passwords: the case of android unlock patterns. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 2013, pp. 161–172. ACM, New York (2013).
  45. 45.
    Wang, P.: Pattern Recognition, Machine Intelligence and Biometrics. Springer, Heidelberg (2012)Google Scholar
  46. 46.
    Yee, K.P.: Aligning security and usability. IEEE Comput. Soc. 2(5), 48–55 (2004)Google Scholar
  47. 47.
    Zakaria, N.H., Griffiths, D., Brostoff, S., Yan, J.: Shoulder surfing defence for recall-based graphical passwords. In: Cranor, L.F. (ed.) Proceedings of the Seventh Symposium on Usable Privacy and Security, vol. 2011, pp. 1–12. ACM, New York (2011)Google Scholar
  48. 48.
    von Zezschwitz, E., De Luca, A., Hussmann, H.: Survival of the shortest: a retrospective analysis of influencing factors on password composition. In: Kotzé, P., Marsden, G., Lindgaard, G., Wesson, J., Winckler, M. (eds.) INTERACT 2013, Part III. LNCS, vol. 8119, pp. 460–467. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  49. 49.
    Zichermann, G., Cunningham, C.: Gamification by Design: Implementing Game Mechanics in Web and Mobile Apps, 1st edn. O’Reilly Media, Sebastopol (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.University of Applied Sciences Neu-UlmNeu-UlmGermany

Personalised recommendations