Password Entry Times for Recognition-based Graphical Passwords

Abstract

Graphical passwords offer a more memorable alternative to traditional, text-based passwords. Among current contenders, cued-recall based click-point or gesture centered authentication systems like Microsoft’s picture gesture authentication (PGA) have been commercially more successful than recognition based systems (e.g., PassFaces). One perceived drawback of graphical authentication systems in general and especially recognition based authentication is the assumption that graphical authentication is slower and thus less user-friendly than traditional password entry via keyboard. This paper addresses these concerns and demonstrates a lower limit for recognition-based password entry times achievable with sufficient practice. While slightly slower than traditional keyboard based passwords, the entry speed of often-used graphical passwords is shown to reach 10 bits/s in an optimized configuration, which is sufficient for everyday use (3-6s per authentication sequence @ 36 bits) and exceeds the reported speed of similarly secure text-based passwords on non-traditional devices using virtual keyboards.