An Assignment Cover Sheet Needs to Be Included with Each Assignment. Please Complete All

UNIVERSITY OF SOUTH AUSTRALIA Assignment Cover Sheet – Internal

An Assignment cover sheet needs to be included with each assignment. Please complete all details clearly.

If you are submitting the assignment on paper, please staple this sheet to the front of each assignment. If you are submitting the assignment online, please ensure this cover sheet is included at the start of your document. (This is preferable to a separate attachment.)

Please check your Course Information Booklet or contact your School Office for assignment submission locations.

Name: Yeah Teck Chen

Student ID 1 0 0 0 9 6 1 1 5

Email: [email protected]

Course code and title: INFT 4017 – CIS Research Methods

School: Computer and Information Science Program code: LMCP

Course Coordinator: Professor Paul Swatman Tutor:

Day, Time, Location of Tutorial/Practical:

Assignment number: Research Proposal Due date: 14 June 2009

Assignment topic as stated in Course Information Booklet: Research Proposal

Further Information: (e.g. state if extension was granted and attach evidence of approval, Revised Submission Date)

I declare that the work contained in this assignment is my own, except where acknowledgement of sources is made.

I authorise the University to test any work submitted by me, using text comparison software, for instances of plagiarism. I understand this will involve the University or its contractor copying my work and storing it on a database to be used in future to test work submitted by others.

I understand that I can obtain further information on this matter at http://www.unisanet.unisa.edu.au/learningconnection/student/studying/integrity.asp

Note: The attachment of this statement on any electronically submitted assignments will be deemed to have the same authority as a signed statement.

Signed: Chen Date: 15 June 2009

Date received from student Assessment/grade Assessed by:

Recorded: Dispatched (if applicable): This page is intentionally left blank University of South Australia CIS Research Methods (INFT 4017)

Research Proposal Image-Based Authentication for Mobile Phones: Performance and User Opinion

Prepared By: Chen Yeah Teck Supervisor: Chris Steketee

SP2 2009 University of South Australia CIS Research Methods

Abstract

Mobile phones in the market are increasingly getting sophisticated, enabling consumers to do more and generating more data which can be personal and sensitive. With more than 200,000 mobile phones stolen each year in Australia (ATMA 2008), the default personal identification number (PIN) and password protection no longer sufficient to protect these data from being used unfavourably. This calls for better security to protect mobile phone users.

PIN and password authentication have issues related to their memorability and usability which result improper use by consumers. Thus, other authentication methods attempting to address these shortcomings such as tokens and biometrics were developed. However, these more advanced authentications are not without their own limitations such as token can be forgotten or lost and biometrics that often has accuracy and privacy issues. Both of these authentications also use PIN and password as secondary or fallback authentication mechanism.

Researches on image based authentication (IBA) were on the rise to leverage the humans’ ability to recognize graphics better than a sequence of meaningless strings. In all of the researches, results have shown that users are able to authenticate better using IBA techniques by recognizing images rather than recalling them. Although IBA techniques seem to yield better memorability among test subjects, these various techniques were always compared against PIN and password.

The focus of this paper will be to compare two IBA techniques, Picture Password and Awase-E against one another. The performance of these authentication techniques is important to reveal a range of usability design issues that is important in designing an easy to use and memorable system. In order to do this, the performance as well as usability design of these two IBA techniques will be compared.

Prepared By: Chen Yeah Teck Page i University of South Australia CIS Research Methods

Table of Contents

Abstract...... i 1 Introduction...... 1 1.1 Thesis title...... 1 1.2 Motivation...... 2 1.3 Research Question and Contribution...... 2 2 Literature Survey...... 3 2.1 PIN and Password...... 3 2.2 Token Based Authentication...... 4 2.3 Biometrics Authentication...... 5 2.4 Related researches...... 6 3 Research Methodology...... 9 3.1 Choosing IBA Technique to Experiment...... 9 3.2 Prototype Development...... 10 3.3 Data Collection...... 10 3.4 Analysis and Expected Outcome...... 11 4 Project Plan...... 12 5 Conclusion...... 13 6 References...... 14

Prepared By: Chen Yeah Teck Page ii University of South Australia CIS Research Methods

1 Introduction

Mobile phones that are released in the market are increasingly getting sophisticated with packed features and increased capabilities. With that, consumers especially business users are able to do more with the phone resulting more data being generated and stored in the phone - with some the data is being sensitive in nature. With more than 200,000 mobile phone reported stolen each year in Australia (ATMA 2008) alone, with even more that goes unreported, these sensitive data may be at risk of being used unfavourably. This calls for better security for protecting mobile phone data.

A standard mobile phone would normally come with a simple device power-on PIN protection while more advanced model may include PIN authentication for waking from inactivity. However, research has shown that 34% of the users disabled the PIN and 30% believing PIN to be troublesome. For those 66% who do use PIN, 38% of them had at least once forgotten the PIN and locked themselves out of the phone, 45% used the default PIN, 42% changed it once after buying the phone and only 13% changed the PIN more than once (Clarke, NL & Furnell 2005). In another survey, it is revealed that 50% of the respondents recorded their password or PIN in one form or another (Adams, Sasse & Lunt 1997).

A potential explanation for such consumer behaviour could be due to the limitation of human memory. Firstly, Johnson in 1991 explained that human has limitation in memorizing a sequence of item in a short period of time and secondly Miller in 1956 explain that human’s short term memory has the capacity of about seven plus or minus two items (Yan et al. 2000).

Although many researches had been conducted to improve the security of PIN and password systems, the focus of these researches had always been designing new technical methods to authenticate user rather than examining the usability of those methods (Adams & Sasse 1999).

Image based authentication (IBA) researches, which leverages human ability at recognizing better than recalling, showed promising results with the improvement in memorability of pass-images, hence lower authentication failure. This can be seen in the work of the Déjà vu project (Dhamija & Perrig 2000). However, IBA techniques tends to yield higher authentication time (Dhamija & Perrig 2000) and other input error such as wrong sequence and double selection (De Angeli et al. 2003). These techniques were also compared against only PIN and password.

This paper aims to conduct an experiment to compare several IBA techniques back to back with PIN and password as control techniques. The focus will be on recognition based image authentication. User opinions regarding IBA techniques will also be gathered during the experiment. By investigating the performance, in terms of memorability and usability, and the user opinions on these techniques, better design for image-based authentication can be derived.

1.1 Thesis title

Image-based authentication for mobile phones: Performance and user opinion

Prepared By: Chen Yeah Teck Page 1 of 17 University of South Australia CIS Research Methods

1.2 Motivation

Most of the input method for IBA techniques is similar to PIN and password systems. In addition, PIN and password systems are still the most used mechanism for user authentication but their limitations results bad practices among consumers.

While advanced authentication system such as token-based and biometrics exists, those systems are well known for their drawbacks ranging from requiring extra hardware, increase implementation cost to accuracy issues (Grashey & Schuster 2006; Nicholson, Corner & Noble 2006). Often, token-based and biometric authentication system implements some level of PIN or password based mechanism for either initialization, or as a “fallback” or secondary authentication method.

On the other hand, researches of IBA techniques that leverages the human ability to recognize previously seen images has shown improved memorability among test subjects (Dhamija & Perrig 2000; De Angeli et al. 2003). As a result, several authentication system based on this concept such as Awase-E (Takada & Koike 2003), IBRA (Akula & Devisetty 2004), and Déjà vu (Dhamija & Perrig 2000) were developed.

However, improved memorability does not mean a more usable system, but there’s room for improvement for these techniques if its design is user-centered. Thus, data gathered from experiments could reveal both design and user acceptance issues that are crucial for the diffusion of the technique for public use – a scenario that will not happen in the near future.

1.3 Research Question and Contribution

This paper will focus on the performance and usability of several IBA techniques and will aim to answer the following research questions:

a) Which IBA technique performs faster? b) Which IBA technique has lower authentication error rate? c) What are some of the user’s opinion regarding the design of user authentication in general and specifically on IBA authentication?

The task completion time for enrolment and authentication and the authentication error rate will be collected so that the result can be analysed and discussed in relation to the IBA technique’s system design. Also, experiment participants will be interviewed to study their behaviours and opinions towards mobile authentication.

This paper will contribute to the body of knowledge about user authentication especially in the usability studies on IBA systems, not only for mobile devices but also for computers. Improved usability and user authentication experience could encourage consumers to better adopt these IBA security systems for their mobile devices and computers, of which are increasingly valuable.

Apart from that, the new authentication system that both improve memorability, usability and user acceptance may also be derived from the findings.

2 Literature Survey

Imagine you’re starting a new job at a new building and are introduced to the security guard on duty that will screen through all the employees. When you turn up for work the following day, how does the security guard recognize you? Well, the security guard may do so by verifying your name, observe your general appearance, observe your voice and many more. Now, imagine the company decide to replace the security guard with a machine. How, now will the machine recognize you as who you really are and not someone else?

That was a simple example for explaining the analogy of user authentication. Human to machine authentication is a vital mechanism employed to protect assets and more importantly, access to data and resources. There are generally three factors (O'Gorman 2003) for authenticating users and they are:

a) Knowledge Based – that are dependent on “something the user knows” such as password. This authentication technique is only effective if the knowledge is kept secret from other people. Other example of knowledge based authentication is personal identification number (PIN), secret phrase, secret question and answer, and many more.

b) Object Based – is reliant on “something that the user possess” such as a token. The token normally stores certain information such as keys and digital certificate that proves that the token is valid. The user is authenticated as long as the token is present, or at least when the token is presented during initial authentication.

c) ID Based – leverages unique attributes of a person or “someone who the user is” such as his or her biometrics and behaviour. Sensor devices such as fingerprint scanner and camera are needed to capture the user’s biometrics to be compared with samples that are provided earlier.

The user authentication techniques are developed around these factors and details of its implementation are discussed in the following section.

2.1PIN and Password

PIN and password are still the most common methods used to authenticate user for almost everything from computer login, mobile phone power-on, ATM withdrawal, online banking, emails, to social network account login. Organizations prefer to implement PIN and password because they virtually do not cost anything to create, available in almost every device, and are common among users and help desk (Phifer 2008).

In order to ensure maximum security, PIN and password were system-generated. However, the resulting PIN and password with high entropy forces users to initially write them down for easy reference later, putting the password protected system in risks. Consequently, this led to user- generated password in order to improve memorability (Adams, Sasse & Lunt 1997).

FIPS and security experts came up with various guidelines and tips for choosing both easy to recall and secure passwords to encourage users to create good passwords. Examples of good password

advice may include the use of alphanumeric password with special characters, and ensure the password contains no words that can be found in a dictionary. Mnemonic methods using first letter of a phrase such as “I stayed in the city for 2 years” to derive “Isitcf2y” were also commonly known. However, researches has shown that user generally continue to choose bad password even if they were educated, especially if there are no policies and mechanisms to enforce good password selection (Yan et al. 2000).

Bad password is one issue; some users may completely disable authentication mechanism. Compared to laptops, mobile devices such as PDAs and smart phones are used more frequently to perform shorter task and requires instantaneous accessibility. Troublesome authentications get disabled when there are no policies enforcing the use of PIN and password (Phifer 2008).

All in all, both memorability and usability of password and PIN has caused bad practice among users (Adams, Sasse & Lunt 1997; Clarke, NL & Furnell 2005) and this puts the assets and data an organization is trying to protect at risk.

2.2Token Based Authentication

In order to tackle issues related to PIN and password usage, token authentication was developed to removes the need for users to remember lengthy and non-meaningful strings by storing the authentication information within the token. Instead, authenticate user based on “something the user possess”.

Based on public key infrastructure, tokens such as removable smart medias (MMC, SD, etc) hold digital certificates that are impossible, or at least hard to forge (Phifer 2008). The smart card needs to be inserted into a reader on the mobile device to perform verification of the digital certificate. Working similarly to a car key, a token must be present either at the initialization or for the entire period a service or function is in operation. This type of token however, results users leaving them in situ for the sake of convenience, as with the Subscriber Identity Module (SIM) card. As such, a lost mobile device that is found together with the token intact is equal to the mobile device without its password protection.

There are also researches that aimed to deal with the problem of user leaving smart media in situ. Tokens using contactless technology such as RFID, Bluetooth and WiFi were produced. A good example of this is Transient Authentication that uses WiFi connection to authenticate the token (Nicholson, Corner & Noble 2006). Transient Authentication uses a wearable token such as an IBM Linux wrist watch that comes with sufficient computational power to serve as an authentication server. A mobile device which is bound to the authentication server will act as the authenticating client, and will constantly detect if the wireless token is within range of about several meters. When the token goes out of range, the mobile device will engage lock down mechanism which includes encrypting files and memory, flushing caches and rendering a blank screen. A reversed process is performed when the token moves back within range (refer Figure 1).

Figure 1: Token-device authentication binding in Transient Authentication (Nicholson, Corner & Noble 2006).

However, tokens are not without is limitation. Primarily, implementation of token authentication will increase cost and effort for the extra hardware and establishment of policies regarding handling and usage. Token may also be forgotten or lost. If either of the scenarios occurs, user will have to rely on the fallback or secondary authentication method for the mobile device and in most cases, it is a PIN and password (Furnell, S, Clarke & Karatzouni 2008). Another significant drawback related to wireless token is that it drain battery power of mobile device (Jansen 2004).

2.3Biometrics Authentication

PIN and password suffers from dilemma between using a strong but unusable password, or weak but memorable password, while token can be lost and forgotten. Hence, biometrics techniques authenticate user based on “someone who the user is” to solve issues related to the former techniques.

Biometrics technique can be based on two factors: physiological and behavioural traits (Furnell, SM & Clarke 2007). The physiological traits allow users to be recognized based on their physical features such as fingerprint (Su et al. 2005), face (Han et al. 2007), iris (Dae Sik et al. 2005), and teeth (Kim & Hong 2008). This type of biometric is usually used for user authentication. On the other hand, the behavioural traits shows an identifiable pattern based on voice, key strokes (Isohara, Takemori & Sasase 2008), signature and gait (Gafurov 2006) and is typically researched for anomaly detection in order to determine if it is really the owner of the phone that is using the phone.

Figure 2: Example of multiple biometric authentications (Furnell, S, Clarke & Karatzouni 2008).

A typical biometrics system will start with enrolment, a process to acquire samples of biometrics traits as a training set. It is also critical that the identity of the user is confirmed at this stage. These samples will serve as a template which new samples collected from user in subsequent authentication will be compared against.

Similarly to token, some biometric techniques require extra hardware for collecting biometrics samples such as fingerprint while most of the other techniques would leverage built-in capabilities of newer phone models such as camera, key pad, touch screen and even accelerometer to detect face, voice and gait patterns and other features.

The main challenge of biometrics techniques however, is the accuracy issues that are associated with the techniques. Biometrics techniques suffer from two types of error: false acceptance rate (FAR) and false rejection rate (FRR) (Furnell, SM & Clarke 2007). FAR indicates the rate of which a pretender is being accepted by the system while FRR shows the rate of which an authorized person is being rejected by the system. The crossing value between FAR and FFR is the equal error rate (ERR), a measurement that are normally benchmarked against the industry ERR standard.

Figure 3: FAR, FRR and EER for biometrics (Clarke, N)

Lowering FAR value will increase security of the system but the usability of the system could be compromised because then the FRR would high resulting authorized user being locked out of the system. Vice versa, setting the FFR low will improve user acceptance, security of the system may be compromised (refer Figure 3).

Factors that cause the accuracy issues in biometrics include small training set and noise. Training can be improved but may significantly reduce usability if the system needed to be trained extensively. Noise while acquiring samples and authentication samples such as surrounding noise for voice, and lighting for face or iris may also be reduced by moving away from noisy environment or authenticate under sufficient lighting, but these too may reduce system usability.

2.4Related researches

There are however many researches that aims to improve memorability of passwords – by replacing them with graphics and photos. The logic behind this technique is that human can generally recognize better than they can recall, argued Nielsen in 1993 (Dhamija & Perrig 2000). The researches can be grouped into two distinctive categories. The first type is the recognition based technique that uses image, photographs and icons to help user in recognizing them while the other category, similar to a biometric signature technique, is based on recalling something that are created by the user.

a) Recognition Based Authentication

In experiments conducted by Paivio and Csapo in 1969 and Intraub in 1980, it is revealed that human can recognize large number of picture just by having a short glance at it (Dhamija & Perrig 2000).

Using this knowledge, image based authentication system is designed in a way where a user is presented with a group of images from which the user will choose several images as the pass-images. The images can be photos, icons, or parts of a photo. During authentication, user will need to point out, in sequence, the previously selected images for authentication. This technique can be seen in a research conducted by Jansen in 2004 (refer Figure 4).

Figure 4: Example PDA screen (Jansen 2004)

A variation of this technique may be using random art (refer Figure 5) in place of the icons or image as seen in the Déjà vu project (Dhamija & Perrig 2000). Another technique seen in Awase-E (Takada & Koike 2003) requires user to select only one image from the first selection screen and another image from the second selection screen, iterating up to 4 times (refer Figure 6). Awase-E also allows user to have “no-pass-image” in some selection screen and there’s no need to remember sequence of the images as they may appear randomly in any screen. There is also another variation as seen in the work of Onali and Ginesu (2006) that allows user to select one part of a picture, and the system will zoom into that region and similarly divide the zoomed image into several parts to be selected by the user. This is iterated several times. Other variations includes the use of personal photo (Pering et al. 2003) and the use of images of faces (Doi et al. 1997) for authentication.

Figure 5: Example random art from déjà vu (Dhamija & Perrig 2000)

Figure 6: Example verification stage for Awase-E (Takada & Koike 2003)

Similar approach to Jansen’s (2004) pass image, PassPoint (Dirik, Memon & Birget 2007) is another technique using image to help user recognize points, as well as the sequence, within the picture that were previously selected as the authentication points (refer Figure 7). The background image serves as a guide for user to choose memorable points.

Figure 7: Example of PassPoint clicks (Dirik, Memon & Birget 2007)

b) Recall Based Authentication

Perhaps the earliest recall based authentication, other than signature, is the Draw-a-secret (DAS) technique (Jermyn et al. 1999) where the user draws on a 2D grid and the sequence and the direction of the pen strokes are recorded. In this technique, the coordinates of the drawing are also essential as it will be authenticated along with the sequential and directional data. User will then need to reproduce the drawing for authentication (refer Figure 8).

Figure 8: Draw-a-secret authentication process (Jermyn et al. 1999)

Another drawing based authentication is PassShape (Weiss & Luca 2008) that does not take account into the coordinate as did the Draw-a-secret system, but only takes into account the stoke sequence and direction (refer Figure 9). The concept was derived from using shape to remember PIN number on the keypad. In order to make the system more secure, user is required to draw the shape and PassShape’s internal system will interpret and generate the pass code for the drawing. For multiple drawings, the system uses “X” as a padding value.

Figure 9: Left: Using shape to remember PIN 7-1-9-7. Middle: Stroke direction and the internal value interpreted by the PassShape. Right: Strokes interpreted as U93DL9L3XU3U with X as a padding value for multiple drawing. (Weiss & Luca 2008) 3 Research Methodology

3.1Choosing IBA Technique to Experiment

From the literature survey, two IBA techniques will be compared along side with PIN and password to test their performance in memorability and usability. The first technique is Picture Password (Jansen 2004) while the second technique is Awase-E (Takada & Koike 2003). In design, both these techniques are quite different (refer to Table 1) and it is worth looking into the performance of these techniques side by side.

Picture Password Awase-E Tested on PDA Tested on mobile phone Once screen authentication Multiple screen authentication Pass-image input sequence important User choose randomly placed pass-image across multiple screen Uses thumbnails of multiple images or a full Use thumbnails of multiple images image divided into parts Select at least 4 pass-images Select at least 1 pass-image Table 1: Design differences between Picture Password and Awase-E

3.2Prototype Development

The prototype for each authentication methods should be similar to the original method in terms of the user interface for both enrolment and authentication. This is to ensure that there is no bias towards any of the selected techniques. The prototypes will be deployed and tested on the same smart phone with touch screen to enable all the techniques to be evaluated equally.

Although Awase-E was developed for mobile device with keypad, it is assumed that it performance on a touch screen will not be significantly reduced, if at all, whereas implementing Picture Password that has more selection that a 10 digit keypad can support, would requires a selection cursor to be scrolled around and this will be in contrast to the original technique implemented on a touch screen.

The IBA prototypes, and the PIN and password prototypes, will be developed using the J2ME platform with NetBeans IDE. An initial prototypes testing will be performed to ensure the system contain no errors and that the prototypes are designed and developed as similar as the original authentication method.

3.3Data Collection

In order to collect data for analysis, the experiment will involve 20 test subjects. The participants will be asked to test the prototype for authentication. In order to remove bias, the test subjects will be varied and balanced in terms of:

 Age  Gender  Educational level  Knowledge of password authentication

The experiment consists of 3 stages: Enrolment and learning, memory test 1, and memory test 2. During each stage, the participant will be testing all 4 of the prototypes in random order. In order to answer the research question of this paper, the data for task completion time and error rate will be recorded during the experiment for analysis at later stage. The 3 stages in the experiment are detailed as follow:

a) Enrolment and learning

Participants will be given a brief introduction on the purpose of the experiment and how the experiment will be conducted.

For each of the authentication techniques, the participant will be given a demonstration on how the enrolment and authentication work. Next, the participant will be asked to enrol themself to the system and are given 5 authentication trials for learning, according to the sequence of enrolment.

For PIN, the minimum length will be 4 digits and should be a combination that the participant believes to be safe and never been used before. The password should be alphanumeric with a minimum length of 6 characters. On the other hand, Picture Password will requires at least 4 pass-images while Awase-E requires at least one pass-image.

b) Memory test 1

Following the enrolment and learning stage, the participant will be interviewed and the questions asked are related to their opinions on mobile authentication in general. The interview focus will then be led towards their perception of the tested IBA techniques. This interview will also serve as an unrelated task before the memory test that follows.

After an interview of around 20 to 30 minutes, the participant will be asked to perform authentication on the systems in random order. The participant can retry as many times as they wish until they have successfully authenticated themself.

c) Memory test 2

For memory test 2, the participant will be requested to come back a week later to perform the authentication, again in random order and for as many times as they wish until they are authenticated, or until they have given up trying.

Following the memory test, the participant will be interviewed briefly to get their post experiment views and perception on the tested IBA techniques. These will be compared with the previous interview response for analysis.

3.4Analysis and Expected Outcome

The performance for the IBA techniques will be discussed in relation to their system design. The findings on the user opinion will also be discussed. This information will be used to derive some design guides and issues for future IBA technique designs.

In terms of authentication speed, the expected outcome will have PIN as being the fastest technique, followed by Picture Password, password and Awase-E. This is because the input method for PIN and Picture Password are quite similar and easy to use while password has longer and harder to input characters. Awase-E’s multiple screens that requires user to analyse each image is expected to result longer authentication process.

As for memorability, the most memorable technique will be Picture Password and Awase-E followed by PIN and password. This is in conjunction with the previous researches that suggest IBA techniques will perform better in term or memorability as compared with PIN and password.

4 Project Plan

2009 2010 Mar Apr May Jun Jul Aug Sept Oct Nov Dec Jan Feb Mar Apr May Jun 1 Initial Investigation 2 Develop Annotated Bibliography 3 Literature Review 4 Develop Methodology 5 Finalize Research Proposal 6 Prototype Design 7 Prototype Development and Testing 8 Finalize Interview Question 9 Conduct Experiment 10 Analyze Result 11 Write Up Experiment Result and Analysis 12 Finalize Research Paper

Figure 10: Timeline highlighting the major tasks in the proposed research

5 Conclusion

The PIN and password along with their more advanced counterparts, token and biometrics authentication has well known limitations. Image-based authentication techniques, on the other hand, show promising result for improving memorability for authentication but their usability are rarely investigated. This paper aims to compare two image-based authentication techniques and investigate their usability from the system design perspective and user views. The expected outcome and a timeline for the experiment were also presented.

6 References

Adams, A & Sasse, M 1999, 'Users are not the enemy', Commun. ACM, vol. 42, no. 12, pp. 40- 46.

Adams, A, Sasse, M & Lunt, P 1997, 'Making passwords secure and usable', People and Computers, pp. 1-20.

Akula, S & Devisetty, V 2004, 'Image based registration and authentication system'.

ATMA 2008, '2008 Annual Report', AMTA Publication.

Clarke, N 'Biometric User Authentication for Mobile Devices'.

Clarke, N & Furnell, S 2005, 'Authentication of users on mobile telephones–A survey of attitudes and practices', Computers & Security, vol. 24, no. 7, pp. 519-527.

Dae Sik, J, Hyun-Ae, P, Kang Ryoung, P & Jaihie, K 2005, 'Iris recognition in mobile phone based on adaptive Gabor filter', Berlin, Germany.

De Angeli, A, Coventry, L, Johnson, G & Coutts, M 2003, 'Usability and user authentication: Pictorial passwords vs. PIN', Contemporary Ergonomics, pp. 253-258.

Dhamija, R & Perrig, A 2000, 'Deja vu: A user study using images for authentication'.

Dirik, AE, Memon, N & Birget, J-C 2007, Modeling user choice in the PassPoints graphical password scheme, ACM, Pittsburgh, Pennsylvania.

Doi, M, Chen, Q, Sato, K & Chihara, K 1997, 'Lock-control system using face identification', Lecture Notes in Computer Science, vol. 1206, pp. 361-368.

Furnell, S, Clarke, N & Karatzouni, S 2008, 'Beyond the PIN: Enhancing user authentication for mobile devices', Computer Fraud and Security, vol. 2008, no. 8, pp. 12-17.

Furnell, SM & Clarke, NL 2007, 'Advanced user authentication for mobile devices', Computers & Security, vol. 26, no. 2, pp. 109-119.

Gafurov, D, Helkala, K, Søndrol, T 2006, 'Biometric Gait Authentication Using Accelerometer Sensor', Journal of Computers, vol. 1, no. 7, pp. 51-59.

Grashey, S & Schuster, M 2006, 'Multiple Biometrics', SmartKom: Foundations of Multimodal Dialogue Systems, pp. 181-193.

Han, S, Park, H, Cho, D, Park, K & Lee, S 2007, 'Face recognition based on near-infrared light using mobile phone', Lecture Notes in Computer Science, vol. 4432, p. 440.

Isohara, T, Takemori, K & Sasase, I 2008, 'Anomaly Detection on Mobile Phone Based Operational Behavior', Information and Media Technologies, vol. 3, no. 1, pp. 156-164.

Jansen, W 2004, 'Authenticating mobile device users through image selection', The Internet Society: Advances in Learning, Commerce and Security, vol. 1, pp. 183-194.

Jermyn, I, Mayer, A, Fabian Monrose, Z, Reiter, M & Rubin, A 1999, 'The Design and Analysis of Graphical Passwords'.

Kim, D-J & Hong, K-S 2008, 'Multimodal biometric authentication using teeth image and voice in mobile environment', IEEE Transactions on Consumer Electronics, vol. 54, no. 4, pp. 1790-1797.

Nicholson, AJ, Corner, MD & Noble, BD 2006, 'Mobile device security using transient authentication', IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-502.

O'Gorman, L 2003, 'Comparing passwords, tokens, and biometrics for user authentication', Proceedings of the IEEE, vol. 91, no. 12, pp. 2021-2040.

Pering, T, Sundar, M, Light, J & Want, R 2003, 'Photographic authentication through untrusted terminals', IEEE Pervasive Computing, vol. 2, no. 1, pp. 30-36.

Phifer, L 2008, 'Mobile Security: Protecting mobile devices, data integrity and your corporate network', Search Mobile Computing.

Su, Q, Tian, J, Chen, X & Yang, X 2005, 'A fingerprint authentication mobile phone based on sweep sensor', Lecture Notes in Computer Science, vol. 3687, p. 295.

Takada, T & Koike, H 2003, 'Awase-E: image-based authentication for mobile phones using user's favorite images', Lecture Notes in Computer Science, pp. 347-351.

Weiss, R & Luca, AD 2008, PassShapes: utilizing stroke based authentication to increase password memorability, ACM, Lund, Sweden.

Yan, J, Blackwell, A, Anderson, R & Grant, A 2000, 'The memorability and security of passwords: some empirical results', TECHNICAL REPORT-UNIVERSITY OF CAMBRIDGE COMPUTER LABORATORY.

Prepared By: Chen Yeah Teck Page 16 of 17