The Impact of Cues and User Interaction on the Memorability of System-assigned Random Passwords

Abstract

Given the choice, users produce passwords reflecting common strategies and patterns that ease recall but offer uncertain and often weak security. Addressing this usability-security tension in user authentication remains the key research issue in password studies for decades. In this thesis, we aim to understand how humans' cognitive abilities could be leveraged to design more secure and memorable authentication schemes. To achieve this goal, we draw upon multiple theories from cognitive psychology and implement them in the context of improving memorability for system-assigned random passwords.

We argue that while the system assigns random passwords, it should also help users with memorization and recall. We investigated the feasibility of this approach with CuedR, a novel cued-recognition authentication scheme that provides users with multiple cues (visual, verbal, and spatial) and lets them choose the cues that best fit their learning process for later recognition of system-assigned keywords. The lab study on CuedR showed promise for providing multiple cues with a 100% memorability rate over the span of one week.

The study on CuedR did not examine the individual impact of each cue. Thus, we performed a second study to explore deeper into this issue, where we examined the efficacy of spatial cues (fixed position of images), verbal cues (phrases/facts related to the images), and employing user interaction (learning images through writing a short description at registration) to improve the memorability of system-assigned passwords based on face images and object images. In our multi-session lab study with 56 participants, we had a 98% login success rate for a scheme offering spatial and verbal cues (ObjectSV), while a scheme based on user interaction had a 95% login success rate for face images (FaceSUI) and a 93% login success rate for object images (ObjectSUI). Our analysis shows that verbal cues and user interaction made an important contribution to gain significantly higher login success rate as compared to the control conditions representing existing graphical password schemes.

Since the combination of spatial and verbal cues performed best in the second study in providing satisfactory memorability for system-assigned recognition-based graphical passwords, in the third study, we examined the impact of combining spatial and verbal cues for system-assigned recognition-based textual passwords. We designed three different study conditions to achieve this goal. In a study with 52 participants, we had a 94.2% login success rate for a textual recognition-based scheme offering spatial and verbal cues (TextV), which was significantly higher than that for the control condition providing only spatial cues. To understand the usability gain of accommodating images for a scheme providing verbal cues, we compared TextV and GraphicV schemes, and found no significant difference in login success rate, although users required less time to recognize the keywords when they were accommodated with images. To note, the GraphicV scheme in this study is similar to the ObjectSV scheme in the second study.

The results from these lab studies showed that a cued-recognition-based scheme (e.g., GraphicV/ObjectSV) offering users with spatial and verbal cues for object images performed best in terms of memorability. So, we conducted a field study for a further understanding on the usability of this scheme in a real-life scenario, where the memorability for GraphicV scheme was quite satisfactory with an average login success rate of 98%. Our analysis also shows that login time significantly improved with more login sessions because of training effect.

We believe that our research makes an important contribution to understand how humans' cognitive abilities could be leveraged to design more secure and memorable authentication schemes.