This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism
March/April 2012 (vol. 9 no. 2)
pp. 222-235
ASCII Text
x 
 
Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, Paul C. van Oorschot, "Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 2, pp. 222-235, March/April, 2012.
 
 
BibTex
x
 
@article{ 10.1109/TDSC.2011.55,
author = {Sonia Chiasson and Elizabeth Stobert and Alain Forget and Robert Biddle and Paul C. van Oorschot},
title = {Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism},
journal ={IEEE Transactions on Dependable and Secure Computing},
volume = {9},
number = {2},
issn = {1545-5971},
year = {2012},
pages = {222-235},
doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.55},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}
 
 
RefWorks Procite/RefMan/Endnote
x 
 
TY - JOUR
JO - IEEE Transactions on Dependable and Secure Computing
TI - Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism
IS - 2
SN - 1545-5971
SP222
EP235
EPD - 222-235
A1 - Sonia Chiasson,
A1 - Elizabeth Stobert,
A1 - Alain Forget,
A1 - Robert Biddle,
A1 - Paul C. van Oorschot,
PY - 2012
KW - Authentication
KW - graphical passwords
KW - usable security
KW - empirical studies.
VL - 9
JA - IEEE Transactions on Dependable and Secure Computing
ER -
 
Sonia Chiasson, Carleton University, Ottawa
Elizabeth Stobert, Carleton University, Ottawa
Alain Forget, Carleton University, Ottawa
Robert Biddle, Carleton University, Ottawa
Paul C. van Oorschot, Carleton University, Ottawa
This paper presents an integrated evaluation of the Persuasive Cued Click-Points graphical password scheme, including usability and security evaluations, and implementation considerations. An important usability goal for knowledge-based authentication systems is to support users in selecting passwords of higher security, in the sense of being from an expanded effective security space. We use persuasion to influence user choice in click-based graphical passwords, encouraging users to select more random, and hence more difficult to guess, click-points.

[1] S. Chiasson, R. Biddle, and P. van Oorschot, “A Second Look at the Usability of Click-Based Graphical Passwords,” Proc. ACM Symp. Usable Privacy and Security (SOUPS), July 2007.
[2] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot, “Influencing Users towards Better Passwords: Persuasive Cued Click-Points,” Proc. British HCI Group Ann. Conf. People and Computers: Culture, Creativity, Interaction, Sept. 2008.
[3] S. Chiasson, A. Forget, E. Stobert, P. van Oorschot, and R. Biddle, “Multiple Password Interference in Text and Click-Based Graphical Passwords,” Proc. ACM Conf. Computer and Comm. Security (CCS), Nov. 2009.
[4] E. Stobert, A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, “Exploring Usability Effects of Increasing Security in Click-Based Graphical Passwords,” Proc. Ann. Computer Security Applications Conf. (ACSAC), 2010.
[5] S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot, “User Interface Design Affects Security: Patterns in Click-Based Graphical Passwords,” Int'l J. Information Security, vol. 8, no. 6, pp. 387-398, 2009.
[6] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “The Memorability and Security of Passwords,” Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, eds., ch. 7, pp. 129-142, O'Reilly Media, 2005.
[7] S. Chiasson, P. van Oorschot, and R. Biddle, “Graphical Password Authentication Using Cued Click Points,” Proc. European Symp. Research in Computer Security (ESORICS), pp. 359-374, Sept. 2007.
[8] L. Jones, A. Anton, and J. Earp, “Towards Understanding User Perceptions of Authentication Technologies,” Proc. ACM Workshop Privacy in Electronic Soc., 2007.
[9] L. O'Gorman, “Comparing Passwords, Tokens, and Biometrics for User Authentication,” Proc. IEEE, vol. 91, no. 12, pp. 2019-2020, Dec. 2003.
[10] A. Jain, A. Ross, and S. Pankanti, “Biometrics: A Tool for Information Security,” IEEE Trans. Information Forensics and Security (TIFS), vol. 1, no. 2, pp. 125-143, June 2006.
[11] D. Nelson, V. Reed, and J. Walling, “Pictorial Superiority Effect,” J. Experimental Psychology: Human Learning and Memory, vol. 2, no. 5, pp. 523-528, 1976.
[12] R. Biddle, S. Chiasson, and P. van Oorschot, “Graphical Passwords: Learning from the First Twelve Years,” to be published in ACM Computing Surveys, vol. 44, no. 4, 2012.
[13] A. De Angeli, L. Coventry, G. Johnson, and K. Renaud, “Is a Picture Really Worth a Thousand Words? Exploring the Feasibility of Graphical Authentication Systems,” Int'l J. Human-Computer Studies, vol. 63, nos. 1/2, pp. 128-152, 2005.
[14] E. Tulving and Z. Pearlstone, “Availability versus Accessibility of Information in Memory for Words,” J. Verbal Learning and Verbal Behavior, vol. 5, pp. 381-391, 1966.
[15] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, “PassPoints: Design and Longitudinal Evaluation of a Graphical Password System,” Int'l J. Human-Computer Studies, vol. 63, nos. 1/2, pp. 102-127, 2005.
[16] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, “Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice,” Proc. First Symp. Usable Privacy and Security (SOUPS), July 2005.
[17] K. Golofit, “Click Passwords under Investigation,” Proc. 12th European Symp. Research in Computer Security (ESORICS), Sept. 2007.
[18] A. Dirik, N. Menon, and J. Birget, “Modeling User Choice in the Passpoints Graphical Password Scheme,” Proc. Third ACM Symp. Usable Privacy and Security (SOUPS), July 2007.
[19] J. Thorpe and P.C. van Oorschot, “Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords,” Proc. 16th USENIX Security Symp., Aug. 2007.
[20] A. Salehi-Abari, J. Thorpe, and P. van Oorschot, “On Purely Automated Attacks and Click-Based Graphical Passwords,” Proc. Ann. Computer Security Applications Conf. (ACSAC), 2008.
[21] P.C. van Oorschot, A. Salehi-Abari, and J. Thorpe, “Purely Automated Attacks on PassPoints-Style Graphical Passwords,” IEEE Trans. Information Forensics and Security, vol. 5, no. 3, pp. 393-405, Sept. 2010.
[22] B. Fogg, Persuasive Technologies: Using Computers to Change What We Think and Do. Morgan Kaufmann Publishers, 2003.
[23] J. Wolf, “Visual Attention,” Seeing, K. De Valois, ed., pp. 335-386, Academic Press, 2000.
[24] D. Davis, F. Monrose, and M. Reiter, “On User Choice in Graphical Password Schemes,” Proc. 13th USENIX Security Symp., 2004.
[25] PD Photo, PD Photo Website, http:/pdphoto.org, Feb. 2007.
[26] D. Florencio and C. Herley, “Where Do Security Policies Come from?,” Proc. Symp. Usable Privacy and Security, 2010.
[27] M. Weir, S. Aggarwal, M. Collins, and H. Stern, “Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords,” Proc. ACM Conf. Computer and Comm. Security (CCS), 2010.
[28] S. Chiasson, C. Deschamps, E. Stobert, M. Hlywa, B. Freitas Machado, A. Forget, N. Wright, G. Chan, and R. Biddle, “ [Short Paper] The MVP Web-Based Authentication Framework,” Proc. Financial Cryptography and Data Security (FC), LNCS, 2012.
[29] S. Chiasson, J. Srinivasan, R. Biddle, and P.C. van Oorschot, “Centered Discretization with Application to Graphical Passwords,” Proc. USENIX Workshop Usability, Psychology, and Security (UPSEC), Apr. 2008.
[30] P. Diggle, Statistical Analysis of Spatial Point Patterns. Academic Press, 1983.
[31] A. Baddeley and R. Turner, “Spatstat: An R Package for Analyzing Spatial Point Patterns,” J. Statistical Software, vol. 12, no. 6, pp. 1-42, 2005.
[32] M. van Lieshout and A. Baddeley, “A Nonparametric Measure of Spatial Interaction in Point Patterns,” Statistica Neerlandica, vol. 50, no. 3, pp. 344-361, 1996.
[33] S. Chiasson, E. Stobert, A. Forget, R. Biddle, and P. van Oorschot, “Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism,” Technical Report TR-11-03, School of Computer Science, Carleton Univ., Feb. 2011.
[34] P.C. van Oorschot and J. Thorpe, “Exploiting Predictability in Click-Based Graphical Passwords,” J. Computer Security, vol. 19, no. 4, pp. 669-702, 2011.
[35] A. Forget, S. Chiasson, and R. Biddle, “Shoulder-Surfing Resistance with Eye-Gaze Entry in Click-Based Graphical Passwords,” Proc. ACM SIGCHI Conf. Human Factors in Computing Systems (CHI), 2010.
[36] P. Dunphy, J. Nicholson, and P. Olivier, “Securing Passfaces for Description,” Proc. Fourth ACM Symp. Usable Privacy and Security (SOUPS), July 2008.
[37] B. Pinkas and T. Sander, “Securing Passwords against Dictionary Attacks,” Proc. Ninth ACM Conf. Computer and Comm. Security (CCS), Nov. 2002.
[38] A. Duchowski, Eye Tracking Methodology: Theory and Practice, second ed. Springer, 2007.
[39] D. Florencio and C. Herley, “A Large-Scale Study of WWW Password Habits,” Proc. 16th ACM Int'l World Wide Web Conf. (WWW), May 2007.
[40] A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, “Improving Text Passwords through Persuasion,” Proc. Fourth Symp. Usable Privacy and Security (SOUPS), July 2008.

Index Terms:
Authentication, graphical passwords, usable security, empirical studies.
Citation:
Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, Paul C. van Oorschot, "Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 2, pp. 222-235, March-April 2012, doi:10.1109/TDSC.2011.55
Usage of this product signifies your acceptance of the Terms of Use.