Cognitive, associative and conventional passwords: Recall and guessing rates

Bunnell, Julie; Podd, John; Henderson, Ronald D.; Napier, R. Christopher; Kennedy-Moffat, James

doi:10.1016/s0167-4048(97)00008-4

Cited by 42 publications

(23 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2) No mental burden on users. Users have to remember their password if they use a password-based authentication scheme; previous work has shown that users are not good at remembering passwords and they use work-arounds to avoid using passwords [4], [8]. In bilateral authentication there is no secret for users to remember.…”

Section: A Bilateral Authenticationmentioning

confidence: 99%

ZEBRA: Zero-Effort Bilateral Recurring Authentication

Mare

Markham

Cornelius

et al. 2014

2014 IEEE Symposium on Security and Privacy

120

View full text Add to dashboard Cite

Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests.To address this problem we propose Zero-Effort Bilateral Recurring Authentication (ZEBRA). In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85 % accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90 % of users and identified all adversaries within 50 s.

show abstract

Section: A Bilateral Authenticationmentioning

confidence: 99%

ZEBRA: Zero-Effort Bilateral Recurring Authentication

Mare

Markham

Cornelius

et al. 2014

2014 IEEE Symposium on Security and Privacy

120

View full text Add to dashboard Cite

show abstract

“…The two Mikons are shown in Figure 8. If one removes the probable intrusion attempts, the success rate of the Mikons system is 92%, which exceeds expectations and out-performs any password system [37], [38], especially where the system is used infrequently, which was the case here. …”

Section: S S Fmentioning

confidence: 69%

Web Authentication Using Mikon Images

Renaud

2009

2009 World Congress on Privacy, Security, Trust and the Management of E-Business

View full text Add to dashboard Cite

Authentication is mostly achieved by means of the ubiquitous password. This is suboptimal in some settings, such as for user groups with cognitive or language difficulties. Many web-based systems have user groups with widely ranging capabilities, and more innovative authentication mechanisms should be investigated to enhance usability and accessibility while still delivering the required level of security to authorise legitimate users.This paper presents details of an authentication system which relies on the user identifying previously drawn Mikons 1 . Mikons are self-drawn icon-like images, meant to depict a message the artist wants to convey at that point in time. These are drawn, at enrolment, using an embedded ShockWave component within a browser. At authentication the user identifies his or her own Mikons from challenge sets, each containing one of the user's Mikon and a number of distractor Mikons.The efficacy of Mikons in this setting was investigated by using them in a recognition-based authentication system to authorise users of an online homework system over an eight month period. The Mikon-based system performed very well in terms of memorability and scalability, as anticipated, thus achieving the level of accessibility hoped for. A measure of predictability was observed, with a few of the participants being able to link sets of Mikons to their creators; but this did not pose a security risk to the system. This study shows that Mikon authentication has the potential to be a viable alternative to passwords for systems where the security requirement is secondary to other, more important, considerations. Such systems are usually low-risk and are often used by users with developmental, language or cognitive difficulties, or by users who are not yet literate. The imposition of a password on such users can be overly stringent and excessively demanding in terms of scarce cognitive resources. In this context, therefore, Mikons are a viable alternative to meet the needs of the target user group.

show abstract

“…But this arrangement remains controversial. On the one hand, as Bunnell et al (1997) and Mulligan & Elbirt (2005) point out, we will see that putting real matters into coding does help arouse the cognitive associates. It is indeed to the benefits of the online users.…”

Section: Coding Process and Featurementioning

confidence: 99%

“…Although accounts and passwords have become a necessity nowadays, many of online users establish their authentication code in a random manner for ease memory while never take the associated information security problems into account (Campbell et al, 2011;Weber, Guster, & Safonov, 2008). Meanwhile, a problem to arise here is that many website users often register different accounts and passwords in their applying for membership, and this it will end up with a notorious memory challenge to them (Bunnell, Podd, Henderson, Napier, & Kennedy-Moffat, 1997). It is admitted that written notes at hand may help solve this embarrassing moment, but these notes are also in danger of being misplaced or stolen.…”

Section: Introductionmentioning

confidence: 99%