Someone in Your Contact List: Cued Recall-Based Textual Passwords

Textual passwords remain the most commonly employed user authentication mechanism, and potentially will continue to be so for years to come. Despite the well-known security and usability issues concerning textual passwords, none of the numerous proposed authentication alternatives appear to have ach...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on information forensics and security 2017-11, Vol.12 (11), p.2574-2589
Main Authors: Alomar, Noura, Alsaleh, Mansour, Alarifi, Abdulrahman
Format: Article
Language:English
Subjects:
Access control
Analytical models
Authentication
cued recall-based textual passwords
Cybersecurity
Electronic mail
Lists
Memory management
password hint
password recall
Passwords
Recall
Servers
Usability
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Textual passwords remain the most commonly employed user authentication mechanism, and potentially will continue to be so for years to come. Despite the well-known security and usability issues concerning textual passwords, none of the numerous proposed authentication alternatives appear to have achieved a sufficient level of adoption to dominate in the foreseeable future. Password hints, consisting of a user generated text saved at the account setup stage, are employed in several authentication systems to help users to recall forgotten passwords. However, users are often unable to create hints that jog the memory without revealing too much information regarding the passwords themselves. We propose a rethink of password hints by introducing SỲNTHIMA, a novel cued recall-based textual password method that reveals no information regarding the password, requires no modifications to authentication servers, and requires no additional setup or registration steps. SỲNTHIMA makes use of users' contact lists, so that mapped password hints extracted from a user's contacts are automatically generated while the user is typing the password. We create formal models for relevant aspects of the password hint mechanism, define its threat model, and analyze the security and usability of SỲNTHIMA. We also present the results of an in-lab user study of SỲNTHIMA on 30 participants to evaluate its effectiveness and usability. The results demonstrate that SỲNTHIMA minimizes the number of incorrect login attempts and improves long-term password recall, with acceptable login times and positive user feedback. We summarize the lessons learned from the user study, with the hope of provoking further insights regarding the design of effective cued recall-based textual password schemes.
ISSN:1556-6013
1556-6021
DOI:10.1109/TIFS.2017.2712126