Image-based Authentication for Mobile
Phones: Performance and User Opinions
By
Yeah Teck Chen
A thesis submitted for the degree of
Master of Science (Computer and Information Science)
School of Computer and Information Science
Division of Information Technology, Engineering and the Environment
University of South Australia
Supervisor
Gaye Lewis
2010
University of South Australia
Image-Based Authentication for Mobile Phones: Performance and User Opinions
Abstract
Mobile phones are becoming increasingly sophisticated, enabling consumers to do more and
generating more data, some of which is personal and sensitive. With more than 200,000 mobile phones
stolen each year in Australia (ATMA 2008), the default personal identification number (PIN) and
password protection are no longer sufficient to protect these data from misuse. A survey of mobile
security usage has shown that 34% of users disabled the PIN and password on their phones, while the
other 66%, who do use a PIN and password, did so inappropriately (Clarke, NL & Furnell 2005). This
calls for better security to protect mobile phone users.
PIN and password authentication have memorability and usability issues which result in improper use
by consumers. Thus, other authentication methods attempting to address these shortcomings, such as
tokens and biometrics, were developed. However, these more advanced methods have limitations of
their own: tokens can be forgotten or lost, and biometrics often have accuracy and privacy issues. Both
also rely on PIN and password as a secondary or fallback authentication mechanism.
Research on image based authentication (IBA) has been on the rise, leveraging the human ability to
recognize and recall graphics better than a sequence of letters and numbers. In all of this research
(Dhamija & Perrig 2000; Jansen 2004; Takada, Onuki & Koike 2006), results have shown that users
authenticate better with IBA techniques, by recognizing images, than by recalling PINs and passwords.
Although IBA techniques seem to yield better memorability among test subjects, the various techniques
have always been compared against PIN and password, not against one another.
The focus of this paper is to compare two IBA techniques, Picture Password and Awase-E, against one
another. The performance of these authentication techniques matters because it reveals a range of
usability design issues that are important in designing an easy to use and memorable system. To this
end, both the performance and the usability design of the two IBA techniques will be compared.
In summary, the two IBA techniques performed unexpectedly in terms of speed of authentication:
Awase-E was significantly faster than Picture Password. As for authentication success rate, Awase-E
maintained a high success rate while Picture Password experienced a poor one. In terms of user
preference, there is a strong indication that participants in the experiment preferred Awase-E over
Picture Password. The findings are presented and discussed along with proposed improvements for the
IBA techniques.
Prepared By: Yeah Teck Chen
Page i
Table of Contents
Abstract ............................................................................................................................................ i
List of Figures ..................................................................................................................................iii
List of Tables ...................................................................................................................................iii
Acronyms and Abbreviations ..........................................................................................................iii
Declaration ......................................................................................................................................iv
Acknowledgement ...........................................................................................................................v
1 Introduction .............................................................................................................................. 1
1.1 Motivation ........................................................................................................................ 2
1.2 Research Questions and Contributions............................................................................ 2
2 Literature Survey....................................................................................................................... 3
2.1 Overview .......................................................................................................................... 3
2.2 Introduction...................................................................................................................... 3
2.3 User Authentication Techniques ...................................................................................... 4
2.4 IBA Performance ............................................................................................................ 10
3 Research Methodology ........................................................................................................... 11
3.1 Selecting IBA Technique to Evaluate .............................................................................. 11
3.2 Prototype Development ................................................................................................. 11
3.3 Data Collection ............................................................................................................... 11
3.4 Analysis and Expected Outcomes .................................................................................. 13
4 Findings ................................................................................................................................... 14
4.1 Speed of Authentication ................................................................................................ 14
4.2 Authentication Success Rate .......................................................................................... 15
4.3 User Behaviour and Opinions towards Mobile Security and IBA................................... 17
4.4 Problems and Improvements for Picture Password ...................................................... 19
4.5 Problems and Improvements for Awase-E .................................................................... 20
4.6 Improvements for both IBA techniques ......................................................................... 20
5 Conclusion ............................................................................................................................... 21
References .................................................................................................................................... 22
Appendix A – User selected code ................................................................................................. A1
Appendix B – Performance data (Authentication Speed) ............................................................ B1
Appendix C – Déjà vu .................................................................................................................... C1
List of Figures
Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner & Noble 2006) .......... 5
Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008) ............... 6
Figure 3: FAR, FRR and EER for biometrics (Clarke, N).................................................................................. 6
Figure 4: Example PDA screen (Jansen 2004) ............................................................................................... 7
Figure 5: Example random art from déjà vu (Dhamija & Perrig 2000) ......................................................... 8
Figure 6: Example verification stage for Awase-E (Takada & Koike 2003) ................................................... 8
Figure 7: Example of PassPoint clicks (Dirik, Memon & Birget 2007) ........................................................... 9
Figure 8: Draw-a-secret authentication process (Jermyn et al. 1999) .......................................................... 9
Figure 9: Left: Using shape to remember PIN 7-1-9-7. Middle: Stroke direction and the internal value interpreted by the PassShape. Right: Strokes interpreted as U93DL9L3XU3U with X as a padding value for multiple drawing. (Weiss & Luca 2008) .......... 10
Figure 10: Authentication speed for PIN, Password, Picture Password and Awase-E................................ 14
Figure 11: Authentication success rate for PIN, Password, Picture Password and Awase-E...................... 15
Figure 12: Number of trials for PIN, Password, Picture Password and Awase-E ........................................ 16
List of Tables
Table 1: Design differences between Picture Password and Awase-E ...................................................... 11
Table 2: Authentication speed for PIN, Password, Picture Password and Awase-E .................................. 14
Table 3: Authentication success rate for PIN, Password, Picture Password and Awase-E ........................ 15
Table 4: Number of trials for PIN, Password, Picture Password and Awase-E .......................................... 17
Table 5: Type of error and mistake made by participants ......................................................................... 17
Table 6: Usage a Day against number of willing authentication ............................................................... 18
Table 7: Criteria rating and preference of PIN, Password, Picture Password and Awase-E ...................... 19
Acronyms and Abbreviations
IBA – Image based Authentication
PDA – Personal Digital Assistant
PIN – Personal Identification Number
WiFi – Wireless networking technology for high speed Internet and network connection
Declaration
This thesis presents work carried out by myself and does not incorporate without acknowledgment any
material previously submitted for a degree or diploma in any university; to the best of my knowledge it
does not contain any materials previously published or written by another person except where due
reference is made in the text; and all substantive contributions by others to the work presented,
including jointly authored publications, are clearly acknowledged.
Yeah Teck Chen
June 2010
Acknowledgement
I wish to express my sincere gratitude to my minor thesis supervisor Gaye Lewis, who is a Program Director in
the School of Computer and Information Science, for her superb insights and suggestions, support and
encouragement throughout the experiment, analysis of the findings and final write-up of the thesis. In
addition, I also wish to extend many thanks to my former thesis supervisor, Chris Steketee, who was a Senior
Lecturer in the School of Computer and Information Science, for all the unreserved and enlightening pointers
and comments during the formation of the thesis, literature review and experiment design. Special thanks
also go to all of the participants in the experiments for their earnest involvement and comments on the
research. Finally, I would like to express my deepest thanks to my family and friends for their unwavering
encouragement and support during my study here in Adelaide.
1 Introduction
Mobile phones released on the market are becoming increasingly sophisticated, with more features
and greater capabilities. Consumers are able to do more with the phone, so more services are consumed
and more data is generated and stored on the phone, some of it sensitive in nature. Personal consumers
are likely to hold private information such as family contact numbers, personal photos and messages on
the phone, and protecting the privacy of this information will be important to them. Business users, on
the other hand, may have more critical information stored on the mobile phone, such as vendor and
customer information, business correspondence such as emails, and access to corporate resources.
Thus, mobile security will be the most critical requirement for this user group. With more than 200,000
mobile phones reported stolen each year in Australia (ATMA 2008) alone, and even more that go
unreported, these sensitive data are at risk of being misused. This calls for better security for protecting
mobile phone data.
A standard mobile phone normally comes with a simple power-on PIN, while more advanced models may
also require PIN authentication when waking from inactivity. However, research has shown that 34% of
users disabled the PIN and 30% found the PIN troublesome. Of the 66% who do use a PIN, 38% had at
least once forgotten the PIN and locked themselves out of the phone, 45% used the default PIN, 42%
changed it once after buying the phone and only 13% changed the PIN more than once (Clarke, NL &
Furnell 2005). Another survey revealed that 50% of the respondents recorded their password or PIN in
one form or another (Adams, Sasse & Lunt 1997).
A potential explanation for such consumer behaviour is the limitation of human memory. Firstly, Johnson
in 1991 (Yan et al. 2000) explained that humans have difficulty memorizing a sequence of items in a short
period of time, and secondly Miller in 1956 (Yan et al. 2000) explained that human short term memory
has a capacity of about seven plus or minus two items.
Although a significant amount of research has been conducted to improve the security of PIN and
password systems, the focus of this research has always been on designing new technical methods to
authenticate users rather than examining the usability of those methods (Adams & Sasse 1999).
Image based authentication (IBA) research, which leverages the human ability to recognize better than
to recall, has shown promising results: pass-images are more memorable, hence authentication fails less
often. This can be seen in the work of the Déjà vu project (refer to Appendix C) (Dhamija & Perrig 2000).
However, IBA techniques tend to yield longer authentication times (Dhamija & Perrig 2000) and other
input errors such as wrong sequence and double selection (De Angeli et al. 2003). These techniques
were also compared only against PIN and password.
This paper aims to conduct an experiment to compare two IBA techniques, Picture Password and
Awase-E back to back with PIN and password as control techniques. The focus will be on
performance of these IBA techniques. User opinions regarding IBA techniques will also be gathered
during the experiment. By investigating the performance, in terms of authentication speed and
success rate, and the user opinions on these techniques, usability issues can be identified and hence
better design suggestions to improve the performance of these IBA techniques can be derived.
1.1 Motivation
Most of the input methods for IBA techniques are similar to PIN and password systems. In addition,
PIN and password systems are still the most used mechanism for user authentication but their
limitations result in bad practices among consumers.
While advanced authentication systems such as token-based and biometric systems exist, they are
well known for their drawbacks, including, but not limited to, the need for extra hardware, increased
implementation cost and accuracy issues (Grashey & Schuster 2006; Nicholson, Corner & Noble
2006). Often, token-based and biometric authentication systems implement some level of PIN or
password based mechanism, either for initialization or as a “fallback” or secondary authentication
method.
On the other hand, research of IBA techniques such as Déjà Vu that leverages the human ability to
recognize previously seen images has shown improved memorability among test subjects (Dhamija &
Perrig 2000; De Angeli et al. 2003). As a result, several authentication systems similar to this concept
such as Awase-E (Takada & Koike 2003) and IBRA (Akula & Devisetty 2004) were developed.
However, improved memorability does not by itself make a system more usable; there is room for
improvement in these techniques if their design is user-centred. Thus, data gathered from
experiments could reveal both design and user acceptance issues that are crucial for the diffusion of
the technique into public and private use, especially business use.
1.2 Research Questions and Contributions
This paper will focus on the performance and usability of two IBA techniques and will aim to answer
the following research questions:
a) Which IBA technique allows the user to authenticate faster?
b) Which IBA technique is easier to remember, resulting in a higher authentication success
rate?
c) What are some of the user’s opinions regarding the design of user authentication in general
and specifically on IBA authentication?
The task completion time for enrolment and authentication and the authentication error rate will be
collected so that the results can be analysed and discussed in relation to the IBA technique’s system
design. Also, experiment participants will be interviewed to study their behaviours and opinions
towards mobile authentication.
This paper will contribute to the body of knowledge about user authentication, especially usability
studies of IBA systems, not only for mobile devices but also for other electronic devices and
machines such as computers and ATMs. Improved usability and a better authentication experience could
encourage consumers to adopt these IBA security systems for their mobile devices and computers,
which are increasingly valuable.
2 Literature Survey
2.1 Overview
In this section, the description and mechanism of various types of user authentication techniques are
presented and critically reviewed in terms of their weaknesses and usability issues on mobile phones.
These techniques include PIN, Password, Token based authentications, Biometrics and IBA.
As the focus of this thesis is on IBA techniques and specifically on their performance, a section on the
currently known performance data for the two IBA techniques under experiment, Picture Password and
Awase-E, will also be presented for later comparison.
2.2 Introduction
Imagine you’re starting a new job in a new building and are introduced to the security guard on duty
who screens all the employees. When you turn up for work the following day, how does the security
guard recognize you? The security guard may do so by verifying your name, observing your general
appearance, listening to your voice, and so on. Now imagine the company decides to replace the
security guard with a machine. How will the machine recognize you as who you really are and not
someone else?
That simple example is an analogy for user authentication. Human to machine authentication is a
vital mechanism employed to protect assets and, more importantly, access to data and resources.
There are generally three factors (O'Gorman 2003) for authenticating users:
a) Knowledge Based – depends on “something the user knows” such as a password. This
authentication technique is only effective if the knowledge is kept secret from other people.
Other examples of knowledge based authentication are the personal identification number
(PIN), secret phrase, secret question and answer, and many more.
b) Object Based – relies on “something the user possesses” such as a token. The token normally
stores information such as keys and a digital certificate that proves the token is valid. The user
is authenticated as long as the token is present, or at least when the token is presented during
initial authentication.
c) ID Based – leverages unique attributes of a person, or “someone the user is”, such as his or her
biometrics and behaviour. Sensor devices such as a fingerprint scanner and camera are needed
to capture the user’s biometrics, which are compared with samples provided earlier.
The user authentication techniques are developed around these factors and details of its
implementation are discussed in the following section.
2.3 User Authentication Techniques
2.3.1 PIN and Password
PIN and password are still the most common methods used to authenticate users for almost
everything from computer login, mobile phone power-on, ATM withdrawal, online banking and
email to social network account login. Organizations prefer to implement PIN and password
because they cost virtually nothing to create, are available on almost every device, and are
familiar to users and help desk staff (Phifer 2008).
Initially, to ensure maximum security, PINs and passwords were system-generated. However, the
resulting high-entropy PINs and passwords forced users to write them down for easy reference
later, putting the password protected system at risk. Consequently, this led to user-generated
passwords in order to improve memorability (Adams, Sasse & Lunt 1997).
The Federal Information Processing Standard (FIPS) and security experts suggest various guidelines
and tips for choosing passwords that are both easy to recall and secure, to encourage users to create
good passwords. Examples of good password advice include using alphanumeric passwords with
special characters and ensuring the password contains no words that can be found in a dictionary.
Mnemonic methods using the first letter of each word in a phrase, such as “I stayed in the city for 2
years” to derive “Isitcf2y”, are also well known. However, research has shown that users generally
continue to choose poor passwords even when educated, especially if there are no policies and
mechanisms to enforce good password selection (Yan et al. 2000).
A poorly selected password is one issue; some users may completely disable authentication
mechanisms. Compared to laptops, mobile devices such as PDAs and smart phones are used
more frequently to perform shorter tasks and require instantaneous accessibility. Troublesome
authentications get disabled when there are no policies enforcing the use of PIN and password
(Phifer 2008).
All in all, both the memorability and the usability problems of password and PIN have caused bad
practice among users (Adams, Sasse & Lunt 1997; Clarke, NL & Furnell 2005), and this puts both
personal and business assets and data at risk.
2.3.2 Token Based Authentication
In order to tackle issues related to PIN and password usage, token authentication was developed
to remove the need for users to remember lengthy and non-meaningful strings, by storing the
authentication information within the token. Instead, the user is authenticated based on
“something the user possesses”.
Based on public key infrastructure, tokens such as removable smart media (MMC, SD, etc.) hold
digital certificates that are impossible, or at least hard, to forge (Phifer 2008). The smart card
needs to be inserted into a reader on the mobile device to perform verification of the digital
certificate. Working similarly to a car key, a token must be present either at initialization or
for the entire period a service or function is in operation. This type of token, however, results in
users leaving it in situ for the sake of convenience, as with the Subscriber Identity Module
(SIM) card. As such, a lost mobile device that is found together with the token intact is equivalent to
a mobile device without its password protection.
There is also research that aims to deal with the problem of users leaving smart media in situ.
Tokens using contactless technology such as RFID, Bluetooth and WiFi have been produced. A good
example of this is Transient Authentication, which uses a WiFi connection to authenticate the token
(Nicholson, Corner & Noble 2006). It uses a wearable token such as an IBM Linux wrist watch
that has sufficient computational power to serve as an authentication server. A mobile device
which is bound to the authentication server acts as the authenticating client and constantly
checks whether the wireless token is within a range of several meters. When the token goes out
of range, the mobile device engages a lock-down mechanism which includes encrypting files and
memory, flushing caches and rendering a blank screen. The reverse process is performed when the
token moves back within range (refer to Figure 1).
Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner &
Noble 2006).
However, tokens are not without limitations. Primarily, implementing token authentication
increases cost and effort for the extra hardware and for establishing policies on handling and
usage. Tokens may also be forgotten or lost. If either of these scenarios occurs, users will have to
rely on the fallback or secondary authentication method for the mobile device and, in most cases,
that is a PIN or password (Furnell, S, Clarke & Karatzouni 2008). Another significant drawback of
wireless tokens is that they drain the battery of the mobile device (Jansen 2004).
2.3.3 Biometrics Authentication
PIN and password suffer from a dilemma between a strong but unusable password and a weak
but memorable one, while tokens can be lost or forgotten. Hence, biometric techniques
authenticate users based on “someone the user is” to solve the issues of the former techniques.
Biometric techniques can be based on two kinds of trait: physiological and behavioural (Furnell,
SM & Clarke 2007). Physiological traits allow users to be recognized by physical features such as
fingerprint (Su et al. 2005), face (Han et al. 2007), iris (Dae Sik et al. 2005), and teeth (Kim & Hong
2008). This type of biometric is usually used for user authentication. Behavioural traits, on the
other hand, show an identifiable pattern based on voice, key strokes (Isohara, Takemori & Sasase
2008), signature and gait (Gafurov 2006), and are typically researched for anomaly detection in
user behaviour patterns.
Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008).
A typical biometric system starts with enrolment, a process that acquires samples of biometric
traits as a training set. It is also critical that the identity of the user is confirmed at this stage.
These samples serve as a template against which new samples, collected from users in
subsequent authentications, are compared.
Similarly to token, some biometric techniques require extra hardware for collecting biometrics
samples such as fingerprints while most of the other techniques would leverage built-in
capabilities of newer phone models such as camera, key pad, touch screen and even
accelerometer to detect face, voice and gait patterns and other features.
The main challenge of biometric techniques, however, is the accuracy issue associated with them.
Biometric techniques suffer from two types of error: false acceptance rate (FAR) and false
rejection rate (FRR) (Furnell, SM & Clarke 2007). FAR is the rate at which an impostor is accepted
by the system, while FRR is the rate at which an authorized person is rejected by the system. The
crossing point of FAR and FRR is the equal error rate (EER), a measurement that is normally
benchmarked against the industry EER standard.
Figure 3: FAR, FRR and EER for biometrics (Clarke, N)
Lowering the FAR increases the security of the system, but its usability may be compromised because
the FRR then rises, resulting in authorized users being locked out. Conversely, setting the FRR low
improves user acceptance, but the security of the system may be compromised (refer to Figure 3).
Factors that cause the accuracy issues in biometrics include small training set and noise. Training
can be improved but may significantly reduce usability if the system needed to be trained
extensively. Noise while acquiring template samples and authentication samples such as
surrounding noise for voice, and lighting for face or iris may also be reduced by moving away
from noisy environments or authenticating under sufficient lighting, but these too may reduce
system usability.
2.3.4 Image Based Authentication
There is, however, a significant body of research that aims to improve the memorability of
passwords by replacing them with graphics and photos. The logic behind this technique is that
humans can generally recognize better than they can recall, as Nielsen argued in 1993 (Dhamija &
Perrig 2000). The research can be grouped into two distinct categories. The first is the
recognition based technique, the main focus of this research, which uses images, photographs
and icons to stimulate the user’s recognition ability during a later authentication process. The
user may not be able to explicitly remember the graphics, but later prompts containing the
selected images help the user to recognize and pin-point them. The other category, similar to a
biometric signature technique, is based on recalling graphics created by the user. These graphics
can be in the form of shapes, drawings or a signature. The idea is that no visual stimulus is given,
and users need to specifically remember and reproduce the previously created graphics.
a) Recognition Based Authentication
In experiments conducted by Paivio and Csapo in 1969 and Intraub in 1980, it was revealed
that humans can recognize a large number of pictures after only a short glance at them
(Dhamija & Perrig 2000).
Using this knowledge, image based authentication systems are designed so that a user is
presented with a group of images from which the user chooses several as the pass-images. The
images can be photos, icons, or parts of a photo. During authentication, users need to point out,
in sequence, the previously selected images. This technique can be seen in research conducted
by Jansen in 2004 (refer to Figure 4).
Figure 4: Example PDA screen (Jansen 2004)
A variation of this technique uses random art (refer Figure 5) in place of the icons or
images, as seen in the Déjà vu project (Dhamija & Perrig 2000). Another technique, seen in
Awase-E (Takada & Koike 2003), requires users to select only one image from the first
selection screen and another image from the second selection screen, iterating up to 4
times (refer Figure 6). Awase-E also allows users to answer "no-pass-image" on some selection
screens, and there is no need to remember the sequence of the images as they may appear
randomly on any screen. There is another variation, seen in the work of Onali and
Ginesu (2006), that allows users to select one part of a picture; the system then zooms
into that region and similarly divides the zoomed image into several parts to be selected by
the user. This is iterated several times. Other variations include the use of personal photos
(Pering et al. 2003) and the use of images of faces (Doi et al. 1997) for authentication.
Figure 5: Example random art from déjà vu (Dhamija & Perrig 2000)
Figure 6: Example verification stage for Awase-E (Takada & Koike 2003)
Using a similar approach to Jansen’s (2004) pass image, PassPoint (Dirik, Memon & Birget
2007) is another technique using images to help users recognize points, as well as the
sequence, within the picture that were previously selected as the authentication points
(refer to Figure 7). The background image serves as a guide for the user to choose
memorable points.
Figure 7: Example of PassPoint clicks (Dirik, Memon & Birget 2007)
b) Recall Based Authentication
Perhaps the earliest recall based authentication technique, other than the signature, is
Draw-a-secret (DAS) (Jermyn et al. 1999), where the user draws on a 2D grid and the sequence
and direction of the pen strokes are recorded. In this technique the coordinates of the
drawing are also essential, as they are checked along with the sequential and directional
data. Users then need to reproduce the drawing for authentication (refer to Figure 8).
Figure 8: Draw-a-secret authentication process (Jermyn et al. 1999)
Another drawing based authentication technique is PassShape (Weiss & Luca 2008), which,
unlike Draw-a-secret, does not take the coordinates into account but only the stroke
sequence and direction (refer Figure 9). The concept was derived from using shapes to
remember PINs on the keypad. In order to make the system more secure, the user is required
to draw the shape and PassShape's internal system interprets the drawing and generates the
pass code for it. For multiple drawings, the system uses "X" as a padding value.
Figure 9: Left: Using shape to remember PIN 7-1-9-7. Middle: Stroke direction and the
internal value interpreted by the PassShape. Right: Strokes interpreted as U93DL9L3XU3U
with X as a padding value for multiple drawing. (Weiss & Luca 2008)
2.4 IBA Performance
The IBA performance aspects investigated in this experiment are authentication speed and success
rate; the data collected from experiment participants can also be used to deduce usability issues
of the investigated IBA techniques.
Currently, no literature has been found that discusses performance in terms of authentication
speed and success rate for Picture Password. The literature found mainly describes the mechanism
and entropy of the technique.
On the other hand, several reports discuss the authentication success rate of Awase-E
extensively; it was reported to be as high as 100% even after an experiment period of 16 weeks
(Takada, Onuki & Koike 2006). However, authentication speed does not appear to be one of the
strengths of the technique, as it was briefly reported that Awase-E authenticates at an average
of 24.6 seconds (Takada, Onuki & Koike 2006).
The research methodology for the experiment will be explained in the following section.
3 Research Methodology
3.1 Selecting IBA Technique to Evaluate
From the literature survey, two IBA techniques will be compared alongside PIN and password
to test their performance in memorability and usability. The first technique is Picture Password
(Jansen 2004) while the second technique is Awase-E (Takada & Koike 2003). In design, these two
techniques are quite different (refer to Table 1), and it is worth looking into their
performance side by side.
Picture Password                                  Awase-E
Tested on PDA                                     Tested on mobile phone
One screen authentication                         Multiple screen authentication
Pass-image input sequence important               User chooses randomly placed pass-images
                                                  across multiple screens
Uses thumbnails of multiple images                Uses thumbnails of multiple images or a full
                                                  image divided into parts
Select at least 4 pass-images                     Select at least 1 pass-image
Table 1: Design differences between Picture Password and Awase-E
The main reason for selecting Picture Password and Awase-E for investigation is that their
input methods for authentication are very similar to those of PIN and password: input is done by
pressing on images, instead of buttons, that are also arranged in a grid. Similar and familiar
input and interactivity may result in higher user acceptance of the user interface. In contrast,
PassPoints, Draw-a-secret, PassShape and others have very different input mechanisms.
Another reason for choosing Picture Password and Awase-E is that they were easier to develop
than other IBA techniques and could be completed within the time constraints of the thesis.
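As an added illustration (written for this edit; not the thesis prototypes, which were built on the .NET Mobile Platform), the following Python model contrasts the two verification rules summarised in Table 1 and described in Section 2.3.4: Picture Password checks an ordered sequence of at least four grid images, while Awase-E checks one answer per screen, with "no pass-image" allowed and no sequence to remember. The 30-icon grid, the 20 decoy photos, the four screens of nine thumbnails and the rule that every challenge shows at least one pass-image are assumptions of this example, not values from the thesis.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

NO_PASS_IMAGE = "no-pass-image"   # Awase-E's explicit "none of these" answer

# Constructed identifiers standing in for the icon grid and the decoy photos.
GRID = [f"icon{i:02d}" for i in range(30)]
DECOYS = [f"photo{i:02d}" for i in range(20)]


def _digest(sequence):
    """Canonical SHA-256 of an ordered selection (hypothetical storage format)."""
    return hashlib.sha256("\x1f".join(sequence).encode()).digest()


class PicturePassword:
    """One screen, at least 4 pass-images, input order significant (Jansen 2004)."""
    MIN_IMAGES = 4

    def __init__(self, grid):
        self.grid = list(grid)
        self._stored = None

    def enrol(self, sequence):
        if len(sequence) < self.MIN_IMAGES or any(i not in self.grid for i in sequence):
            raise ValueError("need at least 4 pass-images taken from the grid")
        self._stored = _digest(sequence)     # keep a hash, not the raw selection

    def authenticate(self, sequence):
        if self._stored is None:
            return False
        # Constant-time comparison; a different order yields a different digest.
        return hmac.compare_digest(_digest(sequence), self._stored)


@dataclass
class Challenge:
    screens: list    # thumbnails shown on each screen
    expected: list   # server-side answer per screen: a pass-image or NO_PASS_IMAGE


class AwaseE:
    """Several screens, at least 1 pass-image, order irrelevant (Takada & Koike 2003)."""
    MIN_IMAGES = 1
    SCREENS = 4      # "iterating up to 4 times"
    TILES = 9        # thumbnails per screen: assumption, not stated in the thesis

    def __init__(self, decoys, seed=None):
        self.decoys = list(decoys)
        self.rng = random.Random(seed)
        self._pass_images = None

    def enrol(self, pass_images):
        images = set(pass_images)
        if len(images) < self.MIN_IMAGES:
            raise ValueError("need at least 1 pass-image")
        # The verifier must know the pass-images to place them on screens,
        # so (unlike Picture Password above) they cannot be stored as a hash.
        self._pass_images = images

    def new_challenge(self):
        if self._pass_images is None:
            raise RuntimeError("not enrolled")
        pool = sorted(self._pass_images)
        # Each screen shows either one pass-image or none. Assumption: at least
        # one screen shows a pass-image so that a challenge is never all "none".
        shows = [self.rng.random() < 0.5 for _ in range(self.SCREENS)]
        if not any(shows):
            shows[self.rng.randrange(self.SCREENS)] = True
        screens, expected = [], []
        for show in shows:
            tiles = self.rng.sample(self.decoys, self.TILES)
            answer = NO_PASS_IMAGE
            if show:
                answer = self.rng.choice(pool)
                tiles[self.rng.randrange(self.TILES)] = answer   # random position
            screens.append(tiles)
            expected.append(answer)
        return Challenge(screens, expected)

    def authenticate(self, challenge, answers):
        # Every screen must be answered correctly: missing a pass-image and
        # pressing "no pass-image" fails the attempt, as two participants found.
        if len(answers) != len(challenge.expected):
            return False
        ok = True
        for got, want in zip(answers, challenge.expected):
            ok &= hmac.compare_digest(got.encode(), want.encode())
        return ok


if __name__ == "__main__":
    pp = PicturePassword(GRID)
    pp.enrol(["icon01", "icon05", "icon05", "icon12"])
    print("Picture Password, same order:", pp.authenticate(["icon01", "icon05", "icon05", "icon12"]))
    print("Picture Password, swapped:   ", pp.authenticate(["icon05", "icon01", "icon05", "icon12"]))
    ae = AwaseE(DECOYS, seed=7)
    ae.enrol({"my-cup"})
    ch = ae.new_challenge()
    replies = ["my-cup" if "my-cup" in s else NO_PASS_IMAGE for s in ch.screens]
    print("Awase-E, correct per screen:", ae.authenticate(ch, replies))
```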
3.2 Prototype Development
The prototype for each authentication technique was made as similar as possible to the original
method in terms of the authentication user interface, to ensure that there is no bias towards any
of the selected techniques. The prototypes were deployed and tested on the same touch-screen smart
phone so that all the techniques could be evaluated equally.
The IBA prototypes, and the PIN and password prototypes, were developed using the .NET
Mobile Platform with the Visual Studio 2005 Professional IDE. Initial prototype testing was
performed to ensure the system contained no errors and that the prototypes were designed and
developed to be as similar as possible to the original authentication techniques.
3.3 Data Collection
In order to collect data for analysis, the experiment involved 20 test subjects. The participants were
asked to authenticate on the prototypes. In order to remove bias, the test subjects were varied
and balanced in terms of:
- Age
- Gender
- Educational level
- Knowledge of password authentication
The experiment consists of 3 stages: Enrolment and learning, memory test 1, and memory test 2.
During each stage, each participant has authenticated on all 4 of the prototypes in random order. In
order to answer the research question of this paper, the data for task completion time and error
rate have been recorded during the experiment for analysis at a later stage. The 3 stages in the
experiment are detailed as follows:
a) Stage 1: Enrolment and Learning
Participants were given a brief introduction on the purpose of the experiment and how the
experiment will be conducted.
For each of the authentication techniques, the participant was given a demonstration of how
enrolment and authentication work. Next, the participant was asked to enrol themselves and
was given several authentication trials for learning, in the order of enrolment.
For the PIN, the minimum length had to be 4 digits and the combination should be one the
participant believes to be safe and has never used before. The password should be
alphanumeric with a minimum length of 6 characters. Picture Password requires at least 4
pass-images while Awase-E requires at least one pass-image.
b) Stage 2: Survey and Memory Test 1
Following the enrolment and learning stage, the participant was asked to complete a
questionnaire related to their behaviours and opinions on mobile authentication in
general. The questionnaire also collected data regarding their perception of the tested
IBA techniques. This questionnaire also served as an unrelated task before the memory test
that follows.
After the completion of the questionnaire, which took around 15 to 20 minutes, the participant
was asked to perform authentications in random order. The participant could retry as many times
as they wished until they had successfully authenticated themselves.
c) Stage 3: Memory Test 2
For memory test 2, the participant was requested to return a week later to perform the
authentication, again in random order and for as many times as they wish until they are
authenticated, or until they have given up trying.
Following the memory test, the participant was asked to complete a brief questionnaire to
obtain their post experiment views and perception on the tested IBA techniques. Responses
from this exit interview will be compared to the previous interview response for analysis.
3.4 Analysis and Expected Outcomes
The performance for the IBA techniques will be discussed in relation to their technique design. The
findings on the user opinion will also be discussed. This information will be used to derive some
design guides and issues for future IBA technique designs.
In terms of authentication speed, the expected outcome is that PIN will be the fastest
technique, followed by Picture Password, password and Awase-E. This is because the input methods
for PIN and Picture Password are quite similar and easy to use, while password has longer and
harder to input characters. Awase-E's multiple screens, which require users to analyse each image,
are expected to result in a longer authentication process.
As for memorability, the most memorable techniques are expected to be Picture Password and
Awase-E, followed by PIN and password. This is consistent with previous research suggesting that
IBA techniques perform better in terms of memorability than PIN and password.
4 Findings
In this chapter, both the quantitative and qualitative data collected from the IBA prototype and user
survey will be analysed and presented in an integrated approach to discuss and also answer the research
questions. First, the findings on the speed of authentication will be presented followed by the findings
on authentication success rate and lastly, the user behaviour and opinions towards mobile security and
IBA will be discussed. In the last section, the issues and improvement areas for Picture Password and
Awase-E will also be addressed.
4.1 Speed of Authentication
[Figure 10: bar chart "Time to Complete Authentication"; y-axis Time (seconds), 0.00 to 25.00;
series PIN, Password, Picture Password and Awase-E; groups Stage 1, Stage 2, Stage 3 and Mean]
Figure 10: Authentication speed for PIN, Password, Picture Password and Awase-E
As expected, PIN took the shortest time to authenticate participants, averaging approximately 5
seconds across all stages. While its speed decreased marginally over the duration of the
experiment, PIN remains significantly faster than the other techniques. Interestingly, password
was at least twice, if not three times, slower than PIN, recording an average of 15.62 seconds
to authenticate.
Stage      PIN     Password   Picture Password   Awase-E
Stage 1    3.49    12.03      9.65               8.10
Stage 2    4.66    15.75      12.96              8.44
Stage 3    6.94    19.07      19.63              13.22
Mean       5.03    15.62      14.08              9.92
Table 2: Authentication speed in seconds for PIN, Password, Picture Password and Awase-E
Picture Password authenticated slightly quicker than password in Stages 1 and 2 but
unexpectedly slowed to match password's speed in Stage 3, averaging about 14 seconds
across all stages. Perhaps the most surprising result was that Awase-E, in contrast with the
predicted outcome, came second in terms of authentication speed, consistently and considerably
faster than password and Picture Password, recording an average of a little less than 10 seconds
at 9.92 seconds.
The Picture Password authors never published test results for speed of authentication, but
this experiment shows that Picture Password is indeed a rather slow technique, in contrast with
the earlier predicted outcome. Awase-E, on the other hand, was reported to perform at an average
of 24.6 seconds (Takada, Onuki & Koike 2006), a huge gap from the result in this experiment,
where Awase-E authenticated at an average of 9.92 seconds. As the Awase-E authors did not discuss
the speed of authentication in detail, it can only be speculated that most of the participants in
that experiment used more than one pass-image, resulting in slower authentication, in contrast
with the majority of participants in this experiment who used only one pass-image.
Again, personal devices such as mobile phones require instantaneous access (Phifer 2008) and in
this case users seeking convenience may still prefer to use PIN simply because it is the fastest
technique. However, some participants suggested that mobile phone users may be willing to
tolerate slower authentication techniques such as password, Picture Password and Awase-E as long
as it is deemed more secure especially in the scenario where they are required to authenticate only
once or several times in a day, for example. Users that prefer to be authenticated every time they
access the phone may be put off by slow authentication techniques.
4.2 Authentication Success Rate
[Figure 11: bar chart "Authentication Success Rate on First Trial"; y-axis Success Rate, 0.00% to
120.00%; series PIN, Password, Picture Password and Awase-E; groups Stage 1, Stage 2 and Stage 3]
Figure 11: Authentication success rate for PIN, Password, Picture Password and Awase-E
Again, as expected, Awase-E has the highest authentication success rate, recording 90% in
stage 1 and 95% in both stage 2 and 3. PIN and password were expected to decline in success
rate and did so, with PIN doing better than password, scoring 75% and 65% success rate in stage 3
respectively. It is interesting to note that Awase-E performed more poorly than the other
techniques in stage 1, where two participants made a mistake by missing their pass-image and
pressing the no-pass-image button.
Stage/Method   PIN        Password   Picture Password   Awase-E
Stage 1        100.00%    100.00%    100.00%            90.00%
Stage 2        85.00%     85.00%     85.00%             95.00%
Stage 3        75.00%     65.00%     55.00%             95.00%
Mean           86.67%     83.33%     80.00%             93.33%
Table 3: Authentication success rate for PIN, Password, Picture Password and Awase-E
Picture Password, on the other hand performed as expected with high success rate, rating equally
as PIN and password in stage 1 and 2 and was expected to score higher success rate in stage 3.
Instead, however, Picture Password’s success rate dropped significantly to almost 50% success rate,
recording only 55%.
While no performance data were published for Picture Password, it seems that its success rate
was as poor as its speed of authentication. As for Awase-E, its success rate results in this
experiment are consistent with the Awase-E performance report, which showed that it maintains a
high authentication success rate as time increases (Takada, Onuki & Koike 2006), as high as 100%
even after a period of 16 weeks. However, there is a difference between how that report and this
one interpret a successful authentication. In that research (Takada, Onuki & Koike 2006), the
participant was allowed 3 trials for all authentication techniques, and succeeding within 3 trials
counted as a successful attempt. This report regards only a successful first trial as a successful
authentication, and thus the findings from the two reports are not directly comparable.
Awase-E indeed could improve authentication rates among users and could potentially serve as an
alternative security measure to PIN and password while users may be reluctant to use Picture
Password due to the high chance of authentication failure. However, it is important to note that
even though PIN and password did poorly compared to Awase-E, users may still prefer to use the
former techniques due to familiarity. By crossing the authentication success rate data with
participant survey, at least 35% of the participants rated PIN or password as their preferred
technique (Top 1 and 2) despite making an error while using PIN or password in stage 3 (table 6).
Figure 12: Number of trials for PIN, Password, Picture Password and Awase-E
As users are more prone to authentication failure as time passes, for example in stage 3, it is
also worth looking at how many times participants needed to re-authenticate after making an
error, because users who fail the first trial but succeed on the second may be willing to continue
using the technique. However, if users need to re-authenticate more than twice too frequently,
they may feel that the authentication technique is too obtrusive and disable it.
Stage 3              PIN       Password   Picture Password   Awase-E
1st Trial            75.00%    65.00%     60.00%             95.00%
2nd Trial            5.00%     15.00%     10.00%             0.00%
More than 2 trials   20.00%    20.00%     30.00%             5.00%
Table 4: Number of trials for PIN, Password, Picture Password and Awase-E
PIN, password and Picture Password recorded 5%, 15% and 10% of participants needing a second
trial, respectively, while Awase-E had none. Surprisingly, in all four techniques the number of
participants requiring at least a third trial exceeds the number requiring only two trials, with
PIN and password each recording 20% needing more than two trials, while Picture Password and
Awase-E recorded 30% and 5% respectively. Again, Awase-E exceeded the performance of Picture
Password in this aspect.
Error/Mistake                 0 Week   1 Week
Picture too small             10       3
Confused with sequence        6        7
Input error                   4        2
Recall error                  3        10
Touch screen unresponsive     9        2
Unfamiliar with touch screen  4        1
Double clicked                1        0
Table 5: Type of error and mistake made by participants (number of occurrences)
Lastly, the type of error made by the participants could also reveal improvement areas for the IBA
methods. The resulting authentication success rate could be due to one of the problems, errors or
mistakes in table 5. Included among these are the user being confused with the sequence of either
PIN or Picture Password, input error and most importantly, recall error which has increased from 3
to 10 occurrences after one week. Notably, sequence and recall error had the strongest effect on
the authentication success rate. However, further research will be needed to identify which
technique is more prone to which type of error and which ones matter the most to the users.
4.3 User Behaviour and Opinions towards Mobile Security and IBA
When asked how many times they were willing to be authenticated in a day, 15% of participants
answered none at all, 40% only once at power on, 25% several times a day and 20% every time they
access the phone (refer to Table 6). This means that, in total, at least 85% of the participants
are willing to use authentication security on their mobile phones. However, the data collected
were not significant enough to analyse authentication frequency preference according to usage
group. Future research can focus on this area.
                          Willing Authentication Per Day
Phone Usage Per Day       None   Once   Several   Every time
1 to 5 (35%)              1      4      1         1
5 to 10 (30%)             2      3      0         1
More than 10 (35%)        0      1      4         2
Total                     15%    40%    25%       20%
Table 6: Usage a day against number of willing authentications (counts of the 20 participants)
Although all of the participants were aware of some sort of security mechanism on their phone,
such as a power-on PIN, SIM lock or standby lock, only 35% use them, citing the need to protect
data and email accounts from unintended use and in case the phone is lost. The remaining 65%
of the participants either did not know how to set up a PIN or password lock or were reluctant to
use one, giving reasons such as it being unnecessary, not having significant data stored, it being
troublesome, disabled by default or too time consuming for frequent access to the phone; some were
very particular about their phone and had never let other people use it.
While more than half of the participants are not currently using any mobile security mechanism on
their phone, the survey in this experiment showed that, if made aware, users may be willing to
adopt some sort of authentication mechanism to protect their phone, IBA being one of them.
4.3.1 User selected PIN, Password and Pass Images
In the experiment, the participants were asked to use PIN, password, Picture Password and
Awase-E and a summary of the “secret code” selected by the participants follows:
PIN – consists of numbers only, and participants were required to use a PIN of at least 4 digits,
which most did. From the data, it is clear that the subjects chose PINs that are easy to guess,
such as dates, numbers with meanings such as 1437 representing "I love you forever", four of the
same digit such as 8888, sequential numbers such as 1234 or 9876, and numbers forming a shape on
the number pad such as 2563 forming a "U" shape and 159357 forming an "X".
Password – consists of alphanumeric characters, and again most participants used the required
minimum of 6 characters. Among the passwords used by the participants were words, names or
nicknames, brand names, and sequential key presses on the keypad resulting in passwords such as
adgjmp or gjmptw. Interestingly, some participants chose a word a little shorter than the required
6 characters and then padded it with an unrelated character, as in unisa1 or names1.
Picture Password – consists of a minimum of 4 selected images, and the participant has to
remember the sequence of the selected images. For this technique, all of the participants used
the minimum number of images. As an observer, it is quite impossible to guess what the selected
images mean, although some selections appear to represent a short story, while a few participants
used 4 of the same image. An example of a short story is the selection of a man, a heart, a dog and
a computer, which could mean "men love dogs and computers" or "I love dogs and computers".
Awase-E – requires participants to capture and use at least 1 image as the pass-image. Most used
1 image while a few used 2; none used more than 3 pass-images. As participants needed to capture
an image using the phone's camera, they captured objects they could find in front of them, such as
a telephone, watch, water bottle, image in a newspaper or food, while a few captured an image of a
view, such as a kitchen or a room, which may be harder to recognize during authentication compared
with distinct objects.
4.3.2 User Preference of the Authentication Techniques
Criteria/Techniques     PIN              Password         Picture Password   Awase-E
                        0 week  1 week   0 week  1 week   0 week  1 week     0 week  1 week
Easy to create          90%     -        75%     -        60%     -          65%     -
Easy to authenticate    80%     85%      60%     70%      50%     45%        75%     75%
Easy to remember        85%     65%      70%     65%      45%     25%        70%     70%
Secure                  45%     60%      70%     75%      85%     80%        60%     50%
Preference (Top 1)      15%     25%      20%     35%      25%     0%         45%     40%
Preference (Top 2)      45%     50%      45%     55%      45%     30%        70%     65%
Table 6: Criteria rating and preference of PIN, Password, Picture Password and Awase-E (no 1-week
value was recorded for "Easy to create")
The increase in preference for PIN over the duration of the experiment could be due to its
higher authentication speed and higher authentication success rate. However, surprisingly, the
preference for password also increased although the technique performed poorly in terms of speed
and authentication success rate. The only possible explanation for this is that password remains
the more familiar authentication technique and users are not ready to give it up completely and
opt for newer authentication systems. A follow-up questionnaire may be needed to confirm this.
Finally, as expected, the poor performance of Picture Password resulted in a significant drop in
preference. Interestingly, Awase-E managed to maintain a high percentage of preference despite
experiencing a slight drop towards the end of the experiment.
4.4 Problems and Improvements for Picture Password
Initially, Picture Password was notably a top favourite for at least 25% of the participants.
However, this declined sharply after one week where none of the participants rated it as their
top preferred authentication method. Apart from finding the method confusing and hard to
remember, participants were having trouble finding or locating their pass images, resulting in
high error rates and slow authentication speed.
Participants suggested that this technique could be improved if the pass-image sequence
restriction were lifted, enabling users to enter whichever selected pass-image they saw first,
followed by the remainder of the pass-images. This is, of course, a probable way to improve
authentication speed and success rate. However, users may instead need to remember which
pass-images have already been entered to avoid entering the same pass-image more than once. In
addition, the implication for the technique's entropy may need to be studied.
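To make the entropy implication concrete, this added Python example (not from the thesis) counts the pass-image key space with and without the sequence restriction and converts it to bits of guessing resistance, allowing repeated images since some participants chose four of the same image; the 30-image grid size is an assumption, as the thesis does not state it, and k = 4 is the minimum the prototype required.

```python
import math


def picture_password_keyspace(n, k, ordered, repeats_allowed):
    """Number of distinct selections of k pass-images from a grid of n images.

    ordered=True  keeps the original sequence restriction (input order matters).
    ordered=False models the participants' proposal (any input order accepted).
    repeats_allowed=True covers observed choices such as "4 of the same image".
    """
    if n < 1 or k < 1:
        raise ValueError("grid size and pass-image count must be positive")
    if repeats_allowed:
        # ordered: each position is independent; unordered: multisets of size k
        return n ** k if ordered else math.comb(n + k - 1, k)
    if k > n:
        return 0
    return math.perm(n, k) if ordered else math.comb(n, k)


def bits(keyspace):
    """Guessing resistance in bits for a uniform choice over the key space."""
    return math.log2(keyspace)


def sequence_restriction_cost(n, k, repeats_allowed=True):
    """Key space with and without the sequence restriction, and the bits lost."""
    with_seq = picture_password_keyspace(n, k, True, repeats_allowed)
    without = picture_password_keyspace(n, k, False, repeats_allowed)
    return {
        "with_sequence": with_seq,
        "without_sequence": without,
        "bits_lost": bits(with_seq) - bits(without),
    }


def pin_keyspace(digits=4):
    """Reference point: the 4-digit minimum PIN used in the experiment."""
    return 10 ** digits


if __name__ == "__main__":
    GRID_SIZE = 30   # assumption: the thesis does not state the grid size
    for repeats in (True, False):
        r = sequence_restriction_cost(GRID_SIZE, 4, repeats)
        print(f"repeats allowed={repeats}: with sequence {r['with_sequence']} "
              f"({bits(r['with_sequence']):.1f} bits), without {r['without_sequence']} "
              f"({bits(r['without_sequence']):.1f} bits), lost {r['bits_lost']:.1f} bits")
    print(f"4-digit PIN: {pin_keyspace()} ({bits(pin_keyspace()):.1f} bits)")
```

Note that even without the sequence restriction the image selection remains larger than a 4-digit PIN under these assumptions; the loss is a fixed factor of up to k! (about 4.6 bits for k = 4), and the user-choice patterns noted in Section 4.3.1 reduce the effective space further than this uniform count suggests.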
4.5 Problems and Improvements for Awase-E
Many participants stated that they may use Awase-E and that the technique could improve
security. In fact, Awase-E was highly preferred throughout the experiment, recording 45% top
favourite despite dropping slightly to 40% towards the end of the experiment.
Participants suggested that the Awase-E technique should allow pass-images to be selected from
the photo collection already residing on their phone. This function is feasible, as seen in the
Awase-E research report (Takada, Onuki & Koike 2006), where users can upload a personal
photograph to be used as a pass-image to an Awase-E server from either a computer or a mobile
phone. The user's mobile phone can also act as a standalone server. However, due to the
nature of this experiment, the data from all participants needed to be centralized; thus,
participants were asked to create an ad hoc and simple pass-image using the camera function on
the mobile phone used in this experiment.
4.6 Improvements for both IBA techniques
From the author's observation during the experiment sessions, there are also several UI
improvements that both Picture Password and Awase-E could adopt.
a) Larger images for user input – Some participants have big fingers, especially the thumb, which
often blocks the image button the participant is trying to press. The small image buttons
used caused participants to accidentally select the wrong image.
b) Larger gaps between buttons or images could improve the user's perception of the precise
location of the image. In addition, accidental pressing of adjacent buttons or images
can be avoided.
c) Button or image press event – A "click" event requires the user to press and release the same
button to complete the event. Often participants' button clicks were cancelled because
they failed to complete the second part of the click event, releasing their press on the
same button. Instead, participants' presses were released away from the button they were
trying to click. To solve this, images or buttons should use the "keydown" event
rather than the "click" event, so that the UI detects input instantly when the user presses
the button.
5 Conclusion
In this last chapter, a summary of the thesis and experiment conducted will be presented along with the
contributions, limitations and future research:
Mobile phones are becoming increasingly important and valuable, but the current authentication
techniques of PIN and password are often misused, resulting in unprotected data and information on
the phones. While other authentication methods such as tokens and biometrics exist, they have well
known limitations that may hinder user adoption. Alternatively, image based authentication (IBA)
shows promising results in relation to improved memorability.
This thesis conducted an experiment to compare two IBA techniques, Picture Password and Awase-E in
terms of their usability, performance and user opinions towards the techniques in order to answer three
research questions: Which IBA technique authenticates faster, which IBA technique has a higher
authentication success rate, and what the user opinions are towards the IBA techniques. The key
findings show that PIN authenticates the fastest, followed by Awase-E while Awase-E shows higher
authentication success rate followed by PIN. Both Awase-E and PIN are rated the highest in terms of
user preference among the experimented authentication techniques. The findings have been presented
and discussed along with proposed improvements for the IBA techniques.
The thesis contributes towards the body of knowledge in user authentication especially in the usability
study of IBA techniques for authentication purposes in general by providing an indication of the usability
of IBA techniques and proposing improvements that can enhance the authentication experience, thus
encouraging consumers to increase adoption of IBA for their mobile phones and other devices.
However, the main limitation of this research is the sample size. The small sample size may result in
misrepresentation of the performance of the IBA techniques for the whole population. Despite this
limitation, this thesis serves as an exploratory endeavour that provides indications of the usability,
performance and user opinions towards IBA and also identifies potential directions for future research.
Thus, future research based on a larger sample size can explore other statistical values such as standard
deviation. Other factors such as age, gender or social group can also be taken into consideration for
analysis. Also, although the research questions were answered, no single technique performed
excellently across all aspects investigated in this experiment. However, it can be concluded that,
apart from PIN and password, which were included in the experiment as control techniques, between
Picture Password and Awase-E the latter outperformed the former significantly in terms of
authentication speed and success rate and is thus worthy of further investigation and improvement.
Therefore, further research is proposed to investigate which user acceptance criteria are the most
important for mobile authentication and how IBA, especially Awase-E, performs in terms of the
identified criteria. For example, one of the criteria could be pass-image creation time, which may be
investigated by allowing Awase-E to select pass-images from the user's own photo gallery on the phone.
The performance of Picture Password without the sequence restriction is also an interesting
avenue for future study. Lastly, it is also important to investigate the types of error that the IBAs are
prone to, which matter the most to users and how they can be improved.
Prepared By: Yeah Teck Chen
Page 21 of 23
University of South Australia
Image-Based Authentication for Mobile Phones: Performance and User Opinions
References
Adams, A & Sasse, M 1999, 'Users are not the enemy', Communications of the ACM, vol. 42, no. 12, pp. 40-46.
Adams, A, Sasse, M & Lunt, P 1997, 'Making passwords secure and usable', People and Computers, pp. 1-20.
Akula, S & Devisetty, V 2004, 'Image based registration and authentication system'.
ATMA 2008, '2008 Annual Report', AMTA Publication.
Clarke, N, 'Biometric User Authentication for Mobile Devices'.
Clarke, N & Furnell, S 2005, 'Authentication of users on mobile telephones – A survey of attitudes and practices', Computers & Security, vol. 24, no. 7, pp. 519-527.
Dae Sik, J, Hyun-Ae, P, Kang Ryoung, P & Jaihie, K 2005, 'Iris recognition in mobile phone based on adaptive Gabor filter', Berlin, Germany.
De Angeli, A, Coventry, L, Johnson, G & Coutts, M 2003, 'Usability and user authentication: Pictorial passwords vs. PIN', Contemporary Ergonomics, pp. 253-258.
Dhamija, R & Perrig, A 2000, 'Deja vu: A user study using images for authentication'.
Dirik, AE, Memon, N & Birget, J-C 2007, 'Modeling user choice in the PassPoints graphical password scheme', ACM, Pittsburgh, Pennsylvania.
Doi, M, Chen, Q, Sato, K & Chihara, K 1997, 'Lock-control system using face identification', Lecture Notes in Computer Science, vol. 1206, pp. 361-368.
Furnell, S, Clarke, N & Karatzouni, S 2008, 'Beyond the PIN: Enhancing user authentication for mobile devices', Computer Fraud and Security, vol. 2008, no. 8, pp. 12-17.
Furnell, SM & Clarke, NL 2007, 'Advanced user authentication for mobile devices', Computers & Security, vol. 26, no. 2, pp. 109-119.
Gafurov, D, Helkala, K & Søndrol, T 2006, 'Biometric Gait Authentication Using Accelerometer Sensor', Journal of Computers, vol. 1, no. 7, pp. 51-59.
Grashey, S & Schuster, M 2006, 'Multiple Biometrics', SmartKom: Foundations of Multimodal Dialogue Systems, pp. 181-193.
Han, S, Park, H, Cho, D, Park, K & Lee, S 2007, 'Face recognition based on near-infrared light using mobile phone', Lecture Notes in Computer Science, vol. 4432, p. 440.
Isohara, T, Takemori, K & Sasase, I 2008, 'Anomaly Detection on Mobile Phone Based Operational Behavior', Information and Media Technologies, vol. 3, no. 1, pp. 156-164.
Jansen, W 2004, 'Authenticating mobile device users through image selection', The Internet Society: Advances in Learning, Commerce and Security, vol. 1, pp. 183-194.
Jermyn, I, Mayer, A, Monrose, F, Reiter, M & Rubin, A 1999, 'The Design and Analysis of Graphical Passwords'.
Kim, D-J & Hong, K-S 2008, 'Multimodal biometric authentication using teeth image and voice in mobile environment', IEEE Transactions on Consumer Electronics, vol. 54, no. 4, pp. 1790-1797.
Nicholson, AJ, Corner, MD & Noble, BD 2006, 'Mobile device security using transient authentication', IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-1502.
O'Gorman, L 2003, 'Comparing passwords, tokens, and biometrics for user authentication', Proceedings of the IEEE, vol. 91, no. 12, pp. 2021-2040.
Pering, T, Sundar, M, Light, J & Want, R 2003, 'Photographic authentication through untrusted terminals', IEEE Pervasive Computing, vol. 2, no. 1, pp. 30-36.
Phifer, L 2008, 'Mobile Security: Protecting mobile devices, data integrity and your corporate network', Search Mobile Computing.
Su, Q, Tian, J, Chen, X & Yang, X 2005, 'A fingerprint authentication mobile phone based on sweep sensor', Lecture Notes in Computer Science, vol. 3687, p. 295.
Takada, T & Koike, H 2003, 'Awase-E: image-based authentication for mobile phones using user's favorite images', Lecture Notes in Computer Science, pp. 347-351.
Takada, T, Onuki, T & Koike, H 2006, 'Awase-E: Recognition-based Image Authentication Scheme Using Users' Personal Photographs', Innovations in Information Technology, 2006, pp. 1-5.
Weiss, R & Luca, AD 2008, 'PassShapes: utilizing stroke based authentication to increase password memorability', ACM, Lund, Sweden.
Yan, J, Blackwell, A, Anderson, R & Grant, A 2000, 'The memorability and security of passwords: some empirical results', Technical Report, University of Cambridge Computer Laboratory, p. 1.
Appendix A – User selected code
Participant ID   PIN      Password    Picture Password   Awase-E
Participant 1    110285   ableman
Participant 2    1437     zyxw32
Participant 3    61003    alexlee
Participant 4    625213   cacing82
Participant 5    8052     helloo
Participant 6    2141     ibanez
Participant 7    5555     joanne
Participant 8    159357   asiawin
Participant 9    9876     unisa1
Participant 10   1698     adgjmp
Participant 11   7229     jason1
Participant 12   5805     aakash
Participant 13   36987    timberleng
Participant 14   8888     gjmptw
Participant 15   1223     rulers
Participant 16   1234     password
Participant 17   2563     dajtwm
Participant 18   2826     alvins
Participant 19   5246     wbilby
Participant 20   2421     dexters
[The Picture Password and Awase-E columns held each participant's selected images, which did not survive extraction.]
Appendix B – Performance data (Authentication Speed)
Authentication time per subject for each method (PIN; PW = Password; PP = Picture Password; AE = Awase-E) at each of the three stages.

Stage 1
Subject   PIN      PW       PP       AE
1         5.93     14.80    16.67    12.10
2         2.70     13.90     6.70     5.50
3         4.20     13.40     7.40     8.15
4         2.60     12.80     5.20     5.90
5         2.90     12.90     8.80    13.60
6         3.00     11.30     9.20     8.70
7         3.00      6.60    13.00     6.10
8         6.50     15.20     5.10     5.50
9         3.80     12.40     6.00     6.45
10        2.50      3.70    10.80     9.20
11        5.50      9.00    11.50    11.90
12        2.40      7.80     5.60     9.40
13        3.80     11.00    18.30     7.30
14        2.30     16.45    18.20     6.60
15        2.20      8.20     5.30     5.70
16        3.10     15.30     7.90     8.90
17        3.50      4.50     5.30     6.40
18        4.40     22.60     8.50     8.50
19        2.60     13.40    12.70     8.70
20        2.90     15.40    10.80     7.30
Mean      3.49     12.03     9.65     8.10

Stage 2
Subject   PIN      PW       PP       AE
1         6.10     24.95    12.20    15.30
2         3.30     12.50     6.40     6.20
3         3.90      7.80    19.40    13.00
4         2.80     10.60     6.95     5.65
5         4.80     15.90    28.40    13.20
6         4.50     13.10     8.80     7.50
7         2.90      6.60    15.40     4.30
8         6.30     19.20    14.10     8.60
9         4.20     66.80     6.60    10.70
10       18.70      5.45    25.20     7.95
11        5.50      8.20     9.60     7.70
12        4.45      8.70    10.90     7.60
13        2.70     12.10    26.90     7.20
14        1.90     17.30     5.80     4.15
15        2.30     10.50     6.80     5.30
16        2.35      8.70     6.90     7.00
17        5.60      9.00     9.70     6.40
18        4.00     24.90    12.30    14.50
19        4.00     12.90     9.85     8.30
20        2.80     19.75    16.93     8.20
Mean      4.66     15.75    12.96     8.44

Stage 3
Subject   PIN      PW       PP       AE
1        19.43     34.57    28.27    42.30
2         4.00     28.10    12.68    11.70
3         5.60     20.08    20.35    19.80
4         3.60     37.00    21.50     6.60
5         7.08     11.20    14.30    12.96
6         5.70     13.10     9.65    10.20
7         8.90     10.80    23.90     8.80
8        12.30     40.10    18.80    15.20
9         4.40     29.70     9.20    23.30
10        3.20      8.77    16.20     6.15
11       16.60      9.60    27.98    10.50
12        2.70      9.10    12.60    12.20
13        5.80     22.80    63.78     8.80
14        6.50     11.74    25.00     5.50
15        7.20      8.95     9.60    13.40
16        2.90     13.70    22.33    12.70
17        4.90      8.35    15.40     4.90
18        8.20     30.70    13.70    20.10
19        6.83     16.00    16.20     9.10
20        3.00     17.10    11.20    10.20
Mean      6.94     19.07    19.63    13.22
Appendix C – Déjà vu
Déjà vu (Dhamija & Perrig 2000) is a recognition-based IBA technique that uses random art, that is,
abstract images, for user authentication. The Déjà vu prototype requires users to select a username
and a set of pass-images from a given image set. During authentication, users re-enter the username
and then select their pass-images from a set of images that also contains decoy images. The user
study (Dhamija & Perrig 2000) showed slower creation and authentication times, but fewer failed
logins, compared with PIN and password. The technique was also proposed for use on ATMs and for web
authentication.
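The enrol-then-recognise flow just described, as an added simulation that is not code from the thesis or from the Déjà vu prototype: a user enrols a set of pass-images, the login screen mixes them with decoys, and verification succeeds only for the exact pass-image set. Image identifiers, portfolio size and challenge size are assumed values; the last function gives the blind-guess probability for those sizes.

```python
"""Added example, not code from the thesis or from the Deja vu prototype:
a minimal simulation of the recognition-based flow Appendix C describes
(enrol pass-images, then pick them out of a challenge that also holds decoys).
Image identifiers and the portfolio/challenge sizes are assumed values."""
import math
import random
from typing import FrozenSet, Iterable, List

# Constructed catalogue of identifiers standing in for random-art images.
CATALOGUE: List[str] = [f"img{i:02d}" for i in range(40)]
PORTFOLIO_SIZE = 5   # pass-images chosen at enrolment (assumed)
CHALLENGE_SIZE = 25  # images shown at login: portfolio plus decoys (assumed)


def enrol(chosen: Iterable[str]) -> FrozenSet[str]:
    """Enrolment: the user picks PORTFOLIO_SIZE distinct catalogue images.
    Unlike a password hash, the verifier must keep the portfolio itself,
    because it has to put those images on the login screen."""
    portfolio = frozenset(chosen)
    if len(portfolio) != PORTFOLIO_SIZE or not portfolio <= set(CATALOGUE):
        raise ValueError(f"need exactly {PORTFOLIO_SIZE} distinct catalogue images")
    return portfolio


def make_challenge(rng: random.Random, portfolio: FrozenSet[str]) -> List[str]:
    """Login screen: every pass-image plus decoys from the rest of the catalogue,
    shuffled so screen position reveals nothing about which are pass-images."""
    decoys = rng.sample([i for i in CATALOGUE if i not in portfolio],
                        CHALLENGE_SIZE - len(portfolio))
    challenge = list(portfolio) + decoys
    rng.shuffle(challenge)
    return challenge


def verify(portfolio: FrozenSet[str], challenge: List[str],
           selected: Iterable[str]) -> bool:
    """Succeeds only if the selection is exactly the pass-image set: a missed
    pass-image, an extra decoy, or an id not on screen all count as a failed login."""
    chosen = frozenset(selected)
    if not chosen <= frozenset(challenge):
        return False
    return chosen == portfolio


def guess_probability(challenge_size: int = CHALLENGE_SIZE,
                      portfolio_size: int = PORTFOLIO_SIZE) -> float:
    """Chance that one blind pick of portfolio_size images out of the challenge
    is exactly the portfolio: 1 / C(challenge_size, portfolio_size)."""
    return 1.0 / math.comb(challenge_size, portfolio_size)
```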