Image-based Authentication for Mobile Phones: Performance and User Opinions




Image-based Authentication for Mobile Phones: Performance and User Opinions

By

Yeah Teck Chen

A thesis submitted for the degree of

Master of Science (Computer and Information Science)

School of Computer and Information Science

Division of Information Technology, Engineering and the Environment

University of South Australia

Supervisor

Gaye Lewis

2010

University of South Australia

Image-Based Authentication for Mobile Phones: Performance and User Opinions

Prepared By: Yeah Teck Chen

Page i

Abstract

Mobile phones are becoming increasingly sophisticated, enabling consumers to do more and generating more data, some of which is personal and sensitive. With more than 200,000 mobile phones stolen each year in Australia (ATMA 2008), the default personal identification number (PIN) and password protection are no longer sufficient to protect these data from being used unfavourably. A survey of mobile security usage has shown that 34% of users disabled the PIN and password on their phones, while the other 66% who do use a PIN or password did so inappropriately (Clarke, NL & Furnell 2005). This calls for better security to protect mobile phone users.

PIN and password authentication have issues related to memorability and usability which result in improper use by consumers. Thus, other authentication methods attempting to address these shortcomings, such as tokens and biometrics, were developed. However, these more advanced authentication methods are not without their own limitations: a token can be forgotten or lost, and biometrics often have accuracy and privacy issues. Both of these methods also use PIN and password as secondary or fallback authentication mechanisms.

Research on image based authentication (IBA) was on the rise to leverage the human ability to recognize and recall graphics better than a sequence of strings and numbers. In all of the research (Dhamija & Perrig 2000; Jansen 2004; Takada, Onuki & Koike 2006), results have shown that users are able to authenticate better using IBA techniques by recognizing images rather than recalling PINs and passwords. Although IBA techniques seem to yield better memorability among test subjects, these various techniques have always been compared against PIN and password.

The focus of this paper will be to compare two IBA techniques, Picture Password and Awase-E, against one another. The performance of these authentication techniques is important to reveal a range of usability design issues that matter in designing an easy to use and memorable system. In order to do this, the performance as well as the usability design of these two IBA techniques will be compared.

In summary, the two compared IBA techniques performed unexpectedly in terms of speed of authentication: Awase-E was significantly faster than Picture Password. As for authentication success rate, Awase-E was able to maintain a high success rate while Picture Password experienced a poor success rate. In terms of user preference, there is a strong indication that participants in the experiment preferred Awase-E over Picture Password. The findings have been presented and discussed along with proposed improvements for the IBA techniques.



Table of Contents

Abstract ... i
List of Figures ... iii
List of Tables ... iii
Acronyms and Abbreviations ... iii
Declaration ... iv
Acknowledgement ... v
1 Introduction ... 1
1.1 Motivation ... 2
1.2 Research Questions and Contributions ... 2
2 Literature Survey ... 3
2.1 Overview ... 3
2.2 Introduction ... 3
2.3 User Authentication Techniques ... 4
2.4 IBA Performance ... 10
3 Research Methodology ... 11
3.1 Selecting IBA Technique to Evaluate ... 11
3.2 Prototype Development ... 11
3.3 Data Collection ... 11
3.4 Analysis and Expected Outcomes ... 13
4 Findings ... 14
4.1 Speed of Authentication ... 14
4.2 Authentication Success Rate ... 15
4.3 User Behaviour and Opinions towards Mobile Security and IBA ... 17
4.4 Problems and Improvements for Picture Password ... 19
4.5 Problems and Improvements for Awase-E ... 20
4.6 Improvements for both IBA techniques ... 20
5 Conclusion ... 21
References ... 22
Appendix A User selected code ... A1
Appendix B Performance data (Authentication Speed) ... B1
Appendix C Déjà vu ... C1






List of Figures

Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner & Noble 2006) ... 5
Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008) ... 6
Figure 3: FAR, FRR and EER for biometrics (Clarke, N) ... 6
Figure 4: Example PDA screen (Jansen 2004) ... 7
Figure 5: Example random art from déjà vu (Dhamija & Perrig 2000) ... 8
Figure 6: Example verification stage for Awase-E (Takada & Koike 2003) ... 8
Figure 7: Example of PassPoint clicks (Dirik, Memon & Birget 2007) ... 9
Figure 8: Draw-a-secret authentication process (Jermyn et al. 1999) ... 9
Figure 9: Left: Using shape to remember PIN 7-1-9-7. Middle: Stroke direction and the internal value interpreted by the PassShape. Right: Strokes interpreted as U93DL9L3XU3U with X as a padding value for multiple drawing. (Weiss & Luca 2008) ... 10
Figure 10: Authentication speed for PIN, Password, Picture Password and Awase-E ... 14
Figure 11: Authentication success rate for PIN, Password, Picture Password and Awase-E ... 15
Figure 12: Number of trials for PIN, Password, Picture Password and Awase-E ... 16

List of Tables

Table 1: Design differences between Picture Password and Awase-E ... 11
Table 2: Authentication speed for PIN, Password, Picture Password and Awase-E ... 14
Table 3: Authentication success rate for PIN, Password, Picture Password and Awase-E ... 15
Table 4: Number of trials for PIN, Password, Picture Password and Awase-E ... 17
Table 5: Type of error and mistake made by participants ... 17
Table 6: Usage a Day against number of willing authentication ... 18
Table 7: Criteria rating and preference of PIN, Password, Picture Password and Awase-E ... 19


Acronyms and Abbreviations

IBA    Image based Authentication
PDA    Personal Digital Assistant
PIN    Personal Identification Number
WiFi   Wireless networking technology for high speed Internet and network connection



Declaration

This thesis presents work carried out by myself and does not incorporate without acknowledgment any material previously submitted for a degree or diploma in any university; to the best of my knowledge it does not contain any materials previously published or written by another person except where due reference is made in the text; and all substantive contributions by others to the work presented, including jointly authored publications, are clearly acknowledged.

……………………………………………..

Yeah Teck Chen

June 2010






Acknowledgement

I wish to express my sincere gratitude to my minor thesis supervisor Gaye Lewis, who is a Program Director in the School of Computer and Information Science, for her superb insights and suggestions, support and encouragement throughout the experiment, analysis of the findings and final write up of the thesis. In addition, I also wish to extend many thanks to my former thesis supervisor, Chris Steketee, who was a Senior Lecturer in the School of Computer and Information Science, for all the unreserved and enlightening pointers and comments during the formation of the thesis, literature review and experiment design. Special thanks also go to all of the participants in the experiments for their earnest involvement and comments for the research. Finally, I would like to express my deepest thanks to my family and friends for their unwavering encouragement and support during my study here in Adelaide.



1 Introduction

Mobile phones that are released in the market are becoming increasingly sophisticated, with packed features and increased capabilities. Consumers are able to do more with the phone, resulting in more services being consumed and more data being generated and stored in the phone, some of it sensitive in nature. Personal consumers are most likely to possess private information such as family contact numbers, personal photos and messages in the phone, and protection of the privacy of this information will be important to them. Business users, on the other hand, may have more crucial information stored in the mobile phone, such as vendor and customer information, business correspondence such as emails, and access to corporate resources. Thus, mobile security will be the utmost critical requirement for this user group. With more than 200,000 mobile phones reported stolen each year in Australia alone (ATMA 2008), and even more that go unreported, these sensitive data may be at risk of being used unfavourably. This calls for better security for protecting mobile phone data.

A standard mobile phone would normally come with a simple device power-on PIN protection, while more advanced models may include PIN authentication for waking from inactivity. However, research has shown that 34% of users disabled the PIN and 30% found the PIN to be troublesome. Of the 66% who do use a PIN, 38% had at least once forgotten the PIN and locked themselves out of the phone, 45% used the default PIN, 42% changed it once after buying the phone and only 13% changed the PIN more than once (Clarke, NL & Furnell 2005). Another survey revealed that 50% of the respondents recorded their password or PIN in one form or another (Adams, Sasse & Lunt 1997).

A potential explanation for such consumer behaviour could be the limitation of human memory. Firstly, Johnson in 1991 (Yan et al. 2000) explained that humans have limitations in memorizing a sequence of items in a short period of time, and secondly Miller in 1956 (Yan et al. 2000) explained that human short term memory has a capacity of about seven plus or minus two items.

Although a significant amount of research has been conducted to improve the security of PIN and password systems, the focus of this research has always been on designing new technical methods to authenticate users rather than examining the usability of those methods (Adams & Sasse 1999).

Image based authentication (IBA) research, which leverages the human ability to recognize better than to recall, showed promising results with improved memorability of pass-images and hence lower authentication failure. This can be seen in the work of the Déjà vu project (Dhamija & Perrig 2000) (refer to Appendix C). However, IBA techniques tend to yield higher authentication times (Dhamija & Perrig 2000) and other input errors such as wrong sequence and double selection (De Angeli et al. 2003). These techniques were also compared only against PIN and password.

This paper aims to conduct an experiment to compare two IBA techniques, Picture Password and Awase-E, back to back with PIN and password as control techniques. The focus will be on the performance of these IBA techniques. User opinions regarding IBA techniques will also be gathered during the experiment. By investigating the performance, in terms of authentication speed and success rate, and the user opinions on these techniques, usability issues can be identified and hence better design suggestions to improve the performance of these IBA techniques can be derived.





1.1 Motivation

Most of the input methods for IBA techniques are similar to PIN and password systems. In addition, PIN and password systems are still the most used mechanism for user authentication, but their limitations result in bad practices among consumers.

While advanced authentication systems such as token-based and biometrics exist, those systems are well known for their drawbacks, including, but not limited to, requiring extra hardware, increased implementation cost and accuracy issues (Grashey & Schuster 2006; Nicholson, Corner & Noble 2006). Often, token-based and biometric authentication systems implement some level of PIN or password based mechanism for either initialization, or as a "fallback" or secondary authentication method.

On the other hand, research on IBA techniques such as Déjà Vu, which leverage the human ability to recognize previously seen images, has shown improved memorability among test subjects (Dhamija & Perrig 2000; De Angeli et al. 2003). As a result, several authentication systems based on this concept, such as Awase-E (Takada & Koike 2003) and IBRA (Akula & Devisetty 2004), were developed.

However, improved memorability does not mean a more usable system, but there is room for improvement for these techniques if their design is user-centred. Thus, data gathered from experiments could reveal both design and user acceptance issues that are crucial for the diffusion of the technique for public and private use, especially for business use.


1.2 Research Questions and Contributions

This paper will focus on the performance and usability of two IBA techniques and will aim to answer the following research questions:

a) Which IBA technique allows the user to authenticate faster?

b) Which IBA technique is easier to remember, resulting in a higher authentication success rate?

c) What are some of the users' opinions regarding the design of user authentication in general and specifically on IBA authentication?

The task completion time for enrolment and authentication and the authentication error rate will be collected so that the results can be analysed and discussed in relation to the IBA technique's system design. Also, experiment participants will be interviewed to study their behaviours and opinions towards mobile authentication.

This paper will contribute to the body of knowledge about user authentication, especially in the usability studies on IBA systems, not only for mobile devices but also for other electronic devices and machines such as computers and ATMs. Improved usability and user authentication experience could encourage consumers to better adopt these IBA security systems for their mobile devices and computers, which are increasingly valuable.





2 Literature Survey

2.1 Overview

In this section, the description and mechanism of various types of user authentication techniques are presented and critically reviewed in terms of their weaknesses and usability issues on mobile phones. These techniques include PIN, password, token based authentication, biometrics and IBA.

As the focus of this thesis is on IBA techniques and specifically on their performance, a section on the currently known performance data for the experimented IBA techniques Picture Password and Awase-E will also be presented for later comparison.


2.2 Introduction

Imagine you're starting a new job at a new building and are introduced to the security guard on duty who will screen all the employees. When you turn up for work the following day, how does the security guard recognize you? Well, the security guard may do so by verifying your name, observing your general appearance, observing your voice, and so on. Now, imagine the company decides to replace the security guard with a machine. How will the machine recognize you as who you really are and not someone else?

That was a simple example for explaining the analogy of user authentication. Human to machine authentication is a vital mechanism employed to protect assets and, more importantly, access to data and resources. There are generally three factors (O'Gorman 2003) for authenticating users, and they are:

a) Knowledge Based, which depends on something the user knows, such as a password. This authentication technique is only effective if the knowledge is kept secret from other people. Other examples of knowledge based authentication are the personal identification number (PIN), secret phrase, secret question and answer, and many more.

b) Object Based, which relies on something that the user possesses, such as a token. The token normally stores certain information such as keys and a digital certificate that proves that the token is valid. The user is authenticated as long as the token is present, or at least when the token is presented during initial authentication.

c) ID Based, which leverages unique attributes of a person, or who the user is, such as his or her biometrics and behaviour. Sensor devices such as a fingerprint scanner and camera are needed to capture the user's biometrics to be compared with samples that have been provided earlier.

The user authentication techniques are developed around these factors, and details of their implementation are discussed in the following section.




2.3 User Authentication Techniques

2.3.1 PIN and Password

PIN and password are still the most common methods used to authenticate users for almost everything, from computer login, mobile phone power-on, ATM withdrawal, online banking and emails, to social network account login. Organizations prefer to implement PIN and password because they cost virtually nothing to create, are available in almost every device, and are common among users and help desks (Phifer 2008).

In order to ensure maximum security, PINs and passwords were system-generated. However, the resulting PINs and passwords with high entropy forced users to write them down for easy reference later, putting the password protected system at risk. Consequently, this led to user-generated passwords in order to improve memorability (Adams, Sasse & Lunt 1997).

The Federal Information Processing Standard (FIPS) and security experts suggest various guidelines and tips for choosing passwords that are both easy to recall and secure, to encourage users to create good passwords. Examples of good password advice include the use of alphanumeric passwords with special characters, and ensuring the password contains no words that can be found in a dictionary. Mnemonic methods using the first letter of each word of a phrase, such as "I stayed in the city for 2 years" to derive "Isitcf2y", are also commonly known. However, research has shown that users generally continue to choose poor passwords even if they have been educated, especially if there are no policies and mechanisms to enforce good password selection (Yan et al. 2000).
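The advice above (alphanumeric plus special characters, no dictionary words, mnemonic derivation from a phrase) can be turned into an enforcement check of the kind the text says is missing. The following is an added example, not code from the thesis or from FIPS; the word list, the eight-character minimum and the sample passwords are constructed assumptions, and a deployment would load a real dictionary.

```python
"""Added example (not from the thesis): a small password policy check in the
spirit of the advice quoted above. Word list and sample passwords are constructed."""
import re
from typing import List

# Constructed stand-in for a real word list; a deployment would load a large dictionary.
DICTIONARY_WORDS = {"password", "city", "stayed", "years", "welcome", "admin", "letmein"}


def mnemonic_from_phrase(phrase: str) -> str:
    """Derive a password from the first character of each word of a phrase,
    the mnemonic method in the text ("I stayed in the city for 2 years" -> "Isitcf2y")."""
    return "".join(word[0] for word in phrase.split())


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS, min_len: int = 4) -> bool:
    """True if any dictionary word of at least min_len letters appears inside the
    password (case-insensitive), so 'City2010!' still counts as containing 'city'."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def check_password(password: str, min_length: int = 8) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letters")
    if not re.search(r"[0-9]", password):
        failures.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special characters")
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("password1", mnemonic_from_phrase("I stayed in the city for 2 years"), "Isitcf2y!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note the caveat the check makes visible: the mnemonic "Isitcf2y" avoids dictionary words and is memorable, but on its own it fails the special-character rule the same advice asks for, so the two pieces of guidance have to be combined before the policy is satisfied.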


A poorly selected password is one issue; some users may completely disable authentication mechanisms. Compared to laptops, mobile devices such as PDAs and smartphones are used more frequently to perform shorter tasks and require instantaneous accessibility. Troublesome authentication gets disabled when there are no policies enforcing the use of PIN and password (Phifer 2008).

All in all, both the memorability and usability of password and PIN have caused bad practice among users (Adams, Sasse & Lunt 1997; Clarke, NL & Furnell 2005), and this puts both personal and business assets and data at risk.


2.3.2 Token Based Authentication

In order to tackle issues related to PIN and password usage, token authentication was developed to remove the need for users to remember lengthy and non-meaningful strings by storing the authentication information within the token. Instead, the user is authenticated based on something the user possesses.

Based on public key infrastructure, tokens such as removable smart media (MMC, SD, etc.) hold digital certificates that are impossible, or at least hard, to forge (Phifer 2008). The smart card needs to be inserted into a reader on the mobile device to perform verification of the digital certificate. Working similarly to a car key, a token must be present either at initialization or for the entire period a service or function is in operation. This type of token, however, results in users leaving it in situ for the sake of convenience, as with the Subscriber Identity Module (SIM) card. As such, a lost mobile device that is found together with the token intact is equivalent to a mobile device without its password protection.


There is also research that aims to deal with the problem of users leaving smart media in situ. Tokens using contactless technology such as RFID, Bluetooth and WiFi were produced. A good example of this is Transient Authentication, which uses a WiFi connection to authenticate the token (Nicholson, Corner & Noble 2006). It uses a wearable token such as an IBM Linux wrist watch that comes with sufficient computational power to serve as an authentication server. A mobile device which is bound to the authentication server acts as the authenticating client and constantly detects whether the wireless token is within range of about several meters. When the token goes out of range, the mobile device engages a lock down mechanism which includes encrypting files and memory, flushing caches and rendering a blank screen. The reverse process is performed when the token moves back within range (refer Figure 1).

Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner & Noble 2006).
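The client-side policy just described, lock down when the token leaves range and restore when it returns, is easiest to reason about as a small state machine driven by range polls. The block below is an added example, not code from the thesis or from Nicholson, Corner & Noble; the sequence of range readings, the action names and the grace period (tolerating a couple of missed polls before locking, so a momentary radio dropout does not wipe the screen) are constructed assumptions, the last of which the original paper's description does not mention.

```python
"""Added example (not from the thesis or from Nicholson, Corner & Noble 2006):
a toy state machine for the Transient Authentication lock-down policy.
Readings, grace period and action names are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

LOCK_DOWN_ACTIONS = ("encrypt files and memory", "flush caches", "blank screen")
RESTORE_ACTIONS = ("decrypt files and memory", "restore screen")


@dataclass
class TransientAuthClient:
    """The mobile device bound to a wearable token; it polls for the token's presence."""
    grace_polls: int = 2            # assumed: consecutive missed polls tolerated before locking
    locked: bool = False
    misses: int = 0
    log: List[str] = field(default_factory=list)

    def poll(self, token_in_range: bool) -> bool:
        """Feed one range reading; returns True when the device is locked afterwards."""
        if token_in_range:
            self.misses = 0
            if self.locked:                  # token came back: reverse the lock-down
                self.locked = False
                self.log.extend(RESTORE_ACTIONS)
        else:
            self.misses += 1
            if not self.locked and self.misses > self.grace_polls:
                self.locked = True           # token gone long enough: lock down
                self.log.extend(LOCK_DOWN_ACTIONS)
        return self.locked


def run_polls(readings: Sequence[bool], grace_polls: int = 2) -> Tuple[List[bool], List[str]]:
    """Replay a sequence of readings and return (locked state after each poll, action log)."""
    client = TransientAuthClient(grace_polls=grace_polls)
    states = [client.poll(r) for r in readings]
    return states, client.log


# Constructed sample: one missed poll should not lock; four in a row should, then restore.
SAMPLE_READINGS = [True, True, False, True, False, False, False, False, True, True]

if __name__ == "__main__":
    states, log = run_polls(SAMPLE_READINGS)
    print(states)
    print(log)
```

With a grace period of two polls the device stays unlocked through the single dropout at the third reading, locks at the third consecutive miss, and restores as soon as the token is seen again; setting `grace_polls=0` reproduces the strict behaviour where any missed poll locks the device, at the cost of the usability problem the thesis raises for token schemes.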


However, tokens are not without limitations. Primarily, implementation of token authentication will increase cost and effort for the extra hardware and the establishment of policies regarding handling and usage. Tokens may also be forgotten or lost. If either of these scenarios occurs, users will have to rely on the fallback or secondary authentication method for the mobile device, and in most cases it is a PIN or password (Furnell, S, Clarke & Karatzouni 2008). Another significant drawback related to wireless tokens is that they drain the battery power of mobile devices (Jansen 2004).



2.3.3 Biometrics Authentication

PIN and password suffer from the dilemma between using a strong but unusable password or a weak but memorable password, while a token can be lost or forgotten. Hence, biometric techniques authenticate users based on who the user is, to solve the issues related to the former techniques.

Biometric techniques can be based on two factors: physiological and behavioural traits (Furnell, SM & Clarke 2007). The physiological traits allow users to be recognized based on their physical features such as fingerprint (Su et al. 2005), face (Han et al. 2007), iris (Dae Sik et al. 2005), and teeth (Kim & Hong 2008). This type of biometric is usually used for user authentication. On the other hand, the behavioural traits show an identifiable pattern based on voice, key strokes (Isohara, Takemori & Sasase 2008), signature and gait (Gafurov 2006), and are typically researched for anomaly detection in user behaviour patterns.



Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008).

A typical biometric system will start with enrolment, a process to acquire samples of biometric traits as a training set. It is also critical that the identity of the user is confirmed at this stage. These samples will serve as a template against which new samples collected from users in subsequent authentications will be compared.

Similarly to tokens, some biometric techniques require extra hardware for collecting biometric samples, such as fingerprints, while most of the other techniques leverage the built-in capabilities of newer phone models such as the camera, key pad, touch screen and even accelerometer to detect face, voice and gait patterns and other features.



The main challenge of biometric techniques, however, is the accuracy issues that are associated with them. Biometric techniques suffer from two types of error: false acceptance rate (FAR) and false rejection rate (FRR) (Furnell, SM & Clarke 2007). FAR indicates the rate at which a pretender is accepted by the system, while FRR shows the rate at which an authorized person is rejected by the system. The crossing point between FAR and FRR is the equal error rate (EER), a measurement that is normally benchmarked against the industry EER standard.

Figure 3: FAR, FRR and EER for biometrics (Clarke, N)

Lowering the FAR value will increase the security of the system, but the usability of the system could be compromised because the FRR would then be high, resulting in authorized users being locked out of the system. Vice versa, setting the FRR low will improve user acceptance, but the security of the system may be compromised (refer Figure 3).
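The FAR/FRR trade-off and the EER are easiest to see when computed over match scores at a sweep of decision thresholds. The following is an added example, not code or data from the thesis: the genuine and impostor similarity scores are constructed, and the threshold sweep is the usual way of locating the crossing point that Figure 3 draws.

```python
"""Added example (not from the thesis): FAR, FRR and EER computed from match
scores over a threshold sweep. The score samples are constructed, not measured."""
from typing import List, Sequence, Tuple

# Constructed similarity scores in [0, 1]; higher means the sample looks more like the template.
GENUINE_SCORES = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.70, 0.83]    # authorized users
IMPOSTOR_SCORES = [0.20, 0.35, 0.66, 0.41, 0.12, 0.55, 0.30, 0.72]   # pretenders


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine, impostor, steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0, 1/steps, ..., 1; this is the data behind Figure 3."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps)) for i in range(steps + 1)]


def equal_error_rate(genuine, impostor, steps: int = 100) -> Tuple[float, float]:
    """Return (threshold, EER) at the threshold where FAR and FRR are closest."""
    best = None
    for t, a, r in error_curve(genuine, impostor, steps):
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.5, 0.67, 0.9):
        print(f"threshold {t:.2f}: FAR={far(IMPOSTOR_SCORES, t):.3f} FRR={frr(GENUINE_SCORES, t):.3f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Sweeping the threshold shows the trade-off in the text directly: at 0.5 no genuine user is rejected but over a third of impostors get in, at 0.9 no impostor passes but most genuine users are locked out, and the EER sits where the two curves cross. A real evaluation would use far more samples and report the operating point chosen for deployment, not only the EER.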




Factors that cause the accuracy issues in biometrics include a small training set and noise. Training can be improved, but may significantly reduce usability if the system needs to be trained extensively. Noise while acquiring template samples and authentication samples, such as surrounding noise for voice and lighting for face or iris, may also be reduced by moving away from noisy environments or authenticating under sufficient lighting, but these too may reduce system usability.


2.3.4 Image Based Authentication

There is, however, a significant body of research that aims to improve the memorability of passwords by replacing them with graphics and photos. The logic behind this technique is that humans can generally recognize better than they can recall, as argued by Nielsen in 1993 (Dhamija & Perrig 2000). The research can be grouped into two distinctive categories. The first is the recognition based technique, the main focus of this research, which uses images, photographs and icons to stimulate the user's recognition ability during a later authentication process. The user may not be able to explicitly remember the graphics, but later prompts using the selected images help users to recognize and pinpoint them. The other category, similar to a biometric signature technique, is based on recalling graphics that are created by the user. These graphics can be in the form of shapes, drawings or a signature. The idea is that no visual stimuli will be given and users need to specifically remember and reproduce the previously created graphics.


a) Recognition Based Authentication

Experiments conducted by Paivio and Csapo in 1969 and by Intraub in 1980 revealed that humans can recognise a large number of pictures after just a short glance at them (Dhamija & Perrig 2000).

Using this knowledge, image based authentication systems are designed so that a user is presented with a group of images from which the user chooses several as the pass-images. The images can be photos, icons, or parts of a photo. During authentication, the user must point out, in sequence, the previously selected images from the displayed group. This technique can be seen in research conducted by Jansen in 2004 (refer to Figure 4).

Figure 4: Example PDA screen (Jansen 2004)



A variation of this technique uses random art (refer to Figure 5) in place of icons or images, as seen in the Déjà Vu project (Dhamija & Perrig 2000). Another technique, Awase-E (Takada & Koike 2003), requires users to select only one image from the first selection screen and another image from the second selection screen, iterating up to 4 times (refer to Figure 6). Awase-E also lets the user answer "no pass-image" on some selection screens, and there is no sequence to remember because the pass-images may appear randomly on any screen. A further variation, seen in the work of Onali and Ginesu (2006), lets users select one part of a picture; the system then zooms into that region and again divides the zoomed image into several parts for the user to select. This is iterated several times. Other variations include the use of personal photos (Pering et al. 2003) and of images of faces (Doi et al. 1997) for authentication.

Figure 5: Example random art from Déjà Vu (Dhamija & Perrig 2000)

Figure 6: Example verification stage for Awase-E (Takada & Koike 2003)


Using a similar approach to Jansen's (2004) pass-images, PassPoints (Dirik, Memon & Birget 2007) is another technique that uses an image to help users recognise the points within the picture, and their sequence, that were previously selected as the authentication points (refer to Figure 7). The background image serves as a guide for the user in choosing memorable points.




Figure 7: Example of PassPoints clicks (Dirik, Memon & Birget 2007)
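The two recognition-based schemes evaluated later in this thesis differ in what the verifier has to store, which matters on a device that may be stolen. The following Python is an added example showing enrolment and verification for both Picture Password (an ordered sequence of pass-images on one grid) and Awase-E (one choice per screen, pass-images placed at random, with a "no pass-image" button); it is not code from Jansen (2004), Takada & Koike (2003) or the thesis prototypes. Image identifiers are plain strings, and the grid size, the 4 screens of 9 images and the NONE token are assumptions.

```python
"""Enrolment and verification for Picture Password (ordered pass-images on
one grid) and Awase-E (one choice per screen, random placement, with a
no-pass-image button).

Added example; not code from Jansen (2004), Takada & Koike (2003) or the
thesis prototypes. Image identifiers are plain ASCII strings here; the grid
sizes, screen count and the NO_PASS_IMAGE token are assumptions.
"""
import hashlib
import hmac
import secrets

NO_PASS_IMAGE = "NONE"  # the Awase-E "no pass-image" button


# ---- Picture Password: the secret is an ordered sequence of image ids ------

def _pp_digest(salt, sequence):
    # Length-prefix each id so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(len(s).to_bytes(2, "big") + s.encode() for s in sequence)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 50_000)


def pp_enrol(pass_images, min_len=4):
    """Return {salt, digest} for an ordered list of image ids.

    Only a salted hash of the sequence is stored, so the device never holds
    which images are the pass-images in the clear.
    """
    if len(pass_images) < min_len:
        raise ValueError(f"need at least {min_len} pass-images")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _pp_digest(salt, pass_images)}


def pp_verify(record, tapped):
    """True only if the same images are tapped in the enrolled order."""
    return hmac.compare_digest(_pp_digest(record["salt"], tapped), record["digest"])


# ---- Awase-E: the secret is an unordered set of pass-images ----------------

def awase_enrol(pass_images, max_images=4):
    """Awase-E has to know the pass-images to build each challenge, so they
    are stored recoverably; a hash as above would not work here."""
    if not 1 <= len(pass_images) <= max_images:
        raise ValueError(f"need 1..{max_images} pass-images")
    return {"pass_images": frozenset(pass_images)}


def awase_challenge(record, decoy_pool, screens=4, per_screen=9, rng=None):
    """Build `screens` screens of `per_screen` images each.

    Each pass-image goes on a distinct, randomly chosen screen; the other
    slots are filled with decoys. A screen with no pass-image has
    NO_PASS_IMAGE as its correct answer. Returns (boards, expected); the
    expected answers stay on the verifier side.
    """
    rng = rng or secrets.SystemRandom()
    pass_images = list(record["pass_images"])
    decoys = [d for d in decoy_pool if d not in record["pass_images"]]
    if len(decoys) < screens * per_screen:
        raise ValueError("not enough decoy images")
    expected = [NO_PASS_IMAGE] * screens
    for img, s in zip(pass_images, rng.sample(range(screens), len(pass_images))):
        expected[s] = img
    rng.shuffle(decoys)
    boards = []
    for s in range(screens):
        slots = decoys[s * per_screen:(s + 1) * per_screen]
        if expected[s] != NO_PASS_IMAGE:
            slots[rng.randrange(per_screen)] = expected[s]
        boards.append(slots)
    return boards, expected


def awase_verify(expected, answers):
    """Every screen must be answered correctly, including pressing
    NO_PASS_IMAGE on screens where none of the user's images was shown."""
    if len(answers) != len(expected):
        return False
    return all(hmac.compare_digest(e.encode(), a.encode())
               for e, a in zip(expected, answers))


if __name__ == "__main__":
    rec = pp_enrol(["man", "heart", "dog", "computer"])
    print("Picture Password, right order:", pp_verify(rec, ["man", "heart", "dog", "computer"]))
    print("Picture Password, wrong order:", pp_verify(rec, ["heart", "man", "dog", "computer"]))
    pool = [f"img{i:02d}" for i in range(40)]  # constructed thumbnail ids
    arec = awase_enrol(["img03", "img17"])
    boards, expected = awase_challenge(arec, pool)
    for i, board in enumerate(boards):
        print(f"screen {i}: {board} -> expect {expected[i]}")
    print("Awase-E, correct answers:", awase_verify(expected, expected))
```

Note the asymmetry: a Picture Password secret can be kept as a salted hash, but an Awase-E verifier must hold the pass-image identifiers (and the photos themselves) in recoverable form because it has to place them on the challenge screens, so on a stolen phone that verifier state is the secret.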


b) Recall Based Authentication

Perhaps the earliest recall based authentication technique, other than the signature, is Draw-a-Secret (DAS) (Jermyn et al. 1999), where the user draws on a 2D grid and the sequence and direction of the pen strokes are recorded. In this technique the coordinates of the drawing are also essential, as they are authenticated along with the sequence and direction data. Users then need to reproduce the drawing for authentication (refer to Figure 8).

Figure 8: Draw-a-Secret authentication process (Jermyn et al. 1999)

Another drawing based authentication technique is PassShape (Weiss & Luca 2008), which, unlike Draw-a-Secret, does not take the coordinates into account but only the stroke sequence and direction (refer to Figure 9). The concept was derived from using shapes to remember PINs on the keypad. To make the system more secure, the user draws the shape and PassShape's internal logic interprets the strokes and generates the passcode for the drawing. For multiple drawings, the system uses "X" as a padding value.





Figure 9: Left: Using a shape to remember the PIN 7-1-9-7. Middle: Stroke direction and the internal value interpreted by PassShape. Right: Strokes interpreted as U93DL9L3XU3U, with X as a padding value between drawings (Weiss & Luca 2008)
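The difference between the two recall-based encodings, absolute grid cells in DAS versus directions only in PassShape, is what decides whether a drawing shifted by one cell is the same secret. The following Python is an added example that encodes both forms; it is not the code of Jermyn et al. (1999) or Weiss & Luca (2008). The grid size, the pen-up token and the direction-to-symbol table (letters for the four straight directions, numeric-keypad digits for the diagonals, X between drawings, in the style of the figure's U93DL9L3XU3U) are assumptions, not the published encodings.

```python
"""Encoding a Draw-a-Secret (DAS) drawing as the sequence of grid cells
crossed, with pen-up markers, and a PassShape drawing as the sequence of
stroke directions only.

Added example; not the code of Jermyn et al. (1999) or Weiss & Luca (2008).
The grid size, the pen-up token and the direction-to-symbol table are
assumptions in the style of the figure's "U93DL9L3XU3U".
"""

PEN_UP = (-1, -1)   # DAS marker between strokes
SEPARATOR = "X"     # PassShape padding between drawings

# (dx, dy) -> PassShape symbol. y grows downwards as in screen coordinates,
# so (0, -1) is "up"; diagonals use the digit in that corner of a numeric keypad.
DIRECTION_SYMBOLS = {
    (0, -1): "U", (0, 1): "D", (-1, 0): "L", (1, 0): "R",
    (-1, -1): "7", (1, -1): "9", (-1, 1): "1", (1, 1): "3",
}


def das_encode(strokes, grid=5):
    """DAS: each stroke is the list of (col, row) cells the pen visits in order.

    Returns the flat cell sequence with PEN_UP between strokes. Absolute
    cells are kept, so the same shape drawn one cell to the right is a
    different secret.
    """
    out = []
    for i, stroke in enumerate(strokes):
        for cell in stroke:
            c, r = cell
            if not (0 <= c < grid and 0 <= r < grid):
                raise ValueError(f"cell {cell} outside the {grid}x{grid} grid")
            if out and out[-1] == cell:
                continue  # the pen lingering in a cell adds nothing
            out.append(cell)
        if i < len(strokes) - 1:
            out.append(PEN_UP)
    return out


def _sign(v):
    return (v > 0) - (v < 0)


def passshape_encode(drawings):
    """PassShape: each drawing is a list of strokes; each stroke a list of
    (x, y) points. Only the direction of each segment is kept, so position
    and size are discarded; consecutive segments of one stroke in the same
    direction form a single symbol, and drawings are joined with SEPARATOR.
    """
    codes = []
    for drawing in drawings:
        symbols = []
        for stroke in drawing:
            last = None
            for (x0, y0), (x1, y1) in zip(stroke, stroke[1:]):
                d = (_sign(x1 - x0), _sign(y1 - y0))
                if d == (0, 0):
                    continue
                sym = DIRECTION_SYMBOLS[d]
                if sym != last:
                    symbols.append(sym)
                    last = sym
        codes.append("".join(symbols))
    return SEPARATOR.join(codes)


if __name__ == "__main__":
    # Constructed input: an "L" drawn down then right, and the same shape shifted.
    l_shape = [[(1, 1), (1, 2), (1, 3), (2, 3), (3, 3)]]
    shifted = [[(2, 1), (2, 2), (2, 3), (3, 3), (4, 3)]]
    print("DAS      :", das_encode(l_shape), "vs", das_encode(shifted))
    print("PassShape:", passshape_encode([l_shape]), "vs", passshape_encode([shifted]))
```

Running it shows the two DAS sequences differ while both PassShape codes are "DR": PassShape buys tolerance to where and how large the user draws at the cost of a smaller secret space.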


2.4 IBA Performance

The IBA performance aspects investigated in this experiment are authentication speed and success rate; the data collected from the experiment participants can also be used to deduce usability issues of the investigated IBA techniques.

No literature has been found that discusses the performance of Picture Password in terms of authentication speed and success rate. The literature found mainly describes the mechanism and the entropy of the technique.

Awase-E, on the other hand, has several reports that discuss the authentication success rate of the technique in depth; success rates as high as 100% were reported even after an experiment period of 16 weeks (Takada, Onuki & Koike 2006). However, authentication speed does not seem to be one of the technique's strengths: it was briefly reported that Awase-E authenticates in an average of 24.6 seconds (Takada, Onuki & Koike 2006).

The research methodology for the experiment is explained in the following section.





3 Research Methodology

3.1 Selecting the IBA Techniques to Evaluate

From the literature survey, two IBA techniques were chosen to be compared alongside PIN and password to test their performance in memorability and usability. The first technique is Picture Password (Jansen 2004) and the second is Awase-E (Takada & Koike 2003). In design, the two techniques are quite different (refer to Table 1), so it is worth looking at their performance side by side.

Picture Password                                                      | Awase-E
----------------------------------------------------------------------|----------------------------------------------------------------
Tested on PDA                                                         | Tested on mobile phone
Single-screen authentication                                          | Multiple-screen authentication
Pass-image input sequence matters                                     | User chooses randomly placed pass-images across multiple screens
Uses thumbnails of multiple images or a full image divided into parts | Uses thumbnails of multiple images
Select at least 4 pass-images                                         | Select at least 1 pass-image

Table 1: Design differences between Picture Password and Awase-E


The main reason for selecting Picture Password and Awase-E is that their input methods are very similar to PIN and password: input is done by pressing on images instead of buttons, and the images are also arranged in a grid. Similar and familiar input and interaction may result in higher user acceptance of the user interface. In contrast, PassPoints, Draw-a-Secret, PassShape and the other techniques have very different input mechanisms.

Another reason for choosing Picture Password and Awase-E is that they were easier to develop than the other IBA techniques and could be completed within the time constraints of the thesis.


3.2 Prototype Development

The prototype for each authentication technique was to be as similar as possible to the original method in terms of the authentication user interface, to ensure that there is no bias towards any of the selected techniques. The prototypes were deployed and tested on the same touch-screen smart phone so that all the techniques could be evaluated on equal terms.

The IBA prototypes, and the PIN and password prototypes, were developed on the .NET Mobile Platform with the Visual Studio 2005 Professional IDE. Initial prototype testing was performed to ensure that the prototypes contained no errors and that they were designed and developed to be as similar as possible to the original authentication techniques.


3.3 Data Collection

To collect data for analysis, the experiment involved 20 test subjects. The participants were asked to authenticate on the prototypes. To reduce bias, the test subjects were varied and balanced in terms of:






- Age
- Gender
- Educational level
- Knowledge of password authentication

The experiment consists of 3 stages: enrolment and learning, memory test 1, and memory test 2. During each stage, each participant authenticated on all 4 of the prototypes in random order. To answer the research questions of this paper, task completion time and error rate were recorded during the experiment for analysis at a later stage. The 3 stages of the experiment are detailed as follows:


a) Stage 1: Enrolment and Learning

Participants were given a brief introduction to the purpose of the experiment and how it would be conducted.

For each of the authentication techniques, the participant was given a demonstration of how enrolment and authentication work. Next, the participant was asked to enrol and was given several authentication trials for learning, in the order of enrolment.

For the PIN, the minimum length was 4 digits and it had to be a combination that the participant believed to be safe and had never used before. The password had to be alphanumeric with a minimum length of 6 characters. Picture Password required at least 4 pass-images, while Awase-E required at least one pass-image.


b) Stage 2: Survey and Memory Test 1

Following the enrolment and learning stage, the participant was asked to complete a questionnaire on their behaviour and opinions regarding mobile authentication in general. The questionnaire also collected data on their perception of the tested IBA techniques, and it served as an unrelated distractor task before the memory test that followed.

After completing the questionnaire, which took around 15 to 20 minutes, the participant was asked to perform the authentications in random order. The participant could retry as many times as they wished until they had authenticated successfully.

c) Stage 3: Memory Test 2

For memory test 2, the participant was asked to return a week later to perform the authentications again, in random order and with as many retries as they wished, until they were authenticated or gave up trying.

Following the memory test, the participant was asked to complete a brief questionnaire to obtain their post-experiment views and perception of the tested IBA techniques. Responses from this exit interview were compared with the earlier responses for analysis.





3.4 Analysis and Expected Outcomes

The performance of the IBA techniques is discussed in relation to their design, together with the findings on user opinion. This information is used to derive design guidelines and open issues for future IBA techniques.

In terms of authentication speed, the expected outcome is that PIN is the fastest technique, followed by Picture Password, password and Awase-E. The input methods for PIN and Picture Password are quite similar and easy to use, whereas a password is longer and its characters are harder to input. Awase-E's multiple screens, each requiring the user to inspect every image, are expected to result in a longer authentication process.

As for memorability, the most memorable techniques are expected to be Picture Password and Awase-E, followed by PIN and password. This agrees with previous research suggesting that IBA techniques perform better than PIN and password in terms of memorability.





4 Findings

In this chapter, the quantitative and qualitative data collected from the IBA prototypes and the user survey are analysed and presented together to discuss and answer the research questions. First, the findings on authentication speed are presented, followed by the findings on authentication success rate and, lastly, user behaviour and opinions towards mobile security and IBA. The last section addresses the issues and improvement areas for Picture Password and Awase-E.


4.1 Speed of Authentication

Figure 10: Authentication speed (time to complete authentication, in seconds) by stage for PIN, Password, Picture Password and Awase-E

As expected, PIN took the shortest time to authenticate participants, averaging approximately 5 seconds across all stages. While its speed decreased marginally over the duration of the experiment, PIN remained significantly faster than the other techniques. Interestingly, password was two to three times slower than PIN, recording an average of 15.62 seconds per authentication.


Stage    | PIN   | Password | Picture Password | Awase-E
---------|-------|----------|------------------|--------
Stage 1  | 3.49  | 12.03    | 9.65             | 8.10
Stage 2  | 4.66  | 15.75    | 12.96            | 8.44
Stage 3  | 6.94  | 19.07    | 19.63            | 13.22
Mean     | 5.03  | 15.62    | 14.08            | 9.92

Table 2: Authentication speed in seconds for PIN, Password, Picture Password and Awase-E


Picture Password authenticated slightly quicker than password in Stages 1 and 2, but unexpectedly slowed to match password's speed in Stage 3, averaging about 14 seconds across all stages. Perhaps the most surprising result was that Awase-E, in contrast with the predicted outcome, came second in authentication speed, consistently authenticating faster than password and Picture Password and recording an average of a little under 10 seconds, at 9.92 seconds.


The Picture Password authors never published test results for the speed of authentication, but this experiment shows that Picture Password is a rather slow technique, contrary to the predicted outcome. Awase-E, on the other hand, was reported to average 24.6 seconds (Takada, Onuki & Koike 2006), a large gap from the 9.92 seconds recorded in this experiment. As the Awase-E authors did not discuss authentication speed in detail, it can only be speculated that most participants in that experiment used more than one pass-image, which lengthens authentication, whereas the majority of participants in this experiment used only one pass-image.


Again, personal devices such as mobile phones require instantaneous access (Phifer 2008), so users seeking convenience may still prefer PIN simply because it is the fastest technique. However, some participants suggested that mobile phone users may be willing to tolerate slower techniques such as password, Picture Password and Awase-E as long as they are deemed more secure, especially where they are required to authenticate only once or a few times a day. Users who prefer to authenticate every time they access the phone may be put off by slow authentication techniques.


4.2 Authentication Success Rate

Figure 11: Authentication success rate on the first trial, by stage, for PIN, Password, Picture Password and Awase-E

Again, as expected, Awase-E had the highest authentication success rate, recording 90% in Stage 1 and 95% in both Stages 2 and 3. PIN and password were expected to decline in success rate and did so, with PIN doing better than password at 75% and 65% in Stage 3, respectively. It is worth noting that Awase-E performed worse than the other techniques in Stage 1, where two participants missed their pass-image and pressed the "no pass-image" button instead.







Stage    | PIN     | Password | Picture Password | Awase-E
---------|---------|----------|------------------|--------
Stage 1  | 100.00% | 100.00%  | 100.00%          | 90.00%
Stage 2  | 85.00%  | 85.00%   | 85.00%           | 95.00%
Stage 3  | 75.00%  | 65.00%   | 55.00%           | 95.00%
Mean     | 86.67%  | 83.33%   | 80.00%           | 93.33%

Table 3: Authentication success rate on the first trial for PIN, Password, Picture Password and Awase-E


Picture Password, on the other hand, started as expected with a high success rate, equal to PIN and password in Stages 1 and 2, and was expected to score higher in Stage 3. Instead, its success rate dropped significantly to almost 50%, recording only 55%.

While no performance data were published for Picture Password, its success rate in this experiment did as poorly as its authentication speed. As for Awase-E, its success rate is consistent with the published Awase-E performance report, which showed the technique maintaining a high success rate over time, as high as 100% even after a period of 16 weeks (Takada, Onuki & Koike 2006). However, the two reports interpret a successful authentication differently. In that research (Takada, Onuki & Koike 2006) the participant was allowed 3 trials for every authentication technique, and an attempt that succeeded within 3 trials was counted as successful, whereas this report counts only a successful first trial as a successful authentication. The findings of the two reports are therefore not directly comparable.

Awase-E could indeed improve authentication success rates among users and could potentially serve as an alternative to PIN and password, while users may be reluctant to use Picture Password because of its high chance of authentication failure. It is important to note, however, that even though PIN and password did poorly compared with Awase-E, users may still prefer the former techniques out of familiarity. Crossing the authentication success rate data with the participant survey shows that at least 35% of the participants rated PIN or password as a preferred technique (Top 1 or Top 2) despite making an error with PIN or password in Stage 3 (refer to the preference rows of Table 6 in section 4.3.2).



Figure 12: Number of trials for PIN, Password, Picture Password and Awase-E


As users are more prone to failing to authenticate as time passes, for example in Stage 3, it is also worth looking at how many times participants needed to re-authenticate after an error. Users who made a mistake on the first trial but succeeded on the second may be willing to keep using the technique. However, if the user has to re-authenticate more than twice too frequently, the user may feel that the authentication technique is too obtrusive and disable it.


Stage 3             | PIN    | Password | Picture Password | Awase-E
--------------------|--------|----------|------------------|--------
1st trial           | 75.00% | 65.00%   | 60.00%           | 95.00%
2nd trial           | 5.00%  | 15.00%   | 10.00%           | 0.00%
More than 2 trials  | 20.00% | 20.00%   | 30.00%           | 5.00%

Table 4: Number of trials needed in Stage 3 for PIN, Password, Picture Password and Awase-E


PIN, password and Picture Password recorded 5%, 15% and 10% of participants succeeding on the second trial, respectively, while Awase-E had no second-trial successes. Surprisingly, for all four techniques the number of participants needing at least a third trial exceeded the number needing only 2 trials, with PIN and password each recording 20% needing more than 2 trials, and Picture Password and Awase-E recording 30% and 5% respectively. Again, Awase-E outperformed Picture Password in this respect.









Error/Mistake                  | 0 Week | 1 Week
-------------------------------|--------|-------
Picture too small              | 10     | 3
Confused with sequence         | 6      | 7
Input error                    | 4      | 2
Recall error                   | 3      | 10
Touch screen unresponsive      | 9      | 2
Unfamiliar with touch screen   | 4      | 1
Double clicked                 | 1      | 0

Table 5: Type of error and mistake made by participants (number of occurrences)

Lastly, the types of error made by the participants can also reveal improvement areas for the IBA methods. The observed authentication success rates can be attributed to the problems, errors and mistakes listed in Table 5. Among these are users being confused about the sequence of either the PIN or the Picture Password, input errors and, most importantly, recall errors, which increased from 3 to 10 occurrences after one week. Notably, sequence and recall errors had the strongest effect on the authentication success rate. Further research will be needed to identify which technique is more prone to which type of error, and which errors matter most to users.

4.3 User Behaviour and Opinions towards Mobile Security and IBA

When asked how many times a day they would be willing to authenticate, 15% of participants answered not at all, 40% only once at power-on, 25% several times a day and 20% every time they access the phone (refer to Table 6). In total, therefore, at least 85% of the participants are willing to use some authentication on their mobile phones. However, the data collected were not sufficient to analyse authentication frequency preference by usage group; future research could focus on this area.





Phone usage per day   | None | Once | Several | Every time
----------------------|------|------|---------|-----------
1 to 5 (35%)          | 1    | 4    | 1       | 1
5 to 10 (30%)         | 2    | 3    | 0       | 1
More than 10 (35%)    | 0    | 1    | 4       | 2
Total                 | 15%  | 40%  | 25%     | 20%

Table 6: Phone usage per day against the number of authentications per day participants are willing to perform (20 participants)


Although all of the participants were aware of some security mechanism on their phone, such as a power-on PIN, SIM lock or standby lock, only 35% used one, citing the need to protect data and email accounts from unintended use and in case the phone was lost. The remaining 65% either did not know how to set up a PIN or password lock or were reluctant to use one, giving reasons such as: it was unnecessary, they had no significant data stored, it was troublesome, it was disabled by default, it was too time consuming for frequent access to the phone, and some were very particular about their phone and never let other people use it.

While more than half of the participants were not using any security mechanism on their phone, the survey in this experiment showed that, if made aware, users may be willing to adopt some form of authentication to protect their phone, IBA being one option.


4.3.1 User Selected PIN, Password and Pass Images

In the experiment, the participants were asked to use PIN, password, Picture Password and Awase-E. A summary of the "secret codes" selected by the participants follows:

PIN consists of digits only and participants were required to use a PIN of at least 4 digits, which most did. From the data it is clear that the subjects chose PINs that are easy to guess: dates; numbers with a meaning, such as 1437 for "I love you forever"; four identical digits, such as 8888; sequential digits, such as 1234 or 9876; and numbers that trace a shape on the keypad, such as 2563 forming a "U" and 159357 forming an "X".

Password consists of alphanumeric characters, and again most participants used the minimum of 6 characters. Among the passwords chosen were words, names or nicknames, brand names, and sequential key presses on the keypad, giving passwords such as adgjmp or gjmptw. Interestingly, some participants chose a word slightly shorter than the required 6 characters and padded it with an unrelated character, such as unisa1 or names1.


Picture Password consists of a minimum of 4 selected images, and the participant has to remember the sequence of the selected images. All of the participants used the minimum number of images. To an observer it is quite impossible to guess what the selected images mean, although some selections evidently represent a short story, while a few used the same image 4 times. An example of a short story is a selection of the images of a man, a heart, a dog and a computer, which could mean "men love dogs and computers" or "I love dogs and computers".

Awase-E requires participants to capture and use at least 1 image as a pass-image. Most of them used 1 image while a few used 2; none used more than 3. As a participant needed to capture an image with the phone's camera, they photographed objects they could find in front of them, such as a telephone, a watch, a water bottle, a picture in a newspaper, or food, while a few captured a view such as a kitchen or a room, which may be harder to recognise during authentication than a distinct object.


4.3.2 User Preference of the Authentication Techniques

Criteria / Technique          | PIN             | Password        | Picture Password | Awase-E
                              | 0 week  1 week  | 0 week  1 week  | 0 week  1 week   | 0 week  1 week
------------------------------|-----------------|-----------------|------------------|----------------
Easy to create (0 week only)  | 90%             | 75%             | 60%              | 65%
Easy to authenticate          | 80%     85%     | 60%     70%     | 50%     45%      | 75%     75%
Easy to remember              | 85%     65%     | 70%     65%     | 45%     25%      | 70%     70%
Secure                        | 45%     60%     | 70%     75%     | 85%     80%      | 60%     50%
Preference (Top 1)            | 15%     25%     | 20%     35%     | 25%     0%       | 45%     40%
Preference (Top 2)            | 45%     50%     | 45%     55%     | 45%     30%      | 70%     65%

Table 6: Criteria rating and preference of PIN, Password, Picture Password and Awase-E at 0 week and 1 week


The increase in preference for PIN over the duration of the experiment could be due to its faster authentication and higher authentication success rate. Surprisingly, however, the preference for password also increased although the technique performed poorly in both speed and success rate. The only plausible explanation is that password remains the more familiar technique and users are not ready to give it up completely for a newer authentication system; a follow-up questionnaire may be needed to confirm this. Finally, as expected, the poor performance of Picture Password resulted in a significant drop in preference. Interestingly, Awase-E maintained a high percentage of preference despite a slight drop towards the end of the experiment.


4.4 Problems and Improvements for Picture Password

Initially, Picture Password was the top favourite of at least 25% of the participants. This declined sharply after one week, when none of the participants rated it as their top preferred authentication method. Apart from finding the method confusing and hard to remember, participants had trouble finding or locating their pass-images, resulting in high error rates and slow authentication.

Participants suggested that the technique could be improved by lifting the pass-image sequence restriction, so that users could input whichever pass-image they saw first, followed by the remaining pass-images. This is a probable way to improve authentication speed and success rate. However, users would instead need to remember which pass-images they had already input, to avoid entering the same pass-image more than once, and the implication for the technique's entropy needs to be studied: accepting any order shrinks the set of distinct secrets from the number of ordered selections to the number of unordered ones.
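The entropy question can be answered by counting secrets. The following Python is an added example, not an analysis from the thesis, Jansen (2004) or Takada & Koike (2003): it computes the guess space of Picture Password with the order enforced versus lifted, of one Awase-E challenge with and without the guesser knowing how many pass-images were enrolled, and of a numeric PIN for comparison. The 30-image grid, the 4 screens of 9 images and the PIN length are assumptions; change them to match a real deployment.

```python
"""Guess-space sizes for Picture Password (ordered vs any order), one
Awase-E challenge, and a numeric PIN.

Added example, not an analysis from the thesis, Jansen (2004) or Takada &
Koike (2003). The 30-image grid, the 4 screens of 9 images and the PIN
length are assumptions.
"""
from math import comb, log2, perm


def pin_space(length=4):
    """Distinct PINs of the given length."""
    return 10 ** length


def picture_password_space(grid_images=30, pass_images=4, ordered=True):
    """Distinct secrets: permutations when the tap order matters, combinations
    when any order is accepted (each image tapped at most once)."""
    return perm(grid_images, pass_images) if ordered else comb(grid_images, pass_images)


def awase_e_space(screens=4, per_screen=9, pass_images=None):
    """Distinct answer vectors for one Awase-E challenge.

    A guesser who knows nothing picks one of per_screen images or the
    no-pass-image button on every screen. A guesser who knows the user has
    exactly `pass_images` pass-images only has to choose which screens show
    them and which image on each of those screens; random placement does not
    change this count.
    """
    if pass_images is None:
        return (per_screen + 1) ** screens
    return comb(screens, pass_images) * per_screen ** pass_images


def bits(space):
    """Guess space expressed as bits of entropy for a uniform choice."""
    return log2(space)


if __name__ == "__main__":
    rows = [
        ("4-digit PIN", pin_space(4)),
        ("Picture Password, 4 of 30, ordered", picture_password_space(ordered=True)),
        ("Picture Password, 4 of 30, any order", picture_password_space(ordered=False)),
        ("Awase-E, 4 screens x 9, count unknown", awase_e_space()),
        ("Awase-E, 4 screens x 9, 1 pass-image", awase_e_space(pass_images=1)),
        ("Awase-E, 4 screens x 9, 2 pass-images", awase_e_space(pass_images=2)),
    ]
    for name, space in rows:
        print(f"{name:<42} {space:>8}  {bits(space):5.1f} bits")
```

With these parameters, lifting the order restriction takes Picture Password from 657,720 secrets (about 19.3 bits) to 27,405 (about 14.7 bits), still above a 4-digit PIN's 13.3 bits. The more uncomfortable figure is Awase-E's: once a guesser knows the user enrolled a single pass-image, which most participants in this experiment did, a challenge has only 36 possible answer vectors (about 5.2 bits), so the scheme depends on a strict retry limit.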






4.5 Problems and Improvements for Awase-E

Many participants stated that they might use Awase-E and that the technique could improve security. Awase-E was highly preferred throughout the experiment, recorded as the top favourite by 45% of participants and dropping only slightly to 40% towards the end of the experiment.

Participants suggested that Awase-E should allow pass-images to be selected from the photo collection already on their phone. This is a plausible function, as seen in the Awase-E research report (Takada, Onuki & Koike 2006), where users can upload a personal photograph to be used as a pass-image to an Awase-E server from either a computer or a mobile phone; the user's mobile phone can also act as a standalone server. However, because the data from all participants in this experiment had to be centralised, participants were asked to create an ad hoc, simple pass-image using the camera on the mobile phone used in the experiment.


4.6

Improveme
nt
s

for both IBA

techniques


From the author’s observation during
the
experiment session
s
, t
here are also several

UI

improvement
s

that both Picture

Password and Awase
-
E can adopt.


a)

Larger image for user input


Some participants have big fingers especially

the thumb which
often block
s

the image button the participant is trying to press. The smaller image button
used has caused participant
s

to accidently select the wrong image.

b)

Larger gaps between button
s or images could improve user’s perception of the prec
ise
location of the image. Other than that, accidental pressing of adjacent buttons or images
can also be avoided.

c) Button or image press event

A click event requires a user to press and release the same button to complete the event. Often participants' button clicks were cancelled because they failed to complete the second part of the click event, releasing their press on the same button. Instead, participants' presses were released away from the button they were trying to click. In order to solve this, images or buttons should use the "keydown" event rather than the "click" event, so that the UI detects the input instantly when the user presses the button.
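To make the difference between the two event policies concrete, the following is an added example (not code from the thesis) that models both over a constructed touch trace; the button ids and the trace are assumptions.

```javascript
// Added example (not code from the thesis): a model of the two input policies
// compared in Section 4.6(c). A touch trace is a list of pointer events
// {type: "down" | "up", target: buttonId | null}, where target null means the
// finger is over the gap between buttons. Button ids and the trace are constructed.

// "click" semantics: a button counts as selected only when the release (up)
// lands on the same button as the preceding press (down). A press released
// elsewhere is silently discarded, the failure mode observed in the experiment.
function selectionsWithClick(trace) {
  const selected = [];
  let pressed = null;
  for (const ev of trace) {
    if (ev.type === "down") {
      pressed = ev.target;
    } else if (ev.type === "up") {
      if (pressed !== null && ev.target === pressed) selected.push(pressed);
      pressed = null;
    }
  }
  return selected;
}

// "keydown" semantics: the input is registered the instant a press lands on a
// button; where the finger is later released no longer matters.
function selectionsWithKeydown(trace) {
  return trace
    .filter((ev) => ev.type === "down" && ev.target !== null)
    .map((ev) => ev.target);
}

// Constructed trace: the participant intends the sequence [img2, img7, img5, img1].
// The third press slides onto the neighbouring img6 before release and the
// fourth is released in the gap between buttons.
const INTENDED = ["img2", "img7", "img5", "img1"];
const TRACE = [
  { type: "down", target: "img2" }, { type: "up", target: "img2" },
  { type: "down", target: "img7" }, { type: "up", target: "img7" },
  { type: "down", target: "img5" }, { type: "up", target: "img6" },
  { type: "down", target: "img1" }, { type: "up", target: null },
];

// Run both policies over the trace and report whether each recovers the intended input.
function compareTrace(intended, trace) {
  const click = selectionsWithClick(trace);
  const keydown = selectionsWithKeydown(trace);
  const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);
  return { click, keydown, clickMatches: same(click, intended), keydownMatches: same(keydown, intended) };
}
console.log(compareTrace(INTENDED, TRACE));
```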







5 Conclusion

In this last chapter, a summary of the thesis and the experiment conducted will be presented, along with the contributions, limitations and future research.


Mobile phones are becoming increasingly important and valuable, but the current authentication techniques of PIN and Password are often misused, resulting in unprotected data and information in the phones. While other authentication methods such as tokens and biometrics exist, they have well-known limitations that may hinder user adoption. Alternatively, image-based authentication (IBA) shows promising results in relation to improved memorability.


This thesis conducted an experiment to compare two IBA techniques, Picture Password and Awase-E, in terms of their usability, performance and user opinions towards the techniques, in order to answer three research questions: which IBA technique authenticates faster, which IBA technique has a higher authentication success rate, and what the user opinions are towards the IBA techniques. The key findings show that PIN authenticates the fastest, followed by Awase-E, while Awase-E shows the higher authentication success rate, followed by PIN. Both Awase-E and PIN are rated the highest in terms of user preference among the experimented authentication techniques. The findings have been presented and discussed along with proposed improvements for the IBA techniques.


The thesis contributes to the body of knowledge in user authentication, especially the usability study of IBA techniques for authentication purposes in general, by providing an indication of the usability of IBA techniques and proposing improvements that can enhance the authentication experience, thus encouraging consumers to increase adoption of IBA for their mobile phones and other devices.


However, the main limitation of this research is the sample size. The small sample size may result in misrepresentation of the performance of the IBA techniques for the whole population. Despite this limitation, the thesis serves as an exploratory endeavour to provide indications of the usability, performance and user opinions towards IBA, and also identifies potential directions for future research.


Thus, future research based on a larger sample size can explore other statistical values such as standard deviation. Other factors such as age, gender or social group can also be taken into consideration for analysis. Also, although the research questions were answered, there was no single best technique that performed excellently across all aspects investigated in this experiment. However, it can be concluded that, apart from PIN and Password, which were included in the experiment as control techniques, between Picture Password and Awase-E the latter outperformed the former significantly in terms of authentication speed and success rate, and is thus worthy of further investigation and improvement. Therefore, further research is proposed to investigate what and which user acceptance criteria are the most important for mobile authentication, and how IBA, especially Awase-E, performs in terms of the identified criteria. For example, one of the criteria could be pass-image creation time, which may be investigated by allowing Awase-E to select pass-images from the user's own photo gallery in the phone. The performance of Picture Password without implementing sequence restriction is also an interesting avenue for future study. Lastly, it is also important to investigate the types of errors that the IBAs are prone to, which of them matter the most to users, and how they can be improved.






References


Adams, A & Sasse, M 1999, 'Users are not the enemy', Communications of the ACM, vol. 42, no. 12, pp. 40-46.

Adams, A, Sasse, M & Lunt, P 1997, 'Making passwords secure and usable', People and Computers, pp. 1-20.

Akula, S & Devisetty, V 2004, 'Image based registration and authentication system'.

ATMA 2008, '2008 Annual Report', AMTA Publication.

Clarke, N 'Biometric User Authentication for Mobile Devices'.

Clarke, N & Furnell, S 2005, 'Authentication of users on mobile telephones: A survey of attitudes and practices', Computers & Security, vol. 24, no. 7, pp. 519-527.

Dae Sik, J, Hyun-Ae, P, Kang Ryoung, P & Jaihie, K 2005, 'Iris recognition in mobile phone based on adaptive Gabor filter', Berlin, Germany.

De Angeli, A, Coventry, L, Johnson, G & Coutts, M 2003, 'Usability and user authentication: Pictorial passwords vs. PIN', Contemporary Ergonomics, pp. 253-258.

Dhamija, R & Perrig, A 2000, 'Deja vu: A user study using images for authentication'.

Dirik, AE, Memon, N & Birget, J-C 2007, Modeling user choice in the PassPoints graphical password scheme, ACM, Pittsburgh, Pennsylvania.

Doi, M, Chen, Q, Sato, K & Chihara, K 1997, 'Lock-control system using face identification', Lecture Notes in Computer Science, vol. 1206, pp. 361-368.

Furnell, S, Clarke, N & Karatzouni, S 2008, 'Beyond the PIN: Enhancing user authentication for mobile devices', Computer Fraud and Security, vol. 2008, no. 8, pp. 12-17.

Furnell, SM & Clarke, NL 2007, 'Advanced user authentication for mobile devices', Computers & Security, vol. 26, no. 2, pp. 109-119.

Gafurov, D, Helkala, K & Søndrol, T 2006, 'Biometric Gait Authentication Using Accelerometer Sensor', Journal of Computers, vol. 1, no. 7, pp. 51-59.

Grashey, S & Schuster, M 2006, 'Multiple Biometrics', SmartKom: Foundations of Multimodal Dialogue Systems, pp. 181-193.

Han, S, Park, H, Cho, D, Park, K & Lee, S 2007, 'Face recognition based on near-infrared light using mobile phone', Lecture Notes in Computer Science, vol. 4432, p. 440.

Isohara, T, Takemori, K & Sasase, I 2008, 'Anomaly Detection on Mobile Phone Based Operational Behavior', Information and Media Technologies, vol. 3, no. 1, pp. 156-164.

Jansen, W 2004, 'Authenticating mobile device users through image selection', The Internet Society: Advances in Learning, Commerce and Security, vol. 1, pp. 183-194.

Jermyn, I, Mayer, A, Fabian Monrose, Z, Reiter, M & Rubin, A 1999, 'The Design and Analysis of Graphical Passwords'.

Kim, D-J & Hong, K-S 2008, 'Multimodal biometric authentication using teeth image and voice in mobile environment', IEEE Transactions on Consumer Electronics, vol. 54, no. 4, pp. 1790-1797.

Nicholson, AJ, Corner, MD & Noble, BD 2006, 'Mobile device security using transient authentication', IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-1502.

O'Gorman, L 2003, 'Comparing passwords, tokens, and biometrics for user authentication', Proceedings of the IEEE, vol. 91, no. 12, pp. 2021-2040.

Pering, T, Sundar, M, Light, J & Want, R 2003, 'Photographic authentication through untrusted terminals', IEEE Pervasive Computing, vol. 2, no. 1, pp. 30-36.

Phifer, L 2008, 'Mobile Security: Protecting mobile devices, data integrity and your corporate network', Search Mobile Computing.

Su, Q, Tian, J, Chen, X & Yang, X 2005, 'A fingerprint authentication mobile phone based on sweep sensor', Lecture Notes in Computer Science, vol. 3687, p. 295.

Takada, T & Koike, H 2003, 'Awase-E: image-based authentication for mobile phones using user's favorite images', Lecture Notes in Computer Science, pp. 347-351.

Takada, T, Onuki, T & Koike, H 2006, 'Awase-E: Recognition-based Image Authentication Scheme Using Users' Personal Photographs', Innovations in Information Technology, 2006, pp. 1-5.

Weiss, R & Luca, AD 2008, PassShapes: utilizing stroke based authentication to increase password memorability, ACM, Lund, Sweden.

Yan, J, Blackwell, A, Anderson, R & Grant, A 2000, 'The memorability and security of passwords: some empirical results', Technical Report, University of Cambridge Computer Laboratory, p. 1.




Appendix A

User selected code


ParticipantID    PIN      Password     Picture Password   Awase-E
Participant 1    110285   ableman
Participant 2    1437     zyxw32
Participant 3    61003    alexlee
Participant 4    625213   cacing82
Participant 5    8052     helloo
Participant 6    2141     ibanez
Participant 7    5555     joanne
Participant 8    159357   asiawin
Participant 9    9876     unisa1
Participant 10   1698     adgjmp
Participant 11   7229     jason1
Participant 12   5805     aakash
Participant 13   36987    timberleng
Participant 14   8888     gjmptw
Participant 15   1223     rulers
Participant 16   1234     password
Participant 17   2563     dajtwm
Participant 18   2826     alvins
Participant 19   5246     wbilby
Participant 20   2421     dexters

(The Picture Password and Awase-E columns held the participants' pass images, which do not survive in the text version of the table.)






Appendix B

Performance data (Authentication Speed)


Stage 1 (Method/Time)

Subject   PIN     PW      PP      AE
1         5.93    14.80   16.67   12.10
2         2.70    13.90   6.70    5.50
3         4.20    13.40   7.40    8.15
4         2.60    12.80   5.20    5.90
5         2.90    12.90   8.80    13.60
6         3.00    11.30   9.20    8.70
7         3.00    6.60    13.00   6.10
8         6.50    15.20   5.10    5.50
9         3.80    12.40   6.00    6.45
10        2.50    3.70    10.80   9.20
11        5.50    9.00    11.50   11.90
12        2.40    7.80    5.60    9.40
13        3.80    11.00   18.30   7.30
14        2.30    16.45   18.20   6.60
15        2.20    8.20    5.30    5.70
16        3.10    15.30   7.90    8.90
17        3.50    4.50    5.30    6.40
18        4.40    22.60   8.50    8.50
19        2.60    13.40   12.70   8.70
20        2.90    15.40   10.80   7.30
Mean      3.49    12.03   9.65    8.10

Stage 2 (Method/Time)

Subject   PIN     PW      PP      AE
1         6.10    24.95   12.20   15.30
2         3.30    12.50   6.40    6.20
3         3.90    7.80    19.40   13.00
4         2.80    10.60   6.95    5.65
5         4.80    15.90   28.40   13.20
6         4.50    13.10   8.80    7.50
7         2.90    6.60    15.40   4.30
8         6.30    19.20   14.10   8.60
9         4.20    66.80   6.60    10.70
10        18.70   5.45    25.20   7.95
11        5.50    8.20    9.60    7.70
12        4.45    8.70    10.90   7.60
13        2.70    12.10   26.90   7.20
14        1.90    17.30   5.80    4.15
15        2.30    10.50   6.80    5.30
16        2.35    8.70    6.90    7.00
17        5.60    9.00    9.70    6.40
18        4.00    24.90   12.30   14.50
19        4.00    12.90   9.85    8.30
20        2.80    19.75   16.93   8.20
Mean      4.66    15.75   12.96   8.44

Stage 3 (Method/Time)

Subject   PIN     PW      PP      AE
1         19.43   34.57   28.27   42.30
2         4.00    28.10   12.68   11.70
3         5.60    20.08   20.35   19.80
4         3.60    37.00   21.50   6.60
5         7.08    11.20   14.30   12.96
6         5.70    13.10   9.65    10.20
7         8.90    10.80   23.90   8.80
8         12.30   40.10   18.80   15.20
9         4.40    29.70   9.20    23.30
10        3.20    8.77    16.20   6.15
11        16.60   9.60    27.98   10.50
12        2.70    9.10    12.60   12.20
13        5.80    22.80   63.78   8.80
14        6.50    11.74   25.00   5.50
15        7.20    8.95    9.60    13.40
16        2.90    13.70   22.33   12.70
17        4.90    8.35    15.40   4.90
18        8.20    30.70   13.70   20.10
19        6.83    16.00   16.20   9.10
20        3.00    17.10   11.20   10.20
Mean      6.94    19.07   19.63   13.22





Appendix C


Déjà vu




Déjà vu (Dhamija & Perrig 2000) is a recognition-based IBA technique that uses random art or abstract images for user authentication. The Déjà vu prototype requires users to select a username and pass-images from a given set. During authentication, users need to re-enter the username and select their pass-images from a set of images that also contains decoy images. The user study conducted (Dhamija & Perrig 2000) showed slower creation and authentication speed but fewer failed logins as compared to PIN and password. The technique was also proposed for use on ATMs and for web authentication.