User Authentication

1
User Authentication
Image Recognition in

• Rachna DhamijaHuman Centered Computing
  CourseDecember 6, 1999

2
Problem

• Security systems
• human factors?
• Passwords
• multiple long strings

3
A solution

• Replace text w/ images?
• Replace recall w/ recognition
• Portfolio
• Random Art Real Images

4
Visual Memory

• Vast, almost limitless memory for pictures
  Haber
• Recognition
• Fraction of a sec to remember recognize
  Intraub, Pavio Codes
• 2560 photos for few seconds ? 90 recognition
  rate Standing, Conezio Haber
• 10,000 photos ? 2 days, 66 recognized Standing
• Recall
• recall semantics or sketch
• pictures are not only recognized better but are
  also recalled better than words Standing

5
Task Analysis

• Target population general computer users
• novice/expert users
• few passwords/multiple passwords
• 10 (20) people interviewed about behavior
• 10 40 instances vs. 1-7 actual passwords
• names, phone numbers, fav movies, 6 char
• tools majority wrote them down, 2 PIM
• minimum effort, never change them
• ability to share is a feature
• people hate passwords
• but prefer them to alternatives

6
Security Brute Force Attack
4 Digit PIN 5 out of 20 images 6 char password
10 out of 55 BUT most passwords require lt
brute force!
7
Security Analysis (cont)

• Benefits
• Images easier to remember
• less errors
• change more frequently
• good for infrequently used passwords?
• Images esp Random Art is hard to describe
• Vulnerabilities
• shoulder surfing attack
• intersection attack

8
Lo-fi Prototype

• Task create portfolio login
• People can remember images! (4-10)
• Photos/art 50/50 preference time
• Wanted to view portfolio during creation
• Must be simple and fast (no click through
  screens)
• Horizontal layout for quick scanning

9
(No Transcript)
10
(No Transcript)
11
Experiment Design

• Create 4 passwords
• PIN (4 digits)
• Password (6 char.)
• Art portfolio (5/100)
• Photo portfolio (5/100)

• Login
• PIN
• Password
• Art (5/25)
• Photo (5/25)

• Task order- 50 did Art first
• Image order
• Repeat login after 1 week!

12
Test Measures
Does not include uncompleted tasks
sev1 minorsev2 major, recoverablesev3 major,
unrecoverable No unrecoverable errors made with
portfolios
13
More Results

• Comfort Level
• Create portfolio - _at_
• Login portfolio - wow
• Text vs. images
• Passwords/PINS faster to create/logon
• Photos easier to remember than PINS (short term)
• Art vs. photos
• Photos easier to remember, schemes, more personal
• People chose similar photos, but not art
• Interface issues
• Scrolling is bad, one screen, thumbnails,
  single-click
• Lack of feedback
• picked so far, which picked??
• how to give feedback securely?

14
Changes to next version
show selected
1 image selected
hide selected images
smaller images
15
Conclusions

• Potential for use
• where text input is hard, limited observation
  (e.g., ATM, PDA)
• infrequent, high availability passwords
• Future Directions
• Self created images
• authenticate recreate or recognize

• Random Art Text
• Sharing collaboration
• Other human abilities?

16
References

• Houston JP. Fundamentals of learning and memory.
  4th ed. Florida Harcourt Brace Jovanovich 1991.
  
• Ralph Norman Haber. How we remember what we see.
  Scientific American, 222(5)104-112, May 1970.
• Lionel Standing. Learning 10,000 pictures.
  Quarterly Journal of Experimental Psychology,
  25207-222, 1973.
• Lionel Standing, Jerry Conezio, and Ralph Norman
  Haber. Perception and memory for pictures
  Single-trial learning of 2500 visual stimuli.
  Psychonomic Science, 19(2)73-74, 1970.
• Helene Intraub. Presentation rate and the
  representation of briefly glimpsed pictures in
  memory. Journal of Experimental Psychology
  Human Learning and Memory, 6(1)1-12, 1980.
• Hash Visualization A New Technique to Improve
  Real-World Security, Adrian Perrig and Dawn Song,
  in Proceedings of the 1999 International Workshop
  on Cryptographic Techniques and E-Commerce
  (CryTEC '99)