Image-based Authentication for Mobile Phones: Performance and User Opinions

By Yeah Teck Chen

A thesis submitted for the degree of Master of Science (Computer and Information Science)
School of Computer and Information Science
Division of Information Technology, Engineering and the Environment
University of South Australia
Supervisor: Gaye Lewis
2010

Abstract

Mobile phones are becoming increasingly sophisticated, enabling consumers to do more and generating more data, some of which is personal and sensitive. With more than 200,000 mobile phones stolen each year in Australia (ATMA 2008), the default personal identification number (PIN) and password protection are no longer sufficient to keep these data from being misused. A survey of mobile security usage found that 34% of users had disabled the PIN and password on their phones, while the remaining 66% who did use them did so inappropriately (Clarke, NL & Furnell 2005). This calls for better security to protect mobile phone users. PIN and password authentication have memorability and usability problems that lead to improper use by consumers, so other authentication methods, such as tokens and biometrics, were developed to address these shortcomings. These more advanced methods are not without their own limitations: a token can be forgotten or lost, and biometrics often have accuracy and privacy issues. Both also fall back on a PIN or password as a secondary authentication mechanism. Research on image based authentication (IBA) has grown in response, leveraging the human ability to recognize and recall graphics better than a sequence of letters and digits.
In all of this research (Dhamija & Perrig 2000; Jansen 2004; Takada, Onuki & Koike 2006), results have shown that users authenticate more reliably with IBA techniques, by recognizing images, than by recalling PINs and passwords. Although IBA techniques seem to yield better memorability among test subjects, each technique has only ever been compared against PIN and password. The focus of this paper is to compare two IBA techniques, Picture Password and Awase-E, against one another. The performance of these techniques matters because it reveals a range of usability design issues that are important in designing an easy-to-use and memorable system. To do this, both the performance and the usability design of the two IBA techniques are compared. In summary, the two IBA techniques performed unexpectedly in terms of speed of authentication: Awase-E was significantly faster than Picture Password. As for authentication success rate, Awase-E maintained a high success rate while Picture Password experienced a poor one. In terms of user preference, there is a strong indication that participants in the experiment preferred Awase-E over Picture Password. The findings are presented and discussed along with proposed improvements for the IBA techniques.

Prepared By: Yeah Teck Chen

Table of Contents

Abstract ... i
List of Figures ... iii
List of Tables ... iii
Acronyms and Abbreviations ... iii
Declaration ... iv
Acknowledgement ... v
1 Introduction ... 1
1.1 Motivation ... 2
1.2 Research Questions and Contributions ... 2
2 Literature Survey ... 3
2.1 Overview ... 3
2.2 Introduction ... 3
2.3 User Authentication Techniques ... 4
2.4 IBA Performance ... 10
3 Research Methodology ... 11
3.1 Selecting IBA Technique to Evaluate ... 11
3.2 Prototype Development ... 11
3.3 Data Collection ... 11
3.4 Analysis and Expected Outcomes ... 13
4 Findings ... 14
4.1 Speed of Authentication ... 14
4.2 Authentication Success Rate ... 15
4.3 User Behaviour and Opinions towards Mobile Security and IBA ... 17
4.4 Problems and Improvements for Picture Password ... 19
4.5 Problems and Improvements for Awase-E ... 20
4.6 Improvements for both IBA techniques ... 20
5 Conclusion ... 21
References ... 22
Appendix A – User selected code ... A1
Appendix B – Performance data (Authentication Speed) ... B1
Appendix C – Déjà vu ... C1

List of Figures

Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner & Noble 2006) ... 5
Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008) ... 6
Figure 3: FAR, FRR and EER for biometrics (Clarke, N) ... 6
Figure 4: Example PDA screen (Jansen 2004) ... 7
Figure 5: Example random art from Déjà vu (Dhamija & Perrig 2000) ... 8
Figure 6: Example verification stage for Awase-E (Takada & Koike 2003) ... 8
Figure 7: Example of PassPoint clicks (Dirik, Memon & Birget 2007) ... 9
Figure 8: Draw-a-secret authentication process (Jermyn et al. 1999) ... 9
Figure 9: Left: Using shape to remember PIN 7-1-9-7. Middle: Stroke direction and the internal value interpreted by PassShape. Right: Strokes interpreted as U93DL9L3XU3U, with X as a padding value for multiple drawings. (Weiss & Luca 2008) ... 10
Figure 10: Authentication speed for PIN, Password, Picture Password and Awase-E ... 14
Figure 11: Authentication success rate for PIN, Password, Picture Password and Awase-E ... 15
Figure 12: Number of trials for PIN, Password, Picture Password and Awase-E ... 16

List of Tables

Table 1: Design differences between Picture Password and Awase-E ... 11
Table 2: Authentication speed for PIN, Password, Picture Password and Awase-E ... 14
Table 3: Authentication success rate for PIN, Password, Picture Password and Awase-E ... 15
Table 4: Number of trials for PIN, Password, Picture Password and Awase-E ... 17
Table 5: Type of error and mistake made by participants ... 17
Table 6: Usage a day against number of willing authentications ... 18
Table 7: Criteria rating and preference of PIN, Password, Picture Password and Awase-E ... 19

Acronyms and Abbreviations

IBA – Image based Authentication
PDA – Personal Digital Assistant
PIN – Personal Identification Number
WiFi – Wireless networking technology for high speed Internet and network connection

Declaration

This thesis presents work carried out by myself and does not incorporate without acknowledgment any material previously submitted for a degree or diploma in any university; to the best of my knowledge it does not contain any materials previously published or written by another person except where due reference is made in the text; and all substantive contributions by others to the work presented, including jointly authored publications, are clearly acknowledged.
Yeah Teck Chen
June 2010

Acknowledgement

I wish to express my sincere gratitude to my minor thesis supervisor Gaye Lewis, who is a Program Director in the School of Computer and Information Science, for her superb insights and suggestions, support and encouragement throughout the experiment, analysis of the findings and final write-up of the thesis. In addition, I also wish to extend many thanks to my former thesis supervisor, Chris Steketee, who was a Senior Lecturer in the School of Computer and Information Science, for all the unreserved and enlightening pointers and comments during the formation of the thesis, literature review and experiment design. Special thanks also go to all of the participants in the experiments for their earnest involvement and comments for the research. Finally, I would like to express my deepest thanks to my family and friends for their unwavering encouragement and support during my study here in Adelaide.

1 Introduction

Mobile phones released to the market are becoming increasingly sophisticated, with more features and greater capabilities. Consumers can do more with the phone, so more services are consumed and more data is generated and stored on the phone, some of it sensitive in nature. Personal consumers are likely to hold private information such as family contact numbers, personal photos and messages on the phone, and protecting the privacy of this information will be important to them. Business users, on the other hand, may have more crucial information stored on the mobile phone, such as vendor and customer information, business correspondence such as emails, and access to corporate resources.
Thus, mobile security will be the most critical requirement for this user group. With more than 200,000 mobile phones reported stolen each year in Australia (ATMA 2008) alone, and more that go unreported, this sensitive data is at risk of misuse. This calls for better security for protecting mobile phone data. A standard mobile phone normally comes with a simple power-on PIN, while more advanced models may also require the PIN when waking from inactivity. However, research has shown that 34% of users disabled the PIN and 30% found the PIN troublesome. Of the 66% who do use a PIN, 38% had at least once forgotten it and locked themselves out of the phone, 45% used the default PIN, 42% changed it once after buying the phone and only 13% changed it more than once (Clarke, NL & Furnell 2005). Another survey revealed that 50% of respondents recorded their password or PIN in one form or another (Adams, Sasse & Lunt 1997). A potential explanation for such behaviour is the limitation of human memory. Johnson in 1991 (cited in Yan et al. 2000) explained that humans are limited in memorizing a sequence of items in a short period of time, and Miller in 1956 (cited in Yan et al. 2000) showed that human short-term memory holds about seven plus or minus two items. Although a significant amount of research has been conducted to improve the security of PIN and password systems, its focus has always been on designing new technical methods to authenticate users rather than examining the usability of those methods (Adams & Sasse 1999). Image based authentication (IBA) research, which leverages the human ability to recognize better than to recall, has shown promising results: pass-images are more memorable, so authentication fails less often.
This can be seen in the Déjà vu project (refer to Appendix C) (Dhamija & Perrig 2000). However, IBA techniques tend to take longer to authenticate (Dhamija & Perrig 2000) and suffer other input errors such as wrong sequence and double selection (De Angeli et al. 2003). These techniques have also only been compared against PIN and password. This paper conducts an experiment comparing two IBA techniques, Picture Password and Awase-E, back to back, with PIN and password as control techniques. The focus is on the performance of these IBA techniques; user opinions of them are also gathered during the experiment. By investigating performance, in terms of authentication speed and success rate, together with user opinions, usability issues can be identified and better design suggestions derived to improve the performance of these IBA techniques.

1.1 Motivation

Most input methods for IBA techniques are similar to PIN and password systems. PIN and password remain the most used mechanism for user authentication, but their limitations result in bad practices among consumers. While more advanced authentication systems such as token-based and biometric systems exist, they are well known for their drawbacks, including but not limited to requiring extra hardware, increased implementation cost and accuracy issues (Grashey & Schuster 2006; Nicholson, Corner & Noble 2006). Often, token-based and biometric systems still implement some PIN or password mechanism, either for initialization or as a "fallback" or secondary authentication method.
On the other hand, research on IBA techniques such as Déjà Vu, which leverage the human ability to recognize previously seen images, has shown improved memorability among test subjects (Dhamija & Perrig 2000; De Angeli et al. 2003). As a result, several authentication systems built on this concept, such as Awase-E (Takada & Koike 2003) and IBRA (Akula & Devisetty 2004), were developed. However, improved memorability does not by itself make a system more usable; there is room to improve these techniques if their design is user-centred. Data gathered from experiments can therefore reveal both design and user acceptance issues that are crucial for the diffusion of the technique into public and private use, especially business use.

1.2 Research Questions and Contributions

This paper focuses on the performance and usability of two IBA techniques and aims to answer the following research questions:
a) Which IBA technique allows the user to authenticate faster?
b) Which IBA technique is easier to remember, resulting in a higher authentication success rate?
c) What are users' opinions regarding the design of user authentication in general and of IBA specifically?
Task completion time for enrolment and authentication and the authentication error rate are collected so that the results can be analysed and discussed in relation to each IBA technique's design. Experiment participants are also interviewed to study their behaviour and opinions towards mobile authentication. This paper contributes to the body of knowledge on user authentication, especially usability studies of IBA systems, not only for mobile devices but also for other electronic devices and machines such as computers and ATMs. Improved usability and a better authentication experience could encourage consumers to adopt IBA security systems for their mobile devices and computers, which are increasingly valuable.
2 Literature Survey

2.1 Overview

In this section, the description and mechanism of various user authentication techniques are presented and critically reviewed in terms of their weaknesses and usability issues on mobile phones. These techniques include PIN, password, token-based authentication, biometrics and IBA. As the focus of this thesis is on IBA techniques and specifically their performance, a section on the currently known performance data for the two IBA techniques studied, Picture Password and Awase-E, is also presented for later comparison.

2.2 Introduction

Imagine you are starting a new job in a new building and are introduced to the security guard on duty who screens all the employees. When you turn up for work the following day, how does the security guard recognize you? The guard may do so by verifying your name, observing your general appearance, listening to your voice, and so on. Now imagine the company replaces the security guard with a machine. How will the machine recognize you as who you really are and not someone else? This is a simple analogy for user authentication. Human-to-machine authentication is a vital mechanism for protecting assets and, more importantly, access to data and resources. There are generally three factors (O'Gorman 2003) for authenticating users:
a) Knowledge based – dependent on "something the user knows", such as a password. This is only effective if the knowledge is kept secret from other people. Other examples of knowledge based authentication are the personal identification number (PIN), secret phrases, secret questions and answers, and many more.
b) Object based – reliant on "something the user possesses", such as a token.
The token normally stores information such as keys and a digital certificate that proves the token is valid. The user is authenticated as long as the token is present, or at least while it is presented during initial authentication.
c) ID based – leverages unique attributes of the person, "something the user is", such as his or her biometrics and behaviour. Sensor devices such as a fingerprint scanner or camera are needed to capture the user's biometrics for comparison with samples provided earlier.
User authentication techniques are developed around these factors, and details of their implementation are discussed in the following section.

2.3 User Authentication Techniques

2.3.1 PIN and Password

PIN and password are still the most common methods used to authenticate users for almost everything, from computer login, mobile phone power-on, ATM withdrawal, online banking and email to social network login. Organizations prefer to implement PIN and password because they cost virtually nothing to create, are available on almost every device, and are familiar to users and help desks alike (Phifer 2008). To maximize security, PINs and passwords were originally system-generated. However, the resulting high-entropy secrets force users to write them down for later reference, putting the protected system at risk. This led to user-generated passwords in order to improve memorability (Adams, Sasse & Lunt 1997). The Federal Information Processing Standards (FIPS) and security experts suggest various guidelines and tips for choosing passwords that are both easy to recall and secure, to encourage users to create good passwords.
Examples of good password advice include using alphanumeric passwords with special characters and ensuring the password contains no dictionary words. Mnemonic methods, taking the first letter of each word of a phrase such as "I stayed in the city for 2 years" to derive "Isitcf2y", are also well known. However, research has shown that users generally continue to choose poor passwords even when educated, especially if no policies and mechanisms enforce good password selection (Yan et al. 2000). A poorly selected password is one issue; some users completely disable authentication. Compared to laptops, mobile devices such as PDAs and smart phones are used more often for shorter tasks and require instant accessibility, so troublesome authentication gets disabled when no policy enforces the use of a PIN or password (Phifer 2008). All in all, the memorability and usability problems of passwords and PINs have caused bad practice among users (Adams, Sasse & Lunt 1997; Clarke, NL & Furnell 2005), which puts both personal and business assets and data at risk.

2.3.2 Token Based Authentication

To tackle the problems of PIN and password usage, token authentication was developed to remove the need for users to remember lengthy, meaningless strings by storing the authentication information in the token and authenticating the user on "something the user possesses". Based on public key infrastructure, tokens such as removable smart media (MMC, SD, etc.) hold digital certificates that are impossible, or at least hard, to forge (Phifer 2008). The card must be inserted into a reader on the mobile device so that the digital certificate can be verified. Like a car key, a token must be present either at initialization or for the entire period a service or function is in operation.
This type of token, however, results in users leaving it in situ for the sake of convenience, as with the Subscriber Identity Module (SIM) card. A lost mobile device found with the token still inserted is therefore no better protected than a device without a password. Research has also addressed the problem of users leaving smart media in situ: tokens using contactless technology such as RFID, Bluetooth and WiFi have been produced. A good example is Transient Authentication, which uses a WiFi connection to authenticate the token (Nicholson, Corner & Noble 2006). It uses a wearable token such as an IBM Linux wrist watch with enough computational power to serve as an authentication server. A mobile device bound to that authentication server acts as the authenticating client and constantly checks whether the wireless token is within range of a few metres. When the token goes out of range, the mobile device engages a lock-down mechanism that includes encrypting files and memory, flushing caches and blanking the screen. The reverse process is performed when the token moves back within range (refer to Figure 1).

Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner & Noble 2006).

However, tokens are not without limitations. Primarily, implementing token authentication increases cost and effort: extra hardware is needed, and policies for handling and usage must be established. Tokens may also be forgotten or lost; if either happens, users have to rely on the fallback or secondary authentication method for the mobile device, which in most cases is a PIN or password (Furnell, S, Clarke & Karatzouni 2008).
Another significant drawback of wireless tokens is that they drain the mobile device's battery (Jansen 2004).

2.3.3 Biometrics Authentication

PIN and password suffer from the dilemma of choosing between a strong but unusable password and a weak but memorable one, while tokens can be lost or forgotten. Biometric techniques therefore authenticate users on "something the user is" to avoid the problems of the former techniques. Biometric techniques can be based on two kinds of traits: physiological and behavioural (Furnell, SM & Clarke 2007). Physiological traits allow users to be recognized by physical features such as fingerprint (Su et al. 2005), face (Han et al. 2007), iris (Dae Sik et al. 2005) and teeth (Kim & Hong 2008), and this type of biometric is usually used for user authentication. Behavioural traits, on the other hand, show an identifiable pattern in voice, keystrokes (Isohara, Takemori & Sasase 2008), signature and gait (Gafurov 2006), and are typically researched for anomaly detection in user behaviour.

Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008).

A typical biometric system starts with enrolment, a process that acquires samples of the biometric trait as a training set; it is critical that the user's identity is confirmed at this stage. These samples serve as a template against which new samples collected in subsequent authentications are compared. As with tokens, some biometric techniques require extra hardware for collecting samples such as fingerprints, while most other techniques leverage the built-in capabilities of newer phone models, such as camera, keypad, touch screen and even accelerometer, to capture face, voice, gait and other features.
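The enrolment-and-compare flow just described turns a biometric decision into a threshold on a match score, and the paragraphs that follow define the false acceptance and false rejection rates that the threshold trades off. The Python below is an added example, not code from the thesis or from any of the cited systems: the matcher itself is abstracted away, and the two score lists are constructed sample outputs (labelled as such in the code) of the kind a fingerprint or face matcher produces when comparing a fresh sample with the enrolled template. It sweeps the threshold, reports FAR and FRR, locates the equal error rate, and shows what a zero-FAR setting costs in rejected genuine users.

```python
"""Threshold trade-off for a biometric verifier: FAR, FRR and the equal error rate.

Added example, not code from the thesis. The matcher is abstracted away: the
two score lists below are CONSTRUCTED similarity scores (0 = no match, 1 =
identical) such as a matcher would output when comparing a fresh sample against
the enrolled template. GENUINE holds scores from the legitimate user's own
samples, IMPOSTOR holds scores from other people's samples.
"""

# Constructed sample data (assumption: 10 genuine and 10 impostor comparisons).
GENUINE = [0.92, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR = [0.20, 0.25, 0.30, 0.35, 0.40, 0.50, 0.58, 0.62, 0.68, 0.72]


def accept(score, threshold):
    """Decision rule: a sample is accepted when its match score reaches the threshold."""
    return score >= threshold


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) at one threshold.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def _candidate_thresholds(genuine, impostor):
    # Every observed score is a candidate, so the sweep is exact for the sample
    # rather than an interpolation between bins.
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine, impostor):
    """Return (threshold, FAR, FRR) at the point where FAR and FRR are closest;
    ties are broken towards the lower threshold."""
    best = None
    for t in _candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        key = (abs(far - frr), t)
        if best is None or key < best[0]:
            best = (key, (t, far, frr))
    return best[1]


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest candidate threshold whose FAR does not exceed max_far, together
    with the FRR the user population pays for that security setting."""
    for t in _candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    t, far, frr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER: threshold={t} FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"FAR=0 setting: threshold={t} FRR={frr:.2f}")
```

On the constructed data the EER is 20% at a threshold of 0.66, and forcing FAR to zero pushes the threshold to 0.75 and the FRR to 40%, which is the lock-out cost that the next paragraph warns about. Candidate thresholds are the observed scores themselves, so the figures are exact for this sample; a real evaluation would sweep a far larger score set and report the curve rather than a single point.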
The main challenge of biometric techniques, however, is accuracy. Biometric techniques suffer from two types of error: false acceptance rate (FAR) and false rejection rate (FRR) (Furnell, SM & Clarke 2007). FAR is the rate at which an impostor is accepted by the system, while FRR is the rate at which an authorized person is rejected. The point where FAR and FRR cross is the equal error rate (EER), a measurement that is normally benchmarked against the industry EER standard.

Figure 3: FAR, FRR and EER for biometrics (Clarke, N)

Lowering the FAR increases the security of the system, but usability may be compromised because the FRR then rises and authorized users get locked out. Conversely, setting the FRR low improves user acceptance, but the security of the system may be compromised (refer to Figure 3). Factors that cause accuracy problems in biometrics include a small training set and noise. Training can be improved, but usability drops significantly if the system needs extensive training. Noise while acquiring template and authentication samples, such as background noise for voice and lighting for face or iris, can be reduced by moving away from noisy environments or authenticating under sufficient lighting, but these too reduce usability.

2.3.4 Image Based Authentication

There is, however, a significant body of research that aims to improve the memorability of passwords by replacing them with graphics and photos. The logic behind this technique is that humans can generally recognize better than they can recall, as Nielsen argued in 1993 (cited in Dhamija & Perrig 2000). The research can be grouped into two distinct categories.
The first type is the recognition based technique, the main focus of this research, which uses images, photographs and icons to stimulate the user's recognition during a later authentication. The user may not be able to explicitly remember the graphics, but later prompts with the selected images help the user to recognize and pinpoint them. The other category, similar to a biometric signature technique, is based on recalling graphics created by the user, such as shapes, drawings or a signature. No visual stimulus is given, and the user must specifically remember and reproduce the previously created graphic.

a) Recognition Based Authentication

Experiments by Paivio and Csapo in 1969 and Intraub in 1980 revealed that humans can recognize a large number of pictures after only a short glance at them (cited in Dhamija & Perrig 2000). Using this knowledge, image based authentication systems present the user with a group of images from which the user chooses several as pass-images. The images can be photos, icons or parts of a photo. During authentication, the user must point out, in sequence, the previously selected images. This technique can be seen in research conducted by Jansen in 2004 (refer to Figure 4).

Figure 4: Example PDA screen (Jansen 2004)

A variation of this technique uses random art (refer to Figure 5) in place of icons or images, as in the Déjà vu project (Dhamija & Perrig 2000). Another technique, seen in Awase-E (Takada & Koike 2003), requires the user to select only one image from the first selection screen and another from the second, iterating up to four times (refer to Figure 6).
Awase-E also allows the user to have "no pass-image" on some selection screens, and there is no need to remember the sequence of the images as they may appear randomly on any screen. There is also another variation, seen in the work of Onali and Ginesu (2006), that allows users to select one part of a picture; the system then zooms into that region and similarly divides the zoomed image into several parts to be selected by the user. This is iterated several times. Other variations include the use of personal photos (Pering et al. 2003) and the use of images of faces (Doi et al. 1997) for authentication.

Figure 5: Example random art from Déjà vu (Dhamija & Perrig 2000)

Figure 6: Example verification stage for Awase-E (Takada & Koike 2003)

Using a similar approach to Jansen's (2004) pass-images, PassPoint (Dirik, Memon & Birget 2007) is another technique that uses an image to help users recognize the points within the picture, as well as their sequence, that were previously selected as the authentication points (refer to Figure 7). The background image serves as a guide for the user to choose memorable points.

Figure 7: Example of PassPoint clicks (Dirik, Memon & Birget 2007)

b) Recall Based Authentication

Perhaps the earliest recall based authentication, other than signature, is the Draw-a-secret (DAS) technique (Jermyn et al. 1999), where the user draws on a 2D grid and the sequence and direction of the pen strokes are recorded. In this technique, the coordinates of the drawing are also essential, as they are authenticated along with the sequential and directional data. Users then need to reproduce the drawing for authentication (refer to Figure 8).

Figure 8: Draw-a-secret authentication process (Jermyn et al. 1999)

Another drawing based authentication technique is PassShape (Weiss & Luca 2008), which does not take the coordinates into account as Draw-a-secret does, but only the stroke sequence and direction (refer to Figure 9). The concept was derived from using shapes to remember PIN numbers on the keypad. To make the system more secure, the user is required to draw the shape, and PassShape's internal system interprets the drawing and generates the pass code for it. For multiple drawings, the system uses "X" as a padding value.

Figure 9: Left: Using a shape to remember PIN 7-1-9-7. Middle: Stroke direction and the internal value interpreted by PassShape. Right: Strokes interpreted as U93DL9L3XU3U, with X as a padding value for multiple drawings. (Weiss & Luca 2008)

2.4 IBA Performance

The IBA performance aspects investigated in this experiment are authentication speed and success rate; the data collected from experiment participants can be used to deduce usability issues of the investigated IBA techniques. Currently, no literature has been found that discusses performance in terms of authentication speed and success rate for Picture Password. The literature found mainly describes the mechanism and entropy of the technique. On the other hand, Awase-E has several reports that extensively discuss the authentication success rate of the technique, which was reported to be as high as 100% even after an experiment period of 16 weeks (Takada, Onuki & Koike 2006). However, authentication speed does not seem to be one of the strengths of the technique, as it was briefly reported that Awase-E authenticates at an average of 24.6 seconds (Takada, Onuki & Koike 2006). The research methodology for the experiment is explained in the following section.
3 Research Methodology

3.1 Selecting IBA Techniques to Evaluate

From the literature survey, two IBA techniques were selected to be compared alongside PIN and password to test their performance in memorability and usability. The first technique is Picture Password (Jansen 2004), while the second is Awase-E (Takada & Koike 2003). In design, the two techniques are quite different (refer to Table 1), and it is worth looking into their performance side by side.

Picture Password | Awase-E
Tested on PDA | Tested on mobile phone
One screen authentication | Multiple screen authentication
Pass-image input sequence important | User chooses randomly placed pass-images across multiple screens
Uses thumbnails of multiple images | Uses thumbnails of multiple images or a full image divided into parts
Select at least 4 pass-images | Select at least 1 pass-image
Table 1: Design differences between Picture Password and Awase-E

The main reason for selecting Picture Password and Awase-E is that their input methods for authentication are very similar to PIN and password: input is done by pressing on images, which are also arranged in a grid, instead of buttons. Similar and familiar input and interactivity may result in higher user acceptance of the user interface. In contrast, PassPoints, Draw-a-secret, PassShape and others have very different input mechanisms. Another reason for choosing Picture Password and Awase-E is that they were easier to develop than other IBA techniques and could be completed within the time constraints of the thesis.

3.2 Prototype Development

The prototype for each authentication technique was to be as similar as possible to the original method in terms of the user interface for authentication. This is to ensure that there is no bias towards any of the selected techniques.
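To quantify the design differences listed in Table 1 (an ordered sequence of at least 4 pass-images for Picture Password versus one response per screen for Awase-E), here is an added worked example, not code from the thesis, that counts the distinct responses a guesser would have to choose between under simplified models of each design and compares them with a PIN; the thumbnail counts n and m, the pass-image count k and the screen count s are placeholder values, not the prototypes' actual sizes.

```python
"""Added example (not from the thesis): guess space of Picture Password,
Awase-E and a PIN under simplified models of the designs in Table 1.

Assumptions, none of which are stated in the thesis:
  * Picture Password: one screen of n thumbnails, k pass-images entered in
    order; repeats allowed, since some participants used the same image
    four times (section 4.3.1).
  * Awase-E: s screens, each showing m thumbnails plus a "no pass-image"
    button; a guess must answer every screen.
  * n, k, m and s below are placeholder values, not the prototypes' sizes.
  * Choices are treated as uniform; user-chosen secrets such as 1234 or
    8888 make the effective space smaller than these figures.
"""
import math
from typing import Dict


def pin_space(digits: int) -> int:
    """All digit strings of the given length."""
    return 10 ** digits


def picture_password_ordered(n: int, k: int, repeats: bool = True) -> int:
    """Ordered sequence of k pass-images chosen from n thumbnails."""
    return n ** k if repeats else math.perm(n, k)


def picture_password_unordered(n: int, k: int, repeats: bool = True) -> int:
    """Same choice with the sequence restriction lifted: the secret becomes
    a multiset (repeats allowed) or a set (no repeats) of k images."""
    return math.comb(n + k - 1, k) if repeats else math.comb(n, k)


def awase_e_space(m: int, s: int) -> int:
    """One response per screen, one of m images or "no pass-image"; a blind
    guess succeeds with probability 1 / awase_e_space(m, s)."""
    return (m + 1) ** s


def bits(space: int) -> float:
    """Guess space expressed as bits (uniform choice assumed)."""
    return math.log2(space)


def sequence_restriction_bits(n: int, k: int) -> float:
    """Bits lost if Picture Password no longer requires the pass-images
    to be entered in order."""
    return bits(picture_password_ordered(n, k)) - bits(picture_password_unordered(n, k))


def compare(n: int = 30, k: int = 4, m: int = 8, s: int = 4,
            pin_digits: int = 4) -> Dict[str, int]:
    """Guess spaces side by side for the placeholder parameters."""
    return {
        "PIN": pin_space(pin_digits),
        "Picture Password, ordered": picture_password_ordered(n, k),
        "Picture Password, unordered": picture_password_unordered(n, k),
        "Awase-E": awase_e_space(m, s),
    }


if __name__ == "__main__":
    for name, space in compare().items():
        print(f"{name:<30} {space:>8}  ({bits(space):.1f} bits)")
    print(f"ordering adds {sequence_restriction_bits(30, 4):.1f} bits")
```

With the placeholder sizes, a single-pass-image Awase-E login offers fewer responses to guess between than a 4-digit PIN, so a limit on failed attempts matters for either design regardless of how memorable it is.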
The prototypes were deployed and tested on the same touch-screen smart phone to enable all the techniques to be evaluated equally. The IBA prototypes, and the PIN and password prototypes, were developed using the .NET Mobile Platform with the Visual Studio 2005 Professional IDE. Initial prototype testing was performed to ensure that the system contains no errors and that the prototypes were designed and developed to be as similar as possible to the original authentication techniques.

3.3 Data Collection

In order to collect data for analysis, the experiment involved 20 test subjects. The participants were asked to authenticate on the prototypes. In order to remove bias, the test subjects were varied and balanced in terms of:

- Age
- Gender
- Educational level
- Knowledge of password authentication

The experiment consists of 3 stages: enrolment and learning, memory test 1, and memory test 2. During each stage, each participant authenticated on all 4 prototypes in random order. In order to answer the research question of this paper, the task completion time and error rate were recorded during the experiment for analysis at a later stage. The 3 stages are detailed as follows:

a) Stage 1: Enrolment and Learning

Participants were given a brief introduction on the purpose of the experiment and how it would be conducted. For each of the authentication techniques, the participant was given a demonstration of how enrolment and authentication work. Next, the participant was asked to enrol themselves and was given several authentication trials for learning, in the order of enrolment. For the PIN, the minimum length was 4 digits and it should be a combination that the participant believes to be safe and has never used before.
The password should be alphanumeric with a minimum length of 6 characters. Picture Password requires at least 4 pass-images, while Awase-E requires at least one pass-image.

b) Stage 2: Survey and Memory Test 1

Following the enrolment and learning stage, the participant was asked to complete a questionnaire related to their behaviours and opinions on mobile authentication in general. The questionnaire also collected data on their perception of the tested IBA techniques. This questionnaire also served as an unrelated task before the memory test that follows. After completing the questionnaire, which took around 15 to 20 minutes, the participant was asked to perform the authentications in random order. The participant could retry as many times as they wished until they had successfully authenticated themselves.

c) Stage 3: Memory Test 2

For memory test 2, the participant was asked to return a week later to perform the authentications, again in random order and as many times as they wished until they were authenticated, or until they gave up trying. Following the memory test, the participant was asked to complete a brief questionnaire to obtain their post-experiment views and perception of the tested IBA techniques. Responses from this exit interview are compared with the responses from the previous interview for analysis.

3.4 Analysis and Expected Outcomes

The performance of the IBA techniques will be discussed in relation to their technique design. The findings on user opinion will also be discussed. This information will be used to derive some design guides and issues for future IBA technique designs. In terms of authentication speed, the expected outcome is PIN as the fastest technique, followed by Picture Password, password and Awase-E.
This is because the input methods for PIN and Picture Password are quite similar and easy to use, while password has longer and harder-to-input characters. Awase-E's multiple screens, which require users to analyse each image, are expected to result in a longer authentication process. As for memorability, the most memorable techniques are expected to be Picture Password and Awase-E, followed by PIN and password. This is in line with previous research suggesting that IBA techniques perform better in terms of memorability compared with PIN and password.

4 Findings

In this chapter, both the quantitative and qualitative data collected from the IBA prototypes and the user survey are analysed and presented in an integrated approach to discuss and answer the research questions. First, the findings on the speed of authentication are presented, followed by the findings on authentication success rate and lastly, the user behaviour and opinions towards mobile security and IBA. In the last section, the issues and improvement areas for Picture Password and Awase-E are also addressed.

4.1 Speed of Authentication

Figure 10: Authentication speed for PIN, Password, Picture Password and Awase-E (chart "Time to Complete Authentication": time in seconds, 0 to 25, against Stage 1, Stage 2, Stage 3 and Mean, with series PIN, Password, Picture Password and Awase-E)

As expected, PIN took the shortest time to authenticate participants, averaging approximately 5 seconds across all stages. While its speed decreased marginally over the duration of the experiment, PIN remains significantly faster than the other techniques. Interestingly, password is at least twice, if not three times, slower than PIN, recording an average of 15.62 seconds to authenticate.
Method / Time (seconds) | Stage 1 | Stage 2 | Stage 3 | Mean
PIN | 3.49 | 4.66 | 6.94 | 5.03
Password | 12.03 | 15.75 | 19.07 | 15.62
Picture Password | 9.65 | 12.96 | 19.63 | 14.08
Awase-E | 8.10 | 8.44 | 13.22 | 9.92
Table 2: Authentication speed for PIN, Password, Picture Password and Awase-E

Picture Password authenticates quicker than password by a small margin in Stages 1 and 2, but unexpectedly slowed in Stage 3 to match password's speed, averaging about 14 seconds across all stages. Perhaps most surprising was that Awase-E, in contrast with the predicted result, came second in authentication speed, consistently authenticating faster than password and Picture Password and recording an average of a little less than 10 seconds, at 9.92 seconds. The Picture Password authors never published test results on the speed of authentication of the technique, but this experiment shows that Picture Password is indeed a rather slow technique, in contrast with the earlier predicted outcome. Awase-E, on the other hand, was reported to perform at an average of 24.6 seconds (Takada, Onuki & Koike 2006), a huge gap from the result in this experiment, which recorded Awase-E authenticating at an average of 9.92 seconds. As the Awase-E authors did not discuss the speed of authentication in much detail, it can only be speculated that most of the participants in that experiment might have used more than 1 pass-image, resulting in slower authentication, in contrast with the majority of participants in this experiment, who used only 1 pass-image. Again, personal devices such as mobile phones require instantaneous access (Phifer 2008), and in this case users seeking convenience may still prefer to use PIN simply because it is the fastest technique.
However, some participants suggested that mobile phone users may be willing to tolerate slower authentication techniques such as password, Picture Password and Awase-E as long as they are deemed more secure, especially in scenarios where they are required to authenticate only once or a few times a day. Users who prefer to be authenticated every time they access the phone may be put off by slow authentication techniques.

4.2 Authentication Success Rate

Figure 11: Authentication success rate for PIN, Password, Picture Password and Awase-E (chart "Authentication Success Rate on First Trial": success rate, 0% to 120%, against Stage 1, Stage 2 and Stage 3, with series PIN, Password, Picture Password and Awase-E)

Again, as expected, Awase-E has the highest authentication success rate, recording 90% in Stage 1 and 95% in both Stages 2 and 3. PIN and password were expected to decline in success rate and did so, with PIN doing better than password, scoring 75% and 65% in Stage 3, respectively. It is interesting to note that Awase-E performed more poorly than the other techniques in Stage 1, where two participants made a mistake by missing their pass-image and pressing the "no pass-image" button.

Stage / Method | Stage 1 | Stage 2 | Stage 3 | Mean
PIN | 100.00% | 85.00% | 75.00% | 86.67%
Password | 100.00% | 85.00% | 65.00% | 83.33%
Picture Password | 100.00% | 85.00% | 55.00% | 80.00%
Awase-E | 90.00% | 95.00% | 95.00% | 93.33%
Table 3: Authentication success rate for PIN, Password, Picture Password and Awase-E

Picture Password, on the other hand, performed as expected with a high success rate, rating equally with PIN and password in Stages 1 and 2, and was expected to score a higher success rate in Stage 3. Instead, however, Picture Password's success rate dropped significantly to almost 50%, recording only 55%.
While no performance data were published for Picture Password, it seems that its success rate did as poorly as its speed of authentication. As for Awase-E, its success rate results in this experiment are consistent with the Awase-E performance report, which showed a high authentication success rate being maintained as time passes (Takada, Onuki & Koike 2006), as high as 100% even after a period of 16 weeks. However, there is a difference between how that report and this report interpret a successful authentication. In that research (Takada, Onuki & Koike 2006), the participant was allowed 3 trials for all authentication techniques, and an attempt was considered successful if the participant succeeded within 3 trials. This report regards only a successful first trial as a successful authentication, and thus the findings of the two reports are not directly comparable. Awase-E could indeed improve authentication rates among users and could potentially serve as an alternative security measure to PIN and password, while users may be reluctant to use Picture Password due to the high chance of authentication failure. However, it is important to note that even though PIN and password did poorly compared to Awase-E, users may still prefer the former techniques due to familiarity. Cross-referencing the authentication success rate data with the participant survey, at least 35% of the participants rated PIN or password as their preferred technique (Top 1 and 2) despite making an error while using PIN or password in Stage 3 (Table 6).
Figure 12: Number of trials for PIN, Password, Picture Password and Awase-E

As users are more prone to failing to authenticate as time passes, for example in Stage 3, it is also worth looking at how many times participants needed to re-authenticate when they made an error, because users who made a mistake on the first trial but succeeded on the second may be willing to continue using the technique. However, if the user needs to re-authenticate more than twice too frequently, the user may feel that the authentication technique is too obtrusive and disable it.

Stage 3 | 1st Trial | 2nd Trial | More than 2 trials
PIN | 75.00% | 5.00% | 20.00%
Password | 65.00% | 15.00% | 20.00%
Picture Password | 60.00% | 10.00% | 30.00%
Awase-E | 95.00% | 0.00% | 5.00%
Table 4: Number of trials for PIN, Password, Picture Password and Awase-E

PIN, password and Picture Password recorded 5%, 15% and 10% second trials, respectively, while Awase-E had no second trials. Surprisingly, the number of participants requiring at least a third trial is higher than the number requiring only 2 trials for all four techniques, with PIN and password each recording 20% needing more than 2 trials, while Picture Password and Awase-E recorded 30% and 5% respectively. Again, Awase-E exceeded the performance of Picture Password in this aspect.

Error/Mistake | 0 Week | 1 Week
Picture too small | 10 | 3
Confused with sequence | 6 | 7
Input error | 4 | 2
Recall error | 3 | 10
Touch screen unresponsive | 9 | 2
Unfamiliar with touch screen | 4 | 1
Double clicked | 1 | 0
Table 5: Type of error and mistake made by participants

Lastly, the type of error made by the participants could also reveal improvement areas for the IBA methods. The resulting authentication success rates could be due to one of the problems, errors or mistakes in Table 5.
Included among these are the user being confused with the sequence of either PIN or Picture Password, input error and, most importantly, recall error, which increased from 3 to 10 occurrences after one week. Notably, sequence and recall errors had the strongest effect on the authentication success rate. However, further research will be needed to identify which technique is more prone to which type of error and which ones matter the most to users.

4.3 User Behaviour and Opinions towards Mobile Security and IBA

When asked how many times they were willing to be authenticated in a day, 15% of participants answered none at all, 40% only once at power on, 25% several times a day and 20% every time they access the phone (refer to Table 6). This means that, in total, at least 85% of the participants are willing to use authentication security on their mobile phones. However, the data collected were not significant enough to analyse authentication frequency preference according to usage group. Future research can focus on this area.

Phone Usage Per Day | Willing Authentication Per Day: None | Once | Several | Every time
1 to 5 (35%) | 1 | 4 | 1 | 1
5 to 10 (30%) | 2 | 3 | 0 | 1
More than 10 (35%) | 0 | 1 | 4 | 2
Total | 15% | 40% | 25% | 20%
Table 6: Usage per day against number of willing authentications per day

Although all of the participants were aware of some sort of security mechanism on their phone, such as power-on PIN, SIM lock or standby lock, only 35% use them, citing the need to protect data and email accounts from unintended use and in case the phone is lost.
The remaining 65% of the participants either did not know how to set up a PIN or password lock or were reluctant to use one, giving reasons such as it being unnecessary, not having significant data stored, it being troublesome, it being disabled by default, it being too time consuming for frequent access to the phone, and some were very particular about their phone and had never let other people use it. While more than half of the participants are not currently using any mobile security mechanism on their phone, the survey in this experiment showed that, if made aware, users may be willing to adopt some sort of authentication mechanism to protect their phone, IBA being one of them.

4.3.1 User Selected PIN, Password and Pass-Images

In the experiment, the participants were asked to use PIN, password, Picture Password and Awase-E; a summary of the "secret codes" selected by the participants follows:

PIN – consists of numbers only, and participants were required to use a PIN of at least 4 digits, which most did. From the data, it is clear that the subjects chose PINs that are easy to guess, such as dates, numbers with meanings such as 1437 representing "I love you forever", 4 of the same digit such as 8888, sequential numbers such as 1234 or 9876, and numbers forming a shape on the number pad such as 2563 forming a "U" shape and 159357 forming an "X".

Password – consists of alphanumeric characters, and again most participants used the required minimum of 6 characters. Among the passwords used by the participants are words, names or nicknames, brand names, and also sequential key presses on the keypad resulting in passwords such as adgjmp or gjmptw. Interestingly, some participants chose a word a little shorter than the required 6 characters and then padded it with an unrelated character, such as unisa1 or names1.

Picture Password – consists of a minimum of 4 selected images, and the participant has to remember the sequence of the selected images.
For this technique, all of the participants used the minimum number of images. As an observer, it is quite impossible to guess what the selected images mean, although it could be inferred that some selected images represent a short story, while a few participants used 4 of the same image. An example of a short story where the images of a man, a heart, a dog and a computer were selected could mean "men love dogs and computers" or "I love dogs and computers".

Awase-E – requires participants to capture and use at least 1 image as a pass-image. Most of them used 1 image, while a few used 2. None used more than 3 pass-images. As a participant needed to capture an image using the phone's camera, they captured objects they could find in front of them, such as a telephone, watch, water bottle, image in a newspaper, and food, while a few captured an image of a view such as a kitchen or a room, which may be harder to recognize during authentication compared to distinct objects.

4.3.2 User Preference of the Authentication Techniques

Criteria (0 week / 1 week) | PIN | Password | Picture Password | Awase-E
Easy to create | 90% / - | 75% / - | 60% / - | 65% / -
Easy to authenticate | 80% / 85% | 60% / 70% | 50% / 45% | 75% / 75%
Easy to remember | 85% / 65% | 70% / 65% | 45% / 25% | 70% / 70%
Secure | 45% / 60% | 70% / 75% | 85% / 80% | 60% / 50%
Preference (Top 1) | 15% / 25% | 20% / 35% | 25% / 0% | 45% / 40%
Preference (Top 2) | 45% / 50% | 45% / 55% | 45% / 30% | 70% / 65%
Table 6: Criteria rating and preference of PIN, Password, Picture Password and Awase-E (a single value was recorded for Easy to create)

The preference for PIN increasing over the duration of the experiment could be due to its higher authentication speed and higher authentication success rate. However, surprisingly, the preference for password also increased, although the technique performed poorly in terms of speed and authentication success rate.
The only possible explanation for this is that password remains the more familiar authentication technique and users are not ready to give it up completely and opt for newer authentication systems. A follow-up questionnaire may be needed to confirm this. Finally, as expected, the poor performance of Picture Password resulted in a significant drop in preference. Interestingly, Awase-E managed to maintain a high percentage of preference despite experiencing a slight drop towards the end of the experiment.

4.4 Problems and Improvements for Picture Password

Initially, Picture Password was a top favourite for at least 25% of the participants. However, this declined sharply after one week, when none of the participants rated it as their top preferred authentication method. Apart from finding the method confusing and hard to remember, participants had trouble finding or locating their pass-images, resulting in high error rates and slow authentication speed. Participants suggested that this technique could be improved if the pass-image sequence restriction were lifted, enabling users to input whichever selected pass-image they saw first, followed by the remainder of the pass-images. This is, of course, a probable solution to improve authentication speed and success rate. However, users may instead need to remember which pass-images have already been input, to avoid inputting the same pass-image more than once. In addition, the implications for the technique's entropy may need to be studied.

4.5 Problems and Improvements for Awase-E

Many participants stated that they may use Awase-E and that the technique could improve security. In fact, Awase-E was highly preferred throughout the experiment, recording 45% as top favourite despite dropping slightly to 40% towards the end of the experiment.
Participants suggested that the Awase-E technique should allow pass-images to be selected from the photo collection already residing on their phone. This is a plausible function, as seen in the Awase-E research report (Takada, Onuki & Koike 2006), where users can upload their personal photographs to be used as pass-images to an Awase-E server from either a computer or a mobile phone. The user's mobile phone can also act as a standalone server. However, due to the nature of this experiment, the data from all participants needed to be centralized; thus participants were asked to create an ad hoc and simple pass-image using the camera function on the mobile phone used in this experiment.

4.6 Improvements for Both IBA Techniques

From the author's observation during the experiment sessions, there are also several UI improvements that both Picture Password and Awase-E can adopt.

a) Larger images for user input – Some participants have big fingers, especially the thumb, which often blocks the image button the participant is trying to press. The small image buttons used caused participants to accidentally select the wrong image.

b) Larger gaps between buttons or images could improve the user's perception of the precise location of the image. In addition, accidental pressing of adjacent buttons or images can be avoided.

c) Button or image press event – A "click" event requires a user to press and release the same button to complete the event. Often participants' button clicks were cancelled because they failed to complete the second part of the click event, releasing their press on the same button. Instead, participants' presses were released away from the button they were trying to click. To solve this, images or buttons should use the "keydown" event rather than the "click" event, so the UI can detect input instantly when the user presses the button.
5 Conclusion

In this last chapter, a summary of the thesis and the experiment conducted is presented, along with the contributions, limitations and future research.

Mobile phones are becoming increasingly important and valuable, but the current authentication techniques of PIN and password are often misused, resulting in unprotected data and information on the phones. While other authentication methods such as tokens and biometrics exist, they have well known limitations that may hinder user adoption. Alternatively, image based authentication (IBA) shows promising results in relation to improved memorability. This thesis conducted an experiment to compare two IBA techniques, Picture Password and Awase-E, in terms of their usability, performance and user opinions towards the techniques, in order to answer three research questions: which IBA technique authenticates faster, which IBA technique has a higher authentication success rate, and what the user opinions are towards the IBA techniques. The key findings show that PIN authenticates the fastest, followed by Awase-E, while Awase-E shows the highest authentication success rate, followed by PIN. Both Awase-E and PIN are rated the highest in terms of user preference among the tested authentication techniques. The findings have been presented and discussed along with proposed improvements for the IBA techniques.

The thesis contributes to the body of knowledge in user authentication, especially the usability study of IBA techniques for authentication in general, by providing an indication of the usability of IBA techniques and proposing improvements that can enhance the authentication experience, thus encouraging consumers to increase adoption of IBA for their mobile phones and other devices. However, the main limitation of this research is the sample size.
The small sample size may misrepresent the performance of the IBA techniques for the whole population. Despite the limitations, this thesis serves as an exploratory endeavour to provide indications of the usability, performance and user opinions towards IBA, and also identifies potential directions for future research. Thus, future research based on a larger sample size can explore other statistical values such as standard deviation. Other factors such as age, gender or social group can also be taken into consideration for analysis. Also, although the research questions were answered, no one technique performed excellently across all aspects investigated in this experiment. However, it can be concluded that, apart from PIN and password, which were included in the experiment as control techniques, between Picture Password and Awase-E the latter significantly outperformed the former in terms of authentication speed and success rate, and is thus worthy of further investigation and improvement. Therefore, further research is proposed to investigate which user acceptance criteria are the most important for mobile authentication and how IBA, especially Awase-E, performs in terms of the identified criteria. For example, one of the criteria could be pass-image creation time, which may be investigated by allowing Awase-E to select pass-images from the user's own photo gallery on the phone. The performance of Picture Password without the sequence restriction is also an interesting avenue for future study. Lastly, it is also important to investigate the types of errors that the IBAs are prone to, which matter the most to users and how they can be improved.

References

Adams, A & Sasse, M 1999, 'Users are not the enemy', Commun. ACM, vol. 42, no. 12, pp. 40-46.
Adams, A, Sasse, M & Lunt, P 1997, 'Making passwords secure and usable', People and Computers, pp. 1-20.
Akula, S & Devisetty, V 2004, 'Image based registration and authentication system'.
ATMA 2008, '2008 Annual Report', AMTA Publication.
Clarke, N, 'Biometric User Authentication for Mobile Devices'.
Clarke, N & Furnell, S 2005, 'Authentication of users on mobile telephones: A survey of attitudes and practices', Computers & Security, vol. 24, no. 7, pp. 519-527.
Dae Sik, J, Hyun-Ae, P, Kang Ryoung, P & Jaihie, K 2005, 'Iris recognition in mobile phone based on adaptive Gabor filter', Berlin, Germany.
De Angeli, A, Coventry, L, Johnson, G & Coutts, M 2003, 'Usability and user authentication: Pictorial passwords vs. PIN', Contemporary Ergonomics, pp. 253-258.
Dhamija, R & Perrig, A 2000, 'Déjà vu: A user study using images for authentication'.
Dirik, AE, Memon, N & Birget, J-C 2007, 'Modeling user choice in the PassPoints graphical password scheme', ACM, Pittsburgh, Pennsylvania.
Doi, M, Chen, Q, Sato, K & Chihara, K 1997, 'Lock-control system using face identification', Lecture Notes in Computer Science, vol. 1206, pp. 361-368.
Furnell, S, Clarke, N & Karatzouni, S 2008, 'Beyond the PIN: Enhancing user authentication for mobile devices', Computer Fraud & Security, vol. 2008, no. 8, pp. 12-17.
Furnell, SM & Clarke, NL 2007, 'Advanced user authentication for mobile devices', Computers & Security, vol. 26, no. 2, pp. 109-119.
Gafurov, D, Helkala, K & Søndrol, T 2006, 'Biometric Gait Authentication Using Accelerometer Sensor', Journal of Computers, vol. 1, no. 7, pp. 51-59.
Grashey, S & Schuster, M 2006, 'Multiple Biometrics', SmartKom: Foundations of Multimodal Dialogue Systems, pp. 181-193.
Han, S, Park, H, Cho, D, Park, K & Lee, S 2007, 'Face recognition based on near-infrared light using mobile phone', Lecture Notes in Computer Science, vol. 4432, p. 440.
Isohara, T, Takemori, K & Sasase, I 2008, 'Anomaly Detection on Mobile Phone Based Operational Behavior', Information and Media Technologies, vol. 3, no. 1, pp. 156-164.
Jansen, W 2004, 'Authenticating mobile device users through image selection', The Internet Society: Advances in Learning, Commerce and Security, vol. 1, pp. 183-194.
Jermyn, I, Mayer, A, Monrose, F, Reiter, M & Rubin, A 1999, 'The Design and Analysis of Graphical Passwords'.
Kim, D-J & Hong, K-S 2008, 'Multimodal biometric authentication using teeth image and voice in mobile environment', IEEE Transactions on Consumer Electronics, vol. 54, no. 4, pp. 1790-1797.
Nicholson, AJ, Corner, MD & Noble, BD 2006, 'Mobile device security using transient authentication', IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-1502.
O'Gorman, L 2003, 'Comparing passwords, tokens, and biometrics for user authentication', Proceedings of the IEEE, vol. 91, no. 12, pp. 2021-2040.
Pering, T, Sundar, M, Light, J & Want, R 2003, 'Photographic authentication through untrusted terminals', IEEE Pervasive Computing, vol. 2, no. 1, pp. 30-36.
Phifer, L 2008, 'Mobile Security: Protecting mobile devices, data integrity and your corporate network', Search Mobile Computing.
Su, Q, Tian, J, Chen, X & Yang, X 2005, 'A fingerprint authentication mobile phone based on sweep sensor', Lecture Notes in Computer Science, vol. 3687, p. 295.
Takada, T & Koike, H 2003, 'Awase-E: image-based authentication for mobile phones using user's favorite images', Lecture Notes in Computer Science, pp. 347-351.
Takada, T, Onuki, T & Koike, H 2006, 'Awase-E: Recognition-based Image Authentication Scheme Using Users' Personal Photographs', Innovations in Information Technology, 2006, pp. 1-5.
Weiss, R & De Luca, A 2008, 'PassShapes: utilizing stroke based authentication to increase password memorability', ACM, Lund, Sweden.
Yan, J, Blackwell, A, Anderson, R & Grant, A 2000, 'The memorability and security of passwords: some empirical results', Technical Report, University of Cambridge Computer Laboratory, p. 1.

Appendix A – User selected code

Participant   PIN      Password
1             110285   ableman
2             1437     zyxw32
3             61003    alexlee
4             625213   cacing82
5             8052     helloo
6             2141     ibanez
7             5555     joanne
8             159357   asiawin
9             9876     unisa1
10            1698     adgjmp
11            7229     jason1
12            5805     aakash
13            36987    timberleng
14            8888     gjmptw
15            1223     rulers
16            1234     password
17            2563     dajtwm
18            2826     alvins
19            5246     wbilby
20            2421     dexters

(The Picture Password and Awase-E columns of this table held the participants' image selections, which did not survive text extraction.)

Appendix B – Performance data (Authentication Speed)

Time per authentication in seconds. PW = Password, PP = Picture Password, AE = Awase-E.

Stage 1
Subject   PIN     PW      PP      AE
1         5.93    14.80   16.67   12.10
2         2.70    13.90   6.70    5.50
3         4.20    13.40   7.40    8.15
4         2.60    12.80   5.20    5.90
5         2.90    12.90   8.80    13.60
6         3.00    11.30   9.20    8.70
7         3.00    6.60    13.00   6.10
8         6.50    15.20   5.10    5.50
9         3.80    12.40   6.00    6.45
10        2.50    3.70    10.80   9.20
11        5.50    9.00    11.50   11.90
12        2.40    7.80    5.60    9.40
13        3.80    11.00   18.30   7.30
14        2.30    16.45   18.20   6.60
15        2.20    8.20    5.30    5.70
16        3.10    15.30   7.90    8.90
17        3.50    4.50    5.30    6.40
18        4.40    22.60   8.50    8.50
19        2.60    13.40   12.70   8.70
20        2.90    15.40   10.80   7.30
Mean      3.49    12.03   9.65    8.10

Stage 2
Subject   PIN     PW      PP      AE
1         6.10    24.95   12.20   15.30
2         3.30    12.50   6.40    6.20
3         3.90    7.80    19.40   13.00
4         2.80    10.60   6.95    5.65
5         4.80    15.90   28.40   13.20
6         4.50    13.10   8.80    7.50
7         2.90    6.60    15.40   4.30
8         6.30    19.20   14.10   8.60
9         4.20    66.80   6.60    10.70
10        18.70   5.45    25.20   7.95
11        5.50    8.20    9.60    7.70
12        4.45    8.70    10.90   7.60
13        2.70    12.10   26.90   7.20
14        1.90    17.30   5.80    4.15
15        2.30    10.50   6.80    5.30
16        2.35    8.70    6.90    7.00
17        5.60    9.00    9.70    6.40
18        4.00    24.90   12.30   14.50
19        4.00    12.90   9.85    8.30
20        2.80    19.75   16.93   8.20
Mean      4.66    15.75   12.96   8.44

Stage 3
Subject   PIN     PW      PP      AE
1         19.43   34.57   28.27   42.30
2         4.00    28.10   12.68   11.70
3         5.60    20.08   20.35   19.80
4         3.60    37.00   21.50   6.60
5         7.08    11.20   14.30   12.96
6         5.70    13.10   9.65    10.20
7         8.90    10.80   23.90   8.80
8         12.30   40.10   18.80   15.20
9         4.40    29.70   9.20    23.30
10        3.20    8.77    16.20   6.15
11        16.60   9.60    27.98   10.50
12        2.70    9.10    12.60   12.20
13        5.80    22.80   63.78   8.80
14        6.50    11.74   25.00   5.50
15        7.20    8.95    9.60    13.40
16        2.90    13.70   22.33   12.70
17        4.90    8.35    15.40   4.90
18        8.20    30.70   13.70   20.10
19        6.83    16.00   16.20   9.10
20        3.00    17.10   11.20   10.20
Mean      6.94    19.07   19.63   13.22

Appendix C – Déjà vu

Déjà vu (Dhamija & Perrig 2000) is a recognition-based IBA technique that uses random art (abstract images) for user authentication. In the Déjà vu prototype, a user chooses a username and selects pass-images from a given set. To authenticate, the user re-enters the username and then picks out the pass-images from a set that also contains decoy images. The user study (Dhamija & Perrig 2000) showed slower pass-image creation and authentication times than PIN and password, but fewer failed logins. The technique was also proposed for use on ATMs and for web authentication.
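As an added example (not code from the thesis or from Dhamija & Perrig), the following Python sketches the recognition challenge described in Appendix C: a portfolio of pass-images, a challenge screen padded with decoys, verification, the probability of guessing the screen blindly, and the check a practitioner would want, namely what an observer learns by intersecting several challenge screens. The image ids, the pool of 200 images and the 5-of-25 challenge shape are assumptions made for the example, not figures reported on the page.

```python
import random
from math import comb

# Added example of a Deja vu style recognition challenge. Image ids stand in
# for the random-art images; 5 pass-images on a 25-image screen and a pool of
# 200 images are parameters chosen for the example.
IMAGE_POOL = [f"img{i:03d}" for i in range(200)]  # constructed image ids


def enroll(pool, portfolio_size, rng):
    """Enrolment: the user picks pass-images from the pool (random here)."""
    return frozenset(rng.sample(pool, portfolio_size))


def make_challenge(pool, portfolio, challenge_size, rng, decoys=None):
    """Build a shuffled challenge screen holding every pass-image plus decoys.

    decoys=None samples fresh decoys on every login; passing a fixed decoy list
    reuses the same decoys for this user on every login (see intersection_attack).
    """
    if decoys is None:
        decoys = rng.sample([img for img in pool if img not in portfolio],
                            challenge_size - len(portfolio))
    challenge = list(portfolio) + list(decoys)
    rng.shuffle(challenge)
    return challenge


def verify(portfolio, challenge, selected):
    """Login succeeds only if exactly the pass-images on the screen are selected:
    a missed pass-image or a clicked decoy fails the attempt."""
    return set(selected) == set(portfolio) and set(portfolio) <= set(challenge)


def guess_probability(challenge_size, portfolio_size):
    """Chance that one random pick of portfolio_size images from the screen is right."""
    return 1 / comb(challenge_size, portfolio_size)


def intersection_attack(observed_challenges):
    """What an observer learns from several challenge screens alone (no clicks).

    Pass-images appear on every screen, so intersecting the screens always keeps
    the portfolio. With fresh random decoys per login the decoys drop out and the
    portfolio is exposed; with per-user fixed decoys the intersection is the whole
    screen and nothing is learned. This is a property of recognition schemes as
    modelled here, not a finding reported in the thesis.
    """
    remaining = set(observed_challenges[0])
    for challenge in observed_challenges[1:]:
        remaining &= set(challenge)
    return remaining


def demo(logins=4, fixed_decoys=False, seed=1):
    """Enrol one user, run `logins` challenges, and return the portfolio together
    with what an observer who saw every screen could narrow it down to."""
    rng = random.Random(seed)  # seeded for reproducibility; use secrets.SystemRandom in practice
    portfolio = enroll(IMAGE_POOL, 5, rng)
    decoys = None
    if fixed_decoys:
        decoys = rng.sample([img for img in IMAGE_POOL if img not in portfolio], 20)
    screens = [make_challenge(IMAGE_POOL, portfolio, 25, rng, decoys) for _ in range(logins)]
    return portfolio, intersection_attack(screens)


if __name__ == "__main__":
    print("blind guess probability:", guess_probability(25, 5))
    for fixed in (False, True):
        portfolio, leaked = demo(fixed_decoys=fixed)
        print("fixed decoys" if fixed else "fresh decoys", "-> observer narrows to", len(leaked), "images")
```

Blind guessing against a 5-of-25 screen has odds of 1 in 53,130, but that figure only holds if the screens themselves leak nothing; with fresh decoys, four observed logins are normally enough to isolate the portfolio, which is why a per-user fixed decoy set is the safer design.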
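The participants' choices in Appendix A show the habits the abstract refers to as inappropriate use of PINs and passwords: repeated and sequential digits, a dictionary word, and letter strings that are walks along a phone keypad. The following added Python (my own checks, not part of the thesis) flags those patterns over the Appendix A codes. The wordlist is a constructed three-word stand-in for a real dictionary, and the keypad map is the standard letter layout on keys 2 to 9.

```python
from math import log2

# Added example: simple weak-choice checks over the Appendix A PINs and passwords.
APPENDIX_A = {  # participant: (PIN, password), transcribed from Appendix A
    1: ("110285", "ableman"),    2: ("1437", "zyxw32"),    3: ("61003", "alexlee"),
    4: ("625213", "cacing82"),   5: ("8052", "helloo"),    6: ("2141", "ibanez"),
    7: ("5555", "joanne"),       8: ("159357", "asiawin"), 9: ("9876", "unisa1"),
    10: ("1698", "adgjmp"),      11: ("7229", "jason1"),   12: ("5805", "aakash"),
    13: ("36987", "timberleng"), 14: ("8888", "gjmptw"),   15: ("1223", "rulers"),
    16: ("1234", "password"),    17: ("2563", "dajtwm"),   18: ("2826", "alvins"),
    19: ("5246", "wbilby"),      20: ("2421", "dexters"),
}

# Letters printed on a phone keypad: "adgjmp" is the first letter on keys 2..7.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}

COMMON_WORDS = {"password", "unisa", "jason"}  # constructed stand-in for a real wordlist


def longest_run(s, allowed_steps):
    """Length of the longest run in s whose consecutive code-point differences are all
    equal and all in allowed_steps: {0} finds repeats (5555), {1, -1} finds
    ascending or descending sequences (1234, 9876, zyxw)."""
    best = run = 1
    prev = None
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in allowed_steps:
            run = run + 1 if d == prev else 2
        else:
            run = 1
        prev = d
        best = max(best, run)
    return best


def guess_space_bits(s):
    """log2 of the naive search space: length times the size of the classes used."""
    size = 0
    if any(c.isdigit() for c in s):
        size += 10
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(not c.isalnum() for c in s):
        size += 33
    return round(len(s) * log2(size), 2)


def audit_secret(s, min_run=3):
    """Return the weakness flags that apply to one PIN or password."""
    s = s.lower()
    flags = []
    if longest_run(s, {0}) >= min_run:
        flags.append("repeat")
    if longest_run(s, {1, -1}) >= min_run:
        flags.append("sequence")
    if s.isalpha():
        keys = "".join(LETTER_TO_KEY.get(c, "?") for c in s)
        if longest_run(keys, {1, -1}) >= 4:
            flags.append("keypad walk")
    if s.rstrip("0123456789") in COMMON_WORDS:
        flags.append("dictionary")
    return flags


def audit_all(entries=APPENDIX_A):
    """{participant: {"pin": flags, "password": flags}} for participants with any flag."""
    report = {}
    for pid, (pin, pw) in entries.items():
        pin_flags, pw_flags = audit_secret(pin), audit_secret(pw)
        if pin_flags or pw_flags:
            report[pid] = {"pin": pin_flags, "password": pw_flags}
    return report


if __name__ == "__main__":
    for pid, found in audit_all().items():
        pin, pw = APPENDIX_A[pid]
        print(pid, pin, found["pin"], pw, found["password"],
              f"({guess_space_bits(pin)} / {guess_space_bits(pw)} bits naive)")
```

Eight of the twenty participants trip at least one of these crude rules, and the keypad-walk rule catches two strings (adgjmp, gjmptw) that an ordinary dictionary or sequence check would pass; any PIN policy for a phone should include that keypad-aware check alongside the usual ones.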
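Added example, not analysis from the thesis: the Appendix B timings re-keyed in Python so that the spread behind each mean (the standard deviation the Conclusion leaves to future work), the subjects behind the largest outliers, and a paired comparison of Picture Password against Awase-E can be computed from the page's own data. The means reproduce the "Mean" rows of the appendix tables, which also checks the transcription.

```python
from math import sqrt
from statistics import mean, stdev

# Added example over the Appendix B data. Column order follows the appendix.
METHODS = ("PIN", "PW", "PP", "AE")  # PW = Password, PP = Picture Password, AE = Awase-E

STAGES = {  # one (PIN, PW, PP, AE) tuple per subject, in subject order, seconds
    "Stage 1": [
        (5.93, 14.80, 16.67, 12.10), (2.70, 13.90, 6.70, 5.50), (4.20, 13.40, 7.40, 8.15),
        (2.60, 12.80, 5.20, 5.90), (2.90, 12.90, 8.80, 13.60), (3.00, 11.30, 9.20, 8.70),
        (3.00, 6.60, 13.00, 6.10), (6.50, 15.20, 5.10, 5.50), (3.80, 12.40, 6.00, 6.45),
        (2.50, 3.70, 10.80, 9.20), (5.50, 9.00, 11.50, 11.90), (2.40, 7.80, 5.60, 9.40),
        (3.80, 11.00, 18.30, 7.30), (2.30, 16.45, 18.20, 6.60), (2.20, 8.20, 5.30, 5.70),
        (3.10, 15.30, 7.90, 8.90), (3.50, 4.50, 5.30, 6.40), (4.40, 22.60, 8.50, 8.50),
        (2.60, 13.40, 12.70, 8.70), (2.90, 15.40, 10.80, 7.30),
    ],
    "Stage 2": [
        (6.10, 24.95, 12.20, 15.30), (3.30, 12.50, 6.40, 6.20), (3.90, 7.80, 19.40, 13.00),
        (2.80, 10.60, 6.95, 5.65), (4.80, 15.90, 28.40, 13.20), (4.50, 13.10, 8.80, 7.50),
        (2.90, 6.60, 15.40, 4.30), (6.30, 19.20, 14.10, 8.60), (4.20, 66.80, 6.60, 10.70),
        (18.70, 5.45, 25.20, 7.95), (5.50, 8.20, 9.60, 7.70), (4.45, 8.70, 10.90, 7.60),
        (2.70, 12.10, 26.90, 7.20), (1.90, 17.30, 5.80, 4.15), (2.30, 10.50, 6.80, 5.30),
        (2.35, 8.70, 6.90, 7.00), (5.60, 9.00, 9.70, 6.40), (4.00, 24.90, 12.30, 14.50),
        (4.00, 12.90, 9.85, 8.30), (2.80, 19.75, 16.93, 8.20),
    ],
    "Stage 3": [
        (19.43, 34.57, 28.27, 42.30), (4.00, 28.10, 12.68, 11.70), (5.60, 20.08, 20.35, 19.80),
        (3.60, 37.00, 21.50, 6.60), (7.08, 11.20, 14.30, 12.96), (5.70, 13.10, 9.65, 10.20),
        (8.90, 10.80, 23.90, 8.80), (12.30, 40.10, 18.80, 15.20), (4.40, 29.70, 9.20, 23.30),
        (3.20, 8.77, 16.20, 6.15), (16.60, 9.60, 27.98, 10.50), (2.70, 9.10, 12.60, 12.20),
        (5.80, 22.80, 63.78, 8.80), (6.50, 11.74, 25.00, 5.50), (7.20, 8.95, 9.60, 13.40),
        (2.90, 13.70, 22.33, 12.70), (4.90, 8.35, 15.40, 4.90), (8.20, 30.70, 13.70, 20.10),
        (6.83, 16.00, 16.20, 9.10), (3.00, 17.10, 11.20, 10.20),
    ],
}


def column(stage, method):
    """All subjects' times for one method in one stage."""
    return [row[METHODS.index(method)] for row in STAGES[stage]]


def summarise(stage):
    """Per-method (mean, sample standard deviation), rounded to 2 dp."""
    return {m: (round(mean(column(stage, m)), 2), round(stdev(column(stage, m)), 2))
            for m in METHODS}


def paired_t(stage, a, b):
    """Paired t statistic for method a minus method b. The same subjects used both
    methods, so the difference is taken per subject. Returns (mean difference,
    t, degrees of freedom); look t up against a t table with df = n - 1."""
    diffs = [x - y for x, y in zip(column(stage, a), column(stage, b))]
    n = len(diffs)
    d_mean, d_sd = mean(diffs), stdev(diffs)
    return round(d_mean, 2), round(d_mean / (d_sd / sqrt(n)), 2), n - 1


def outliers(stage, method, k=2.0):
    """Subject numbers whose time is more than k sample SDs above the method mean;
    single slow attempts like these pull the mean and belong beside it in a report."""
    xs = column(stage, method)
    m, s = mean(xs), stdev(xs)
    return [i + 1 for i, x in enumerate(xs) if x > m + k * s]


if __name__ == "__main__":
    for stage in STAGES:
        print(stage, summarise(stage))
        print("  PP - AE paired t:", paired_t(stage, "PP", "AE"))
        print("  slow outliers:", {m: outliers(stage, m) for m in METHODS})
```

The standard deviations make the point the Conclusion raises about sample size: a single very slow attempt (subject 9's 66.80 s password entry in Stage 2, subject 13's 63.78 s Picture Password attempt in Stage 3) moves a 20-subject mean by several seconds, so means alone overstate the precision of the speed ranking.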