User Authentication Rachna Dhamija Human Centered Computing Course December 6, 1999 Image Recognition in

 Security systems  human factors?  Passwords  multiple long strings Problem

 Replace text w/ images?  Replace recall w/ recognition  Portfolio  “Random Art” & Real Images A solution

 “Vast, almost limitless memory” for pictures [Haber]  Recognition  Fraction of a sec to remember & recognize [Intraub, Pavio & Codes]  2560 photos for few seconds  90 % recognition rate [Standing, Conezio & Haber]  10,000 photos  2 days, 66% recognized [Standing]  Recall  recall semantics or sketch  “pictures are not only recognized better but are also recalled better than words” [Standing] Visual Memory

 Target population = general computer users  novice/expert users  few passwords/multiple passwords  10 (+20) people interviewed about behavior  10 – 40+ instances vs. 1-7 actual passwords  names, phone numbers, fav movies, ~6 char  tools: majority wrote them down, 2 PIM  minimum effort, never change them  ability to share is a feature  people hate passwords  but prefer them to alternatives Task Analysis

Security: Brute Force Attack 4 Digit PIN = 5 out of 20 images 6 char password = 10 out of 55 BUT most passwords require < brute force!

 Benefits  Images easier to remember  less errors  change more frequently  good for infrequently used passwords?  Images esp Random Art is hard to describe  Vulnerabilities  “shoulder surfing” attack  “intersection” attack Security Analysis (cont)

 Task: create portfolio & login  People can remember images! (4-10)  Photos/art – 50/50 preference & time  Wanted to view portfolio during creation  Must be simple and fast (no click through screens)  Horizontal layout for quick scanning Lo-fi Prototype

 Create 4 “passwords” PIN (4 digits) Password (6 char.) Art portfolio (5/100) Photo portfolio (5/100)  Login PIN Password Art (5/25) Photo (5/25)  Task order- 50% did Art first  Image order  Repeat login after 1 week! Experiment Design

Test Measures Does not include uncompleted tasks sev1: minor sev2: major, recoverable sev3: major, unrecoverable No unrecoverable errors made with portfolios

 Comfort Level  Create portfolio  Login portfolio - wow  Text vs. images  Passwords/PINS faster to create/logon  Photos easier to remember than PINS (short term)  Art vs. photos  Photos easier to remember, schemes, more personal  People chose similar photos, but not art  Interface issues  Scrolling is bad, one screen, thumbnails, single-click  Lack of feedback  # picked so far, which picked??  how to give feedback securely? More Results

1 image selected Changes to next version show # selected hide selected images smaller images

 Potential for use  where text input is hard, limited observation (e.g., ATM, PDA)  infrequent, high availability passwords  Future Directions  Self created images  authenticate: recreate or recognize Conclusions  Random Art + Text  Sharing & collaboration  Other human abilities?

 Houston JP. Fundamentals of learning and memory. 4th ed. Florida: Harcourt Brace Jovanovich;  Ralph Norman Haber. How we remember what we see. Scientific American, 222(5): , May  Lionel Standing. Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 25: ,  Lionel Standing, Jerry Conezio, and Ralph Norman Haber. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Science, 19(2):73-74,  Helene Intraub. Presentation rate and the representation of briefly glimpsed pictures in memory. Journal of Experimental Psychology: Human Learning and Memory, 6(1):1-12,  Hash Visualization: A New Technique to Improve Real-World Security, Adrian Perrig and Dawn Song, in Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce (CryTEC '99) References