Every time you pick up your phone or another device, you probably enter a password (like 1234, but not that, of course) or draw a pattern, perhaps on a grid of dots or over an image displayed on the screen. Have you ever wondered how secure those doodles are? DAUS faculty Donatella Delfino, Antonios Saravanos, and Stavros Zervoudakis, together with Dongnanzi Zheng of Columbia University, have been researching the usability of a locimetric form of graphical authentication on common devices, in which users prove their identity by selecting predetermined points on a predetermined image. In February 2021, they submitted a research paper to Lecture Notes in Computer Science, a series that publishes the latest research developments in all areas of computer science.
The primary advantage of this form of authentication over the ubiquitous text-based approach stems from users' superior ability to remember visual information over textual information, coupled with the authentication process becoming one of recognition rather than recall. Ideally, these differences let users create more complex passwords, which in theory are harder to guess. Yet locimetric authentication has one significant weakness: hot-spots. The term refers to areas of an image that users gravitate towards and which consequently have a higher probability of being selected; an attacker who can predict those areas has to search far fewer candidate passwords than the image size alone would suggest.
Although many strategies have been proposed to counter the hot-spot problem, one area that has received little attention is resolution. The hypothesis is that a high-resolution image affords the user a larger password space and that, consequently, any hot-spots would dissipate. "Microsoft's PicturePassword is currently the most popular implementation of the locimetric scheme," says Professor Saravanos. "In fact, it is a combination of the locimetric (click on a point) and drawmetric (draw a shape) schemes. Irrespective of screen resolution, users should be aware of the weakness of hot-spots with the locimetric scheme (i.e., everyone selecting the same points) and instead rely on shapes to form the elements of their password, even though they require a bit more effort over simple clicks."
The research team employed an experimental approach in which participants generated a series of locimetric passwords on either low- or high-resolution images. The research reveals the presence of hot-spots even in high-resolution images, albeit at a lower level than with low-resolution images. The conclusion is that other techniques, whether existing or new software controls or user training, are still needed to mitigate the emergence of hot-spots in the locimetric scheme.
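To make the password-space argument concrete, here is an added example (written for this page, not code from the research team or from any product) that models an image as a grid of tolerance-sized cells, computes the nominal space of an ordered k-click password, and then measures how much of that space survives when click data clusters on a few hot-spots. The click data is constructed, and the image resolutions, click tolerance, number of hot-spots and their concentration are all assumptions chosen for illustration.

```python
"""Added example: nominal vs. effective password space of a locimetric
(click-on-points) password when users cluster on hot-spots.
Resolutions, tolerance, hot-spot count and concentration are assumptions."""
import math
import random
from collections import Counter


def grid_cells(width, height, tolerance):
    """Distinguishable click targets when any click within `tolerance`
    pixels of the stored point is accepted: the image is effectively a
    grid of tolerance-sized cells."""
    return math.ceil(width / tolerance) * math.ceil(height / tolerance)


def nominal_password_bits(width, height, tolerance, clicks):
    """Theoretical space of an ordered password of `clicks` points, in bits."""
    return clicks * math.log2(grid_cells(width, height, tolerance))


def cell_of(point, tolerance):
    x, y = point
    return (x // tolerance, y // tolerance)


def shannon_bits(counts):
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def min_entropy_bits(counts):
    """Resistance against an attacker who tries the most popular cell
    first; never larger than the Shannon entropy."""
    return -math.log2(max(counts.values()) / sum(counts.values()))


def click_statistics(clicks_per_user, tolerance):
    """Bin every recorded click into its tolerance cell and measure how
    concentrated the resulting distribution is."""
    counts = Counter(cell_of(p, tolerance) for user in clicks_per_user for p in user)
    total = sum(counts.values())
    top5 = sum(n for _, n in counts.most_common(5)) / total
    return {"shannon_bits": shannon_bits(counts),
            "min_entropy_bits": min_entropy_bits(counts),
            "top5_cell_coverage": top5}


def simulate_users(width, height, n_users, clicks, hotspot_fraction,
                   n_hotspots, seed=1):
    """Constructed click data (not measured): each click lands near one of
    `n_hotspots` salient regions with probability `hotspot_fraction`, and
    uniformly anywhere on the image otherwise."""
    rng = random.Random(seed)
    hotspots = [(rng.randrange(width), rng.randrange(height)) for _ in range(n_hotspots)]
    users = []
    for _ in range(n_users):
        points = []
        for _ in range(clicks):
            if rng.random() < hotspot_fraction:
                hx, hy = rng.choice(hotspots)
                x = min(max(hx + rng.randint(-5, 5), 0), width - 1)
                y = min(max(hy + rng.randint(-5, 5), 0), height - 1)
            else:
                x, y = rng.randrange(width), rng.randrange(height)
            points.append((x, y))
        users.append(points)
    return users


def compare_resolutions(tolerance=20, clicks=3, n_users=500):
    """Same user behaviour on a low- and a high-resolution image: nominal
    space grows with resolution, effective space is capped by the hot-spots."""
    results = {}
    for label, (w, h) in {"low": (640, 480), "high": (1920, 1080)}.items():
        users = simulate_users(w, h, n_users, clicks,
                               hotspot_fraction=0.6, n_hotspots=8)
        stats = click_statistics(users, tolerance)
        results[label] = {
            "nominal_bits": nominal_password_bits(w, h, tolerance, clicks),
            "effective_bits": clicks * stats["shannon_bits"],
            "worst_case_bits": clicks * stats["min_entropy_bits"],
            "top5_cell_coverage": stats["top5_cell_coverage"],
        }
    return results


if __name__ == "__main__":
    for label, r in compare_resolutions().items():
        print(f"{label:>4}-res: nominal {r['nominal_bits']:.1f} bits, "
              f"effective {r['effective_bits']:.1f} bits, "
              f"worst case {r['worst_case_bits']:.1f} bits, "
              f"top-5 cells take {r['top5_cell_coverage']:.0%} of clicks")
```

Running it shows the pattern the paragraph describes: moving from 640x480 to 1920x1080 raises the nominal space by several bits per click, but the Shannon and min-entropy figures barely move because they are governed by how many users pick the same handful of cells, not by how many cells exist. Two simplifications to keep in mind: the effective figure multiplies per-click entropy by the number of clicks, which treats clicks as independent (real passwords are correlated, so this is an upper bound), and the hot-spot model is a fixed fraction of clicks near a few points, whereas real hot-spots depend on image content.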
On collaborating with colleagues across disciplines on this research, Professor Delfino notes, “Curiosity goes a long way: we are all in different fields, so it is necessary to be open to jumping into areas of research that may not feel totally comfortable at the beginning. It is also key to be willing to learn from colleagues.”