Visual and Cognitive Password Authentication

One aspect of computer security that remains problematic today is how computer systems challenge users who want access to a secure application. The most common paradigm is to challenge the user with a presumably unique alphanumeric password. However, alphanumeric passwords have many inherent problems. Although an alphanumeric password can be shown to have statistically enough permutations to be difficult to crack, such a password then becomes difficult to remember. For a password to be very secure, it must also be changed regularly, which compounds the problem of remembering it. Additionally, alphanumeric passwords can be communicated, either intentionally or unintentionally, to an attacker. This can occur if the attacker captures the text from the computer system, finds it written on a piece of paper, overhears the password repeated by the user, or simply guesses it using information like a birth date or a dictionary of common words.

Given the vulnerability of text-based passwords, many solutions to this problem have been investigated. Some proposals suggest biometric or physical devices, such as tracking eye or pupil movement, scanning a thumb, or requiring a plug-in device. With biometric or physical devices, there is the cost of the device and the expertise needed for installation. Since many institutions require secure access to their applications, it might be problematic to expect them all to use the same hardware and protocol. This could put a financial burden on the user and create a costly customer service support issue for many online financial institutions. Lastly, there is also the question of ethics when biometric information, such as a thumbprint, is collected.

Given the ubiquity of graphical screens compared to text screens, other solutions have suggested variations of mouse and keyboard input with some graphical image as a password. Many of these systems have suffered from being unusable or easy to attack. However, this area of research shows a promising short-term and cost-effective approach to a stronger password. Users already have a mouse and keyboard and are familiar with how to use them. Graphical passwords have already been shown to have enough entropy to be unique and hard to guess. The problem is designing a graphical password that is easy to remember, relatively fast to input, hard to communicate, and hard to guess.

This proposal offers to investigate a possible solution for a usable and hard-to-crack graphical password. The design will be predicated on combining several easy graphical tasks that individually may not be very unique but, when compounded, would be unique and hard to guess. The tasks will vary based on research in visual and cognitive psychology and on previous graphical password research. One task will use what psychologists call working memory. It has been shown that what is in working memory can bias the outcome of a task. Users will be shown a set of random images that will load the working memory as a cue to pick a spot on an image. Another area of research investigates which common “hotspots” or visual cues people focus on in an image. Images will be chosen that have filtered many common hotspots. One crucial task will be based on the Ishihara colour vision test modified with other patterns.

Many designs have suffered from a small sample set of test data. This proposal aims to use a larger sample set with more diverse user backgrounds, in a controlled environment. The design goal is to achieve the same efficacy as 8 random alphanumeric characters in upper and lowercase. With identity theft and online security an immediate problem, this proposal hopes to offer a cheap, secure and usable solution that may be implemented in the near term.
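
As an added illustration (not part of the original proposal), the Python sketch below estimates how many compounded tasks are needed to reach the stated target of 8 random alphanumeric characters, and how hotspots raise that number. The 256-cell image grid, the 8 hotspot cells drawing half of all choices, and the independence of tasks are assumptions made for the example.

```python
import math

# Target from the proposal: 8 random characters drawn from upper and
# lowercase letters plus digits (62 symbols), about 47.6 bits.
TARGET_BITS = 8 * math.log2(62)


def shannon_bits(probs):
    """Average-case entropy of one task's answer distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy_bits(probs):
    """Worst-case entropy, set by the single most likely answer."""
    return -math.log2(max(probs))


def hotspot_distribution(cells, hotspots, hotspot_mass):
    """Constructed model (an assumption): `hotspots` cells share
    `hotspot_mass` of all user choices; the other cells share the rest."""
    hot = hotspot_mass / hotspots
    cold = (1 - hotspot_mass) / (cells - hotspots)
    return [hot] * hotspots + [cold] * (cells - hotspots)


def tasks_needed(bits_per_task, target=TARGET_BITS):
    """Entropies of independent tasks add; round up to whole tasks."""
    return math.ceil(target / bits_per_task)


def compare(cells=256, hotspots=8, hotspot_mass=0.5):
    """Tasks needed with hotspots filtered out (uniform choice) versus
    an image where a few hotspots attract half of all choices."""
    uniform = [1 / cells] * cells
    skewed = hotspot_distribution(cells, hotspots, hotspot_mass)
    return {
        "uniform_tasks": tasks_needed(min_entropy_bits(uniform)),
        "skewed_tasks_shannon": tasks_needed(shannon_bits(skewed)),
        "skewed_tasks_min": tasks_needed(min_entropy_bits(skewed)),
    }


if __name__ == "__main__":
    print(f"target: {TARGET_BITS:.1f} bits")
    print(compare())
```

Under these assumptions, the gap between the Shannon and min-entropy task counts shows why an average-case entropy figure overstates resistance to guessing when hotspots are present.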