
The Potential of Narrative Passwords for Cognitive Authentication Systems (2094)
Steffen Werner & Connor Hoover, University of Idaho

[Background graphic: alphabetical word cloud of the creature and spirit names that make up the item pools for the story elements (e.g., Aigikampoi, Bahamut, Centaur, Domovoi, Eagle Spirit, Fenghuang, Gigelorum, Hokhokw, Indrik, Jatayu, Kraken, Laelaps, Mbwiri, Naga fireballs, Ophiotaurus, Pesanta, Qilin, Raijū, Sleipnir, Trenti, Umibōzu, Vrykolakas, Wanyūdō, Xiuhcoatl, Yowie, Zhulong).]

Motivation

The need for secure and usable cognitive password systems has long been recognized. Inspired by our studies on recognition-based graphical passwords, this study focuses on “narrative passwords”. Users are presented with a short story (< 1,000 words) that contains interchangeable story elements (e.g., protagonist’s name, story location, objects) randomly selected from separate pools of possible items. These elements form the narrative password, while the story serves as a context to enhance memory for the items.

To authenticate using a narrative password the user would have to either reproduce (cued recall) specific pieces of information, or the user has to pick the correct answer out of a number of alternatives (recognition). Graphical passwords mainly use recognition-based methods to achieve high authentication performance.

[Figure: Examples of three different graphical password systems. The user has to identify the correct password elements to authenticate.]

Study 1 used a step-down recognition paradigm where participants first tried to recall the relevant information in response to specific questions (e.g., “what was the protagonist’s first name”) after which they were shown descending lists of potential responses containing 2^n (8 > n ≥ 0) choices. We were particularly interested in the optimal recognition set size to maximize information entropy. In addition we tested the effect of highlighting the target items in the text.

Study 2 compared the performance of a narrative password at three different levels of information entropy (36, 45, and 54 bits of information). We also investigated how to best use agents’ names as part of a narrative password.

Study 1

Procedure
861±2 word short story with 11 randomizable elements
20 participants, average 3:52 min reading time

Independent Variables
Within: Retention Interval (RI: 10 min, >1 week)
Within: Recall vs Recognition (8 levels)
Between: Cued vs Uncued (target items boldface)

[Figure: Recognition vs. Recall for Cued vs. Uncued Conditions. Recall (blue) vs. Recognition at 9x4 bits (orange); lighter bars indicate 10 min RI, darker bars >1 week RI. Conditions: uncued, cued; y-axis 0–100%.]

[Figure: Recall and Recognition Performance by Question, testing after short distraction task (10 min). Recall (blue) vs. Recognition (orange, successively decreasing response sets [bits of information], 8 down to 1). Questions: lastName, priest, color, feature, firstName, room, smell, drink, itemGiven, itemReceived, visitor.]

Study 2

Procedure
861±2 word short story with 11 randomizable elements
34 participants, average 4:04 min reading time

Independent Variables
Within: Retention Interval (RI: 10 min, >1 week)
Within: Recall vs Recognition
Between: Information Entropy (36, 45, & 54 bits)
Between: First/Lastname separated vs. combined

Results study 2

[Figure: Recall vs. Recognition Performance by Recognition Set Size. Recall (blue) vs. Recognition (orange) at set sizes 16, 32 and 64; lighter bars indicate 10 min RI, darker bars >1 week RI.]

[Figure: Recognition of Protagonist and Minor Character Names, 10 min vs. >1 week RI.]

[Figure: Recognition of First Name and Last Name vs. Combined Names for both Retention Intervals. Story elements: Protagonist last name, Minor name, Color of item, Feature of item, Protagonist first name, Location (room), Smell, Drink, Gift, Item, Visitor identity.]

[Figure: Login Performance After 1 Week Retention Interval by Different Password Systems (text / graphical): Uncued Narrative (36 bits), Alphanumeric (36-46 bits), PassPoints (36-46 bits), Cued Narrative (36-54 bits), PassFaces (36-46 bits), VIP (36-46 bits), CSA (36-46 bits).]

Conclusions

- Performance in an adaptive recognition procedure is significantly better than free recall even at large recognition sets
- Elements highlighted in the text are remembered better
- Story elements have to be selected carefully to ensure high performance
- Name recognition is driven largely by first names. The last name is usually poorly remembered and doesn’t provide an additional recognition cue
- Information entropy of narrative passwords is potentially sufficient for use in secure passwords but overall performance is currently less than graphical passwords
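The elements-from-pools construction, the three entropy levels and the step-down recognition procedure described on this poster, as an added Python example; it is not the poster's code or the authors' study materials. It reads the 36/45/54-bit conditions as 9 scored elements at 16/32/64 alternatives each (the "9x4 bits" label supports this, but it is an inference); the pools, slot names, the `levels` ladder, the `min_bits` policy and the simulated participant are constructed for the example. It also goes one step beyond the poster to show the accounting a verifier needs: a claimant can fail free recall and still be shown every recognition set, so a slot is worth the guessing work of the whole ladder, not the bits of the level at which the legitimate user happened to succeed.

```python
"""Narrative-password entropy budget and step-down recognition login.

Constructed example, not the poster's materials. Pools, slot names, levels
and the minimum-bits policy are assumptions mirroring the poster's design
(9 elements x 16/32/64 alternatives = 36/45/54 bits).
"""
import hmac
import math
import secrets
from typing import Callable, Dict, List, Optional, Sequence

# Constructed pools of 16 items (4 bits) per story slot.
POOLS: Dict[str, List[str]] = {
    "protagonist_first_name": "Mara Elias Noor Tomas Ines Kofi Lena Raul Ada Bram Cleo Dev Esme Finn Gus Hana".split(),
    "location": "attic kitchen chapel library cellar garden tower barn porch study pantry stable mill orchard dock forge".split(),
    "drink": "tea cider coffee mead milk broth wine juice cocoa ale lemonade soda water punch nectar kvass".split(),
    "gift": "compass lantern ribbon key coin flute map mirror bell ring scarf candle book locket feather brooch".split(),
}

_RNG = secrets.SystemRandom()

# A claimant answers a cued question: options is None for free recall, or the
# list of alternatives shown for recognition. Returns the answer (or None).
User = Callable[[str, Optional[List[str]]], Optional[str]]


def entropy_bits(pool_sizes: Sequence[int]) -> float:
    """Entropy of a password whose elements are drawn uniformly and independently."""
    return sum(math.log2(n) for n in pool_sizes)


def generate_password(pools: Dict[str, List[str]] = POOLS) -> Dict[str, str]:
    """One item per slot from a CSPRNG; uniform choice is what makes entropy_bits() honest."""
    return {slot: secrets.choice(items) for slot, items in pools.items()}


def recognition_set(pool: Sequence[str], target: str, n_bits: int) -> List[str]:
    """Target plus 2**n_bits - 1 distractors from the same pool, in random order."""
    k = 2 ** n_bits
    if k > len(pool):
        raise ValueError("recognition set larger than pool")
    options = _RNG.sample([x for x in pool if x != target], k - 1) + [target]
    _RNG.shuffle(options)
    return options


def guess_bits(set_sizes: Sequence[int]) -> float:
    """Effective bits of a slot when a claimant gets one guess per set size in
    turn (recall counts as a guess among the whole pool): -log2 P(any guess hits)."""
    if any(k < 2 for k in set_sizes):
        raise ValueError("a set of size 1 is a free pass")
    p_all_miss = math.prod(1 - 1 / k for k in set_sizes)
    return -math.log2(1 - p_all_miss)


def slot_strength_bits(pool: Sequence[str], levels: Sequence[int]) -> float:
    """Bits a slot is worth under step-down: recall plus every recognition level
    the ladder would show a claimant who keeps missing."""
    sizes = [len(pool)] + [2 ** n for n in levels if 2 ** n <= len(pool)]
    return guess_bits(sizes)


def _matches(answer: Optional[str], target: str) -> bool:
    """Constant-time comparison of a claimant's answer against the stored element."""
    return answer is not None and hmac.compare_digest(answer.encode("utf-8"), target.encode("utf-8"))


def step_down_check(slot: str, target: str, pool: Sequence[str], user: User, levels: Sequence[int]) -> bool:
    """Study 1's paradigm for one slot: cued recall first, then recognition
    among 2**n alternatives for each n in `levels` (descending) until a hit."""
    if _matches(user(slot, None), target):
        return True
    for n in levels:
        if 2 ** n > len(pool):
            continue
        if _matches(user(slot, recognition_set(pool, target, n)), target):
            return True
    return False


def login(password: Dict[str, str], user: User, pools: Dict[str, List[str]] = POOLS,
          levels: Sequence[int] = (6, 5, 4), min_bits: float = 36.0):
    """Accept only if every slot is answered correctly AND the ladder offered
    still leaves at least `min_bits` of guessing work. Every slot is checked
    even after a miss, so the outcome does not reveal which slot failed."""
    results = [step_down_check(s, t, pools[s], user, levels) for s, t in password.items()]
    strength = sum(slot_strength_bits(pools[s], levels) for s in password)
    return all(results) and strength >= min_bits, strength


def simulated_user(recalls: Dict[str, str], recognizes: Dict[str, str]) -> User:
    """Deterministic stand-in for a participant (constructed): free-recalls the
    slots in `recalls`, picks the slots in `recognizes` out of a list, else fails."""
    def user(slot: str, options: Optional[List[str]]) -> Optional[str]:
        if options is None:
            return recalls.get(slot)
        item = recognizes.get(slot)
        return item if item in options else None
    return user


if __name__ == "__main__":
    pw = generate_password()
    print("design entropy of these pools:", entropy_bits([len(p) for p in POOLS.values()]), "bits")
    for k in (16, 32, 64):  # the poster's three conditions, 9 scored elements each
        print(f"9 x {k}-item pools: {entropy_bits([k] * 9):.0f} bits")
    ok, bits = login(pw, simulated_user({}, pw), levels=(4,), min_bits=12.0)
    print("recognition-only login:", ok, f"(ladder worth {bits:.2f} bits)")
```

With four 16-item slots the design entropy is 16 bits, but a ladder of free recall plus one 16-alternative set is worth only about 12.2 bits, so `login(..., levels=(4,), min_bits=16.0)` rejects an all-correct answer: the acceptance policy has to be derived from `slot_strength_bits` for the ladder actually offered, not from `entropy_bits` of the pools.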

References

Biddle, R., Chiasson, S., & van Oorschot, P.C. (2012). Graphical passwords: Learning from the first twelve years. ACM Computing Surveys, 44(4), Article 19.

De Angeli, A., Coventry, L., Johnson, G. & Renaud, K. (2005). Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. International Journal of Human-Computer Studies, 63, 128-152.

Johnson, K. & Werner, S. (2008). Graphical User Authentication – A comparative evaluation of Composite Scene Authentication (CSA) vs. three competing graphical passcode systems (Passfaces, VIP, PassPoints). In Proceedings of the 52nd Annual Meeting of the Human Factors and Ergonomics Society. Baltimore, MD.

Keith, M., Shao, B. & Steinbart, P. J. (2007). The usability of passphrases for authentication: An empirical field study. International Journal of Human-Computer Studies, 65(1), 17-28.

Kurzban, S. A. (1985). Easily Remembered Passphrases—A Better Approach. ACM SIGSAC Review, 3(2-4), 10-21.

Shepard, R. N. (1967). Recognition memory for words, sentences, and pictures. Journal of Verbal Learning and Verbal Behavior, 6, 156-163.

Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., & Memon, N. (2005). PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies, 63, 102-127.

Wright, N., Patrick, A., & Biddle, R. (2012). Do You See Your Password? Applying Recognition to Textual Passwords. Symposium on Usable Privacy and Security (pp. 1-14). Washington, D.C.