Evaluating the usability and security of a graphical one-time PIN system

Brostoff, Sacha; Inglesant, Philip; Sasse, M. Angela

doi:10.14236/ewic/hci2010.13

Cited by 22 publications

(15 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…GrIDsure is one such example, users are asked to memorise a pattern and then when authenticating they receive a grid filled with digits and need to enter the digits that correspond to their pattern. Brostoff, Inglesant and Sasse (2010) looked at the usability of GrIDsure and found that in nearly 18% of usages, participants were trying to enter the PIN on the grid directly instead of typing it. This undermines the security property offered by the grid, namely resistance to shoulder-surfing.…”

Section: Related Workmentioning

confidence: 99%

“Too Taxing on the Mind!” Authentication Grids are not for Everyone

Krol

Papanicolaou

Vernitski

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The security and usability issues associated with passwords have encouraged the development of a plethora of alternative authentication schemes. These aim to provide stronger and/or more usable authentication, but it is hard for the developers to anticipate how users will perform with and react to such schemes. We present a case study of a one-time password entry method called the Vernitski Authentication Grid (VAG), which requires users to enter their password in pairs of characters by finding where the row and the column containing the characters intersect and entering the character from this intersection. We conducted a laboratory user evaluation (n=36) and found that authentication took 88.6s on average, with login times decreasing with practice. Participants were faster authenticating on a tablet than on a PC. Overall, participants found using the grid complex and time-consuming. Their stated willingness to use it depended on the context of use, with most participants considering it suitable for accessing infrequently used and high-stakes accounts and systems. While using the grid, 31 out of 36 participants pointed at the characters, rows and columns with their fingers or mouse, which undermines the shoulder-surfing protection that the VAG is meant to offer. Our results demonstrate there cannot be a onesize-fits-all replacement for passwordsusability and security can only be achieved through schemes designed to fit a specific context of use.

show abstract

Section: Related Workmentioning

confidence: 99%

“Too Taxing on the Mind!” Authentication Grids are not for Everyone

Krol

Papanicolaou

Vernitski

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The mechanisms studied include graphical passwords [8], Passfaces [9] and grids (e.g. [10], [11]) to name a few. In reality, securityrelated actions are secondary tasks and a study has to mimic this set-up.…”

Section: Related Workmentioning

confidence: 99%

Pico in the Wild: Replacing Passwords, One Site at a Time

Aebischer¹,

Dettoni²,

Jenkinson³

et al. 2017

Proceedings 2nd European Workshop on Usable Security

View full text Add to dashboard Cite

Passwords are a burden on the user, especially nowadays with an increasing number of accounts and a proliferation of different devices. Pico is a token-based login method that does not ask users to remember any secrets, nor require keyboard entry of one-time passwords. We wish to evaluate its claim of being simultaneously more usable and more secure than passwords, whilst testing its support for frictionless deployment to web-based services. Our main aim is to collect actionable intelligence on how to improve it. In our study, we teamed up with an Alexa Top 500 website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. We focused on the ecological validity of the trial, and gained knowledge both through the challenges of the trial and the results generated. Users appreciated the ability to avoid password entry but the overall benefit was mitigated by the existing measures put in place by Gyazo to minimise the number of times users are presented with a password entry box. Our main finding is that providing enough benefit requires a solution that applies across sites, rather than focusing on authentication for a single site in isolation. 1 https://gyazo.com/ Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

“…GrIDsure has been found to be easy to learn and the recall of patterns is acceptably reliable; however, as with other password schemes, the effective pattern space is far smaller than the maximum possible [7]. However, to understand the actual pattern space, simple assumptions are not sufficient [6]; as well as the shape, the order of cells and placement on the grid are important factors distinguishing between patterns.…”

Section: B Existing Research On Gridsurementioning

confidence: 99%

“…However, to understand the actual pattern space, simple assumptions are not sufficient [6]; as well as the shape, the order of cells and placement on the grid are important factors distinguishing between patterns. Although there are common patterns, these do not all occur with similar frequency [6], [7]. Brostoff et al have developed a taxonomy of patterns, and our current work builds on this.…”

Section: B Existing Research On Gridsurementioning

confidence: 99%

“…Brostoff et al [7] found that users did indeed chose predictable patterns unless they were instructed to pick less predictable ones, and concluded that Bond's analysis affected security in some usage scenarios, but not others. They recommended its use as a second factor authentication where the capture of both one-time PIN and grid is unlikely such as at Point-of-Sale.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Make mine a quadruple: Strengthening the security of graphical one-time PIN authentication

Jhawar

Inglesant

Courtois

et al. 2011

2011 5th International Conference on Network and System Security

Self Cite

View full text Add to dashboard Cite

Secure and reliable authentication is an essential prerequisite for many online systems, yet achieving this in a way which is acceptable to customers remains a challenge. GrIDsure, a one-time PIN scheme using random grids and personal patterns, has been proposed as a way to overcome some of these challenges. We present an analytical study which demonstrates that GrIDsure in its current form is vulnerable to interception. To strengthen the scheme, we propose a way to fortify GrIDsure against Man-in-the-Middle attacks through (i) an additional secret transmitted out-of-band and (ii) multiple patterns. Since the need to recall multiple patterns increases user workload, we evaluated user performance with multiple captures with 26 participants making 15 authentication attempts each over a 3-week period. In contrast with other research into the use of multiple graphical passwords, we find no significant difference in the usability of GrIDsure with single and with multiple patterns.

show abstract

Evaluating the usability and security of a graphical one-time PIN system

Cited by 22 publications

References 10 publications

“Too Taxing on the Mind!” Authentication Grids are not for Everyone

“Too Taxing on the Mind!” Authentication Grids are not for Everyone

Pico in the Wild: Replacing Passwords, One Site at a Time

Make mine a quadruple: Strengthening the security of graphical one-time PIN authentication

Contact Info

Product

Resources

About