Abstract
Picture passwords, which require users to complete a picture-based task to log in, are increasingly being embraced by researchers as they offer a better tradeoff between security and memorability. Recent works proposed the use of personalized familiar pictures, which are bootstrapped to the users’ prior sociocultural activities and experiences. However, such personalized approaches might entail guessing vulnerabilities by people close to the user (e.g., family members, acquaintances) with whom they share common experiences within the depicted familiar sceneries. To shed light on this aspect, we conducted a controlled in-lab eye-tracking user study (n = 18) focusing on human attack vulnerabilities among people sharing common sociocultural experiences. Results revealed that insider attackers, who share common experiences with the legitimate users, can easily identify regions of their selected secrets. The extra knowledge possessed by people close to the user was also reflected in their visual behavior during the human attack phase. Such findings can drive the design of assistive security mechanisms within personalized picture password schemes.
1 Introduction
Computer security systems encompass concepts and methods for the protection of sensitive information. In this context, user authentication is an essential security task performed daily by millions of users. Traditional solutions employ text-based passwords, which require users to memorize a sequence of alphanumeric characters. However, memorizing strong text-based passwords results in increased cognitive load and often leads to poor usability and limited security [1]. To offer a better tradeoff between security and usability, prior works proposed various picture password schemes [3], which require users to complete a picture-based task to authenticate.
An important interface design factor that affects both the security [4, 5, 7] and usability [9,10,11, 13] of picture password schemes is the background picture(s) used [4, 5, 15]. Several studies have investigated various picture content types, which can be broadly categorized as generic (i.e., not familiar to the users, e.g., stock, landscapes, abstract, etc.) and personal (i.e., highly familiar to the users, e.g., depicting scenes, people, or objects highly familiar to users), and reported their effects on the security and memorability of the user-chosen picture passwords. In particular, the use of generic pictures impacts negatively both the security and memorability of picture passwords [4, 15], while the use of personal pictures impacts negatively the security but leads to increased memorability of picture passwords [15, 16]. In an attempt to achieve a better tradeoff between security and memorability, more recent works investigated and proposed the use of personalized familiar pictures, which are bootstrapped to the users’ prior sociocultural activities, experiences and explicit memories [18, 19, 34, 35], revealing a positive impact on the security without hampering the memorability of picture passwords [18, 19]. Nevertheless, such personalized picture delivery approaches might be susceptible to attacks performed by insiders [21, 22] (i.e., people close to the user, such as, family members, acquaintances) with whom they share common experiences within the depicted familiar pictures.
Given that the process of picture password authentication is a visual search task, eye-tracking technology could be used to shed light on how a legitimate user’s gaze path relates to an insider attacker’s gaze path, and eventually infer whether the person attempting to login is a legitimate user or an insider attacker close to the legitimate user. While attempts have been made towards improving and estimating the security of authentication schemes using eye-tracking technology [15, 23,24,25, 27, 28], to the best of the authors’ knowledge, no research attempts have been made to estimate the legitimacy of the user authenticating in a personalized picture password scheme that leverages on users’ prior sociocultural activities, experiences and explicit memories. This work presents the initial findings of applying an eye gaze-driven metric for unobtrusively estimating the legitimacy of the person authenticating in a personalized picture password scheme by analyzing the users’ eye gaze behavior during login.
2 Related Work
2.1 Picture Content in Picture Passwords
Prior works investigated the use of picture semantics and their effects on the security and memorability of user-chosen picture passwords. Pictures can be broadly categorized as generic (i.e., not directly relevant nor familiar to the users, e.g., abstract, nature, landscapes, etc.) or personal (i.e., directly relevant and highly familiar to the users, e.g., depicting people, objects, or scenes highly personal to users). The use of generic picture content has a negative impact on both the security and memorability of the user-chosen passwords. Studies in [4, 15] revealed that various generic pictures are susceptible to hotspots (i.e., certain points on a picture that are more likely to be selected by users), which leads to the creation of predictable passwords that are prone to automated attacks [30]. From the memorability perspective, generic picture content leads to decreased memorability since users experience difficulties in creating strong connections between their episodic memories and the depicted content [16, 31]. The use of personal picture content also impacts the security and memorability of picture passwords. From the security perspective, the use of pictures that are familiar to the user increases the likelihood of certain areas on the picture to be chosen as part of the password [15]. However, from the memorability perspective, the use of personal pictures leads to increased memorability possibly due to familiarity of users with the depicted picture content [16]. More recent works investigated the use of personalized familiar pictures, which are bootstrapped to the users’ prior sociocultural activities, experiences and explicit memories, revealing a positive impact on the security without hampering the memorability of picture passwords [18, 19].
2.2 Eye Gaze in User Authentication
Eye-tracking technology has been widely used in the context of user authentication. Darrell and Duchowski [23] proposed a rotary interface for gaze-based PIN code entry during user authentication, while Bulling et al. [15] proposed to hide potential picture hotspots using saliency maps. A study conducted by Sluganovic et al. [27] revealed that the reflexive physiological behavior of human eyes can be used to build fast and reliable biometric authentication systems. More recent works employed eye gaze data for predicting image content familiarity in picture password schemes [36], as well as for understanding how individuals make their picture password selections [26]. Moreover, works in [24, 28] proposed eye gaze-driven security metrics for estimating the strength of picture passwords.
3 Eye-Tracking Study
Bearing in mind that when using the personalized picture password approach, the password selections are based on the users’ existing sociocultural experiences, such personalized approaches are likely to be susceptible to attacks performed by insiders [21, 22] (i.e., people close to the user, such as family members or acquaintances) with whom they share common experiences. In order to shed light on this aspect, we conducted an in-lab eye-tracking human attack study focusing on attacks performed by insiders among people sharing common sociocultural experiences. Each session of the study involved a pair of participants who were closely related (e.g., friends, couples, relatives, etc.) and who shared common experiences. In each session, both participants were first requested to create a picture password, and then each participant was requested to guess the password selections of the other participant.
3.1 Research Question
RQ. Is there a significant difference in users’ visual behavior between legitimate users and insider attackers when authenticating in a picture password scheme that employs personalized picture content?
3.2 Study Instruments and Metrics
Picture Password Authentication Scheme. We implemented a Web-based picture password scheme, similar to Windows 10™ PGA [32], in which users can create picture passwords consisting of three gestures (any combination of taps, lines, and circles). The picture is divided into a grid containing 100 segments on the longest side and scaled accordingly on the shortest side. The mechanism allows for a tolerance distance in terms of the coordinates on the grid (36 segments around each initially selected segment are accepted (Note 1) [13], forming a circle with a radius of 3 segments). This tolerance allows for better accuracy of users’ selections during login. However, there is no tolerance regarding the ordering, type, and directionality of the gestures.
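The verification rules described above, written out as an added Python example (this is illustrative code, not the authors' Web-based implementation): the picture is mapped onto a grid with 100 segments on its longest side, each stored segment is accepted within a circle of radius 3 segments, and the order, type and directionality of the three gestures are checked strictly. The gesture data model, the `Gesture` names and the decision to give a circle's radius the same tolerance as a position are assumptions made for the example; the page only specifies the positional tolerance.

```python
from dataclasses import dataclass
from math import hypot
from typing import List, Optional, Tuple

Segment = Tuple[int, int]
GRID_LONG_SIDE = 100   # segments along the picture's longest side (as in the paper)
TOLERANCE_RADIUS = 3   # accepted distance, in segments, around each stored segment


def pixel_to_segment(px: float, py: float, width: int, height: int) -> Segment:
    """Map a pixel coordinate to a grid segment. The longest side is split into 100
    segments and the shorter side uses the same segment size, so a 16:9 picture
    gets a grid of 100 columns by about 56 rows."""
    seg = max(width, height) / GRID_LONG_SIDE
    return int(px // seg), int(py // seg)


def within_tolerance(a: Segment, b: Segment) -> bool:
    """Euclidean distance on the grid, i.e. a circle of radius 3 around the stored segment."""
    return hypot(a[0] - b[0], a[1] - b[1]) <= TOLERANCE_RADIUS


@dataclass(frozen=True)
class Gesture:
    kind: str                       # 'tap', 'line' or 'circle'
    start: Segment                  # tap position, line start, or circle centre
    end: Optional[Segment] = None   # line end point (lines only)
    radius: int = 0                 # circle radius in segments (circles only)
    clockwise: bool = True          # circle drawing direction (circles only)


def gesture_matches(stored: Gesture, drawn: Gesture) -> bool:
    """Positions are compared with tolerance; type and directionality are not."""
    if stored.kind != drawn.kind:
        return False
    if not within_tolerance(stored.start, drawn.start):
        return False
    if stored.kind == 'line':
        # Start and end are compared in order, so a line drawn the other way fails.
        return within_tolerance(stored.end, drawn.end)
    if stored.kind == 'circle':
        # Assumption for this example: the radius gets the same tolerance as a position.
        return (stored.clockwise == drawn.clockwise
                and abs(stored.radius - drawn.radius) <= TOLERANCE_RADIUS)
    return True


def verify_login(stored: List[Gesture], drawn: List[Gesture]) -> bool:
    """Exactly three gestures, compared pairwise in the order they were drawn."""
    return (len(stored) == len(drawn) == 3
            and all(gesture_matches(s, d) for s, d in zip(stored, drawn)))


# Constructed example password and login attempts (grid coordinates, not study data).
SECRET = [Gesture('tap', (12, 40)),
          Gesture('line', (30, 10), (70, 10)),
          Gesture('circle', (55, 60), radius=8, clockwise=True)]
CLOSE_ENOUGH = [Gesture('tap', (14, 42)),
                Gesture('line', (31, 9), (68, 12)),
                Gesture('circle', (57, 58), radius=9, clockwise=True)]
LINE_REVERSED = [SECRET[0], Gesture('line', (70, 10), (30, 10)), SECRET[2]]
WRONG_ORDER = [SECRET[1], SECRET[0], SECRET[2]]
TAP_TOO_FAR = [Gesture('tap', (16, 40)), SECRET[1], SECRET[2]]

if __name__ == "__main__":
    for name, attempt in [("close enough", CLOSE_ENOUGH), ("line reversed", LINE_REVERSED),
                          ("wrong order", WRONG_ORDER), ("tap too far", TAP_TOO_FAR)]:
        print(f"{name}: {'accepted' if verify_login(SECRET, attempt) else 'rejected'}")
```

The `TAP_TOO_FAR` attempt is four segments away from the stored tap and is rejected, while `CLOSE_ENOUGH` drifts by at most two segments in each direction and passes; the reversed line and the reordered gestures are rejected even though every segment they touch is within tolerance, which is exactly the "no tolerance on ordering, type and directionality" rule.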
Picture Content.
To control participants’ sociocultural familiarity with the picture semantics and thus investigate the research question, we adjusted the picture semantics to reflect participants’ shared, individual and common sociocultural experiences from their daily life context (i.e., working places in the case of colleagues, café/bars in which couples or close friends usually hang out, etc.), as depicted in Fig. 1. For doing so, prior to the study, we asked each pair of participants to provide a set of pictures from places in which they share common experiences. To avoid bias effects, we did not inform the participants about the reason they were providing us the pictures until the end of the study. The sets of pictures were based on existing research that has shown that users tend to select pictures illustrating sceneries [5, 8, 33].
Considering that the number of hotspots and the picture complexity affect the password strength [6, 13], we chose pictures with a similar number of hotspots and similar complexity. For doing so, we followed a semi-automated approach to detect the hotspot regions through a combination of computer vision techniques for object detection (Notes 2, 3) and saliency filters [12]. Furthermore, we assessed the equivalence of the two picture sets by calculating the picture complexity using entropy estimators [29].
Equipment and Eye Gaze Metrics.
An All-in-One HP computer with a 24″ monitor was used (1920 × 1080 pixels, 16:9 aspect ratio). To capture eye movements, we used a Gazepoint GP3 eye tracker (Note 4), which captures data at 60 Hz and was calibrated following the manufacturer’s guidelines. No equipment was attached to the participants. Following existing approaches for capturing the variability of users’ eye movement characteristics within picture password schemes [24, 28], we relied on the gaze transition entropy proposed by Krejtz et al. [14]. In particular, we estimated the stationary entropy Hs, which captures the distribution of fixations over the stimulus (i.e., the areas of interest (AOIs) to which the eye-tracking metrics are applied). Greater values of Hs occur when visual attention is distributed more equally among AOIs, while lower values of Hs indicate that fixations tend to be concentrated on certain AOIs. Stationary entropy Hs was computed using Shannon’s entropy equation:
where X is the set of fixations for each user, N is the number of available AOIs, and pi is the probability that a user fixates on AOI i. Considering that fixation duration correlates with cognitive processing [17, 20], and that users who exhibit longer fixations on AOIs tend to select them [2], the probability pi is computed as follows:
where di is the total fixation duration on AOI i, so that pi is the share of di in the total fixation duration across the N AOIs. By applying Eq. (2) to Eq. (1), the entropy of fixations is computed as follows:
N = 3: the picture is divided into three vertical AOIs [14].
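As an added worked example (not code from the paper), the following Python computes the stationary entropy Hs exactly as defined above: fixations are binned into N = 3 vertical AOIs, di is the total fixation duration on AOI i, pi = di / Σ dj, and Hs is the Shannon entropy of the pi in bits. The two fixation sequences are constructed for illustration, and the 1920-pixel stimulus width and the millisecond durations are assumptions; they are not the study's data.

```python
from math import log2
from typing import List, Tuple

N_AOIS = 3            # the picture is divided into three vertical AOIs, as in the paper
PICTURE_WIDTH = 1920  # assumed pixel width of the stimulus on the 1920 x 1080 display


def aoi_of(x: float, width: int = PICTURE_WIDTH, n: int = N_AOIS) -> int:
    """Index (0..n-1) of the vertical AOI strip that contains pixel column x."""
    return max(0, min(int(x * n / width), n - 1))


def fixation_durations(fixations: List[Tuple[float, float]],
                       width: int = PICTURE_WIDTH, n: int = N_AOIS) -> List[float]:
    """d_i: total fixation duration accumulated on each AOI.
    Each fixation is a (x_pixel, duration_ms) pair."""
    d = [0.0] * n
    for x, dur in fixations:
        d[aoi_of(x, width, n)] += dur
    return d


def stationary_entropy(durations: List[float]) -> float:
    """Shannon entropy, in bits, of p_i = d_i / sum_j d_j (Eq. (3) in the paper).
    AOIs that received no fixation contribute nothing (0 * log 0 is taken as 0)."""
    total = sum(durations)
    if total <= 0:
        return 0.0
    return -sum((d / total) * log2(d / total) for d in durations if d > 0)


# Constructed fixation samples (x pixel, duration ms), not data from the study:
# one viewer keeps returning to the left strip, the other scans the whole picture.
CONCENTRATED = [(120, 400), (300, 350), (450, 150), (800, 100)]
SPREAD = [(200, 200), (950, 250), (1700, 200), (400, 150), (1300, 200)]


def compare(concentrated=CONCENTRATED, spread=SPREAD) -> Tuple[float, float]:
    """Hs for both viewers; the scanning viewer is expected to score higher."""
    return (stationary_entropy(fixation_durations(concentrated)),
            stationary_entropy(fixation_durations(spread)))


if __name__ == "__main__":
    h_conc, h_spread = compare()
    print(f"concentrated gaze: {h_conc:.2f} bits, spread gaze: {h_spread:.2f} bits")
```

With N AOIs the metric is bounded above by log2(N), reached when the fixation duration is split equally across the three strips, and it is 0 when every fixation falls in a single strip; the constructed samples give roughly 0.47 bits for the concentrated viewer and 1.56 bits for the scanning one.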
3.3 Sampling and Procedure
Participants. A total of 18 individuals (9 females) participated in the study, ranging in age from 25 to 60 years old (m = 41.43, sd = 11.88). Since the purpose of this study was to understand whether there are differences between legitimate users’ and insiders’ visual behavior, we intentionally recruited pairs of participants who are close to each other (3 couples, 3 pairs of close friends, 3 pairs of colleagues). To increase the internal validity of the study, we recruited participants who had no prior experience with picture password authentication mechanisms, as assessed by a post-study interview conducted in order to exclude any participants with prior knowledge of picture passwords.
Experimental Design and Procedure.
Participation in the study was anonymized to ensure privacy compliance according to the EU General Data Protection Regulation. Participants were informed that the collected data would be analyzed for research purposes only. Also, we took all the necessary measures against Covid-19 to ensure the participants’ safety. The study was conducted in a quiet lab room with only the researcher present and was split into two phases as follows: i) Phase A – Password Creation: Each pair of closely related participants (e.g., friends, couples, colleagues, etc.) visited the laboratory at a pre-scheduled time within the Covid-19 safety regulations. First, the eye calibration process started, and then participants were requested independently to create a picture password by drawing 3 gestures on the picture (any combination of taps, lines, circles) in order to access an online service. To avoid bias effects during Phase B (Human Guessing Attack), each participant created a password on a different picture that depicted places in which they share common experiences; ii) Phase B – Human Guessing Attack: We switched the pictures of the pairs and each participant was requested to guess the other participant’s secrets by indicating 3 areas (i.e., 3 (x, y) segments on the grid) on the picture around which they believed the other participant had made their selections. Also, we adopted the think-aloud protocol aiming to elicit whether the rationale behind the attacker’s selections is related to the shared memories and experiences with the other participant from the same pair. Finally, both participants completed a questionnaire on demographics.
3.4 Analysis of Results
Visual Behavior Differences Between Legitimate Users and Insider Attackers During Login. To investigate our RQ, we ran a paired-samples t-test with the entropy from Eq. (3) as the dependent variable tested under two different conditions (i.e., during legitimate user login and during insider attacker login). The analysis revealed that insider attackers exhibited higher stationary entropy Hs (8.70 ± 2.02 bits) than legitimate users (1.55 ± 0.78 bits), a statistically significant difference of 7.15 ± 1.24 bits (95% CI, 3.35 to 10.94 bits), t(8) = 4.04, p = .001. Figure 2 shows the stationary entropy Hs of both legitimate users and insider attackers.
Revealing the Insider Attacker’s Strategy When Guessing a Picture Password.
To get further insights into the approach followed by the insider attackers, at the end of Phase B (Human Guessing Attack) we asked each participant to show us the picture password selections they made on the screen, and we labelled them as either H (Hotspot), E (Experience spot; provided by the user), or O (Other; non-hotspot, non-experience spot). In order to understand the similarities, in terms of areas correctly matched on the picture grid, between legitimate users’ password selections and insider attackers’ guessing selections, we disregarded the order and the type of the gestures and focused instead on the positions of the password selections, as follows: for circles, we disregarded the radius and the directionality and kept only the center of the circle as an (x, y) segment, while for lines, we considered only the (x, y) segment of the starting point of the line. Table 1 summarizes the approach followed by the legitimate users and the areas correctly matched by the insider attackers.
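The position-only comparison described in this paragraph, as an added Python example (illustrative code written for this page, not the authors' analysis script): each gesture is reduced to a single (x, y) segment (taps keep their position, lines keep their starting point, circles keep their centre), the attacker's three guesses are paired with the legitimate user's three selections in whichever order yields the most matches within the 3-segment tolerance circle, and each guess is labelled H, E or O. The gesture tuple layout, the precedence of H over E when a guess is close to both a hotspot and an experience spot, and all coordinates and spot lists are constructed assumptions for the example.

```python
from itertools import permutations
from math import hypot
from typing import List, Sequence, Tuple

Segment = Tuple[int, int]
TOLERANCE_RADIUS = 3  # the same 3-segment tolerance circle the login mechanism uses


def anchor_segment(gesture: tuple) -> Segment:
    """Reduce a gesture to one (x, y) grid segment as the paper describes: taps keep
    their position, lines keep only their starting point, circles keep only their
    centre (radius and direction are discarded).
    Gesture tuples (assumed layout): ('tap', (x, y)), ('line', (x1, y1), (x2, y2)),
    ('circle', (cx, cy), radius, clockwise)."""
    kind = gesture[0]
    if kind in ('tap', 'line', 'circle'):
        return gesture[1]
    raise ValueError(f"unknown gesture type: {kind}")


def within(a: Segment, b: Segment, r: int = TOLERANCE_RADIUS) -> bool:
    return hypot(a[0] - b[0], a[1] - b[1]) <= r


def matched_areas(secret: Sequence[tuple], guesses: Sequence[tuple]) -> int:
    """Number of the legitimate user's selections that the attacker's guesses land on,
    ignoring gesture order and type. Each guess may account for at most one
    selection, so the best one-to-one pairing over all orderings is taken
    (enumerating permutations is cheap for three gestures)."""
    targets = [anchor_segment(g) for g in secret]
    best = 0
    for order in permutations([anchor_segment(g) for g in guesses]):
        best = max(best, sum(within(t, g) for t, g in zip(targets, order)))
    return best


def label_selection(seg: Segment, hotspots: Sequence[Segment],
                    experience_spots: Sequence[Segment]) -> str:
    """H / E / O labelling as in the paper. Assumption for this example: a selection
    within the tolerance radius of a hotspot is H, otherwise one within the radius
    of an experience spot is E, and anything else is O."""
    if any(within(seg, h) for h in hotspots):
        return 'H'
    if any(within(seg, e) for e in experience_spots):
        return 'E'
    return 'O'


# Constructed data in grid coordinates, not from the study.
SECRET = [('tap', (10, 20)), ('line', (50, 50), (80, 50)), ('circle', (70, 15), 6, True)]
GUESSES = [('circle', (52, 48), 5, False), ('tap', (90, 90)), ('line', (71, 17), (30, 30))]
HOTSPOTS = [(50, 50), (90, 90)]          # e.g. output of a saliency / object-detection pass
EXPERIENCE_SPOTS = [(10, 20), (70, 15)]  # places the user named as shared experiences


def summarize(secret=SECRET, guesses=GUESSES) -> Tuple[int, List[str]]:
    """Matched areas and the H/E/O label of each guess, in the order they were made."""
    labels = [label_selection(anchor_segment(g), HOTSPOTS, EXPERIENCE_SPOTS) for g in guesses]
    return matched_areas(secret, guesses), labels


if __name__ == "__main__":
    matched, labels = summarize()
    print(f"{matched} of {len(SECRET)} areas matched; guess labels: {labels}")
```

In the constructed case the attacker's circle and line land within tolerance of the user's line start and circle centre even though the gesture types and order differ, so two of three areas count as matched; the third guess sits on a hotspot the user did not pick.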
4 Conclusions and Future Work
In this work, we conducted a controlled in-lab eye-tracking user study focusing on human attack vulnerabilities among people sharing common sociocultural experiences within personalized picture password schemes. Results revealed that insider attackers who share common experiences with the legitimate users can easily identify regions of their selected secrets, as shown in Table 1. The extra knowledge possessed by people who are close to the legitimate user was also reflected in their visual behavior during the human guessing attack phase. In particular, we found that the insider attackers exhibited higher stationary entropy Hs than the legitimate users. As stated previously, greater values of Hs occur when visual attention is distributed more equally among AOIs, which might occur in cases of insider attackers who use extra knowledge to guess the user’s picture password, while lower values of Hs indicate that fixations tend to be concentrated on certain AOIs, which might occur in cases of legitimate users who know their passwords and fixate on certain AOIs.
Such findings can be used for the estimation of the legitimacy of the user authenticating in a personalized picture password scheme that leverages users’ prior sociocultural activities, experiences and explicit memories, and can drive the design of assistive security mechanisms. We envision that such visual behavior differences in personalized picture password schemes can be used for the creation of multi-class classifiers for predicting the legitimacy of the individual during authentication (i.e., legitimate user, insider attacker, other attacker). Such a classifier would notify the legitimate users about the type of attacker attempting to log in to their account, as well as adjust the account lockout threshold accordingly (e.g., apply a stricter policy in cases of insider attackers). Expansion of our research will consider the feasibility of building such a multi-class classifier for predicting the legitimacy of the user authenticating, as well as conducting additional user studies to triangulate findings with diverse user communities and sociocultural experiences.
Notes
1. Microsoft™ Picture Password blog - bit.ly/2SajCDO.
2. Google Cloud Vision - bit.ly/21xSsUV.
3. Tensorflow - bit.ly/1MWEhkH.
4. GP3 Eye Tracker - bit.ly/3g8rDWq.
References
Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the ‘weakest link’—a human/computer interaction approach to usable and effective security. BT Technol. J. 19(3), 122–131 (2001)
Raptis, G.E., Katsini, C., Belk, M., Fidas, C., Samaras, G., Avouris, N.: Using eye gaze data and visual activities to infer human cognitive styles: method and feasibility studies. In: ACM UMAP 2017, pp. 164–173. ACM Press (2017)
Biddle, R., Chiasson, S., Van Oorschot, P.C.: Graphical passwords: learning from the first twelve years. ACM Comput. Surv. 44(4), 41 p. (2012). Article no. 19
Thorpe, J., van Oorschot, P.C.: Human-seeded attacks and exploiting hot-spots in graphical passwords. In: USENIX Security Symposium (SS 2007), pp. 1–16 (2007). Article no. 8
Alt, F., Schneegass, S., Shirazi, A.S., Hassib, M., Bulling, A.: Graphical passwords in the wild: understanding how users choose pictures and passwords in image-based authentication schemes. In: ACM MobileHCI 2015, pp. 316–322. ACM Press (2015)
Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N.: Authentication using graphical passwords: effects of tolerance and image choice. In: Symposium on Usable Privacy and Security (SOUPS 2005), pp. 1–12. ACM Press (2005)
Zhao, Z., Ahn, G.J., Seo, J.J., Hu, H.: On the security of picture gesture authentication. In: USENIX Conference on Security (SEC 2013), pp. 383–398 (2013)
Zhao, Z., Ahn, G.J., Hu, H.: Picture gesture authentication: empirical analysis, automated attacks, and scheme evaluation. In: ACM TISSEC 2015, vol. 17, no. 4, pp. 1–37 (2015)
Mihajlov, M., Jerman-Blažič, B., Ciunova Shuleska, A.: Why that picture? Discovering password properties in recognition-based graphical authentication. Elsevier IJHCS 32(12), 975–988 (2016)
Mihajlov, M., Jerman-Blažič, B.: On designing usable and secure recognition-based graphical authentication mechanisms. Interact. Comput. 23(6), 582–593 (2011)
Everitt, K.M., Bragin, T., Fogarty, J., Kohno, T.: A comprehensive study of frequency, interference, and training of multiple graphical passwords. In: ACM SIGCHI 2009, pp. 889–898. ACM Press (2009)
Perazzi, F., Krähenbühl, P., Pritch, Y., Hornung, A.: Saliency filters: contrast based filtering for salient region detection. In: IEEE Conference on Computer Vision and Pattern Recognition, pp. 733–740. IEEE (2012)
Katsini, C., Fidas, C., Raptis, G.E., Belk, M., Samaras, G., Avouris, N.: Influences of human cognition and visual behavior on password strength during picture password composition. In: ACM CHI 2018, pp. 1–14. ACM Press (2018). Paper 87
Krejtz, K., et al.: Gaze transition entropy. In: ACM TAP 2015, vol. 13, no. 1, pp. 1–20 (2015)
Bulling, A., Alt, F., Schmidt, A.: Increasing the security of gaze-based cued-recall graphical passwords using saliency masks. In: ACM SIGCHI 2012, pp. 3011–3020. ACM Press (2012)
Tullis, T.S., Tedesco, D.P.: Using personal photos as pictorial passwords. In: ACM CHI EA 2005, pp. 1841–1844. ACM Press (2005)
Fidas, C., Belk, M., Hadjidemetriou, G., Pitsillides, A.: Influences of mixed reality and human cognition on picture passwords: an eye tracking study. In: Lamas, D., Loizides, F., Nacke, L., Petrie, H., Winckler, M., Zaphiris, P. (eds.) INTERACT 2019. LNCS, vol. 11747, pp. 304–313. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29384-0_19
Constantinides, A., Fidas, C., Belk, M., Pietron, A., Han, T., Pitsillides, A.: From hot-spots towards experience-spots: leveraging on users’ sociocultural experiences to enhance security in cued-recall graphical authentication. Elsevier IJHCS 149 (2021). 102602
Constantinides, A., Pietron, A., Belk, M., Fidas, C., Han, T., Pitsillides, A.: A cross-cultural perspective for personalizing picture passwords. In: ACM UMAP 2020, pp. 43–52. ACM Press (2020)
Irwin, D.E.: Fixation location and fixation duration as indices of cognitive processing. In: Henderson, J.M., Ferreira, F. (eds.) The Interface of Language, Vision, and Action: Eye Movements and the Visual World, pp. 105–133. Psychology Press, London (2004)
Aljahdali, H.M., Poet, R.: Educated guessing attacks on culturally familiar graphical passwords using personal information on social networks. In: ACM SIN 2014, pp. 272–278. ACM Press (2014)
Muslukhov, I., Boshmaf, Y., Kuo, C., Lester, J., Beznosov, K.: Know your enemy: the risk of unauthorized access in smartphones by insiders. In: ACM MobileHCI 2013, pp. 271–280. ACM Press (2013)
Best, D.S., Duchowski, A.T.: A rotary dial for gaze-based PIN entry. In: ACM ETRA 2016, pp. 69–76. ACM Press (2016)
Katsini, C., Raptis, G.E., Fidas, C., Avouris, N.: Towards gaze-based quantification of the security of graphical authentication schemes. In: ACM ETRA 2018, 5 p. ACM Press (2018). Article 17
De Luca, A., Denzel, M., Hussmann, H.: Look into my eyes! Can you guess my password? In: ACM SOUPS 2009, 12 p. ACM Press (2009). Article 7
Constantinides, A., Fidas, C., Belk, M., Pitsillides, A.: “I recall this picture”: understanding picture password selections based on users’ sociocultural experiences. In: IEEE/WIC/ACM WI 2019, pp. 408–412. ACM Press (2019)
Sluganovic, I., Roeschlin, M., Rasmussen, K.B., Martinovic, I.: Using reflexive eye movements for fast challenge-response authentication. In: ACM SIGSAC CCS 2016, pp. 1056–1067. ACM Press (2016)
Constantinides, A., Belk, M., Fidas, C., Pitsillides, A.: An eye gaze-driven metric for estimating the strength of graphical passwords based on image hotspots. In: ACM IUI 2020, pp. 33–37. ACM Press (2020)
Cardaci, M., Di Gesù, V., Petrou, M., Tabacchi, M.E.: A fuzzy approach to the evaluation of image complexity. Fuzzy Sets Syst. 160(10), 1474–1484 (2009)
Salehi-Abari, A., Thorpe, J., Van Oorschot, P.C.: On purely automated attacks and click-based graphical passwords. In: IEEE ACSAC 2008, pp. 111–120 (2008)
Renaud, K.: On user involvement in production of images used in visual authentication. J. Vis. Lang. Comput. 20(1), 1–15 (2009)
Johnson, J.J., et al.: Picture gesture authentication (2014). https://www.google.com/patents/US8910253. Accessed 10 June 2021
Dunphy, P., Yan, J.: Do background images improve “draw a secret” graphical passwords? In: ACM CCS 2007, pp. 36–47. ACM Press (2007)
Constantinides, A., Belk, M., Fidas, C., Samaras, G.: On cultural-centered graphical passwords: leveraging on users' cultural experiences for improving password memorability. In: ACM UMAP 2018, pp. 245–249. ACM Press (2018)
Constantinides, A., Fidas, C., Belk, M., Samaras, G.: On sociocultural-centered graphical passwords: an initial framework. In: ACM MobileHCI 2018 Adjunct, pp. 277–284. ACM Press (2018)
Constantinides, A., Belk, M., Fidas, C., Pitsillides, A.: On the accuracy of eye gaze-driven classifiers for predicting image content familiarity in graphical passwords. In: ACM UMAP 2019, pp. 201–205. ACM Press (2019)
Acknowledgements
The work has been partially supported by the EU Horizon 2020 Grant 826278 “Securing Medical Data in Smart Patient-Centric Healthcare Systems” (Serums), the Research and Innovation Foundation (Project DiversePass: COMPLEMENTARY/0916/0182), and the European project TRUSTID - Intelligent and Continuous Online Student Identity Management for Improving Security and Trust in European Higher Education Institutions (Grant Agreement No: 2020-1-EL01-KA226-HE-094869), which is funded by the European Commission within the Erasmus+ 2020 Programme and the Greek State Scholarships Foundation I.K.Y.
© 2021 IFIP International Federation for Information Processing
Cite this paper
Constantinides, A., Belk, M., Fidas, C., Pitsillides, A. (2021). Understanding Insider Attacks in Personalized Picture Password Schemes. In: Ardito, C., et al. Human-Computer Interaction – INTERACT 2021. INTERACT 2021. Lecture Notes in Computer Science(), vol 12935. Springer, Cham. https://doi.org/10.1007/978-3-030-85610-6_42
DOI: https://doi.org/10.1007/978-3-030-85610-6_42
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85609-0
Online ISBN: 978-3-030-85610-6