Free-Form Gesture Authentication in the Wild

ABSTRACT
Free-form gesture passwords have been introduced as an alternative mobile authentication method. Text passwords are poorly suited to mobile interaction, and methods such as PINs and grid patterns sacrifice security for usability. However, little is known about how free-form gestures perform in the wild. We present the first field study (N=91) of mobile authentication using free-form gestures, with text passwords as a baseline. Our study leveraged Experience Sampling Methodology to increase ecological validity while maintaining control of the experiment. We found that, with gesture passwords, participants generated new passwords and authenticated faster, with comparable memorability, and were more willing to retry after a failed attempt. Our analysis of the gesture password dataset indicated biases in the user-chosen distribution, which tended towards common shapes. Our findings provide useful insights towards understanding mobile device authentication and gesture-based authentication.