Today, most Internet applications still establish user authentication with traditional text based passwords. Designing a secure as well as a user-friendly password-based method has been on the agenda of security researchers for a long time. On one hand, there are password manager programs which facilitate generating site-specific strong passwords from a single user password to eliminate the memory burden due to multiple passwords. On the other hand, there are studies exploring the viability of graphical passwords as a more secure and user-friendly alternative. In this paper, we present GPEX, a password manager program implemented as a web browser plug-in to enable using graphical passwords to secure Internet applications without any need to change their authentication interface. Experimental results show that GPEX has security and usability advantages over other password manager plug-ins …

Click based graphical passwords that use background images suffer from hot-spot problem. Previous graphical password schemes based on recognition of images do not have a sufficiently large password space suited for most Internet applications. In this paper, we propose two novel graphical password methods based on recognition of icons to solve the hotspot problem without decreasing the password space. The experiment we have conducted that compares the security and usability of proposed methods with earlier work (i.e. Passpoints) shows that hotspot problem can be eliminated if a small increase in password entrance and confirmation times is tolerable.

Our agenda is two-fold. First, we introduce and give a technical description of gridWord, a novel knowledge-based authentication mechanism involving elements of both text and graphical passwords. It is intended to address a new research challenge arising from the evolution of Internet access devices, and which may arguably be viewed as motivating a new paradigm: remote access password schemes which accommodate users who alternately login from devices with, and without, full physical keyboards (e.g., users alternating between desktops with easy text input, and mobile devices with tiny or touch-screen virtual keyboards). While the core ideas behind gridWord are well-formed, and may be viewed as a new variation of old (text-based) ideas of building passwords from multiple words, many aspects including recommended parameterization and configuration details, preferred platforms, and primary targets …

One of the most popular aids adopted by users to reduce the pain suffered from the use of passwords is browsers' autocomplete feature. This feature, caching username and password after getting the user consent and using them later for automatic completion, is available in all modern browsers but communication with the user asking consent is implemented in different ways. In this paper, we report on user studies comparing active communication with a blocking dialog box and passive communication with a non-intrusive toolbar. We found that a dialog box misled users to save passwords in public computers. Conversely, no security problem was observed with passive communication. Our exploration provides empirical evidence for the risks of preferring active communication for password autocomplete and other similar interactions and sheds light on many other aspects of password autocomplete.

We carry out a hybrid lab and field study of a password manager program, and report on usability and security. Our study explores iPMAN, a browser-based password manager that in addition uses a graphical password scheme for the master password. We present our findings as a set of observations and insights expected to be of interest both to those exploring password managers, and graphical passwords. © 2012 Springer-Verlag.

Keystroke Dynamics, which is a biometric characteristic that depends on typing style of users, could be a viable alternative or a complementary technique for user authentication if tolerable error rates are achieved. Most of the earlier studies on Keystroke Dynamics were conducted with irreproducible evaluation conditions therefore comparing their experimental results are difficult, if not impossible. One of the few exceptions is the work done by Killourhy and Maxion, which made a dataset publicly available, developed a repeatable evaluation procedure and evaluated the performance of different methods using the same methodology. In their study, the error rate of neural networks was found to be one of the worst-performing. In this study, we have a second look at the performance of neural networks using the evaluation procedure and dataset same as in Killourhy and Maxion’s work. We find that performance of …

Server-side authenticated key-establishment protocols are characterized by placing a heavy workload on the server. We propose LAKE: a new protocol that enables amortizing servers’ workload peaks by moving most of the computational burden to the clients. We provide a formal analysis of the LAKE protocol under the Canetti-Krawczyk model and prove it to be secure. To the best of our knowledge, this is the most computationally efficient authenticated key-establishment ever proposed in the literature.

Users generally choose weak passwords which can be easily guessed. On the other hand, adoption of alternatives to text passwords has been slow due to cost and usability factors. We acknowledge that incumbent passwords remain difficult to beat and introduce in this study Type&Click (T&C), a hybrid scheme supporting text passwords with the graphical passwords. In T&C, users first type a text as usual and then make a single click on an image to complete the password entry. While largely preserving the login experience with the text passwords, the new scheme utilizes accumulated scientific knowledge in graphical password research (implicit feedback, persuasion during password creation, leveraging cued recall memory). The results of our user study suggest that T&C is promising for augmenting text passwords for improved security without degrading usability.

Current mobile authentication solutions put a cognitive burden on users to detect and avoid Man-In-The-Middle attacks. In this paper, we present a mobile authentication protocol named Mobile-ID which prevents Man-In-The-Middle attacks without relying on a human in the loop. With Mobile-ID, the message signed by the secure element on the mobile device incorporates the context information of the connected service provider. Hence, upon receiving the signed message the Mobile-ID server could easily identify the existence of an on-going attack and notify the genuine service provider.

Authentication proxies, which store users' secret credentials and submit them to servers on their behalf, offer benefits with respect to security of the authentication and usability of credential management. However, as being a service that is not in control of users, one important problem they suffer is the trust problem; how users trust that their secrets are handled securely in the proxy and not revealed to third parties. In this paper, we present a solution called Trust-in-the-Middle, a TPM based proxy system which ensures that user credentials are securely stored and submitted without disclosing them even if the proxy is compromised. We build our architecture on a trust chain bootstrapped by TPM DRTM and prevent access to credentials if any entity in the chain is maliciously modified. We use remote attestation to guarantee that all critical operations on the proxy are performed securely and credentials are cryptographically protected when they are not in DRTM-supported isolation.

Android Lock Pattern is popular as a screen lock method on mobile devices but it cannot be used directly over the Internet for user authentication. In our work, we carefully adapt Android Lock Pattern to satisfy the requirements of remote authentication and introduce a new pattern based method called charPattern. Our new method allows dual-mode of input (typing a password and drawing a pattern) hence accommodate users who login alternately with a physical keyboard and a touchscreen device. It uses persuasive technology to create strong passwords which withstand attacks involving up to 106 guesses; an amount many experts believe sufficient against online attacks. We conduct a hybrid lab and web study to evaluate the usability of the new method and observe that logins with charPattern are significantly faster than the ones with text passwords on mobile devices.

Significant portion of contemporary computer users are children, who are vulnerable to threats coming from the Internet. To protect children from such threats, in this study, we investigate how successfully typing data can be used to distinguish children from adults. For this purpose, we collect a dataset comprising keystroke data of 100 users and show that distinguishing child Internet users from adults is possible using Keystroke Dynamics with equal error rates less than 10 percent. However the error rates increase significantly when there are impostors in the system.