acm-header
Sign In

Communications of the ACM

Virtual extension

Visual Passwords: Cure-All or Snake-Oil?


Users of computer systems are accustomed to being asked for passwords – it is as universal as it is frustrating. In the past there was little tolerance for the problems experienced remembering passwords, and many users still remember, with embarrassment, having to go hat-in-hand to request a password change and being treated with disdain by a lofty administrator. Latterly there is more understanding of the problems experienced by users, especially since the "password conundrum" has reached epidemic proportions for Web users, who are asked for passwords with unrelenting predictability.

The problems with passwords are clear – users cannot remember numbers of meaningless alphanumeric strings with ease. Hence, they react by choosing simple and predictable words or numbers related to their everyday life, and engaging in insecure practices, such as writing passwords down or sharing them. These practices cause a breach affecting even the most secure and protected network system. Hence the user is often called the weakest link of the security chain, with system administrators despairing of trying to maintain security with the weak link so often reaching breaking point. Users forgetting passwords has serious economical consequences for organizations.

Both academia and industry have been investigating alternatives to passwords, with varying degrees of success. One of the most well-known solutions is the biometric – measurement of either behavioral or physiological characteristics of the end-user. This is obviously superior to the password because it removes the burden on the user's memory. So why don't we just switch to biometrics and give the poor user a break? There are some valid and hard-to-overcome reasons for the slow uptake of biometrics, but before we can discuss them we need to consider the mechanics of authentication.

Back to Top

Authentication

Authentication is required to verify that the user's proffered identity is valid. When person-to-person authentication is carried out, it is often done by means of a token such as a photo-id. Digital authentication is much more difficult, as no physical cues are directly available. Authentication is a four stage process, consisting of:

  1. Enrollment – matching the user with a secret (the authentication key). The key can be issued by the system or provided by the user, with the latter being more common.
  2. Authentication – the user is challenged by the system to provide the key. The provided key is compared to the stored key. If they match the user is granted access.
  3. Replacement – this occurs if the user forgets the key and needs to have a new one issued.
  4. De-registration – the user should have the right to close his or her account and to have all authentication details removed from the system.

This process works differently depending on the context – the environment within which the user accesses the system. So, for example, if the system controls access to financial details, the enrolment process is usually far more time consuming and stringent, than the enrolment process for a Web site providing personalized information. Similarly, the number of authentication keys and stages, and their complexity, is likely to vary depending on the required level of security. If the user wishes to manage her banking accounts online, the bank normally issues several security codes which need to be entered on a secure Web site. If the user forgets any of these codes, she needs to re-enroll. In a less stringent context, such as email access or personalized Web sites, users are normally allowed to choose their own password which is requested at authentication together with the preset user identifier. If the user forgets the password, or the identifier, the information is often emailed, in unencrypted format, or the user is asked some questions to verify her identity before she is allowed to choose a new password.

Let's also consider the legal aspects of authentication. In order to support non-repudiation it is necessary to show that the person has been authenticated without reasonable doubt. This simply cannot be done when passwords or PINs are being used. Imposters can easily beat the system at authentication if it is based on a secret which can easily be communicated or obtained by devious means. Systems that have a non-repudiation requirement need something less fallible than a factbased secret.

Now, back to biometrics – these are the only techniques which allow confirmation that a person is actually present rather than merely their token or identifier. Nevertheless, biometrics still cause problems at all stages of authentication. Some users have difficulties recording their biometric and thus cannot enroll. If that hurdle is overcome users have to present their biometric at authentication time. If, for example, the biometric is their fingerprint, they have to allow their fingerprint to be read. This is fraught with difficulty since fingerprints change as people age or have accidents. There is also a reported case of a user having his finger removed by criminals in order to steal his car. Hence one needs to incorporate a "liveness" test in unsupervised biometric readers in order to discourage such crimes.

The third stage of the authentication process, replacement, is especially problematical for biometrics as they are impossible to replace and this stage usually requires a switch to another biometric. Since we all have so many different biometrics, this, at first glance, does not appear to be a problem until one considers that biometric readers are expensive and few systems can afford to have a number of different readers available at all authentication points. Another fundamental issue affecting the use of biometrics within Internet applications is the potential size of the user-base, which can easily reach millions of users. This drives a number of problems such as template storage, and the requirement for verification (match between a proffered identifier and a biometric template) rather than recognition (the biometric is compared to the entire data-base). Finally, biometrics require specific devices which are not, as yet, widely available to the Web-population.

Biometrics do have their place in authentication, but they are obviously not applicable across all domains, and we have to find other ways of authenticating users, especially in an uncontrolled environment such as the Web. The group of authentication mechanisms we consider in this paper is the visual password.

Back to Top

Visual Passwords

Visual passwords use pictures instead of words or numbers. The idea is driven by the assumption that pictures are more secure and easier to remember than words. The increase in security is associated with the increased difficulty in communicating or recording pictures as compared to words and numbers. This should inhibit insecure practices. The increase in memorability is predicted by the picture superiority effect demonstrated in several psychology studies.8 According to this effect, humans have a vast, almost limitless memory for pictures which they remember far better and for longer than words.

One reason for the picture superiority effect could be that people encode images in their minds in two different ways – by remembering both the visual configuration and a lexical description of the picture. Another reason could be that pictures are stored more comprehensively and with more mental pathways which can be used to retrieve them from memory.

Pictures have been used in a variety of ways to support authentication, and can be classified into three distinct groups:

  • Searchmetrica systems that require searching a number of images in a challenge set. The target images are then selected by a variety of input techniques, ranging from direct touch to indirect operation of other interface devices.
  • Locimetric systems that require identification of a series of positions within an image; and
  • Drawmetric systems that require the user to sketch a drawing.

Searchmetric Systems. Searchmetric systems require users to choose a number of images making up their authentication key from a challenge set which includes the authentication key and a number of distractors. Nowadays, a number of systems based on the searchmetric model are available on the market. Examples are Pointsecb and Lockscreenc shown in Figure 2, both developed for PDA use and displaying iconic images. Examples of searchmetric systems which have been evaluated in terms of security and usability are Passfaces™ by Real User Corporation and VIP, shown in Figure 1.

Passfaces™ is probably the most widely used visual password and initial results seemed encouraging. However, some problems have emerged: if the user is permitted to choose her own (pass)faces to make up the authentication key, she usually chooses a female of her own race.2 Another complicating factor is that extended use of the mechanism familiarizes users with the "decoy" faces and they start to recognize these faces as well, with predictable confusion resulting.

The VIP project investigated different graphical layouts for authentication.3 It showed that the usability of graphical authentication is a function of the system's overall design and strongly depends on the type of picture used. It also showed that searchmetric systems are subjected to the same tricky tradeoff between usability and security affecting passwords. The most usable mechanisms (in terms of ease of remembering and efficiency) are also the most insecure.

Revisiting the picture superiority effect. Most of what is written about the potential of searchmetric mechanisms refers to the famed "picture superiority" effect. What is often missed is that this effect was proved in a very different context from the way pictures are used in authentication. In the first place, people in picture memory experiments were shown a set of pictures and, at a later time, they were shown a series of picture pairs – one they had seen before, and another they hadn't. Under these conditions, they identified the picture they had seen before with a significant measure of success. In authentication, however, the user's secret pictures are displayed as one of a set of pictures. The target could have been seen only once more than the distractor pictures and the distractors outnumber the target by at least 8 to 1. Clearly the context is different and the demands placed on the user are dissimilar.

Whereas the picture superiority effect is the cornerstone of this kind of authentication, and the factor that could well make it superior to textual passwords, this ignores one of the most important features of the mechanism. The means by which people identify their target is called "visual search" and the literature in this area provides important insights. When people are presented with an array of pictures and have to find one particular picture they don't take the entire visual scene in at one glance and identify the target picture, because humans can attend to only one or two objects at a time, especially if the pictures are fairly complex and differ markedly from one another.

They therefore have to embark on a visual search process, looking at each picture in turn to find the target picture. The most efficient way of doing this is by starting at the top and working methodically left to right and top to bottom until the picture is found. Unfortunately, that's not the way we do things. Research has shown that the visual search process starts off with a perception phase – the viewer takes in the whole panorama and registers colours, shapes and shadows. This phase is followed by a more serial phase, where viewers home in on pictures with visual similarities to the target image they are searching for. This leads to a somewhat unpredictable searching process. There is also evidence that people revisit previously attended images during the searching process, slowing the search process even further and making it inefficient.

The kinds of images used will affect the searching process. The more visually complex the image, the longer the search process will take. The more visually similar the target picture is to the distractor pictures, the longer the process will take. The larger the set of images displayed the longer the reaction time, indicating that the challenge set size is important. Hence the design of the searchmetric mechanism and the choice of target and distractor images is crucial, and some factors have been insufficiently researchedc in this area to know what the optimal design boundaries are.

Searchmetric systems are also prone to shoulder surfing and key-logging software, as they require the person to point at a relatively large target, sometimes using a touch screen. This problem has generated interesting solutions, as described below.

Back to Top

Minimum Disclosure Searchmetric

This kind of mechanism does not require the user to directly identify secret images. Minimum disclosure searchmetric often relies on the use of arrow keys, or the mouse, to demonstrate knowledge of authentication key images without identifying them directly. Most of these mechanisms have some measure of redundancy so that an observer is not able to deduce the key from casual observation but would have to either observe the user entering their key many times or carry out an errorprone deduction of the key based on a few observations. Figure 3 shows the v.Crypt system from Bharosa,d which requires the user to line up a shape on the bottom row with an alphanumeric key on the top row using the arrow keys. This is done for as many letters and numbers as there are in the password. The user now has to engage in a visual search for two different targets: a number or character, and a shape. Then, instead of clicking directly on either, the user has to engage with the interface to line them up. No usability studies have been published but one wonders whether the average user will be able to use this kind of mechanism with ease.

Another example of a minimum disclosure searchmetric is the convex hull click scheme proposed by Wiedenbeck et al.12 The user has a number of pass-icons, which are displayed in a challenge set. To authenticate, the user has to search for his or her pass icons and visualizes a convex hull encompassing at least 3 of the pass-icons. Then he or she clicks anywhere within the visualized convex hull. A number of challenges are presented, so that the user has to prove knowledge of all the pass-icons for authentication. They tested their mechanism with 14 users and reported positive results. However, one wonders about the general populace's ability to understand the requirements of this mechanism, and using it properly without inadvertently clicking on their secret images whilst trying to visualize the convex hull.

A different type of minimum disclosure searchmetric, which relies on information conveyed via an auxiliary channel, is Dynahand.10 Dynahand relies on the user's recognition of his or her own handwriting, which is tested by means of an auxiliary channel, an implicit skill that is not transferrable to other users. Dynahand displays random PINs in the user's own handwritten numerals. This is done a number of times in order to reduce the possibility of random guessing helping an intruder. Since the PINs are random, the user recognises his or her own handwriting and clicks on the PIN. It is therefore impossible for a user to tell another user what his or her PIN is. Information gleaned from covert observation is less likely to be helpful to an intruder. On the other hand, it is entirely possible that someone close to the user will be able to identify his or her numerals, and this means that this kind of mechanism is not secure enough to be used for high risk sites. However, it could be used as a secondary mechanism once the user has been authenticated with a regular password, perhaps to authenticate particular transactions.

The minimum disclosure searchmetric mechanisms attempt to foil shoulder surfing in different ways. Some use direct identification of nonrepeatable targets, as is the case for Dynahand. Others, however, require the user to position images or to draw lines around groups of images, using redundancy to obfuscate. Unfortunately, in these cases, the mouse is a mediator – in indirect input mechanism – and users may well have some difficulty interacting with these mechanisms.

Locimetric Systems. Locimetric systems require users to remember, and be able to point at, a number of positions within an image. Unlike searchmetric systems, they usually use only one image at authentication and most of them allow the user to choose the image. At enrolment, the user chooses a number of positions within the image. At authentication they have to click on the same places. Examples of two commercially available locimetric systems are VisKeye and PicturePassword.f The former is shown on the right in Figure 2. There are no published usability evaluations of these products.

Usability research so far has concentrated on computer-based locimetric systems, where the user input is mediated by a mouse.9 Empirical studies have evinced a number of predictable issues related to pointing precision, but also other problems related to predictability (positions which attracted visual attention were much more likely to be selected than others). The PassClicksg experiment tested human memory of locations within images. The positions chosen by 157090 people in a PassClicks image are shown in Figure 5, which neatly demonstrates the weakness of this mechanism.

The positions chosen by people are predictable if we, once again, turn to the available literature. It is well known that vision focuses primarily on objects. An experimental study into people's perceptions of scenes demonstrated that the participants' descriptions tended to be related to the objects within the scenes rather than being a general description of the scene: such as a baby reaching for a butterfly.6 Epstein and Kanwisher4 identified a specific part of the brain that responded mainly to passively viewed scenes but the response to single objects was weak and no response was detected when faces were viewed. This suggests that our brains have a special area for processing scenes, which might well operate differently from those areas devoted to object recognition. In fact, Epstein suggests that this specialized sceneprocessing area is not a memory area, nor is it involved in planning routes or mediating locomotion. Epstein et al.5 suggests that the function of this area might well be related more to determining the relationship between the viewer and his or her local space.

To conclude, it is understandable that locimetric authentication users will focus on a particular object's position, and remember the object. Unfortunately, any picture has a limited number of distinct objects (as compared to the number of available textual passwords) and this makes locimetric systems untenable.

Drawmetric systems require the user to sketch a previously-drawn image at authentication time. One example of this is the Draw-a-Secret scheme.7 Unfortunately, participants in an evaluation of this scheme were not able to reproduce the picture accurately enough. This is unsurprising. Humans are not machines and simply cannot reproduce the same drawing time after time. It is unreasonable to expect this.

Furthermore, a study by Thorpe and van Oorschot11 demonstrated that the potentially unlimited dictionary for this kind of mechanism is reduced by users' tendency to draw symmetrical images. This mechanism also requires a graphical tablet to be available at all authentication attempts – a somewhat unrealistic requirement.

Drawmetric systems are a special category of visual authentication mechanisms, which lies at the border with biometric systems based on handwriting recognition. It is important to raise this distinction and highlight the fact that visual authentication mechanisms require some form of visual memory, either through recognition or recall. Systems which require users to sign a graphical tablet measure signature biometrics (an implicit skill) – drawmetric systems require the user to draw and then redraw a picture. From a system perspective, the technical properties of handwriting biometrics and drawmetric systems seem to be fairly similar. From a user perspective, however, they are very different: systems that authenticate based on a handwritten signature test kinaesthetic memory, drawmetric systems test visual and action-planning memory.

Back to Top

Conclusion

We return to the question posed in the title: "Are visual passwords the "silver bullet" to answer all the problems related to passwords, or are they merely yet another big idea that disappoints and does not have much substance?" Currently published research is unable to provide a definitive answer to this question. No evaluation study has, as yet, reliably demonstrated a clear advantage of the visual mechanisms over traditional passwords and PINs, and it seems to us that the latest evolution of the graphical idea, in the form of minimum disclosure techniques, could potentially add a number of complications. The user does not only have to remember her pictures, but she needs to be able to interact with the system in more complicated fashion in order to authenticate.

There are two basic issues to be considered in designing authentication systems: usability and security. These are by no means orthogonal, since a system with poor usability will often cause users to take subversive measures.1 Each type of user authentication, including graphical proposals, represents some sort of compromise addressing both security and usability. The primary question is related to the required level of protection as dictated by the information and functionality being protected. The typical Web applications, which feature a standard level of protection (user identifier and password), lead to a situation where familiarity breeds contempt and eventually nothing is perceived as really important. In this state of affairs, users are very likely to find ways to circumvent security procedures. Then, designers are encouraged to give up on security to increase usability whenever the situation allows it or to make sure that more stringent security requirements are understood and respected by the user.

When discussing the viability of graphical authentication, we need to consider that the picture superiority effect is by no means undisputed; it has often been reversed or inhibited simply by changing the setting within which a person is requested to recognize previously-seen pictures. The problem is related to the way people remember images. Pictures are not remembered in their entirety like a photograph which can be called up at will. On the contrary, schematic information is stored which is limited to meaning, layout, and perhaps the abstract identities of objects in the image, and these are used to mentally reconstruct the picture. The level and wealth of detail stored about an image depends on the attention focused on the image when the person mentally stores this information.

Graphical authentication success is dependent on the types of pictures used, as well as the encoding and the retrieving context. Such as, the success depends on the interaction design. We believe that visual passwords will turn out to have some potential, especially in uncontrolled environments such as the Web. However, one cannot simply rely on psychological findings which were discovered in controlled experiments that do not necessarily apply to this new domain. At this stage much work needs to be done to fully understand the constraints and principles under which these authentication keys can indeed function effectively. The only way to determine whether, in the light of these limitations, pictures still have a place in authentication, is to evaluate these systems rigorously.

Back to Top

References

1. Adams, A. and Sasse, M A. Users are not the enemy. Comm. of the ACM 42, 12, (Dec. 1999), 40–46.

2. Davis, D., Monrose, F. Reiter, M K. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, Aug. 2004, San Diego, CA.

3. De Angeli, A., Coventry, L., Johnson, G., Renaud, K. Is a picture really worth a thousand words? On the feasibility of graphical authentication systems. International Journal of Human-Computer Studies, special issue: HCI research on Privacy and Security, 63, 1–2, (July 2005), 128–152.

4. Epstein, R. and Kanwisher, N. A cortical representation of the local visual environment. Nature. 1998. 476–84.

5. Epstein, R., Graham, K S. and Downing, P E. Viewpoint-specific scene representations in human parahippocampal cortex. Neuron, 37, 5, (Mar. 2003), 865–876.

6. Henderson, J M. and Hollingworth, A. High-level scene perception. Annual Review of Psychology 50, (1999), 243–71.

7. Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D., The design and analysis of graphical passwords. Proceedings of the 8th USENIX Security Symposium, 1994, 1–14.

8. Madigan, S., Picture memory. Yuille J.C. (Ed.), Imagery, Memory, and Cognition: Essays in Honor of Allan Paivio. Erlbaum, Hillsdale, NJ, 1983, 66–89.

9. Renaud, K V. and De Angeli, A. My password is here! Investigating authentication schemes based on visuospatial memory. Interacting with Computers 16, 6, (2004), 1017–1041.

10. Renaud, K V. and Olsen, E. DynaHand: Observation-resistant recognition-based Web authentication. IEEE Technology and Society. Special Issue on Usable Security and Privacy 26, 2, (2007), 22–31.

11. Thorpe, J. and van Oorschot, P. Graphical dictionaries and the memorable space of graphical passwords. In 13th USENIX Security Symposium, 2004.

12. Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A. and Memon, N. PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies 63, 1–2, (2005), 102–127.

Back to Top

Authors

Karen Renaud ([email protected]) is a senior lecturer for the Department of Computing Science at University of Glasgow, United Kingdom.

Antonella De Angeli ([email protected]) is a lecturer for the Manchester Business School at The University of Manchester, UK.

Back to Top

Footnotes

a. In a previous article3 we assigned the label cognometric to this category because the word denoted the measurement (metric) of recognition activity (cognition). In retrospect we have realised that this label inaccurately describes this particular mechanism since other types of visual passwords also involve some form of recognition. Hence, in this paper we propose to label them as searchmetric, as they require the user to search a challenge set in order to recognise and identify the target(s).

b. http://www.pointsec.com/core/default.asp

c. http://www.learningtogo.com/ls/forppc.php

d. http://www.bharosa.com

e. http://www.viskey.com

f. http://www.picturepassword.com/otp_skins.php

g. http://labs.mininova.org/passclicks

DOI: http://doi.acm.org/10.1145/1610252.1610287

Back to Top

Figures

F1Figure 1.

F2Figure 2.

F3Figure 3.

F4Figure 4.

F5Figure 5.

Back to top


©2009 ACM  0001-0782/09/1200  $10.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.


 

No entries found