Abstract

This paper suggests a novel cued-recall-based graphical authentication method, which leverages users’ sociocultural experiences to improve the security and memorability of selected secrets. We evaluated the suggested approach in the context of three user studies (n = 139): a) an eye-tracking study (n = 42) focusing on security in terms of resistance to brute-force attacks; b) a two-week study (n = 71) focusing on memorability and login usability; and c) a controlled in-lab user study (n = 26) focusing on human attack vulnerabilities among people sharing common sociocultural experiences. Analysis of the results revealed that the suggested approach influenced the visual behavior strategies of end-users, which subsequently resulted in significantly stronger passwords created on images reflecting their prior experiences than on images unfamiliar to them. At the same time, both reference and control groups performed similarly in terms of memorability and login efficiency and effectiveness. On the downside, the suggested approach introduces password-guessing vulnerabilities: attackers who share common experiences with the end-users can more easily identify regions of their selected secrets. The findings point towards a new direction for delivering personalized cued-recall graphical authentication schemes that depict image semantics bootstrapped to users’ real-life experiences.
