Much valuable and sensitive data (e.g., health, intellectual property, and banking information) is accessible digitally. For example, we no longer have to go to a physical bank to transfer money or to cash a check. We simply download an application or go to a website. However, this level of convenience comes at a cost. Hackers from around the world are now able to access our accounts remotely. Therefore, it is essential that systems housing valuable data be able to correctly verify users' identities. The authentication process attempts to validate a user's identity. Usually, this is achieved by asking for a username and a password known only to one user. Thus, attackers work to reveal passwords through a variety of methods, including social engineering, brute force guessing, shoulder surfing, key logging, interception, and searching physical and virtual space near the target (GCHQ & CPNI, 2015). Most of the research efforts have focused on developing stronger technical defenses against these attack methods. However, users are a critical part of the security loop, so designing an authentication system that encourages appropriate behavior increases the defensive strength of the system. Users are instructed to use "strong passwords", because they are more difficult for hackers to determine. Some basic guidelines for creating strong passwords include keeping the password private and secure (do not share it or write it down), avoiding the use of common words, using longer and more complex passwords (e.g., by including numbers and symbols), using different passwords for each account, and changing passwords following suspect activity. Following these "simple" guidelines demands an increased cognitive load. According to Grawemeyer and Johnson (2011), end-users reuse, share, and write down passwords in order to overcome an effortful authentication experience. In other words, end-users are aware of many of the best practice guidelines; unfortunately, these guidelines are not usable ones. Also, some of the best practices are not necessary, if others are followed. For instance, if one takes the time to develop and remember a strong password, changing it often is not necessary. There are many usability issues associated with conventional alphanumeric authentication. Users are forced to remember a significant number of complex passwords, which are always changing. Not only are users irritated by complex and changing passwords, but their password selection also becomes less secure as they are asked to remember more of them. For example, as the number of passwords increase, users are more likely to reuse the same password or some part of an already existing password. In one study, up to 50% of passwords were reused, and some were reused up to four times by the same user (Grawemeyer & Johnson, 2011). Also, when users do comply and use a unique password, they are nearly 18 times more likely to write down the password than if they had used a more familiar password (Grawemeyer & Johnson,
